Today I’m happy to be able share some more improvements we’ve made to the identity and access management capabilities in Windows Azure. These improvements build upon the work I’ve previously blogged about that we are doing to fully integrate Windows Azure AD into Windows Azure
Starting today, if you already have Windows Azure Active Directory (AD) tenant or if you are a new customer and create an Azure subscriptions using an Windows Azure AD tenant, you can access the following three new features to more securely and efficiently manage access to Windows Azure.
- Manage users and their access rights in the Windows Azure Portal.
- Try out a preview of our new phone based two factor authentication for users who are Global Administrators in Windows Azure AD.
- Manage the synchronization and federation between your Windows Azure Active Directory and your Windows Server Active Directory from within the Windows Azure Portal.
This is another step in our continuing effort to bring a set of secure, enterprise grade identity and access management capabilities to Windows Azure.
Create and manage user accounts in your Active Directory:
As a Windows Azure Active Directory (AD) administrator, you can now create user accounts. You can assign users to your existing subscriptions and users can create their own new subscriptions. In addition as a Directory administrator you can disable user accounts or reset their passwords from within the Azure management portal.
And of you would expect, when an employee leaves your company, you can delete their user account in Windows Azure AD and have their access to all Azure subscriptions automatically revoked.
Directory administrators can also create user accounts that include company-issued usernames (e.g. firstname.lastname@example.org, instead of email@example.com), or they synchronize organization credentials from their on-premise Windows Server AD. This helps create a clear distinction between work and personal accounts.
Finally we’ve also introduced the beginnings of our role based access controls - specific users can be specified as administrators of Windows Azure AD. The admins will have the ability to modify/add/delete users.
Screen shot: Managing users in Windows Azure AD from within the Windows Azure management portal.
Screen Shot: Global Administrator adding a new domain to their Windows Azure Active Directory. Once this domain is verified, new users can be added in this domain.
Previewing phone based two factor authentication:
We have also released in preview, phone based two factor authentication for users who are Windows Azure Active Directory Global Administrators. This means that you can require a high level of identity assurance when administrators are accessing important assets like the subscriptions you are using to run production applications, Office365 or other Microsoft cloud services that work with Windows Azure AD.
With a simple click, you can enable two factor authentication for these administrators. Admins who are required to use two factor authentication have the option of choosing SMS or voice delivery of their two factor authentication challenge and will be automatically prompted for it whenever they log into your organization’s tenant in Windows Azure.
Screen Shot: Enabling two factor authentication for a user with Global Administrator privileges.
Screen Shot: User is prompted to provide additional information at first login after enabling two factor authentication.
Screen Shot: User configuring their two factor settings
Screen Shot: For subsequent logins to Azure management portal, user receives a verification phone call (or SMS) in addition to username/password
Sync and federate with your on-prem Windows Server Active Directory
With the 3.0 release of the Azure Active Directory extension you can now link your on-prem Windows Server AD and the cloud Windows Azure Active Directory from within the Windows Azure portal.
Following a few simple steps, you can create a synchronization and federation relationship between your on-prem AD and your cloud Windows Azure AD to ensure that as users are added, deleted, or modified on-prem, the changes are automatically replicated to Windows Azure. This greatly reduces the work required to securely manage access to your cloud resources.
Screen Shot: Setting up directory synchronization and federation using the Windows Azure management portal
For this blog post, we’ve also decided to try out something new, a video chalk talk demonstrating the new capabilities we’re introduction. This one was create by Abhishek Matthur, a lead PM in the Active Directory team with help from Steve Plank in the Channel 9 team:
Click here to view the video on Channel 9.
I hope you’ll find these new capabilities useful and valuable. We’re really looking forward to your feedback on them and to delivering more capabilities like this in the near future!
Director of PM, Windows Azure Active Directory
More Resources: https://azure.microsoft.com/en-us/home/features/identity/