Webinar Recording

Extend your existing Active Directory to the Cloud

KuppingerCole Webinar recording

Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar, Extend Your Existing Active Directory to the Cloud: How to Enable the New ABC, the Agile Business Connected. This webinar is supported by Microsoft. Speakers today are me, Martin Kuppinger, founder and principal analyst at KuppingerCole, and Kim Cameron, creator of the Laws of Identity and Microsoft identity architect. And obviously he's employed by Microsoft. So before we start, some general information. The first thing I want to hint at is our upcoming conference. So a little less than two weeks from now, the European Identity and Cloud Conference 2014 will start in Munich, May 13th to 16th. It's about all leadership, best practice and digital identity and access management, cloud security, GRC, with a lot of very interesting speeches, including Kim Cameron, including a lot of other people. Have a look at the agenda. It's a must-attend event, I would say, something you definitely should not miss.
KuppingerCole itself is an analyst company providing enterprise IT research, advisory services, decision support, and networking for IT professionals. Our research services provide reports, including our Leadership documents, which compare vendors and products in various market segments, our advisory services and our events. And as I've said, one of our events is the European Identity and Cloud Conference. We have our webinars, and there will be a series of other events starting in autumn this year. So have a look at what is coming up here. Regarding the webinar itself, some guidelines: you are muted centrally, so you don't have to care about that. We are recording the webinar, and the podcast recording will be available tomorrow, and as well the slide deck will be available for download. The Q&A session will be at the end. You can add the questions at any time using the questions feature in the GoToWebinar control panel. It might have a different name depending on the language version, but enter your questions once they come to your mind so that we have a comprehensive and good list of questions at the end of the two presentations, so that we have an interesting Q&A session as well.
The agenda is split into three parts as usual. The first part is me. I will talk about cloud identity and access management and the extended enterprise, so the need for extending your current IAM infrastructure, and that includes especially also what you do with Active Directory, to the cloud. So I will set a little bit the foundation for that. So what is the driver behind all these things? What is the need behind it? And then I will put some emphasis on what it means from an Active Directory perspective. So I personally have a long history in that area. I wrote probably some hundred articles about Active Directory, very technical ones, over the years. I wrote books like the German handbook published by Microsoft Press or the handbook for Windows Server systems, etcetera. So a long history in Active Directory, and I'm really looking forward to talking about Active Directory today, sort of back to the roots for me. The second part will be Kim Cameron.
He will talk about Microsoft's strategy in extending Active Directory to the cloud and the new role of Azure Active Directory. As I said, part three will be the Q&A part. So let's directly move to the topic. Those of you who are more frequently attending KuppingerCole webinars are probably familiar with this graphic. It's my computing slide, showing that the scope of information security is changing. We have cloud computing, so we have to deal with different deployment models. It's not only an on-premise world anymore. We have to manage access and manage security of cloud services. We have social computing and more than social computing, so different user populations. It's not only the employees anymore. We increasingly have to work with business partners, customers, etcetera. The number of users is growing and the business cases are changing. And then we have mobile computing.
So users accessing services from external using their smartphones, tablets, etcetera. Also this is fundamentally changing right now. And that means we have to do it a different way, or we have to find a different way of doing it than we did before, because it's really about supporting this entire ecosystem, which also means that we have to think about what to do with our essential elements in IT infrastructure. And I think around about 90% of the organizations are relying on Microsoft Active Directory. So extending Active Directory and thinking about what is the way to move forward from what you have in Active Directory to this new world, this new scope of information security, is clearly one of the challenges organizations are facing. So, when we look at customers and customer challenges, it also means we are looking at what I've called the identity explosion.
So instead of a few thousands, or maybe even some hundred thousands of employees, we might have to deal with hundreds of thousands of business partners and millions of customers. So far more identities than ever before, which also means that the systems which manage our identities have to be ready to serve these changing needs. And while the employee base is relatively stable, the business partners might be far more under change. Prospects, leads, customers are something which is ever changing. So also that means we have to find different ways, or we have to rethink how we do these things. On the other hand, I'm a very strong believer in protecting existing investments, and what you should not forget, and something I will touch on later, is that we have a lot of IT on premise which we still need to serve. So we can't just say, okay, we look at the cloud and do everything perfectly well for the cloud.
What we need to do is to understand how we can extend our existing ecosystem here. And this entire thing is about sort of the new ABC, the agile business connected. Businesses today have to be agile. This is a mandatory thing. If you look at the changing economic landscape, the globalization, the more rapid, faster competition, etcetera, then businesses have to be agile and they have to connect. They have to connect with their business partners, with their customers. They even have to connect with a lot of devices, etcetera. So this entire Internet of Things, or better maybe Internet of Everything and Everyone, means that the way organizations are communicating and collaborating with others is changing. So whether we call it open enterprise or connected enterprise or extended enterprise, I don't care. The main thing is really, the businesses need to be agile.
So agile business models, faster changing business models, agile business processes, changes in communication channels. The organization has to be agile, etcetera, and they need to be connected. They need to connect with far more people than ever before. And you need to manage these identities. You need to manage their access. And this is where then the question arises: okay, I have Active Directory. What about the rest? How do I deal with the other users? Can I do it in Active Directory, or where should I do it? How to handle all this stuff, and also how to extend the reach of my Active Directory, maybe to new types of applications. And as I've said, all this is based on a demand from business. Business is demanding new things from IT. This is an increasing pressure for a lot of organizations.
So people want to use cloud services. They want to access business partner systems. They want to collaborate in industry networks. You need to enable the mobile workforce, quickly and rapidly onboard and offboard business partners, interact with customers. You need technology behind this. There's a lot of, let's say, newer and more advanced technology. And this is then what ends up in the business world, in the agility, in compliance and innovation, in collaboration and communication, which is then really ready for what you need today. So this is really where things are going, and within this, the broader topic of cloud IAM, so IAM for identity and access management, plays an important role, where we see a lot of evolution these days. And what we observe are in fact three distinct areas as of now, which are becoming sort of more stable. One is the cloud-based identity and access management, identity and access governance, which is more running IAM or IAG tools in the cloud as a service, managed as a real cloud service.
Then there's the cloud user and access management, which is also the area of Azure Active Directory, and the other things which Kim will talk about later: single sign-on capabilities, support for identity providers, etcetera. Companies came from various angles, so single sign-on, federation services, strong authentication, but these things are more and more converging. And most likely they will also converge over time with the more cloud-based IAM, sort of more technical stuff around this. And we have also industry collaboration networks, so more closed networks, very specific networks for particular use cases. When we look at this, then we have the cloud user and access management, where we see an increasing number of functionalities to support access of internal and external users to cloud services, and potentially also on-premise web applications, which includes outbound federation, inbound federation, self-registration, etcetera.
So there's a number of features. Cloud single sign-on is almost one, but we also need to provision users to the cloud services and applications, to support inbound federation of business partners, outbound federation to cloud services or to business partner applications. There needs to be an underlying directory service. We need authentication services, strong authentication services. Very importantly, we need self-registration, so the ability of users to register themselves in defined workflows, and access management for all those things. And it needs to be integrated with the on-premise world, because we still have a lot of on-premise directory servers, etcetera. We have people sometimes in there, not only our employees, but also others. If you look at your customers, you might manage them somewhere, and this is what we need to do. And as I've said, there's another area which I will skip, the cloud-based IAM/IAG.
Right now let's look at Active Directory. As I said, a very large number of organizations is using Active Directory, and I think there is a good reason for that. It's a directory service which works well. It allows you to run your primary network authentication, provides some infrastructure services, integrates well with your Windows client environments, etcetera, etcetera. So replication works quite well and all this stuff. So it's something where you have good reasons to use it, but at the end of the day, Active Directory is sort of purpose-built. It has been built for a specific purpose as a network directory service, focused on the on-premise world, focused on the primary authentication.
And it also has to carry some burden in the sense that there are specific services in there, such as network infrastructure services, which you will not need in every environment. So this is something where clearly Active Directory is good, but it's purpose-built. And if the purpose changes, you might consider changes there. So when it comes to managing external users, when it comes to managing all the other users, then this is something where I've had this discussion ten or even more years ago, the discussions around how I can manage my externals in Active Directory, and that's something which is not that easy to solve. So how do you do it? There are security management challenges. So do I decide on another forest or a specific domain for specific groups of users? This is challenging.
Everyone who's familiar with Active Directory knows that this is something which really requires a lot of thinking about how you structure your Active Directory there. If you say I do it in the same domain, I have different groups of users in the same domain, then it's about thinking about the security concepts. You need to spend a lot of time on how you ensure that things don't go wrong. And however you look at it, managing different groups of users with different requirements in Active Directory is, from a security management perspective, challenging. And there are other things. So if you replicate your internal users, there's a good reason to do it across your different branch offices, etcetera, your different subsidiaries. There's a good reason, there's logic in doing it. But if you, instead of your, let's say, 27,000 employees, replicate data of 4 million customers, the way Active Directory does replication might not be the best choice for that problem.
So again, this is where you have to think about how you can change it. And the other thing is schema changes. So if you want to scare your administrators of Active Directory, you just go to them and say, hey, we need to change this schema. The reaction usually is always the same: oh no, we will not change the schema. We won't change the schema. You can change the schema. It's not as inflexible as it's sometimes said, but it's still something which has to be well thought out. It's a little bit cumbersome. So there are challenges, and the people who are familiar with Active Directory are well aware of them, which just means if you talk about this broader ecosystem of far more users, about the identity explosion, etcetera, then we have to think about which role Active Directory shall play therein. And there are various options then to extend your Active Directory to the cloud, so to speak, to serve all these other users, to manage access to cloud services, etcetera. So when we look at these various business cases and think about, okay, we want to deal with these 4 million customers, not only with the 30,000 employees.
So what could you do? You could build on your existing on-premise Active Directory. It's not simple, a lot of design work. It's not easy from a security perspective, a lot of thinking and management. If you can handle it, it's straightforward. So you have other types of users, and then you start thinking again. So probably it's not the ideal thing to do. There's an option provided by Microsoft where you can run in fact Active Directory as a virtual machine on Azure, sort of, so having your Azure-based domain controllers, but in fact the same type of domain controllers. Clearly it's staying in a comfort zone, but the design challenges remain, security-wise it's more or less the same, etcetera. You might rely on a cloud IAM service, something which integrates well with Active Directory. And if you look at the market, most of the things which are happening around cloud user and access management have some integration back to Active Directory. So this is something where you have to think about integration. That can be a challenge, but that is overall feasible.
You segregate your security issues, but a cloud service comes into play clearly. So you have to consider, can I manage users with a cloud service, etcetera; there might be legal aspects, etcetera. Nevertheless, I think it's something which can be handled well. And it's something where, if you say, I have a thing which works well for my on-premise IT, and I will have on-premise IT for a long period of time, and on the other hand I have something which works well for accessing or managing access to cloud services, for onboarding external users, etcetera, for all that type of stuff, if you have this as well, then it's a stable approach for the foreseeable time. You might also think about moving everything to the cloud, but I think this is just an option if you, on one hand, fully trust the cloud, and if you more or less purely rely on cloud services, because then going back to on-premise IT might be somewhat challenging.
So these are various options. And my strong belief in fact is that there's good logic in saying, okay, I have my Active Directory and an on-premise infrastructure. I will have a lot of on-premise IT for the foreseeable future. I use that, and I find a way where I can really build a hybrid infrastructure with something running in the cloud, managing the new challenges, connecting well back and forth with my existing environment, and then serving the different use cases for using cloud applications and on-premise applications. So my perspective is the future is hybrid. And when it's about extending Active Directory, then it's about thinking how to find a hybrid solution for these new challenges. So right now I will hand over to Kim, who's the next speaker. So we are back to our presentation. I will make Kim the presenter right now, and then it's your turn, Kim.
Well, thank you, Martin, very interesting presentation, and you really outlined all of the issues very clearly. And in fact, as the identity architect, I've been working really focused, in a focused way, on reinventing Active Directory within the cloud environment. Now, when I say reinventing, I don't mean that it's going to replace Active Directory. I mean that it is taking what... because my basic attitude towards infrastructure is that infrastructure stays around for a very long time and it has to be stable. And, you know, it's easy to introduce new types of infrastructure, but it's very hard to take out existing ones. And so Active Directory is so ubiquitous that it will continue to be used in its role for a very long time. It's still very central in many, virtually all, of the Fortune 1000 companies, but at the same time, we'll be in a new world.
And that world has these new challenges: the challenges of not being able to limit people's choice of devices, not being able to prevent people in various business units from accessing cloud services, as cloud services evolve that are really useful to their business. People are going to want to take advantage of those. And so there's this inevitable tendency for new ways of doing it to come around. So our question was, how do we take Active Directory and say, okay, let's do all of the things that were successful and served our customers with Active Directory, but do them in this new cloud era? And so a bunch of things have changed. You know, Active Directory was really oriented towards, say, Windows devices. In the new cloud era, there are all kinds of devices. So the cloud-era Active Directory has to be completely integrating of all the different devices, the Androids, the iPhones, the iPads, everything else, and as equal partners to the Windows devices. And it has to adapt to the challenges that our customers have to adapt to going into this new digital epoch, which is that they will be doing more and more of their interaction with their customers digitally, and in an increasingly dangerous world.
And so they need ways of doing identity management with their customers, not just with their employees. So this shift towards integrating and being able to manage your relationship with the customer is one of the key defining things about the directory that is needed in the cloud era. And so then our strategy is to be able to extend the Active Directory components into the cloud, so that all of the cloud-era problems can be handled in the cloud, and the intra-enterprise issues that are best handled by AD can be managed there, but that the total amount of interaction that the administrators would have to do is as though it's one single system. And so we call that hybrid. So I'm going to give a... you know, one of the great things about moving into the cloud is that we're able to function so much more efficiently and do a lot more, a lot more quickly.
So it's very exciting, because we have so many things that we've been able to introduce at the same time as achieving, like, I think we have 1.4 million enterprises and organizations using Azure right now, and we have 200, 220 million users, you know, active users using Azure and so on. So we have this tremendous scale, but we can also innovate much more quickly and have a lot of new abilities there. So trying to figure out exactly how to share this information with you is a bit challenging, but what I'm going to do is go through some of the basic features that we've been releasing, very quickly, and then try and leave some time for us to talk about questions. And of course, I'll be at the EIC conference and would be totally happy to speak with you if you have things that I can help clarify there. Okay. So let's see.
Okay. Finally. Okay. So I've spoken about this and I'll just move on. Basically we take the notion of identity, and we say public identity here in the sense that it's not just being expressed inside the enterprise, but with partners, whether they be suppliers of services in the cloud, or whether they be actual people who you're collaborating with, or, you know, your own employees when they're outside the enterprise. And of course the most important part of all of this is the applications. So by applications, we've been sort of hardening this by offering our own applications, Office 365, Windows, Microsoft Dynamics CRM, and so on, but also we've been integrating, as you'll see, we now are integrated with 1200 other cloud-based applications.
And we have been reaching out to integrate not only Windows Server and Active Directory, but other directories and other sources of user information, because for example, as we move towards this world of managing the identity of users, of customers, a lot of that is kept in customer-facing systems that are separate. And so if we want to be able to provide cloud services for them, we need to be able to integrate with those other directories, and to integrate with this whole series of different PCs and devices, and be able to manage all of those in a central way that will apply both to cloud and to on-premise Active Directory. And so the basic high-level story is we synchronize identity information from on-premise to Azure AD. And at some point in the future, we'll allow you to also synchronize it from Azure AD onto on-premise.
And we also have then the mechanisms to be able to integrate with all of these different services and so on. And what's interesting here is that the complexity of integrating with the services is handled in the cloud. So that doesn't become an IT nightmare once they have this kind of a piece in the puzzle. So in terms of the high-level message, it's comprehensive. It's not just directory; just like AD was directory plus authentication plus certificates plus, you know, federation, all those identity services, we're doing the same thing with Azure AD, except that they'll be done in the cloud and they'll integrate with on-premise, and we'll be doing all of this in a way that, I think you'll be amazed at some of the identity governance things that are coming out of this. Everything is totally standards-based, you know, supporting all of those things. And we have two SKUs, which I'll talk about. The basic service is free. We then have a premium offering that has the more advanced capabilities. So I'll just drill into that for a minute. One of the things it offers is the enterprise SLA of 99.9%, usage rights to a Forefront Identity Manager server and the CALs necessary to do that, and then you have a whole bunch of continually evolving capabilities,
which I'll describe briefly. So these capabilities are first of all the directory in the cloud, but also managing access to applications, monitoring and protecting, and empowering users. Excuse me. Okay. So in terms of the way the directory works, you connect and sync, and I'll show you how we've done this. First of all, as I said, you can synchronize not only AD into Azure, but any other directory that you have, or any other data repository. In terms of the way that you handle authentication, you can do it in two ways. One is you can set up what we call password hash sync, so you synchronize your user population, and then we synchronize a hash of the AD hash, encrypted under our own key. So in Azure, we have no visibility onto either the original password or what is stored in your AD. We only have, you know, a function of that. So it's extremely good from the security point of view.
We also have another option, which is that you run ADFS on your local systems, and then you synchronize through SAML or, you know, WS-Fed or whatever you want. And so in that way, you can have a really transparent... and it's easy to set up. The smaller companies will just go with the password hash sync; companies with really strong compliance requirements would go through the federation and so on, but everybody gets a seamless authentication experience. Now, the other thing that we manage are the applications. So you'll see it's not just a matter of integrating with directories. It's a matter of integrating with applications. And so there are basically a very large number of these applications, and it means that you end up with a control panel that your users can employ, and they can go to any of these applications. And if there are applications that we don't already support, we have a way for you to submit the name of the application and we'll do it for you. Or you can basically add your own configuration. So what this means is you can bring in your line-of-business apps, your custom apps, and then you have the ability to control which of your users are able to access these applications, either on premise or again in the cloud.
So basically, the concept here is that you have one place where you can centrally manage identities and access. Then the IT professional can put together the various policies, and you can have auditable business processes which help with compliance and so on. We've also been working really hard on all kinds of security features, reporting. And so you get the kinds of things like if people are logging in from geographically different places. In other words, if you have somebody who is stationed in Germany and somebody logs in to their account from Russia, well, all of that is picked up and tracked and generates alerts. And, you know, you can then actually set up multifactor... another one of the offerings is this thing called multifactor authentication, which then allows you to require that a user who is perhaps traveling or something will have to use a second factor, use his or her cell phone and do an SMS, or just answer a voice call, or whatever it might be.
So multifactor authentication is interesting, something that's much simpler to do in the cloud than it is on premise. But in addition, what we end up having is the ability to do real-time analysis on the authentication attempts and detect people who are trying to abuse the system or hack the system, and then be able to dynamically upgrade the authentication requirements. Right now, in our current releases, that requires the administrator to respond to the alert and change the configuration, but our goal is that that will all be completely automated. So I'm not going to go into this. I'm just going to skip. In terms of the offering, we already have multifactor authentication for Office 365 and for Azure administrators. The multifactor authentication for the enterprise as a whole, and its users, is a separate offering, and it allows the whole multifactor experience to be customized and take on the personality of your enterprise.
You know, for example, when you're using multifactor to log into Azure, the messages will be coming from Microsoft: oh yes, you know, welcome to Azure, etcetera, please enter the PIN or whatever. That clearly isn't appropriate when you're dealing with people who are partners of your own organization. So you need the control to be able to do that. And you need much higher degrees of... you need your own security reports and ways to block and unblock, and one-time bypass, and everything else. So all of that is present in the service. And then here is the empowering users. Basically the administrator goes into these various menus and adds the users, and they can say, well, this group of users should get access to the InterQual learning source; this group of users should get access to Concur.
Oh, but we'll add Martin too, to the Concur access. So you can do all of that kind of thing from a control panel, and you can then automate it. And so you can see that as your synchronization gets sufficiently advanced, you can automatically put people into the right groups. They can thereby be automatically enabled for the right applications, and they get a sort of a control panel like this, be it on their computer or on a phone. And when they choose one of these entry points, the system will either federate or will use password fills and things like that in order to get them logged in.
So also the self-service password reset, and the password reset itself can be gated to require multifactor authentication if you want to. And so all of these things can be reused in a very synergistic way. So once again, some of these things are in the free offering, some of them are in the Azure AD Premium offering, and some of them are in the multi... well, the multifactor authentication is its own offering. Now what I'm going to do is very quickly talk about just a few things to give you an idea of how the cloud changes things. One of the things that people have trouble with is, well, which SaaS applications are the people in my enterprise using? So one of the things that we just put into preview is this thing where you put an agent on the employees' desktops, which is looking for access to the various SaaS applications that are supported.
And so it can then give you reports about which... because most companies don't actually know which. These cloud applications are coming along so quickly, they're really out of control and nobody has visibility into them. So we have this mechanism, and the way this works is there is an agent that is used locally to pick up the information, either from an egress point or through an agent on the machines that is distributed through group policy, but then all of the information is sent into the cloud, and then the cloud does the machine learning analysis. And it's very interesting. So that's in preview. You can actually go out and try that one if you want to. Finally, I'm going to just give you a few comments on the synchronization stuff. It should be clear that the synchronization is absolutely key to making this a single administration technology, like you only administer one place; the cloud isn't a second job that you have to take on. And so we put a lot of effort into this, and you'll see what we do is between Azure and the cloud services, that's all automated at our end, and you only have to manage your users in one place.
So one of the new things we've released is this thing called AAD sync. And it supports, you know, it's basically an advanced version of Deere sync if you've seen how that works. And so it's basically an appliance that you can, that you can put in that will synchronize from, from, from ad and unlike Dearin, it will, it will work across forests. You can do attribute filtering and names, name transformations on the, on the attributes. And it supports our whole range of F connectors, PeopleSoft, SAP, L app, all of them. So you can actually synchronize people directly out of your HR, into the system. If, if you prefer, we also have a new product coming along, which is the next version of fi and that's called our Microsoft identity manager. We naturally would change the name it one more time.
One of the things that it has that, that, that it will have, this is 2015, is this very, this, this thing called privilege access management. And so administrators don't get the right to, to, to, to, to access resources, Beckley. They have to go through the manager and they get a, basically a ticket that allows them to be able to get into the resources for a specific period of time. And that can all be highly audited and logged, things like that. So I'm gonna sort of leave it there. One thing I haven't talked about is our upcoming work on customer and partner identity management. I'll be talking about that more at the conference. This is really taking on the challenge of doing identity management for customers, hugely important thing for Azure in the cloud. Okay. Thanks very much.
Thank you, Kim. So I will make me moderator, okay. We are now ready for entering the Q&A session. We already have some questions here, and if there are more questions, then just ask them. I will start with the first one; I think all of the questions go to Kim. So the first question to you, Kim: what is the typical size of Windows Azure customers, or probably Windows Azure AD customers? So what amount of persons do these typical customers handle? Maybe you also can give some details about what are very large customers, what are very large installations?
Ah, okay. Well, we have, for example, 14 million university students. So a whole bunch of universities; we have a program for the universities, and we do their email for their whole student populations. And so those are quite large. I think we have sort of customer populations that are coming our way. But I think, you know, I'll get back to you on what our largest current customer is, but we know that we can easily handle in a single tenant 50 million people. And we're also working on a version that will have, you know, you could then of course partition, but this is without partitioning.
You know, I don't know, Martin, how do I... if we can take the email address of that person. Yes,
We can. We can handle this also with more details afterwards. No problem. You'll get all that information. Okay. The second question: maybe you can go a little bit more into detail on how the multifactor authentication works?
Ah, well, you just basically configure the system so that all of your users, or some of your users or whatever else, are required to use multifactor authentication. And so that's how the selection works. In other words, there's a portal screen where you can configure it, and you can actually go and try this yourself on the system. So then in terms of how it works, Azure will analyze... you also configure how you want the phone factor to interact with your people, whether you want them to send SMSs or whatever it might be. And so then we just have a service in the sky that takes care of that. And we won't give them a token, we won't give them a SAML token, until they've gone through whatever you have configured it for. Now, in the new offering that we're...
So this is another set of technology that we'll be unfolding over the next couple of years and putting into production. It's currently in private preview with selected people. We actually support multiple different kinds of multifactor. And it can be dynamic, so that different application pages have different requirements. In the current system it's like all or nothing, but that is being evolved to something which is completely policy driven in terms of the policy of the application. And so it's very, very flexible.
Okay. So let's go ahead to the next question, because we have a number of questions right now. Here is one: is Azure AD already available? If not, when is it scheduled to be released?
Oh yeah. Azure AD has 220 million people, individual users, who use it, and everything I showed you in the slides is available. Some of it is in what we call preview. Like the thing that does the analysis of which applications your users are employing, that's in what we call preview. The AAD Sync is still in preview. And what we do there is we invite you; you can join the preview and then you can feed back to us. And we will, you know, of course take that into account, and this is the wonderful thing about being cloud-based, you know, we can actually just continue evolving, 'cause we don't have to go through a four-year ship cycle. So we can get lots of input during the preview and afterwards, and keep honing the products. So yes, it's available. I hope you go and use it. It's actually, it's becoming, you know, enough of it has shipped now that you are really starting to see what it is. And I find it the most exciting thing I've worked on in my career. It's very interesting. And all of the meta directory stuff is back again. So I'm super happy.
Okay. When we are talking about meta directory and stuff you worked on before, that's another question: will the new FIM offering, the next release of FIM, support the typical privilege management features such as shared account management, etc.?
Shared account management.
So you talked about... is it that it'll support privileged users? Yeah. Is it also about this type of, you know, you have a root and then you have the management of the passwords?
For the... I, so I don't know. So once again, I will get that back to you. Okay, perfect. Ask for it. Yeah.
Maybe you also could talk a little bit more about flexibility of schema in Azure AD for various tenants.
Yes. There is schema extensibility, and you know, each tenant can do their own extensions, and we've just released that too. So yeah, it's there. I don't know, is there more, is there a supplement to that question?
No, not really.
Question. I think the current limitation is, I don't know, something like maybe a thousand characters in the attribute. So it currently doesn't support blobs and things like that, but it will; that's all in the plan. Currently it just supports the same kind of things that we have in conventional Active Directory.
Okay. And then there's a question: what are the current capabilities of Azure AD for provisioning users from HR systems, let's say Workday?
Yeah. Well, that's when you configure an app; one of the things you configure is whether or not you want it to be provisioned. And so it will actually do that for the apps that... okay, we don't do provisioning for all the 1200 apps, but there's a whole series of the apps, and Workday is one of the ones that we either support or it will be like within the next few, you know, weeks. I think it's already released; unfortunately, I'm an architect, so I don't know the release thing, but yeah. So you just, it's really unbelievable, because you just go in and you say people from this group or whatever should have access to Workday, and they'll just appear in Workday. It'll get provisioned.
Okay. So I think we've gone through the list of questions we have here. So let's say thank you to all the participants who attended this community webinar. Yes, thank you to you, Kim. I apologize for my voice and hope to see everyone at the upcoming European Identity and Cloud Conference. And maybe let me note that there's a lot of related research on these topics available from KuppingerCole; have a look at this as well. So thank you, have a nice evening, and hope to see you at...