Skip to main content
Microsoft 365
Subscribe
4 min read

How organizations are connecting their on-premises identities to Azure AD

By

Howdy folks,

If you follow the blog, you know that we support a wide array of options for connecting an on-premises directory or IAM solution to Azure AD. In fact no one in the industry gives customers as many options as we do.

So it’s not surprising that one of the questions customers ask me the most is which one I would recommend. I’m always a bit hesitant to give an answer. Over the last 6+ years working in the identity industry, I’ve learned that every organization is different and has different goals and requirements in terms of speed of deployment, security posture, ability to invest, network architecture, corporate culture, compliance requirements and work environment. That’s one of the reasons why we’ve invested in giving you options, so you can choose the one that best suits your needs. (That doesn’t mean I don’t have an opinion of course – if it was my organization, I’d definitely want to use our new Pass Through Authentication capabilities and Azure AD Connect Sync.  They are both fast to deploy and low cost to maintain. But hey, that’s just one person’s opinion!)

Rather than spend a bunch of time worrying about what I or anyone else would recommend, how about we just look at what customers are actually using? That strikes me as the best place to start.

Azure AD Momentum

I want to start by sharing some numbers about the overall use of Azure AD so you have the context for the deeper numbers below. For Azure AD overall, we continue to see strong growth in organizations using our basic cloud-based identity services and accelerating growth of Azure AD Premium.

The trend I’m the most excited about is the incredible growth in the use of Azure AD with third-party applications. With over 300k third-party applications in use every month, we’re seeing tons of organizations turn to Azure AD as their preferred cloud identity platform.

Synching users to Azure AD

Most Azure AD tenants are small organizations that don’t synchronize an on-premises AD to Azure AD. Larger organizations almost always sync, and those that do represent >50% of the 950M user accounts in Azure AD.

Here’s the latest data on how organizations synchronize users to Azure AD:

  • >180K tenants sync their on-premises Windows Server Active Directory to Azure AD .
  • >170K tenants use Azure AD Connect to do so.
  • A small number of customers use other solutions:
    • 7% use our legacy DirSync or Azure AD Sync tools.
    • 1.9% use Microsoft Identity Manager or Forefront Identity Manager.
    • <1% use a custom or third-party solution.
How organizations sync users into Azure AD

Fig 1: How organizations sync users into Azure AD

Authenticating with Azure AD

The last time I blogged about authentications, the data I shared was based on authentication volumes. Your feedback to me was that this made the numbers difficult to put in context and that you were more interested in active user numbers. So, for this update I’ll share numbers based on Monthly Active Users (MAU).

As of Oct 31, there were just over 152M Monthly Active Users of Azure AD. Of those active users:

  • 55% authenticated using a federation product or service.
  • 24% authenticate with Password Hash Sync.
  • 21% are cloud only users.
  • Azure AD Pass-Through Authentication, which went GA only one month ago, already has over half a million Monthly Active Users and that number is growing at 50% per month!

Diving deeper, here’s some more interesting data:

  • 46% of all active users are authenticating with AD Federation Services.
  • Just over 2% of all active users are authenticating using Ping Federate. Ping is the fastest growing and most popular third-party option.
  • 2% of all active users are authenticating using a third-party IDaaS service like Centrify, Okta or OneAuth.
  • 1% of all active users are authenticating using a third-party Federation Server other than Ping Federate.
Breakdown of monthly authentication

Fig 2: Breakdown of monthly authentication

Key Conclusions

This is some pretty interesting data and highlights a few trends:

  1. Azure AD Connect has become the standard way to synchronize between Windows Server AD and Azure AD. Over 90 percent of synching tenants now use it.
  2. Azure AD Password Hash Sync has become a very popular option for our customers with tens of millions of monthly active users.
  3. As larger and larger enterprises have started using Azure AD, Ping Federate has become an increasingly popular option. Our partnership with Ping has really paid off for these large customers.
  4. Despite all the press coverage and market hype, other IDaaS vendors remain a very small part of the Azure AD/Office365 business.
  5. Our new Pass Through Authentication option, which only GA’d a month ago is off to a good start with >500,000 MAU already! If current trends hold, sometime in the next six months to a year, it will be used by more unique users than all the other IDaaS vendors combined.

Summary

Just like last time, these numbers tell a pretty clear story. We’ve designed Azure AD to be open and standards-based so our customers can use a wide variety of third-party options. However, the majority of customers find that our “off the shelf” identity solutions meet their needs. And this number continues to grow.

Additionally, the data also shows that the level of simplicity we’ve delivered with Azure AD Connect is having a big impact. The solution is being widely adopted and is far and away the fastest growing option for connecting Windows Server AD and Azure AD/Office 365.

Hopefully you found this blog post interesting and useful! As always, we’d love to receive any feedback or suggestions you have.

Best regards,

Alex Simons (Twitter: @Alex_A_Simons)

Director of Program Management

Microsoft Identity Division

Related Posts