Monday, February 15, 2016

Identity : The Microsoft landscape

I get asked a lot about this.
  • What is the stack?
  • What are the pieces?
  • How do they fit together?
There doesn’t seem to be a short, compact overview about this.

So in the spirit of the Github admin who when I ask “Is this feature available and if not when”? replies “Send me a PR”, here goes:

A very short summary – you could write a book on each :-)

In no particular order:


Active Directory Domain Controller

The heart of Microsoft on-premises Identity.

It stores users, groups, group policy, printers etc.

Authentication is via Kerberos or NTLM.

In the same domain, IWA can be used if the browser is configured correctly.


Active Directory Lightweight Directory Server - aka ADAM.

Provides ability to store application specific attributes.

Can have many instances on a server, each with a different schema.

Not domain centric.

With ADFS 4.0 (Server 2016) can be used for authentication - ADFS : Authenticating with LDAP.


Active Directory Federation Services.


Sits on top of AD. 

Provides WS-Fed / SAML 2.0 / OAuth2 (Server 2016) federation functionality.

Authentication is via WS-Fed or SAML 2 or OAuth.

Has claims rules to manipulate the claims. 

ADFS 4.0 (Server 2016) will support OpenID Connect and OAuth 2.0.

ADFS 4.0 (Server 2016) will authenticate against v3 LDAP or SQL Server.

Has DRS capability to allow devices to be “domain joined”.

Supports IWA.

Can federate with other IDP e.g. OpenAM, Ping Federate, shibboleth, simpleSAMLphp etc.

ADFS 2.0 was a separate download. From then on is a server role and part of the base server.


Web Application Proxy.


A proxy for ADFS.

Allows ADFS to sit behind a firewall.

Functionality is being added to make it closer to what TMG provided.

Azure AD

Azure Active Directory.

NOT AD in the cloud.

You can think of it as combining AD and ADFS functionality.

Graph based (not LDAP). Supports users and groups only.

Windows 10 devices can be added via “AD Join”.

Has three levels viz. Free / Basic / Premium. Comparison here  Azure Active Directory editions

Claims collection is hard-coded.

Has outbound SCIM support.

Azure AD Connect

Utility to sync. configured AD attributes from AD to Azure AD. 

This provides Same Sign On. Adding ADFS provides Single Sign On.

Was previously called DirSync.

Azure AD Application Proxy

WAP in the cloud.

Azure AD Domain Services

AD DC in the cloud.

Authentication is via Kerberos or NTLM.

Azure B2C

Business to Consumer.

Allows external user management - registration, SSPR, social logins

Azure B2B

Business to Business

Automated way to provision users so they can authenticate across tenants.

B2B vs. B2C - Comparing capabilities for managing external identities using Azure Active Directory.

Azure Access Panel

Allows end-users to launch their apps and access the self-service features that allow them to manage their apps and group memberships.  


Access Control Service

The "old" way to connect to social logins - superseded by B2C.

Azure MFA

Multi Factor Authentication.

Easily integrated with Azure applications or on-premises via agent in conjunction with ADFS.

Azure AD Connect Health

Helps monitor and gain insight into on-premises identity infrastructure and the synchronization services.

Monitoring capabilities for key identity components e.g. ADFS, Azure AD Connect, AD DC etc.

Makes the key data points about these components easily accessible, making it easy to get usage and other important insights.

Azure AD Identity Protection 

Helps prevent the use of compromised accounts using industry leading machine learning (ML) based real time detection and automated mitigation.

Helps protect all of the cloud and on-premises applications customers use with Azure AD.

Can auto-remediate by intercepting the request with an adaptive MFA challenge such as an SMS, phone call, push notification or a request for OATH token.

Azure AD PIM

Privileged Identity Management.

Discovery and control of who has administration rights where and when.

Microsoft Advanced Threat Analytics

Detects suspicious user and entry activity, known malicious attacks and security issues.

Cloud App Discovery

Helps IT departments learn which SaaS apps are being used throughout the organization.

Can measure app usage and popularity so that IT can determine which apps will benefit the most from being brought under IT control and being integrated with Azure AD.

Azure SaaS Market Place 

Aka Gallery - Active Directory Marketplace.

Instantly configure popular SaaS cloud applications on Azure AD for SSO and easier user account management.


WIF / OWIN / ADAL : Identity Libraries: Status


Windows Identity Foundation.

Provides WS-Fed client protocol support for .NET applications.

Can be passive (browser) or active (WCF).

Older technology.

Capability provided by web.config configuration.

WIF 1.0 (3.5) is a separate download. WIF 4.5 is part of the framework.


Open Web Interface for .NET.

Replaces WIF.

Provides WS-Fed / SAML 2.0  / OpenID Connect / OAuth 2.0 client protocol support for .NET applications.

NuGet packages here:
Capability provided by code.

Can be used for web applications or web API.

.NET Core 1.0 support for OpenID Connect / OAuth 2.0.

Aimed at Azure AD / ADFS with hybrid mode – not a general purpose stack.


Active Directory Authentication Library.

OpenID Connect / OAuth 2.0 client protocol support for native devices.

API so underlying protocol could be changed at some future point.

Libraries for JavaScript, Java, PHP etc.

Capability provided by code.

Aimed at Azure AD / ADFS with hybrid mode – not a general purpose stack.


Microsoft  Authentication Library - V2 API.

Unified library that helps to develop applications that work with Microsoft Accounts, Azure AD accounts and Azure AD B2C users indifferently – all in a single, streamlined programming model.

Targets the "converged model" i.e. Microsoft Accounts and "Work or School" Accounts combined.

"Successor" to ADAL with the important proviso that it will not work with ADFS and the original Azure AD V1 API.

Microsoft Graph

Was Office 365 Unified API / Graph API.

Exposes multiple APIs from Microsoft cloud services through a single REST API endpoint (


Microsoft Identity Manager.

Used to be FIM.

Synchronizes identities between directories, databases and applications.

Self-service password, group and certificate management.


No comments: