As part of its Azure cloud service, Microsoft yesterday turned on a “preview”, as it likes to call it, of a new proxy service for identity and access management (I&AM) that lets IT managers set up how users can access selected applications hosted in the internal corporate network or in external cloud services.
Called Azure Active Directory Application Proxy, it’s not yet generally available, but one early adopter that’s been piloting it and offering input to Microsoft on its development says this Microsoft cloud-application proxy requires small changes to DNS servers in the corporate network to direct traffic to Microsoft Azure.
“You authenticate in the cloud first,” says Patrick Wirtz, innovation manager at the Chicago-based construction company, The Walsh Group, who says there can be some advantages in this, especially in terms of mobile-device use and external cloud services. As innovation manager reporting to the CIO, Wirtz’s job has him identifying technologies that might help the construction firm on a strategic level.
This new Azure reverse-proxy service potentially could make Microsoft almost a bulwark that can hide traces of the corporate network, even playing the role of fending off denial-of-service attacks and the like that the corporate network might otherwise first take head-on, according to Wirtz. “This could protect our on-premises infrastructure,” he adds.
Whether the Microsoft Azure data centers are up to that role, or can handle the traffic loads that arise in reverse-proxy services, remains to be seen. But Wirtz says that in the past few months The Walsh Group has piloted the Azure reverse-proxy service, things have gone very smoothly. There’s no need for client agent software. It offers single sign-on controls for corporate and cloud applications as well. He adds that he is running a dual-network arrangement at present that could provide immediate redundancy should the Azure reverse-proxy fail.
Being made available as part of Azure Active Directory Premium Service, the Azure Active Directory Application Proxy is intended to extend Active Directory’s software-as-a-service application management capabilities to on-premises applications, according to Alex Simons, director of product management on the Active Directory team. In his blog yesterday, he notes it gives customers the ability to manage access to internal browser-based applications, such as SharePoint sites, Outlook Web Access and IIS-based applications, using Azure AD. “You can make these apps available in a secure manner to authenticate users through a cloud-based proxy in Azure,” Simons wrote.
Microsoft wasn’t immediately available to comment on the timeframe for general availability, but Wirtz says the current expectation is that the Azure Active Directory Application Proxy service will be generally available within a few months.
There’s still a lot more work to do to add some kinds of authentication-based functionality that’s desirable in an enterprise environment, Wirtz points out. He says he’d like to see multifactor authentication be part of this, as it’s important for controlling access to sensitive information. He says he’d like to see a way to have geo-location-related alerts sent when a suspicious login event occurs from a mobile device being used in an unexpected location, or when two logins occur from vastly different geographic locations at about the same time, suggesting there could be a compromise of some sort.
Shai Kariv, group program manager for the Microsoft Active Directory engineering team in Herzliya, Israel, said in his blog yesterday that Microsoft does plan to add functionality over time.
“As this is only the first preview of our cloud app proxy, it has a basic set of selective publishing capabilities,” Kariv wrote. “We will be working over the next few months to add richer functionality, including pre-authentication for users and registered devices, support for workplace-joined devices, multifactor authentication, and support for specifying the strength and type of authentication required.”