Active Directory heads to the cloud: What it does and doesn't do

Two new Microsoft services make Windows Azure a serious competitor to Amazon Web Services

Windows Azure has evolved steadily since its release in spring 2010: its pricing is now fairer, and useful third-party add-ons are available in the Windows Azure Store. Today, Windows Azure can be used not only in the development and testing environments for which it was originally geared, but in production enterprise environments as well.

Two new services that make Azure ready for production enterprise environments are Windows Azure Infrastructure Services and Windows Azure Active Directory. They provide a good excuse to take a second look at using Azure instead of Amazon Web Services.


Windows Azure Infrastructure Services helps you move existing apps and infrastructure to the cloud. For example, if you have an on-premises VM on Hyper-V as a .vhd file, you can use this tool to move that .vhd to the cloud. Or if you have a VMware VM, you can convert it for use on Azure and upload it. You can also build your own images or choose from preconfigured ones, such as a SharePoint Server farm or SQL Server support.

When you use Azure for more than isolated dev and test instances, you can extend your on-premises Active Directory to the cloud with Windows Azure Active Directory, connecting it to servers running on Azure or bridging the gap to Office 365. You create a hybrid Active Directory forest with domain controllers both on premises and in the cloud, so you can sync identities and authenticate users across both.

IT admins have long extended Active Directory to external data centers; extending it to Azure is the new development. Just make sure you have DNS and VPN connectivity between your on-premises and cloud-based networks.
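The two prerequisites above are easy to state and easy to get wrong, so here is a PowerShell pre-flight check a Windows admin could run from an Azure-hosted server before promoting a domain controller there. This is an added example, not code from the original column or from Microsoft; the forest name corp.example is a placeholder, the port list is the minimum an AD replication partner needs, and it assumes Windows Server 2012 or later for Resolve-DnsName and Test-NetConnection plus the ActiveDirectory RSAT module for the final replication check.

```powershell
# Added example (not from the original column). Pre-flight checks run from an
# Azure-hosted server before, and once more after, promoting a cloud DC.
# Assumes the on-premises forest is "corp.example" (placeholder) and that the
# site-to-site VPN between the two networks is already up.
param(
    [string]$DomainName = "corp.example"   # placeholder forest name
)

# 1. DNS: the cloud network must resolve the DC locator SRV record for the
#    on-premises domain. If this lookup fails, domain join, Kerberos and
#    replication all fail too.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction Stop
$dcHosts = $srv | Where-Object { $_.Type -eq "SRV" } |
    Select-Object -ExpandProperty NameTarget -Unique
if (-not $dcHosts) { throw "No DC locator records found for $DomainName" }
Write-Host "Domain controllers advertised in DNS: $($dcHosts -join ', ')"

# 2. VPN/firewall: every advertised DC must be reachable on the ports that
#    authentication and replication use. 88 (Kerberos), 135 (RPC endpoint
#    mapper), 389 (LDAP) and 445 (SMB) are the minimum worth testing; RPC
#    replication also needs the dynamic high-port range open between sites.
$ports = 88, 135, 389, 445
$results = foreach ($dc in $dcHosts) {
    foreach ($p in $ports) {
        $t = Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ DC = $dc; Port = $p; Open = $t.TcpTestSucceeded }
    }
}
$results | Format-Table -AutoSize
$blocked = $results | Where-Object { -not $_.Open }
if ($blocked) {
    Write-Warning "Blocked paths above will break replication; fix VPN routes or firewall rules before promoting the cloud DC."
}

# 3. After promotion: confirm the cloud DC has on-premises replication partners
#    and that the last replication attempt with each of them succeeded.
if (Get-Module -ListAvailable ActiveDirectory) {
    Import-Module ActiveDirectory
    Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -ErrorAction SilentlyContinue |
        Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult |
        Format-Table -AutoSize
}
```

Run step 1 and 2 from the cloud VM before promotion; a single blocked port in the table is enough to leave the new DC unable to replicate, which is the usual cause of a hybrid forest that "joins fine" but never sees password changes made on the other side.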

However, some on-premises Active Directory features, such as the widely used Group Policy, are not available in Azure Active Directory. Currently, Access Control Services is the only supported way to federate identities between Azure Active Directory and on-premises Active Directory, as well as with other established identity providers such as Google and Facebook. The limited feature set in Azure Active Directory leaves room for third-party assistance.

The lack of parity between on-premises Active Directory and Azure Active Directory might lead you to believe that Microsoft isn't serious about Azure or that its innovation is slowing -- fellow InfoWorld columnist David Linthicum certainly nurses that fear. Although I have concerns about the recent Microsoft reorg for the same reasons as another InfoWorld columnist, Woody Leonhard, I am not worried about Azure or the new Cloud and Enterprise Engineering group at Microsoft, which is in the capable hands of proven Microsoft cloud veteran Satya Nadella.

Although Microsoft wasn't the first to the cloud computing market, it may be the last man standing when the smoke clears, especially with such a huge part of the enterprise population already running Active Directory in-house and now having the ability to extend Active Directory to the cloud for identity management and servers.

This story, "Active Directory heads to the cloud: What it does and doesn't do," was originally published at InfoWorld. Read more of J. Peter Bruzzese's Enterprise Windows blog there for the latest developments in Windows.

Copyright © 2013 IDG Communications, Inc.