Customers moving to the cloud ask us two questions more than any others:
"What's the best way to connect my on-premises directory to Office 365?"
– and –
"What's the best way to connect my on-premises directory to Azure?"
The answer hinges on the fact that Office 365, Azure and many other Microsoft Cloud Services don't actually connect directly to your on-premises directory. They use Azure AD as their identity system, and it handles all the identity connections with your enterprise and your users. This specialization simplifies connecting to the cloud and means you can use a single connection to access multiple services from Microsoft and 3rd parties.
As a result "How should I connect to Office 365?" (or Azure or CRM Online or PowerBI) is more accurately:
"How should my organization provision identities into Azure AD? And which authentication option should we use?"
Once this is answered, Office365, Azure, Microsoft CRM and PowerBI all "just work". Let's take a look at what the data tells us customers are actually doing.
Provisioning users into Azure AD:
To get started, as of this morning, 4.9M organizations are using Azure AD to manage > 430M identities:
- The majority of the 4.9M are smaller businesses and have < 500 employees.
A subset of the 4.9M organizations are medium/large and have 500 or more employees. Because these organizations are comparatively large, they account for 93% of identities in Azure AD.
- 55% of them are using Azure AD Sync (or its predecessor DirSync) to provision identities in Azure AD.
- 2% of them are using a 3rd party cloud identity service (i.e. Centrify, Okta, OneLogin, etc.) for provisioning.
- Another 2% use a wide variety of home grown and custom provisioning tools.
- The remainder are using one of our portals (Azure or Office365) and PowerShell scripts for provisioning.
Fig 1: How organizations with >500 employees provision users in Azure AD
Authenticating with Azure AD:
If you follow this blog, you know that every day we process > 1 billion authentications and on our busiest days > 2 billion. Azure AD supports a variety of approaches to authentication, but a few of them are much more widely used than the others:
Of these 1B+ daily authentications
- 56% are cloud only and completed directly by Azure AD
- 32% are completed by an ADFS server deployed at a customer site
- 7% are completed using a password that was synced from on-premises using our Password Sync feature
- Just over 1% are completed by syndication partners (i.e. large companies who resell Microsoft services)
- Just under 1% are completed by a 3rd third party federation server (i.e. CA Site Minder, Ping, etc.)
- Just under 1% are completed by a 3rd party identity service (i.e. a company like Centrify, Okta, OneLogin, etc.)
The remaining 1% are completed with a variety of open source and custom solutions.
(Note: These don't sum to 100% due to rounding errors)
Fig 2: Breakdown of how Azure AD Authentications are completed
The numbers tell a clear story. We've designed Azure AD to be open and standards based so as to give our customers access to a wide variety of 3rd party options. However the overwhelming majority of customers find that off-the-shelf AAD provides the best identity solution, eliminating added costs and the need to take dependencies.
For User Provisioning, they use either:
- Azure AD Sync or
- The Office 365 or Azure portals and PowerShell scripts
For authentication they use:
- Azure AD directly
- Active Directory Federation Server (ADFS) or
- The Password Sync feature of Azure AD Sync
We're thrilled to see this and happy to know that we're providing a complete solution that meets the needs of the vast majority of Microsoft's cloud customers!
If you found this blog post interesting/useful, please let me know. And as always, we'd love to receive any feedback or suggestions you have.
Alex Simons (Twitter: @Alex_A_Simons)
Director of PM
Microsoft Identity and Security Services Division