In the previous post about identity management, I noted how the growing use of enterprise SaaS apps means IT needs to be proactive about how all of these apps are used and managed. Considering that there are often over 300 SaaS apps in use within an average organization (Box, salesforce.com, Office 365, etc.), a centralized management solution is critical to productivity.
As I mentioned in last week’s post, Azure Active Directory (AAD) allows you to sync with the on-prem Windows Server Active Directory using DirSync combined with either Active Directory Federation Services (ADFS), or, alternatively, with password hash sync. What I think is really interesting about this is with AAD you can now extend your investments in AD to the cloud as well as all the SaaS apps your organization will be using.
Right now you may be asking yourself this question: “What does it mean to extend Active Directory to the cloud and to the SaaS apps that your organization will be using?” Think of it like this: Consider the way your organization has used AD for the last decade plus. AD is the identity and access engine that is used around the world to manage access to corporate resources, i.e. data and apps. Once one of your users has authenticated to AD, they can access all the data and apps to which they’ve been granted access. The user never knows (or sees) that the apps and data are coming from lots of different servers across the enterprise because AD is managing the access and giving the user a single-sign-on experience.
For the IT Pro this is all automated. The AD user identity is created once and then that identity is used across all the resources in a domain or forest. I am sure many of you remember the NT 4 Domain days where you had to create the user account many, many times. And that was just half of the problem! Now, when a user leaves an organization an admin using AD just takes a single action to delete the identity that is used for enterprise-wide resource access. In the old NT 4 Domain days, you had to manually delete every one of the user accounts (and let’s be honest – it was nearly impossible to know every place a user account existed to delete it).
AD also had a big impact on the developers in an organization – they can use AD as their authoritative identity solution, and the majority of today’s internal Line-of-Business apps have been written to use AD for authentication.
I’ve got to admit, with the proliferation of SaaS apps being used today, it feels a little like the old NT 4 Domain days in a lot of ways. For example, many of these SaaS apps have their own identity solution which puts an incredible burden on IT to manage multiple user accounts – and, of course, that management is only possible if IT even knows what SaaS apps are being used (which isn’t always the case, unfortunately).
This issue is what I really want to focus on in this post: How can you as an IT organization discover all the SaaS apps that are in use within your organization, and how can you then bring those SaaS apps under management?
The first challenge to address is discovery, i.e. how many SaaS apps are being used in your organization, and which SaaS apps they are. If you don’t think this is a huge question, ask yourself: If I were to ask you to guesstimate how many SaaS apps are in use in your organization today, how many would you guess? You’ll be really surprised at the actual number. As discussed before in this series, a big part of the identity management layer I have been talking about in this blog is Azure Active Directory Premium (which is a key element of the Enterprise Mobility Suite).
Cloud App Discovery runs an agent on your PCs (easy to deploy through SCCM or Intune) that collects SaaS app usage data from throughout your infrastructure and returns a report on that usage.
It has been really interesting to be a part of this feature’s development. Previously, whenever we asked customers about their SaaS apps usage we’d hear guesses of, “Umm, probably about 30 SaaS apps, give or take.” Once we started showing them the results of the Cloud App Discovery tool, we found that the average organization is using more than 300 SaaS apps.
Talk about an eye-opening experience!
A lot of people reading this post are thinking, “Well, there is no way I have that many SaaS or cloud apps in my infrastructure.” As is so often the case, there’s a really big difference between perception and reality. Here’s the good news: If you want to find out what’s really running in your infrastructure, you can try the AAD Cloud App Discovery module now!
Included above (and below) are a couple of screen shots of what the Cloud App Discovery looks like. I encourage everyone to check this out as soon as you can – you’ll be surprised by what you find. You can use the Cloud App Discovery tool here.
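To make the discovery idea concrete, here is an added example (not Microsoft’s code and not how Cloud App Discovery works internally) that approximates it with a script: it aggregates constructed web-proxy log lines by destination host against a constructed catalog of known SaaS domains, reporting users and request counts per app and bucketing external hosts it does not recognize as unknown cloud apps.

```python
# Added example (not Microsoft's code): approximating SaaS app discovery by
# aggregating web-proxy log lines by destination host. The log lines and the
# domain-to-app catalog below are constructed for illustration.
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed catalog: which hostnames belong to which SaaS app.
SAAS_CATALOG = {
    "box.com": "Box",
    "salesforce.com": "salesforce.com",
    "office.com": "Office 365",
    "sharepoint.com": "Office 365",
}

# Constructed proxy log lines: "<timestamp> <user> <url>"
SAMPLE_LOG = """\
2014-07-01T08:01:02 alice https://app.box.com/files/123
2014-07-01T08:02:10 bob https://login.salesforce.com/
2014-07-01T08:03:15 alice https://na1.salesforce.com/home
2014-07-01T08:04:20 carol https://contoso.sharepoint.com/sites/hr
2014-07-01T08:05:30 dave https://www.example-notes.io/api/sync
2014-07-01T08:06:40 alice https://www.example-notes.io/api/sync
2014-07-01T08:07:50 bob https://intranet.corp.local/wiki
"""

def classify_host(host):
    """Map a hostname to a catalog app name, or None if it is not catalogued.
    Matches on every parent suffix, so app.box.com and box.com both hit 'Box'."""
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):
        app = SAAS_CATALOG.get(".".join(labels[i:]))
        if app:
            return app
    return None

def discover(log_text, internal_suffixes=(".local",)):
    """Return {app: {"users": set, "requests": int}} for catalogued SaaS apps
    plus an 'Unknown cloud apps' bucket for external hosts not in the catalog.
    Internal hosts (by suffix) are skipped so they do not inflate the count."""
    report = defaultdict(lambda: {"users": set(), "requests": 0})
    for line in log_text.splitlines():
        _ts, user, url = line.split(maxsplit=2)
        host = urlsplit(url).hostname or ""
        if host.endswith(internal_suffixes):
            continue
        app = classify_host(host) or "Unknown cloud apps"
        report[app]["users"].add(user)
        report[app]["requests"] += 1
    return dict(report)
```

The unknown bucket is the interesting part in practice: it is where the apps IT did not know about show up, and each entry is a candidate to bring under AAD management.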
Visibility is a great start, but to really make an impact you need to bring these SaaS apps under management. We have already done the work to integrate more than 2,000 SaaS apps into AAD Premium. It would take countless hours for you to try and build this from scratch, and now AAD Premium offers this big benefit through EMS. We’re adding new SaaS apps nearly every day, and, as you bring these SaaS apps under management you’ll get an automatic provisioning and de-provisioning solution for each one – just like what AD has been delivering for years in your own datacenter.
You get to go from mystery, to discovery, to management from one simple interface!
In addition to SSO and manageability, AAD Premium also includes some other serious functionality:
- A new version of the DirSync tool that enables a public preview of self-service password reset with write-back to on-prem directories.
- Azure AD Sync, a new sync engine that can synchronize multi-forest, on-prem directories with Azure AD.
- Multi-Factor Authentication IP whitelisting allows companies to specify IP addresses from which MFA is not required (e.g. when a device is on-prem).
- Azure AD Application proxy can be used for publishing on-prem apps to external users.
I encourage everyone to take a look at the huge list of supported SaaS apps here. No matter what industry or scenario you need to support, you can confidently work with Microsoft to deploy and simplify secure access to that solution.
Tools like AAD Premium are a part of the larger Enterprise Mobility Suite, which empowers you to confidently and effectively mobilize your workforce and manage each of those devices. With EMS you can manage both your end-users and their SaaS apps from the same console with the same processes. This is a huge benefit for IT Pros – and it is something that no other mobility vendor can deliver. When you also add the ability to manage on-prem resources with SCCM, as well as the seamless inclusion of Office 365 – Microsoft is empowering IT Pros in a way that simply cannot be duplicated anywhere.
Do not be satisfied with the limited options delivered by other MDM/MAM vendors. They are not delivering any value in protecting at the file layer or at the Identity layer. EMS is unique in its ability to provide protection at the device, app, file and identity layers. And, in typical Microsoft fashion, we are delivering more value at a better price.
To stay up to date with new and upcoming AD and AAD features, check out the Active Directory Team blog.