This document is relevant to both Azure Active Directory B2C and Active Directory Federation Services (ADFS), as both of these Microsoft offerings provide authentication and authorization services to cloud applications.
Not Reinventing the Wheel
Whenever news breaks of a security breach, an examination of the underlying cause usually points to an implementation that either relied on a flawed code library or reimplemented an existing standard from scratch. I have always been of the opinion that reinventing the wheel is how a better wheel gets invented, but where security is concerned, going with the latest peer-reviewed systems is the way to go.
You are Paying for it Anyway
- Office 365: If your organization is using Office 365, your organization is already an Azure Active Directory tenant. Single sign-on (SSO) capability and re-use of the existing Identity as a Service (IDaaS) infrastructure can be extended to your enterprise applications in the cloud.
- Microsoft Azure: If your Azure-hosted cloud applications manage user identities internally, you are already paying for the weight of that subsystem; by delegating that functionality to Azure AD, your identity management costs are separated from the rest of your cloud applications' operational costs.
- Other Hosting Providers: Every hosting provider has costs associated with bandwidth-heavy subsystems; delegating identity management to Azure AD can lighten that load, and may cost less in the long run.
- Windows Server Active Directory: If your enterprise already has on-premises WSAD infrastructure, extending it to the cloud (through ADFS) is possible. The power to instantly block users is preserved, along with the added security of password hashes never being stored in the cloud. Additionally, multi-factor authentication becomes an option.
Things go Wrong
"If anything can go wrong, it will go wrong"
Things go Right
"If life gives you lemons, make lemonade"
What do you do if you don't get lemons? Millions of sign-ups. High customer retention. Low customer attrition.
Everything Changes
Staying Lightweight
Staying Heavyweight
If your enterprise is (by necessity) locked down and strictly on-premises, internal use of ADFS (to expose WSAD to your internal applications) allows you to develop those applications against the standard interfaces (such as OAuth 2.0) that are already familiar in the cloud. This makes it possible to use existing code libraries and plugins that streamline development, make your internal applications behave in a more familiar manner, and make them easier to migrate to the cloud later.