For instance, we are a B2B software vendor in the banking space, and we have to survive all kinds of audits regarding the nature of our code & vendors. By keeping nearly all of our 3rd party items under the Microsoft umbrella, we can automagically skip over vast chunks of our due diligence process (according to the mutual trust equation).
None of our customers is F500 (so far), but we have yet to encounter one who didn't already have AAD, or a willingness to set this up. From a product development perspective, we really prefer having a few known-good ways to do things. Authentication & authorization is one area that I strongly dislike having a large variety of flavors on. Especially considering the nature of our business and ever-increasing demands for complex MFA flows (e.g. SAML). There have been so many fly-by-night operations in this space, and our customers do not have patience for trying new things.
83.4% of 500 is exactly 417. The article is also exact about these numbers. No need to add "around".
Edit: Why was the title editorialized to begin with?
Edit2: looks like the title was updated to the original. Thanks.
"If the title contains a gratuitous number or number + adjective, we'd appreciate it if you'd crop it. E.g. translate "10 Ways To Do X" to "How To Do X," and "14 Amazing Ys" to "Ys." Exception: when the number is meaningful, e.g. "The 5 Platonic Solids."
Otherwise please use the original title, unless it is misleading or linkbait; don't editorialize."
This is directly against the guidelines and how article titles should be submitted. Editorialization of titles is heavily discouraged and here it even says something the article doesn't. Not at all a nitpick imho.
That is a big assumption though. A very well known big-four with two letters uses, for instance, [letters]gs.com ("Global Services").
85% of big businesses are on the one you don't support.
"Results for the Fortune 500 [to see who's on Azure AD using a] CSV with a list of all the Company Names for all 500 companies. Running it through this script, I find that 417, or 83.4% of companies have AAD, which is just a little off from Microsoft’s public claim of 85%."
https://www.shawntabrizi.com/aad/does-company-x-have-an-azur...
See also this top comment: https://news.ycombinator.com/item?id=33046968
Here's the perspective from the outside: M$ has billions of lines of code, or more, and they just keep patching their software. They established their way of doing things years ago with DOS and have built on top of that since. That's how the entire industry has done it, but since M$ got so big they can't just refactor things and drop support without a billion people yelling at them, so they keep the old code and just keep patching.
They have so many people banging on their software that most of the failures are caught pretty quickly, but then there are the edge cases that don't fit into daily business activity and M$ gets pwned in that space. Their software is so vast that it doesn't cover their entire decision tree, so on the edges people begin to play around and find things not covered by testing. They might be complicated exploits that tie many things together, but it's not beyond the general public to find them with a little digging. This opens up a full exploit on M$ systems or infrastructure, then they get around to patching it a month or two later.
From the perspective of a CISO this is unacceptable. I prefer my auth software to be explicitly precise.
This might sound crazy to someone who is in an industry where "everyone is doing it", and there appears to be no other way to integrate but with M$. I'll let you know we both feel the same way because it's crazy to use (and pay for) such slovenly designed software.
sso integration when interacting with a fortune 500 will be a minuscule aspect of the arrangement should you get there. an f500 does not simply decide to use your product and do an sso integration et voila. they want a compliance regiment, a custom crafted legal arrangement, risk assessment, probably an onprem discussion, if you’re small enough a straight out purchase discussion. months if not years of negotiation. basically the sso button is the least of your concerns.
If you want to be used by business users in a hurry, be under their p-card limit and support their SSO out of the box.
It has similar functionality integrated for discovering if a domain has an associated Azure AD Tenant and enumerating information about users in the tenant, who the "Owner" is and their contact information. As with many Microsoft products there are many configuration options and plenty of them aren't secure by default.
[0] https://o365blog.com/aadinternals/ [1] https://o365blog.com/post/just-looking/
For Google Workspace, a similar URL is: https://www.google.com/a/example.com/ServiceLogin
Could an Okta have a claim against Microsoft similar to Netscape in the late 90's?
Sometimes even within one company, there are multiple 2FA protocols, e.g. using Oracle single sign on for ERP apps but Okta for Citrix and other external facing apps.
Clearly, authenticating via Azure and also Okta would not be single sign on.
Why would you do that?
Absolutely nothing came of Microsoft bundling IE with Windows in the 90s in the US. There was never a day since IE came bundled with Windows that it wasn't bundled with Windows. There was never a browser choice initiative - nothing.
Out of all of the anti trust allegations, bundling was the nothingburger. MS was forced to stop making OEMs pay for licenses for all of their PCs whether or not they came with Windows, and they were forcing OEMs to not include Netscape, share APIs, and document file formats.
Microsoft Office (bundling) has been a thing since 1990 and today, every single major company bundles products together - Apple, Amazon (Prime), Microsoft, Google, Adobe, Salesforce (SFDC and Concur), etc.
Next up: no, “cable was not ad free when it was introduced”
Add in the dominance of Office and Microsoft's presumed dominance of mobile once that became ubiquitous and a lot of people were looking for any lever to use against the company. All this activity probably made Microsoft back off a bit in some areas and likely tarnished its aura of inevitability a bit--but it's not entirely clear that it made much difference in the end. (And there were certainly people at the time arguing that the Microsoft winning over all narrative was deeply flawed.)
Has anyone else sometimes avoided a cloud service because the pricing was opaque?
And much easier to script too. ;)
They have a commanding position in the enterprise. What’s keeping them from crossing those enterprise boundaries?
These days, a consumer + biz page login page can look like this:
https://www.xsplit.com/user/auth
There's almost no good reason to require emails/password rather than let users use their preferred IdP.
I think the reason it's less common is simply that indie devs assume everyone uses free Google Workspaces. This year we're seeing more Microsoft Logins. Perhaps one reason is that now Google Workspaces is no longer free and startups are realizing they can get actual Office with actual apps at the same $6 to $12 per user cost. Then in turn, supporting that login.
I've gotten career advice several times to get a GMail instead, because Microsoft was considered out of date and backward (not so much anymore).
Plus, if this works as well as it does with the "corporate" AzureAD, it would be a better experience for users. Just "log on with your Windows account".
Not saying that's necessarily a good thing, mind. Only that I expect support to broaden.
Microsoft is the only company I deal with where I cannot reliably authenticate. I wish they'd just stop trying to run consumer accounts.
Facebook and Google provide "Sign-in with Facebook/Google account" not because they do it out of goodwill, to only make it "easier" or "smoother" to login -- it obviously cost resources on their end to enable such features -- it helps them better identify users and then serve ads. And Google can be really aggressive -- try reddit or Quora.
Apple, on the other hand, tries to sell "login with Apple account" with a different approach: they advertise the "privacy" part of it and how you can hide your email address by using its sign-in service. And they have a term where login with Apple must be enabled on an app and website if a company has an app on the app store and it supports any other third-party login. In other words, if Reddit supports login with Google on iPhone, it must also support login with Apple ID. This helped the adoption a lot.
For Microsoft, they are relatively late and small in the ad business (for now) so I guess they don't really care about getting more of your information via sign-in services. And they are not on this privacy bandwagon as Apple does. So they really have no incentive for this.
One cannot get an e-mail address without a phone. One cannot get a phone without a credit check. A credit check requires a social security number.
Well... https://techcommunity.microsoft.com/t5/azure-storage-blog/pu... :-)
Some companies use a different domain for corporate use than their public domain name.
Like fb.com
One thing to note about these results is that when we get a result that says the company has a tenant, we are nearly 100% correct in that fact. However, if we say that a company does not have a tenant, we are not necessarily correct. It is possible that the google result did not point to their actual domain name, or they are using a different domain name for their AAD Tenant.
If you wanted to do this really robustly, you would probably want to get a better source for your domain names than automated google search results. You might want to also look at other combinations like “companyname.onmicrosoft.com”, however we are doing just rough estimates here.
So if AD were to be compromised, that would be significant impact.
There are of course advantages to such a "single point of failure" such as concerted effort in one place. But one way to mitigate the spof is transparency, and I'm reminded of LastPass versus Bitwarden.
All 365 accounts get created in AAD. And your user has access to the portal even. https://aad.portal.azure.com/
There's actually a number of products under the Azure AD name, including:
* Azure AD, their employee/workforce solution. It's a directory, authentication and authorization system. Think Okta or AWS SSO. I imagine this is mostly what the survey was tracking.
* Azure AD B2C, their CIAM solution. Think Auth0, Cognito or FusionAuth (disclosure, I'm a FusionAuth employee).
* Azure AD EI, external identity management (users outside your org).
* Azure AD DS, domain services (older Windows focused services). This subsumes a lot of what Active Directory provided.
And they say AWS has a hard time with naming :).
You can learn more about each of these here: https://azure.microsoft.com/en-us/products/active-directory/ (click on the "AAD" dropdown).
honestly though, Azure's naming strategies do exactly what they say. AWS uses names that are adjacent or completely random (fargate?). i don't even think cognito is a word in english language[0]
Connecting git with an internal AD/LDAP allows for not requiring Azure AD.
Azure AD is just Microsoft's version of that directory. The thing is if you use for example Exchange Online, or even just like Microsoft Office licensing, you've now got Azure AD where the users have accounts. Then I see businesses spend a fortune to integrate Okta or similar products that don't actually add anything given how feature full Azure AD is at this point.
Azure Active Directory is the cloud version of Active Directory. It has some extra features compared to on prem AD (MFA, SSO with 3rd party apps...) but the whole endpoint management part was moved to another product (Microsoft Endpoint Manager).
The reason so many companies have an AAD tenant is it is set up automatically when you configure Microsoft 365.
[1] https://en.wikipedia.org/wiki/Lightweight_Directory_Access_P...
Interesting (to me) is that the OpenID configuration endpoint provides the tenant ID for not only Commercial tenants but US Government (GCC & GCC-High) as well because the Azure AD portal has relatively new functionality to configure cross-tenant access settings by tenant ID or domain name but Gov tenants require you to obtain the tenant ID from the organization which is either security through obscurity or due to use of some Commercial-only Graph API call.
Which is just something like (using slack.com as an example):
https://login.microsoftonline.com/slack.com/.well-known/open...
More urls here: https://o365blog.com/post/just-looking/
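An added example, not code from the article or from any commenter in this thread, showing how the per-domain discovery URL named above can be used to answer "does this domain have an Azure AD tenant?" and to extract the tenant ID. It also applies the article's own caveat (quoted earlier in the thread) that a negative result for the public domain is not conclusive, by falling back to the default companyname.onmicrosoft.com name. Assumptions: the sample JSON bodies are constructed for offline use; the made-up GUID, the exact wording of the error body and the left-most-label guess for "companyname" are all assumptions, and only the HTTP status plus the `error` and `issuer` fields are relied on.

```python
import json
import re
import urllib.error
import urllib.request
from typing import Callable, Optional, Tuple

LOGIN_BASE = "https://login.microsoftonline.com"

# Issuer formats in the discovery document: v2 endpoints use
# login.microsoftonline.com/<tenant-guid>/v2.0, v1 uses sts.windows.net/<tenant-guid>/
TENANT_ID_RE = re.compile(
    r"^https://(?:login\.microsoftonline\.com|sts\.windows\.net)/"
    r"([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/",
    re.IGNORECASE,
)


def discovery_url(domain: str) -> str:
    """The per-domain OpenID Connect discovery URL named in the thread."""
    return f"{LOGIN_BASE}/{domain}/.well-known/openid-configuration"


def candidate_domains(domain: str) -> list:
    """A 'no tenant' answer for the public domain is not conclusive, so also
    try the default <label>.onmicrosoft.com name. Taking the left-most label
    as 'companyname' is a guess (assumption), not a rule."""
    cands = [domain]
    onms = f"{domain.split('.')[0]}.onmicrosoft.com"
    if onms != domain:
        cands.append(onms)
    return cands


def tenant_id_from_config(body: str) -> Optional[str]:
    """Pull the tenant GUID out of the 'issuer' of a discovery document."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(doc, dict):
        return None
    m = TENANT_ID_RE.match(str(doc.get("issuer", "")))
    return m.group(1).lower() if m else None


def http_get(url: str) -> Tuple[int, str]:
    """Live fetch (not exercised offline). An unknown tenant comes back as
    HTTP 400 with a JSON error body, so the body is read on error too."""
    req = urllib.request.Request(url, headers={"User-Agent": "tenant-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def find_tenant(domain: str,
                fetch: Callable[[str], Tuple[int, str]] = http_get) -> dict:
    """Try each candidate name and stop at the first that resolves.
    status: 'present', 'absent' (every candidate answered invalid_tenant)
    or 'unknown' (throttling, network trouble, unexpected body)."""
    result = {"domain": domain, "tenant_id": None, "matched": None,
              "region_scope": None, "status": "absent"}
    for cand in candidate_domains(domain):
        code, body = fetch(discovery_url(cand))
        if code == 200:
            tid = tenant_id_from_config(body)
            if tid:
                doc = json.loads(body)
                result.update(tenant_id=tid, matched=cand, status="present",
                              region_scope=doc.get("tenant_region_scope"))
                return result
            result["status"] = "unknown"
            continue
        try:
            err = json.loads(body).get("error")
        except (json.JSONDecodeError, AttributeError):
            err = None
        if not (code == 400 and err == "invalid_tenant"):
            result["status"] = "unknown"  # a hiccup is not 'no tenant'
    return result


# Constructed sample responses for offline use (GUID and wording made up).
SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_RESPONSES = {
    discovery_url("example.com"): (400, json.dumps({
        "error": "invalid_tenant",
        "error_description": "AADSTS90002: Tenant 'example.com' not found.",
    })),
    discovery_url("example.onmicrosoft.com"): (200, json.dumps({
        "issuer": f"https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
        "tenant_region_scope": "NA",
    })),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    return SAMPLE_RESPONSES.get(url, (404, "not found"))


if __name__ == "__main__":
    print(find_tenant("example.com", fetch=fake_fetch))
    # live check against a real domain: print(find_tenant("slack.com"))
```

The three-way status matters when running this over a list of hundreds of names: a 429 or a transient failure must land in "unknown" rather than be counted as "no tenant", otherwise the false-negative problem the article already warns about gets worse. The `tenant_region_scope` field, when present, is what separates commercial from government tenants in the discovery document.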
I bet some of this use is free promo credits.
https://learn.microsoft.com/en-us/azure/active-directory/fun...
Also, SAML as a spec is really complex precisely because it was created to satisfy a broad range of Enterprise-y requirements. I don't know if OpenID Connect is there yet. It certainly could be, the underlying spec (oauth2) could support a lot of variant complexity, and OIDC supports mobile and there are lot of extensions available or in progress. https://openid.net/developers/specs/
- Apple One
- Microsoft Office
- Amazon Prime
- Google GSuite
- Adobe Creative Cloud
- Salesforce bundling SFDC with Concur
So it's difficult (ask me how I know) for someone who knows way too much about this stuff and has implemented it themselves, to explain to "leadership" why they should change that default.