Active Directory Moving To The Cloud?

We hear a lot about cloud IAM vendors offering metadirectories or user repositories in the cloud. We predict that in 1-2 years we'll see AD being moved from on-premises installations into cloud-based services. This has the benefit of simpler provisioning, higher availability, and much, much easier support for federation, both into SaaS applications and with business partners. Today the only technical difficulty is the latency of access to AD in the cloud from on-premises applications, but we believe this will be resolved by some type of customer premises equipment (much like the reverse of Symplified's Identity Router today). Moving AD into the cloud will also have a huge impact on reducing the cost of AD management and improving delegated administration by providing easy-to-use web interfaces.


Andras, Nice thought, but


Nice thought, but what happens to MS-RPC, Kerb v5, and CIFS ports and protocols? Will Firewalls need to get more permissive? Or will everything go RPC over HTTP? Thoughts?


SaaS adoption and proxy architectures will help here

I believe these concerns will be alleviated by the following factors:
1.) Companies are already moving to SaaS platforms and infrastructure where file shares or federated access don't require proprietary or heavy protocols.
2.) For infrastructure that cannot move to the cloud, we already see 'concentrators' or 'proxies' or 'customer premise equipment' etc. being part of standard cloud-based IAM offerings for IWA authentication integration. We expect that these pieces of infrastructure will also be used for the above protocols and even for protocol translation.

Title of your blog post a bit misleading ....

Andras -- good blog post, only nit is I think your title may be a bit misleading in that I don't think "Windows Active Directory" as we currently know it will be in the cloud per se, but "Windows Azure Active Directory" is already here today, and supports a different set of protocols (SAML etc.) than what the on-premise AD supports (Kerb etc.). Much like MSFT integrated its on-premise apps (Exchange etc.) into Windows AD, MSFT is no doubt going to integrate its cloud-based properties (Office 365 etc.) into this new AD, and as the link above mentions in the 2nd sentence, MSFT has already integrated Office 365 into Azure AD, and as you scroll down that link it is clear they want other SaaS vendors to tie their apps into the MSFT cloud directory. Whether they can get SaaS vendors to do that integration like they got all Windows ISVs to support AD is a big TBD. So I think (??) the real point of your blog and your first comment is that classic AD is not moving to the cloud, but is being re-built/re-imagined for the cloud, with FIM providing the integration between classic AD and new AD, and that MSFT is quite serious about being a leader in delivering a cloud-based directory that others can build on top of. Which interestingly is not something that Google, Amazon, etc. are currently publicly promoting, and this seems to be a point of differentiation for MSFT. Thanks, Tom

Impact on Risks to Active Directory Security

Hello Andras, you've made some good points about the benefits of moving Active Directory to the cloud, but I wanted to know what the impact of moving to the cloud would be on risks to Active Directory security.

On one of the technical forums I'm on, there's an interesting discussion on Active Directory security risks, and I just thought I'd ask you about the impact on risks to Active Directory when moving to the cloud.

I look forward to your thoughts Andras.