Microsoft has released a preview of new group management capabilities for Windows Azure Active Directory (AD), further narrowing the features gap between the on-premise and cloud-based implementations of the company’s user-management technology platform.
“Admins can now add, delete and manage the membership of security groups directly in Windows Azure AD in the cloud,” Alex Simons, director of program management for Microsoft Active Directory, wrote in a blog post. The preview, as expected, allows “directory administrators [to] create security groups they can use to manage access to applications and to resources, such as SharePoint sites.”
A “future release” of Windows Azure AD will include mail-enabled groups for Exchange, Simons wrote.
In a step-by-step walk-through, Active Director senior product manager Jeff Staiman detailed the new Windows Azure Active Directory Group Management options, which are accessible in the Windows Azure Management Portal. The preview, according to Staiman, enables AD administrators to:
1. Create or delete new security groups in Windows Azure Active Directory, and manage membership in these groups. These groups can be used to control access to resources, such as a SharePoint site in Office 365.
2. See groups in your Windows Azure AD that were synchronized from your local Active Directory, or created in Office 365. The management of these groups remains in your local Active Directory or in Office 365; these groups can’t be updated in the Windows Azure Management Portal.
3. Assign access for a group to a software-as-a-service (SaaS) application if you’re using Windows Azure AD Premium.
The new Windows Azure AD management options offer visibility into groups sourced from local Active Directory deployments or Office 365, provided that directory synchronization is configured.
As indicated by Staiman, local Active Directory management rights don’t transfer to Azure, meaning that administrators will be required to log in to their on-premise environments to make changes. Likewise, Office 365 distribution groups and mail-enabled security groups, while visible in Windows Azure AD, “must continue to be managed in the Exchange Admin Center,” Staiman said.
Microsoft is streamlining cloud application user management with new Windows Azure AD Premium features. “One of the cool features of Windows Azure AD Premium is the ability to use groups to assign access to a SaaS application that’s integrated with Windows Azure AD,” Staiman said.
The time-saving option allows administrators to assign cloud apps to entire departments, for example, and automatically configure or revoke access to apps when employees transition into or out of groups. “This capability can be used with hundreds of applications that you can add from within the Windows Azure AD Application Gallery,” said Staiman.
Microsoft has more Windows Azure AD group management capabilities in the works. Staiman said his company is working on enabling “administrators to create and manage nested groups in the Windows Azure Management Portal” and let them “see and manage the groups in which a particular user is a member.” Finally, his team is working on ways to allow “end users to create and manage their own groups,” he added.