Colleges and universities might assume that their Active Directory knowledge will transfer readily to Azure Active Directory. Unfortunately, this is not the case. Other than the name, it has very little in common with traditional, on-premises Active Directory: it is not a cloud-hosted domain controller, and it does not expose the LDAP, Kerberos and Group Policy machinery that on-premises tooling and skills are built around. Rather, it is a distinct set of cloud identity technologies with its own management model. Organizations should carefully evaluate their readiness prior to deployment. Existing Active Directory knowledge and experience are not readily transferable, and existing tools for on-premises Active Directory may not support Azure Active Directory.

Microsoft supplies some basic tooling for managing users in Azure Active Directory. The most commonly used tooling that Microsoft supplies for provisioning users automatically into Azure Active Directory is based on synchronization from an on-premises Active Directory. While this paradigm works well in corporate environments that are highly centralized, it may not be a good fit for higher education customers, whose needs differ from those of corporate customers in several ways.

The out-of-the-box tools replicate a broad default set of user attributes, and restricting that set is a deliberate configuration step rather than the default behavior. Therefore, higher-ed organizations adopting Azure Active Directory with the default configuration will be replicating personally identifiable information from their private on-premises Active Directory into a Microsoft-hosted, internet-reachable directory. Decisions about what data is stored in on-premises Active Directory, and where that data comes from, were made for the on-premises environment and may no longer be good decisions once that data is replicated to Azure Active Directory. Higher-ed institutions should ensure that they have adequate governance mechanisms in place, including an explicit, reviewed list of the attributes that are allowed to leave the institution, so that none of the information replicated to the cloud is sensitive or violates any policies or legal restrictions.

Higher-ed organizations also tend to be much more decentralized and federated than private organizations. Colleges and universities tend to have several largely autonomous schools and departments, which may have their own self-contained Active Directory environments that are not managed centrally. Microsoft's original synchronization tool supported only a single Active Directory forest; the current Azure AD Connect can synchronize multiple forests, but it still requires one synchronization server with network reachability to every forest, and it requires rules for matching (or deliberately keeping separate) the accounts that the same person holds in different forests. Institutions with existing separate forests will therefore need either to consolidate them into a single institutional forest or to plan that cross-forest matching carefully before they can rely on the Microsoft tools.


In addition to the Microsoft tools, there are third-party tools available that are flexible, powerful, and support a wide variety of deployment scenarios. Organizations that are considering third-party tools should look for the following features:
● Provisioning and de-provisioning of individual users or groups of users, with support for multiple domains and multiple Active Directory forests.
● Transformation and/or masking of attributes prior to provisioning, to preserve usability while protecting sensitive data.
● Support for user repositories other than Active Directory, including third-party databases, flat files, and other sources of user data.
● Support for constrained delegation of administration, allowing individual schools or departments to manage their own users and user attributes.
● Support for end-user self-service and access requests.
● Support for policies and templates, ensuring consistent information quality and formats.
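The governance concern raised earlier (deciding which attributes may leave the institution) and the transformation and masking feature in the list above amount to the same control: a policy step between the user repositories and the cloud directory. The following is an added example of that step, written for this page; it is not code from the article or from any Microsoft or One Identity tool. It maps records from two Active Directory forests and an HR flat file onto one canonical schema, lets only allow-listed attributes through, pseudonymizes or masks the sensitive ones that are still needed, and scans what remains for personally identifiable data that arrived under an innocuous attribute name. All source names, attribute names, sample records, the key and the policy itself are constructed for the example.

```python
"""Attribute allow-listing and masking ahead of cloud provisioning.

Added example, not code from the article or from any vendor tool.
Sources, attribute names, records and the policy are constructed.
"""
import hashlib
import hmac
import re

# Keyed pseudonymization secret. Constructed for the example; in practice it
# lives in a secret store and is rotated with a re-mapping plan.
PSEUDONYM_KEY = b"example-only-key"

# Per-source schema maps: source attribute name -> canonical attribute name.
# This is what lets a second forest or an HR flat file feed the same pipeline.
SCHEMA_MAPS = {
    "forest:central.example.edu": {
        "sAMAccountName": "accountName", "displayName": "displayName",
        "mail": "mail", "department": "department", "employeeID": "employeeId",
        "telephoneNumber": "telephoneNumber", "description": "description",
    },
    "forest:med.example.edu": {
        "sAMAccountName": "accountName", "cn": "displayName", "mail": "mail",
        "ou": "department", "extensionAttribute1": "employeeId",
    },
    "hrcsv:peoplesoft": {
        "login": "accountName", "full_name": "displayName", "email": "mail",
        "dept": "department", "emp_id": "employeeId", "ssn": "ssn",
        "dob": "dateOfBirth",
    },
}


def pseudonymize(value: str) -> str:
    """Stable but non-reversible token: the same input always yields the same
    16-hex-character identifier, so matching still works without the real ID."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def mask_phone(value: str) -> str:
    """Keep only the last four digits, enough for a helpdesk to confirm a number."""
    digits = re.sub(r"\D", "", value)
    return "***-***-" + digits[-4:] if len(digits) >= 4 else "***"


# Allow-list: canonical attribute -> handler (None means copy verbatim).
# Anything not listed here never leaves the institution.
ALLOW_LIST = {
    "accountName": None,
    "displayName": None,
    "mail": None,
    "department": None,
    "employeeId": pseudonymize,
    "telephoneNumber": mask_phone,
}

# Backstop for PII that reaches an allowed attribute under the wrong name
# (a repurposed extensionAttribute, free text in department, and so on).
# Deliberately broad; a hit blocks the record and goes to a human reviewer.
PII_PATTERNS = [
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),          # US SSN shape
    re.compile(r"\b(19|20)\d{2}-\d{2}-\d{2}\b"),   # ISO date, e.g. date of birth
]


def normalize(source: str, record: dict) -> dict:
    """Map a source record onto the canonical schema. Unmapped attributes keep
    their original name so the allow-list can still reject them."""
    schema = SCHEMA_MAPS[source]
    return {schema.get(k, k): v for k, v in record.items()}


def apply_policy(record: dict) -> tuple[dict, list[str], list[str]]:
    """Return (cleared attributes, dropped attribute names, PII findings).
    Raw values are scanned before masking, so a masked field cannot hide a hit."""
    cleared, dropped, findings = {}, [], []
    for attr, value in record.items():
        if attr not in ALLOW_LIST:
            dropped.append(attr)
            continue
        if any(p.search(str(value)) for p in PII_PATTERNS):
            findings.append(attr)
        handler = ALLOW_LIST[attr]
        cleared[attr] = handler(value) if handler else value
    return cleared, sorted(dropped), findings


def provision(source: str, record: dict) -> dict:
    """Full pipeline for one record. Any PII finding blocks the record rather
    than provisioning it silently."""
    cleared, dropped, findings = apply_policy(normalize(source, record))
    return {"ok": not findings, "attributes": cleared if not findings else {},
            "dropped": dropped, "pii_findings": findings}


# Constructed sample records; the last one shows an extension attribute that a
# department repurposed to hold a national ID, which the scan must catch.
SAMPLES = [
    ("forest:central.example.edu", {
        "sAMAccountName": "jdoe", "displayName": "Jane Doe",
        "mail": "jdoe@example.edu", "department": "Physics",
        "employeeID": "100234", "telephoneNumber": "+1 555 867 5309",
        "description": "Visiting scholar", "unixHomeDirectory": "/home/jdoe"}),
    ("forest:med.example.edu", {
        "sAMAccountName": "asmith", "cn": "Alan Smith",
        "mail": "asmith@med.example.edu", "ou": "Radiology",
        "extensionAttribute1": "100235"}),
    ("hrcsv:peoplesoft", {
        "login": "bwong", "full_name": "Bea Wong", "email": "bwong@example.edu",
        "dept": "Registrar", "emp_id": "100236", "ssn": "123-45-6789",
        "dob": "1990-04-01"}),
    ("forest:med.example.edu", {
        "sAMAccountName": "clee", "cn": "Chris Lee", "mail": "clee@med.example.edu",
        "ou": "Oncology", "extensionAttribute1": "987-65-4321"}),
]

if __name__ == "__main__":
    for src, rec in SAMPLES:
        result = provision(src, rec)
        print(src, "OK" if result["ok"] else "BLOCKED", result)
```

The point of the fourth sample is that an allow-list by attribute name is necessary but not sufficient: the schema map pulls the repurposed extension attribute in as `employeeId`, which is allowed, and only the content scan stops it. In a real deployment the blocked records and the dropped-attribute lists are what the governance owner reviews, and the allow-list itself is the artifact that policy and legal sign off on.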

Azure Active Directory offers new advantages and opportunities to higher education organizations. However, its management and support models differ significantly from those of traditional on-premises Active Directory. Organizations adopting Azure Active Directory should carefully review their existing Active Directory management, ensuring that adequate governance is in place over what is replicated to the cloud and who may administer it. Finally, organizations should strongly consider third-party management tools to augment the free tools available from Microsoft.

About the Author:

Todd Peterson is a long-standing security evangelist and currently manages product marketing for One Identity solutions. With more than 20 years of experience in security software, Todd has deep expertise developing go-to-market messages for security-, IAM- and compliance-related topics, including his authorship of numerous white papers, tech briefs and articles. Within One Identity and among customers, Todd is the “face of IAM” and is highly regarded for both his thought leadership and ability to make complex technical topics easy to understand for One Identity sales teams and prospective clients. Todd has a BA in Communications/Advertising from Brigham Young University.
