Windows Azure: Active Directory Release, New Backup Service + Web Site Monitoring and Log Improvements

Today we released some great enhancements to Windows Azure. These new capabilities include:

  • Active Directory: General Availability release of Windows Azure AD – it is now ready for production use!
  • Backup Service: New Service that enables secure offsite backups of Windows Servers in the cloud
  • Web Sites: Monitoring and Diagnostic Enhancements

All of these improvements are now available to start using immediately (note: some services are still in preview). Below are more details on them:

Active Directory: Announcing the General Availability release

I’m excited to announce the General Availability (GA) release of Windows Azure Active Directory!  This means it is ready for production use.

All Windows Azure customers can now easily create and use a Windows Azure Active Directory to manage identities and security for their apps and organizations.  Best of all, this support is available for free (there is no charge to create a directory, populate it with users, or write apps against it).

Creating a New Active Directory

All Windows Azure customers (including those that manage their Windows Azure accounts using Microsoft ID) can now create a new directory by clicking the “Active Directory” tab on the left hand side of the Windows Azure Management Portal, and then by clicking the “Create your directory” link within it:


Clicking the “Create Your Directory” link above will prompt you to specify a few directory settings – including a temporary domain name to use for your directory (you can then later DNS map any custom domain you want to it – for example:


When you click the “Ok” button, Windows Azure will provision a new Active Directory for you in the cloud.  Within a few seconds you’ll then have a cloud-hosted Directory deployed that you can use to manage identities and security permissions for your apps and organization:


Managing Users within the Directory

Once a directory is created, you can drill into it to manage and populate new users:


You can choose to maintain a “cloud only” directory that lives and is managed entirely within Windows Azure.  Alternatively, if you already have a Windows Server Active Directory deployment in your on-premises environment you can set it up to federate or directory sync with a Windows Azure Active Directory you are hosting in the cloud.  Once you do this, anytime you add or remove a user within your on-premises Active Directory deployment, the change is immediately reflected as well in the cloud.  This is really great for enterprises and organizations that want to have a single place to manage user security.

Clicking the “Directory Integration” tab within the Windows Azure Management Portal provides instructions and steps on how to enable this:


Enabling Apps

Starting with today’s release, we are also greatly simplifying the workflow involved to grant and revoke directory access permissions to applications.  This makes it much easier to build secure web or mobile applications that are deployed in the cloud, and which support single-sign-on (SSO) with your enterprise Active Directory.

You can enable an app to have SSO and/or richer directory permissions by clicking the new “Integrated Apps” tab within a directory you manage:


Clicking the “Add an App” link will then walk you through a quick wizard that you can use to enable SSO and/or grant directory permissions to an app:


Programmatic Integration

Windows Azure Active Directory supports several of the most widely used authentication and authorization protocols.  You can find more details about the protocols we support here.

Today’s general availability release includes production support for SAML 2.0 – which can be used to enable Single Sign-On/Sign-out support from any web or mobile application to Windows Azure Active Directory.  SAML is particularly popular with enterprise applications and is an open standard supported by all languages + operating systems + frameworks. 

Today’s release of Windows Azure Active Directory also includes production support of the Windows Azure Active Directory Graph – which provides programmatic access to a directory using REST API endpoints.  You can learn more about how to use the Windows Azure Active Directory Graph here.

In the next few days we are also going to enable a preview of OAuth 2.0/OpenID support which will also enable Single Sign-On/Sign-out support from any web or mobile application to Windows Azure Active Directory.

For a more detailed discussion of the new Active Directory support released today, read Alex Simons’ post on the Active Directory blog.  Also review the Windows Azure Active Directory documentation on MSDN and the following tutorials on the website.

Windows Azure Backup: Enables secure offsite backups of Windows Servers in the cloud

Today’s Windows Azure update also includes the preview of some great new services that make it really easy to enable backup and recovery protection with Windows Server.

With the new Windows Azure Backup service, we are adding support to enable offsite backup protection for Windows Server 2008 R2 SP1 and Windows Server 2012, Windows Server 2012 Essentials, and System Center Data Protection Manager 2012 SP1 to Windows Azure. You can manage cloud backups using the familiar backup tools that administrators already use on these servers - and these tools now provide similar experiences for configuring, monitoring, and recovering backups be it to local disk or Windows Azure Storage. After data is backed up to the cloud, authorized users can easily recover backups to any server. And because incremental backups are supported, only changes to files are transferred to the cloud. This helps ensure efficient use of storage, reduced bandwidth consumption, and point-in-time recovery of multiple versions of the data. Configurable data retention policies, data compression, encryption and data transfer throttling also offer you added flexibility and help boost efficiency.

Managing your Backups in the Cloud

To get started, you first need to sign up for the Windows Azure Backup preview.

Then login to the Windows Azure Management Portal, click the New button, choose the Recovery Services category and then create a Backup Vault:


Once the backup vault is created you’ll be presented with a simple tutorial that will help guide you on how to register your Windows Servers with it:


Once the servers are registered, you can use the appropriate local management interface (such as the Microsoft Management Console snap-in, System Center Data Protection Manager Console, or Windows Server Essentials Dashboard) to configure the scheduled backups and to optionally initiate recoveries. You can follow these tutorials for these:

Within the Windows Azure Management Portal, you can drill into a backup value and click the SERVERS tab to see which Windows Servers have been configured to use it.  You can also click the PROTECTED ITEMS tab to view the items that have been backed up from the servers,

Web Sites: Monitoring and Diagnostics Improvements

Today’s Windows Azure update also includes a bunch of new monitoring and diagnostic capabilities for Windows Azure Web Sites.  This includes the ability to easily turn on/off tracing and store trace + log information in log files that can be easily retrieved via FTP or streamed to developer machines (enabling developers to see it in real-time – which can be super useful when you are trying to debug an issue and the app is deployed remotely).  The streaming support allows you to monitor the “tail” of your log files – so that you only retrieve content appended to them – which makes it especially useful when you clicking want to check something out without having to download the full set of logs.

The new tracing support integrates very nicely with .NET’s System.Diagnostics library as well as ASP.NET’s built-in tracing functionality.  It also works with other languages and frameworks.  The real-time streaming tools are cross platform and work with Windows, Mac and Linux dev machines.


Read Scott Hanselman’s awesome tutorial and blog post that covers how to take advantage of this new functionality.  It is very, very slick.

Other Cool Things

In addition to the features above, there are several other really nice improvements added with today’s release. These include:

  • HDInsight: We launched our new HDInsight Hadoop Service 3 weeks ago.  Today’s update adds the ability to see diagnostic metrics for your HDInsight services in the Windows Azure Management Portal (they are surfaced in the dashboard view now – just like every other service).  This makes it really easy to monitor the number of active map and reduce tasks your service currently is processing.
  • Operation Logs: The Windows Azure operation audit logs (which you can view by clicking the “Settings” tab on the left of the Windows Azure Management Portal) now shows the user account name who performed each operation on the account.  This makes it much easier to track who did what on your services.
  • Media Services: You can now choose from a wider variety of presets when encoding video content with the portal. 
  • Virtual Machines: We have increased the default OS disk size for new VMs that are created, and now allow you to specify the default user name for the VM.


The above features are now available to start using immediately (note: some of the services are still in preview).  If you don’t already have a Windows Azure account, you can sign-up for a free trial and start using them today.  Visit the Windows Azure Developer Center to learn more about how to build apps with it!

Hope this helps,


P.S. In addition to blogging, I am also now using Twitter for quick updates and to share links. Follow me at:


  • Scott,

    Thanks for the knowledge sharing and screen shots!

  • Great news!
    I have an AD linked to my Office 365 subscription. I have an Azure application which uses that AD for access control. Office 365 and Azure are completely separate accounts (due to their age, both were separate sign ups).
    Is there some way to amalgamate the two accounts, so I can use a single sign on for both (at the moment it's Org Id for 365 and Microsoft Account for Azure)? Similarly, persuading the Office 365 AD to be visible in the Azure management portal would be a bonus.
    Can it be done?

  • Hi Steve,

    Great to see the platform develop so rapidly.
    Could you say something about the pricing model of the online backup possibility of azure VM? Furthermore a GA date for azure VM would be great. thanks.

    Keep up the good work.

  • Super cool.

    P.S. I really really really want SSL certs for azure websites.

  • Why is Azure backup so much more expensive than just Azure Storage?

  • This is a great update.
    Super excited about Windows Azure AD. Great work on getting here.

    FYI: I wonder if all WA announcements can be channeled via a single WA blog? For all WA, I currently monitor

  • So every time I try and create a Directory, I get an error "Please try again. If the problem persists, contact support." has this been turned live?

  • Great to see the speed at which you guys are adding features however gotta say I am also a bit disappointed with the backup pricing. Think I'll be going back to S3 at this rate.

  • @NickLocke: Yes, this works today. First, log out of Azure. Then go to and click "portal" to log in. On the left hand side of the login screen you should see text that says "Office 365 users: sign in with your organizational account" - click on that link and use the admin credentials for your Office365 tenant to log into Azure. You will probably have to sign up for a free Azure subscription at that point - but you won't be charged for it - it's just the way to get a subscription associated with the Azure AD tenant you created in Office. Once you do that, you should arrive in the Azure management portal and your Azure AD tenant with all your Office users will be there already. You can then add existing users to your tenant who use LiveID's to access Azure. We don't currently have a way to match up a LiveID user with an existing OrgID user - we'll add that capability in a coming release.

  • Gotta say. I was really really excited to hear about azure backup. As a SMB I've been looking for a good backup solution for years to backup our projects drive. (1.5 tb) When I saw the pricing that excitement went away. Pricing makes it useless for my scenario.

  • I'm ving the fast frequency of great new features being added to Azure

  • Is there any facility to have backup data read in to Azure Backup from a hard drive that is sent by courier to Microsoft, or indeed to have data restored to a hard drive and sent by courier to the end user?

  • Hi Scott,
    thanks for the announcement - I've a question: Is any plan available for new backup services with websites ? (including sql server databases)

    Thanks in advance

  • Great news! :-)
    With this functionality in place, has work begun on enabling Windows Authentication for Team Foundation Service?
    What would be a realistic timeline for seing Windows Authentication available for Team Foundation Service?
    Thanks in advance :-)


  • Yep I have the same thoughts. Great new needed Backup service, pricing is just not in-line with competitors.

  • The pricing is ridiculously high. 1000$ a month for 2TB @ 0.50$ of backup data... Why not just let us backup to azure storage @ $.095 per GB or geo redundant storage?

    Our current offsite backup solution (online offsite) is 1/8 of that price, including bandwidth.

  • @runxc1, Thanks for your post! Azure AD is definitely live so this should be working. We looked into your issue yesterday afternoon after I saw your post. It turns out that your LiveID/Microsoft Account does not have a first name and last name. We didn't know it was possible to create a LiveID like that! 11 other customers also had similar issues to yours yesterday as well. So last night we propped a fix for the issue to live site and now you should be good to go.


  • Do you know if a Windows Azure Virtual Machine can be joined to the domain of a Windows Azure Active Directory?

    I am running SharePoint farms on Windows Azure VMs, and I have domain controller instances in Azure that are connected to on-premises AD via a site-to-site VPN connection.

    I am wondering if I use Windows Azure Active Directory synced with my On-Premises AD, if that would eliminate the need to run my domain controller instances, and my SharePoint farm could simply join the Windows Azure Active Directory domain?

  • With the rate of new services popping up all the time it would be great to have a clear map of which features are tied to which. For example, can I use Windows Azure AD together with IaaS instances so that I wouldn't need to create any VMs to host a traditional AD or is it just for using with PaaS apps?

    Azure is a great set of building blocks and many can be combined in surprising ways but a clearer picture of the services is needed. Your use of existing and familiar names describing services that cannot match the features of current products is VERY confusing. Don't call an Azure based user directory an Active Directory if it can't handle everything an AD can (i.e. I can't use it with IaaS instances).

  • When we started this, we were going by the assumption that the storage is $0.095 per gig. Now that it's $0.50 per gig, we just aren't able to pay for this. This is also like a bait and switch.

    Anyone has another cloud storage solution?

  • @AlexSimons - I would echo @NickLocke's thoughts on better OrgId support and the ability to link accounts. Really this seems like an issue that should be addressed Microsoft-wide, and shouldn't be something each individual service needs to deal with. Any Microsoft service should support both types of accounts, and existing accounts should support merging or at least linking.

    In our case, we have BizSpark (which includes Azure hours). Our email is Office 365. For a new employee, do you know if I can create an MSDN subscription using an OrgId/Office 365 account and then use that in Azure to get the benefits? Or do I have to create a separate LiveId account and wait for this eventual linking process?

  • Scott, I hope you hear the cry's of us small developers. Is it ever going to be possible for Independent Developers like me to "play" with these types of services without spending bazillion dollars and then decide to integrate them into our products or not? a One Month or so trial i snot enough and half the services are not covered. BizTalk is for companies but no equivalent program for small independent developers like me with very few dollars to invest and burn (OK I admit my revenue is a few hundred dollars a month ;-)

  • The new backup feature is fantastic! I have it working on my development Server 2008 r2 now. And you only get billed for the storage, not the data transfer, bandwith etc. Thanks, fantastic job. Looking forward to SSL on Azure websites.

  • Great stuff, Scott. I am very impressed at the speed with which you are adding these cloud services. And you are adding things people are already doing in the data center - making it easier to migrate existing system.

  • Can I use Active Directory and provide the login and identity in a system that we provide to our customers. Approximately 100,000 customers?

  • Hi Scott,

    Thanks for the great overview of Azure Active Directory. It was short, yet I had a better understanding after reading it than a lot of articles I've read about the technology.

  • How do you delete an active directory from your Azure account? Or perhaps rename it, I created one for testing and everything is now a bit broken!

  • What would be a realistic timeline for seing Windows Authentication available for Team Foundation Service?

Comments have been disabled for this content.