Concerning Microsoft Azure Active Directory

Microsoft's Azure has moved forward in recent months with a clutch of upgrades and new feature releases. Microsoft is also expanding Azure's worldwide presence, and with the Australian Azure data centre launched in October most continents have a local presence now. This is great for IT staff who are either already on Azure or …

  1. Ben Rose


    Should this kind of content be labelled "this is an advertisement"?

    All I can see is Azure advertising and daily articles about Azure. Clearly there is a marketing push going on, maybe the odd bit of corporate lunch here and there?

    This kind of stuff is what makes me read other sites a lot these days. I know you scribes need to make a living but if this content is sponsored, shouldn't we get a bit more transparency?

    1. erikj

      Re: Advertorial?

      The last paragraph aside, I thought the piece was informative (uncharacteristically for El Reg). But it does lack balance -- no negative aspects to report? Really?

      1. This post has been deleted by its author

      2. AdamFowler_IT

        Re: Advertorial?

        I'll take that as a compliment :) it's hard to pick faults in a cloud based add-on to single sign on, but I'd say the biggest consideration is security. If someone knows your AD account, they can now access a bunch of third party sites. That should help a push for better password management including more complex passwords, and hopefully reduce password sharing.

        You're welcome to have a look and point out any big negatives... I couldn't find any that aren't stretches (e.g. not every cloud based app in the world is supported yet?).

        It's a value add and easy to do.

        1. Pascal Monett Silver badge

          point out any big negatives

          Um, how about Azure being unavailable for extended periods twice since last August?

          Not so impressive in my view. Neither is the fact that MS is apparently only promising 99.9% uptime, so three nines and not five. MS knows that a truly resilient and robust system can offer the famed five nines of uptime availability, yet it doesn't even mention it. Not a good point for something that is supposed to allow companies to have their apps and data online.

          Or is the five nines so last millennium now?

          1. breakfast Silver badge

            Re: point out any big negatives

            That is less than nine hours per year of downtime - come to think of it I think the big outage last month broke that - but the neat thing is that the agreements are set up so if they fail to meet that target you're going to be lucky to claw back fifty pence and a red button.

        2. Anonymous Coward

          Re: Advertorial?

          "You're welcome to have a look and point out any big negatives... I couldn't find any that aren't stretches"

          Wow, The Register really is lacking skills in the evaluating technology department. I'm a consultant that has been working in the identity space for 15 years. I've worked with Oracle, CA, IBM, Microsoft on-premises systems and in the past year spent a lot of time on behalf of my clients to research and evaluate cloud identity systems.

          There are about 10 viable solutions on the market. All are still fairly new to really delivering what enterprises need and Azure AD is very late to the game. I have friends who work at Microsoft, and people were asking for 3-4 years where was the cloud version of AD? Although they are now moving quickly, they still have some serious issues.

          The first big problem is their use of aging software to connect AD to the cloud. Dirsync/AADSync and FIM are all heavy, bloated systems that they should've just got rid of. They are poorly designed for cloud identity synchronization. Other vendors (Ping, OneLogin, Okta) all have much better architectures in this regard.

          That aside, their catalog of integrations with cloud services is weak. It will improve, but they barely just do provisioning for 10 or so cloud services. Their competitors are 5x this number. I'm sure Microsoft will catch up, but they are not leading right now.

          Their integration with Phonefactor for MFA is poor. They acquired Phonefactor 2 years ago, and it's still not very well integrated. Reporting is separate, many administrative controls are in a totally different interface to the main Azure portal. This makes my job as a consultant/admin a real pain.

          End user experience is terrible. Try loading their MyApp on your iPhone and get the user to work with it. They've just injected the web version of their user portal directly into a phone app wrapper with zero optimization for the platform. In many cases I saw my customers' users struggling to even read the text on the screen, never mind actually interact with the UI.

          End user customization is also poor. They can't change the order of the UI, they can't add their own personal apps (i.e. many of my clients' users want to add their own Facebook to their portal). It looks like an intern put it together; I'm sure it will improve, simply because Microsoft customers will demand better quality.

          There are also some painfully poor solutions for things like self service group management and password reset when you are in a hybrid mode. I had one customer try and use self service groups, but there are missing pieces that are critical to administration. For example, being able to look at the owners of groups that were created by end users, or being able to scope group creation to a subset of users.

          I've not gone into some of the finer points about how their directory is a true globally unique system. i.e. would be a unique identity across the ENTIRE Azure AD platform. This presents huge problems from an identity management perspective when you need to create an identity with a username that may already exist somewhere else in the global cloud system. To a true identity management architect, that presents a lot of problems. My customer might want to create an account for a partner, but it's not their account, it's just a representation I store and a place where I can add my own unique attributes for that identity.

          Overall I'm sure a lot of this will change in the coming year. Microsoft will improve the service bit by bit and it may well end up a decent system. But they are years behind the competition at the moment. Go look at someone like Okta or OneLogin. They have much more feature-rich solutions and they have the advantage that they could build a solution from scratch and design for the cloud from the ground up. Sound familiar? A start-up which had the chance to get a 3-4 year head start on Microsoft and build a solution from a totally new perspective without being hampered by existing legacy on-premises solutions they were either forced to use or at least maintain. Microsoft is a serious player here, but they are going to have to do a lot better and improve their current v1 solution to seriously win over customers.

          1. AdamFowler_IT

            Re: Advertorial?

            I think the intro to the article made it clear what I was testing and the scope.

            This isn't a product comparison article, nor does it get into the nitty gritty of all scenarios and real world strengths and weaknesses.

            Dirsync/AADSync didn't seem bloated to me in its install or what it did, but I also didn't test 10,000+ users or inspect packets.

            It's an intro article for people to know what it is, and go off to find more and do their own testing... there's never a 'one size fits all' answer in IT.

  2. dan1980

    Looks interesting but here is the place where MS just keep losing me:

    "Basic and premium editions will require a chat with your enterprise agreement licenser."

    Why? This is 'cloud' - I want simple, I want a price structure that is easy to understand and sell, I want drop down boxes and radio buttons and I want to go from "hmmm, I'll provision a server" to "I've provisioned a server" in less time than it takes to think it through rationally once, let alone stop for a second thought.

    I am SICK of Microsoft licensing being so complex that I have to "speak to my local reseller". I am a fucking reseller and I don't understand the half of it. Our "partner" doesn't either and I am thankful I have a good relationship with someone rather senior and experienced (a 'lifer') in the licensing team, otherwise I'd be at a loss.

    Hell, at one point I was deploying a bunch of MS systems and e-mailed the appropriate people and found out exactly what was needed, license-wise, for the particular scenario. About a month after implementing it, I went back to MS to ask if they could audit the deployment and confirm that it was licensed correctly (I just wasn't confident I'd received the right information), as per their original assertions.

    MS doesn't do this directly, of course - they have a third party. They ran their tools* and, long story short (see below if you have any doubt how much of a palaver this was) it was wrong, then wrong, then wrong some more.

    This is not directly relevant, of course, but the point is that MS need to get their act together with licensing or they run a very real risk of being utterly left behind. Make it good value and make it simple to understand. If you're telling someone that they need to speak to a licensing specialist then you have failed in one of the key areas where 'cloud' succeeds - getting money signed off quickly and easily without going through layers of crap.

    That aside, what if I don't have an "enterprise agreement licenser"? Sure, your company might, but what if you and your business unit are doing this specifically to go outside of the 'gatekeepers'? Sure, as IT guys we might frown on that, but as a company that is SELLING this, Microsoft should make it as easy as possible to buy.

    And how do I find out if I need the paid-for version or not? Say I want 'groups'. If I search, I find the following MSDN blog says that groups are a "free feature" but then implies that if I want to actually use those groups to apply permissions, through the "group-based application access feature", then I need to pay. So what can I use 'groups' for in the free version?


    * - To be truthful, we had to run them - they just told us where to download them and find the instructions. "Send us the reports," they said. Well, the tools only installed on some of the instances because the tool they had directed us to wasn't tested on the current editions of the software we were running. So they directed us to a new version. Which was notably different and for which they didn't have instructions or anyone who could assist us in configuring it. Then of course there was a conflict between the older versions of the tool and the newer, meaning we had to uninstall (about as fun as AV uninstalls) the old version and go fresh with the new version across the whole lot - running mismatched versions is not supported, you understand. So, after basically TEACHING them how the tool worked, we provided the reports. Then we (of course) find that this tool only covers about 1/2 of the licensing and we need to manually audit the rest. That all done, it would surprise no one at all to learn that we were apparently out by tens of thousands of dollars in licensing. Fixing some issues via more manual auditing (the software was très stupid) we revised the number down quite significantly but still 5 figures.

    That having taken a whole month, we reached out to more senior people (lesson learned) and found that not only were we not in breach, we were actually OVER licensed, because we had been told that a given feature had to be licensed for every user on a server regardless of actual usage. It was only if we configured it in a very specific way (which we had never indicated we would) that would require the licensing originally specified.

    So yeah - Microsoft licensing. Try some BYOD and VDI some day.
