Why is Active Directory Federation so critical to businesses?

As a Certified Cloud Security Professional (CCSP), one of the most common cloud services that I encounter across both the consumer and business worlds is the Microsoft Office 365 suite of services.  It is classed as a Software-as-a-Service and it provides a graphically driven user-interface that enables businesses to send emails, collaborate, create and share intellectual property both within their organisation and with their key external partners.  Here is a quick overview of the services.

Now, if you've happily signed up to a simple home plan, you'll likely only have access to the Office Pro Plus Apps, which we have all known and loved for years.  Apps such as Excel, PowerPoint, Word etc…  But if you're running a business with say 100+ users, you'll probably already using the Office 365 Enterprise E1 subscription, which includes the Pro Plus Apps, plus the suite of cloud services.  These cloud services will likely include Email, Contacts, SharePoint and many others, including Azure Active Directory.

​The diagram below shows a screenshot of a lesser known service called Delve:

This is a great illustration of how Microsoft is innovating by allowing users to intuitively view and find data that they have access to, that may have been shared by colleagues.  The Active Directory federation keeps all the data in a single synchronised entity , which allows services such as Delve to work efficiently and present a single source of truth to the end-user. 

This means if you're using an existing on-premise Active Directory service, with your servers housed in a data centre, or possibly in your small office, and are now using Office 365 services, you now have two Active Directories to worry about.  This means your users are already logging into your company Active Directory to gain access to their files in your office, and then having to login again to gain access to the Office 365 resources.

This is where directory federation, in this case Active Directory federation, adds huge value to end-users.  By federating the two Active Directories together, you create a single logical security entity that provides huge user-experience benefits:

• Users only need to sign-in once and they can access resources that reside on the company on-premise servers as well as the Office 365 services and resources in the cloud.
• All the contact information that is stored in your on-premise directory is replicated to the cloud and kept in sync, so there is still only a single source of truth for information.
• Because you have integrated not only Office 365 services, but also Microsoft Azure services, you now open up the entire Azure platform for end-user business development enablement.

This diagram below shows some of the complexity of the federation process, which is hidden from the end-user:

For example if you now wish to add Multi-Factor authentication (MFA) as a second security step when users are logging in, it is straight forward to integrate the Azure MFA with your Azure Active Directory, resulting in a 2nd step in the process that requires users to click accept on the Azure MFA app on their phones.  The Azure MFA is easy to download and install and simply requires the user to establish their identity, the first time they use it.

​Paul Colmer is a lead digital architect and cloud instructor for ALC training and consulting:  ​www.alctraining.com.au/courses/cloud-computing/