First look: Windows Azure Active Directory preview

Our analyst suggests giving this Microsoft release for app developers a pass. Here's why.

Page 2 of 3

There is a huge restriction right now on how useful this service is: DirSync is one-way only, from on-premises to the cloud. If you were to, say, create a new user on your Office 365 cloud system, that user's information would never find its way down to your local directory.

Equally frustrating, the users you may already have created on your cloud tenant AD instance won't propagate down to your local directory, even upon first connection.

This process is essentially the same as using the directory synchronization tool in Office 365, something I've done with success four times now on domains of various sizes ranging from 10 users to 122 users. Users and groups (and memberships thereon) were transferred as expected within a few hours. It's best to expect the process to take up to 36 hours to allow for a full initial synchronization, especially for a large domain.

Office 365 admin portal
The Office 365 Administration Portal, shown here, is where you set up an instance of Windows Azure Active Directory at this time.

The authentication process works as you would expect it would for a federated configuration -- the ADFS2 instance running locally handles all credential authentication, so no passwords make their way up to the cloud. The system sends only tokens that give a green light to certain operations based upon who the user is and what actions he or she is authorized to take.

Once everything is up and running, you'll find that there are four main ways to interact with your cloud-based AD instance.

  1. DirSync. This aforementioned tool brings up the users and groups from an on-premises AD instance. It doesn't do anything else, and it works in one direction.
  2. The Office 365 Service Administration Portal. This Web-based management tool lets you create, manage and remove users, groups and Office 365 service licenses. This manages your cloud AD instance only.
  3. The PowerShell cmdlets for Office 365. This is the preferred and (for this preview release, at least) the only full-featured way of managing the directory. These cmdlets will allow you to read and write anything in the cloud AD instance. These are extensively documented in the online help guide for Office 365.
  4. The Graph API. New to the developer preview, the Graph API allows you to read a portion of the entries in WAAD, including users, groups, role memberships, subscription information, details about the company (tenant) overall and some of the relationships that provide the glue to bring all those pieces together. The Graph API is read-only; it is not a way to create or update information. But it can certainly be useful for organizational purposes, for applications that base access levels on hierarchy, and for similar uses.
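The one-way nature of DirSync and the PowerShell-only management story above have a practical consequence for administrators: anything created directly in the tenant (through the portal or the cmdlets) is invisible to the on-premises directory, so it has to be inventoried from the cloud side. The following script is an added example, not from the article or from Microsoft; it assumes the Office 365 PowerShell cmdlets (the MSOnline module) are installed and that you hold a tenant administrator credential. It only reads the directory: it confirms that DirSync is running, checks which domains are federated (so credentials stay on the local ADFS2 instance), and then separates objects that came up through DirSync from cloud-only objects that will never propagate down.

```powershell
# Added example (not from the article or from Microsoft): inventory a Windows Azure AD
# tenant with the Office 365 PowerShell cmdlets (MSOnline module). Assumes the module
# is installed and $cred is a tenant administrator account. Nothing here writes to
# the directory; every cmdlet used is a Get-* or Connect-* call.

Import-Module MSOnline
$cred = Get-Credential            # prompt for the tenant administrator account
Connect-MsolService -Credential $cred

# 1. Is directory synchronization enabled for this tenant, and when did it last run?
#    A stale LastDirSyncTime means on-premises changes are not reaching the cloud.
$company = Get-MsolCompanyInformation
"DirSync enabled : $($company.DirectorySynchronizationEnabled)"
"Last DirSync run: $($company.LastDirSyncTime)"

# 2. Which domains are federated? Only federated domains send authentication back to
#    the local ADFS2 instance; a 'Managed' domain authenticates passwords in the cloud.
Get-MsolDomain | Select-Object Name, Authentication, Status | Format-Table -AutoSize

# 3. Objects that came up from on-premises AD carry a LastDirSyncTime. Objects created
#    in the cloud (portal or cmdlets) never have one, and DirSync will not push them
#    down, so the on-premises directory does not know they exist.
$allUsers  = @(Get-MsolUser -All)
$synced    = @($allUsers | Where-Object { $_.LastDirSyncTime -ne $null })
$cloudOnly = @($allUsers | Where-Object { $_.LastDirSyncTime -eq $null })

"Users synced from on-premises: $($synced.Count)"
"Cloud-only users             : $($cloudOnly.Count)"

# Cloud-only accounts are the ones to review, since any auditing built around the
# on-premises directory will never see them.
$cloudOnly |
    Select-Object UserPrincipalName, DisplayName, IsLicensed, WhenCreated |
    Sort-Object WhenCreated |
    Format-Table -AutoSize

# 4. The same split for groups.
$cloudOnlyGroups = @(Get-MsolGroup -All | Where-Object { $_.LastDirSyncTime -eq $null })
"Cloud-only groups            : $($cloudOnlyGroups.Count)"
$cloudOnlyGroups | Select-Object DisplayName, GroupType | Format-Table -AutoSize
```

Run it from a PowerShell session after installing the Office 365 cmdlets; because DirSync is one-way, the cloud-only lists it produces are the authoritative record of those objects, and re-running the script after each synchronization window is a cheap way to spot accounts that appeared in the tenant without passing through the on-premises directory.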

What we don't know yet

As WAAD is only in a developer preview release as of early August, there are a lot of unanswered questions. The current preview is geared toward software developers building Windows Azure-based applications that will consume and interact with identity information. As such, there are not a lot of bells and whistles for the average IT administrator yet. Among the concerns and unknowns are the following:

What will the graphical user interface for managing WAAD look like? Right now, since it's still early days in the product's lifecycle, IT users can administer the service only via remote sessions of PowerShell; there's not yet a GUI.

PowerShell command environment
The PowerShell command environment is the primary method, so far, for managing Windows Azure Active Directory instances.

Microsoft promises that a GUI will be included with a future preview release, but one wonders whether that GUI will be full-featured or will cover only the most commonly used aspects of WAAD. One also wonders whether customers will have to drop down to PowerShell cmdlets, and abandon the GUI completely, for advanced administration and federation.
