Tag Archives: active directory

Microsoft CEO Satya Nadella introduces Microsoft Office for iPad, talks up Azure Active Directory and Office 365 development

New Microsoft CEO Satya Nadella has announced Office for iPad at an event in San Francisco. Office General Manager Julie White gave a demo of Word, Excel and Powerpoint on Apple’s tablet.


White made a point of the fidelity of Office documents in Microsoft’s app, as opposed to third party viewers.


Excel looks good with a special numeric input tool.


Office will be available immediately – well, from 11.00 Pacific Time today – and will be free for viewing, but require an Office 365 subscription for editing. I am not clear yet how that works out for someone who wants full Office for iPad, but does not want to use Office 365; perhaps they will have to create an account just for that purpose.

There was also a focus on Office 365 single sign-on from any device. This is Azure Active Directory, which has several key characteristics:

1. It is used by every Office 365 account.

2. It can be synchronised and/or federated with Active Directory on-premise. Active Directory handles identity and authentication for a large proportion of businesses, small and large, so this is a big deal.

3. Developers can write apps that use Azure Active Directory for authentication. These can be integrated with SharePoint in Office 365, or hosted on Azure as a separate web destination.

While this is not new, it seems to me significant since new cloud applications can integrate seamlessly with the directory already used by the business.

Microsoft already has some support for this in Visual Studio and elsewhere – check out Cloud Business Apps, for example – but it could do more to surface this and make it easy for developers. Nadella talked about SDK support for iOS and other devices.

Microsoft hardly mentioned Android at the event, even though it has a larger market share than iOS. That may be because of the iPad’s popularity in the enterprise, or does it show reluctance to support the platform of a bitter competitor?

Microsoft is late with Office for iPad; it should perhaps have done this two years ago, but was held back by wanting to keep Office as an exclusive for Windows tablets like Surface, as well as arguments with Apple over whether it should share subscription income (I do not know how that has been resolved).

There was also a brief introduction to the Enterprise Mobility Suite, which builds on existing products including Azure Active Directory, InTune (for device management) and Azure Rights Management to form a complete mobility management suite.

Nadella made a confident performance, Office for iPad looks good.

What is coming up at Build, Microsoft’s developer conference next week? Nadella said that we will hear about innovations in Windows, among other things. Following the difficulties Microsoft has had in marketing Windows 8, this will be watched with interest.

New features in Windows Azure, including web site backup, .NET mobile services

Microsoft has announced new features in Windows Azure, its cloud platform, described by VP Scott Guthrie on his blog.

Aside: I agree with this comment to his post:

Thank you Scott for update. I wish dozens of MS folks and MS representatives would have a clue about Azure roadmap to help businesses plan their release schedules / migration plans. Till that happens, this blog will remain the main source of updates and a hint of roadmap.

The changes are significant. ExpressRoute offers connectivity to Azure without going through the public internet. Currently you have to use an Equinix datacentre, Level 3 cloud connect, or an AT&T MPLS (Multiprotocol Label Switching) VPN. For enterprises that can meet the requirements and who are wary about data passing through the internet, or who want better connectivity, it is an interesting option.

Next up is backup and restore for Azure web sites. Azure web sites are a way of deploying web applications, ranging from free to multi-instance with automatic scaling. You need at least a Standard site for serious use, as I explained here.

Now you can set up scheduled backup for both the web site and a supporting database. The feature is in preview but you can try it now using the Azure web management portal.


I noticed a couple of things. One is that the storage account used must be in the same subscription as the web site. I also spotted this warning:


which states that “frequent backups can increase you database costs by up to 100%”. Still, it is a handy feature.

Azure mobile services, designed to supply data to mobile apps, has been extended to support .NET code (previously you had to use Javascript). If you download the code, notes Guthrie, you find that it is  “simply an ASP.NET Web API project with additional Mobile Service NuGet packages included.”

Mobile Services also have new support for notification hubs and for PhoneGap (a way of building mobile apps using HTML and JavaScript).

Another feature that caught my eye is easy linking of third-party apps to Azure Active Directory (which is also used by Office 365). For example, if you are struggling with SharePoint and its poor clients for Windows, iOS and Android, you might consider using Dropbox for business instead. Now you can integrate Dropbox for Business with your Office 365 user directory by selecting  it from the Azure management portal.


Microsoft opens up Office 365 and Azure single sign-on for developers

Remember Passport and Hailstorm? Well here it comes again, kind-of, but in corporate-friendly form. It is called Windows Azure Active Directory, and is currently in Developer Preview:

Windows Azure AD provides software developers with a user centric cloud service for storing and managing user identities, coupled with a world class, secure & standards based authorization and authentication system. With support for .Net, Java, & PHP it can be used on all the major devices and platforms software developers use today.

The clearest explanation I can find is in John Shewchuk’s post on Reimagining Active Directory for the Social Enterprise. He makes the point that every Office 365 user is signing on to Microsoft’s cloud-hosted Active Directory. And here is the big deal:

The Windows Azure Active Directory SSO capability can be used by any application, from Microsoft or a third party running on any technology base. So if a user is signed in to one application and moves to another, the user doesn’t have to sign in again.

Organisations with on-premise Active Directory can use federation and synchronisation (Shewchuk fudges the distinction) so that you can get a single point of management as well as single sign-on between cloud and internal network.

Is this really new? I posted about Single sign-on from Active Directory to Windows Azure back in December 2010, and in fact I even got this working using my own on-premise AD to sign into an Azure app.

It seems though that Microsoft is working on both simplifying the programming, and adding integration with social networks. Here is where it gets to sound even more Hailstorm-like:

… we will look at enhancements to Windows Azure Active Directory and the programming model that enable developers to more easily create applications that work with consumer-oriented identities, integrate with social networks, and incorporate information in the directory into new application experiences.

Hailstorm failed because few trusted Microsoft to be the identity provider for the Internet. It is curious though: I am not sure that Facebook or Google are more well-trusted today, yet they are both used as identity providers by many third parties, especially Facebook. Spotify, for example, requires Facebook sign-in to create an account (an ugly feature).

Perhaps the key lesson is this. Once people are already hooked into a service, it is relatively easy to get them to extend it to third-parties. It is harder to get people to sign up for an all-encompassing internet identity service from scratch.

This is why Azure Active Directory will work where Hailstorm failed, though within a more limited context since nobody expects Microsoft to dominate today in the way it might have done back in 2001.

Restoring an old Small Business Server 2008 backup: beware expired Active Directory

Seemingly tricky problems sometimes have simple solutions – but you have to find them first.

So it was with this one. I was asked to recover some emails from Small Business Server, from a backup that was about six months old. This SBS runs on Hyper-V using a proven backup system and I decided to restore onto a test system just to recover the emails. All went well until the first boot. The restored SBS went into a reboot cycle. Trying safe mode revealed the error:

STOP: c00002e2 Directory Services could not start because of the following error: A device attached to the system is not functioning. Error Status: 0xc0000001

The suggested fix for this is to boot into Directory Services Restore Mode. In my case this was not possible, because after the first failure the VM booted into Windows Error Recovery mode which does not offer Directory Services Restore Mode. Rather than try to get round this, I simply restored the server again, and took a snapshot before the first boot so I would not have to do so again.

I could now get into Directory Services Restore Mode, though note that you need to log on as .\administrator using the password set when SBS 2008 was installed. I tried some of the steps here with little success. The suggested ntdsutil commands did not work. I had to activate an instance, which by the way is ntds, and then got a message saying the operation failed because the system was in Directory Services Restore Mode and to try rebooting. I knew what the result would be.

In other words, I was getting nowhere. Then I found a user with a similar problem. The reason: Active Directory will not restore if it is older than the “tombstone lifetime”. This is nicely explained here. It is to do replication. Active Directory is designed to replicate between domain controllers, which means it has to keep a record of deleted items. If a particular instance is older than the tombstone lifetime, it could not replicate safely, hence the error message.

Well, kind-of. Note that the error message says, “A device attached to the system is not functioning”. If only it could have said, “Active Directory is too old”, that would have saved some time. Note also that SBS is often the sole domain controller, making the problem irrelevant. Note further that in my case I did not care a jot about replication, since all I needed was some emails.

Still, it gave me an easy solution. Just set the date back in Hyper-V and reboot. Everything worked fine.

In the end it did not cost me too much time, and doing this stuff in Hyper-V while getting on with your work during the slow bits is a lot more fun than when using real systems.

I do find it interesting though how these simple problems can surface as bewildering errors that lead you through a maze of obscure technical documents before you find the simple solution.

Single sign-on from Active Directory to Windows Azure: big feature, still challenging

Microsoft has posted a white paper setting out what you need to do in order to have users who are signed on to a local Windows domain seamlessly use an Azure-hosted application, without having to sign in again.

I think this is a huge feature. Maintaining a single user directory is more secure and more robust than efforts to synchronise a local directory with a cloud-hosted directory, and this is a point of friction when it comes to adopting services such as Google Apps or Salesforce.com. Single sign-on with federated directory services takes that away. As an application developer, you can write code that looks the same as it would for a locally deployed application, but host it on Azure.

There is also a usability issue. Users hate having to sign in multiple times, and hate it even more if they have to maintain separate username/password combinations for different applications (though we all do).

The white paper explains how to use Active Directory Federation Services (ADFS) and Windows Identity Foundation (WIF, part of the .NET Framework) to achieve both single sign-on and access to user data across local network and cloud.


The snag? It is a complex process. The white paper has a walk-through, though to complete it you also need this guide on setting up ADFS and WIF. There are numerous steps, some of which are not obvious. Did you know that “.NET 4.0 has new behavior that, by default, will cause an error condition on a page request that contains a WS-Federation authentication token”?

Of course dealing with complexity is part of the job of a developer or system administrator. Then again, complexity also means more to remember and more to troubleshoot, and less incentive to try it out.

One of the reasons I am enthusiastic about Windows Small Business Server Essentials (codename Aurora) is that it promises to do single sign-on to the cloud in a truly user-friendly manner. According to a briefing I had from SBS technical product manager Michael Leworthy, cloud application vendors will supply “cloud integration modules,” connectors that you install into your SBS to get instant single sign-on integration.

SBS Essentials does run ADFS under the covers, but you will not need a 35-page guide to get it working, or so we are promised. I admit, I have not been able to test this feature yet, and aside from Microsoft’s BPOS/Office 365 I do not know how many online applications will support it.

Still, this is the kind of thing that will get single sign-on with Active Directory widely adopted.

Consider FaceBook Connect. Register your app with Facebook; write a few lines of JavaScript and PHP; and you can achieve the same results: single sign-on and access to user account information. Facebook knows that to get wide adoption for its identity platform it has to be easy to implement.

On Microsoft’s platform, another option is to join your Azure instance to the local domain. This is a feature of Azure Connect, currently in beta.

Are you using ADFS, with Azure or another platform? I would be interested to hear how it is going.