I have been working with a company over the last year, trying to help them pass a security audit. At some point I asked the question: so how many identities do you have to manage? The answer was just 2: an Active Directory user and a Linux user. Hmm, OK, doesn’t sound too bad. Within about 10 minutes that had grown to 6 usernames and passwords for every user, and 5 more for some users and departments.
But it’s not a problem, because the username and password are stored by the app in question, so our users don’t technically need to “manage” this identity. So what happens if my laptop needs replacing for whatever reason? What about the usernames and passwords then? Oh, yes, that’s a bit painful.
Almost every company in the world uses Microsoft Active Directory as a local directory service for creating and managing users and passwords. In an effort to facilitate Single Sign-On (SSO), Microsoft and others have built applications that essentially sync one directory with another. The net effect was that I could log into my domain, then go to other non-trusted domains or standalone systems and use my one username and password.
This all worked fine when we were just talking about the on-premises environment, or where we created VPNs to partner locations, but it does not work or scale for globally dispersed public SaaS models like Office 365, Salesforce or Workday.
You do not need to be migrating to Exchange Online to use Azure Active Directory (AAD); it can be deployed and used for:
Active Directory started out life in Windows 2000, when the world was a different place. The remote worker was a dream, and work centred around the corporate office. Today we are using more cloud-based resources, from ServiceNow to Workday, to Dropbox to Office 365. In a world where authentication only happened on-premises, this cloud and mobile world would find it very hard to verify a user’s identity and then keep it secure.
AAD is the identity bridge that allows you to use a single login to access your corporate and public resources, and have each authentication request filtered through some pretty amazing behavioural profiling technologies that can apply conditional access and MFA security protection.
I recorded a YouTube video on AAD that explores the use cases in a bit more detail.