bob1029 2 months ago

I know how we feel about the Microsoft Death Star consuming all in its path, but there are some upsides to statistics like this.

For instance, we are a B2B software vendor in the banking space, and we have to survive all kinds of audits regarding the nature of our code & vendors. By keeping nearly all of our 3rd party items under the Microsoft umbrella, we can automagically skip over vast chunks of our due diligence process (according to the mutual trust equation).

None of our customers is F500 (so far), but we have yet to encounter one who didn't already have AAD, or a willingness to set this up. From a product development perspective, we really prefer having a few known-good ways to do things. Authentication & authorization is one area where I strongly dislike having a large variety of flavors. Especially considering the nature of our business and ever-increasing demands for complex MFA flows (e.g. SAML). There have been so many fly-by-night operations in this space, and our customers do not have patience for trying new things.

  • ocdtrekkie 2 months ago
    • rwalle 2 months ago

      Sorry, your comment is not helping. You could be working alone or in a 5-person startup and totally have not used anything Microsoft (and your comment does not clarify that), in which case nobody cares whether you want to set up AAD.

    • joebob42 2 months ago

      What makes you think you're a potential customer for them?

    • SgtBastard 2 months ago

      Are you in the banking space?

      If not, you aren’t a potential customer.

ascar 2 months ago

Why was that title editorialized as "around 83.4%"?

83.4% of 500 is exactly 417. The article is also exact about these numbers. No need to add "around".

Edit: Why was the title editorialized to begin with?

Edit2: looks like the title was updated to the original. Thanks.

  • graiz 2 months ago

    The article says that there may be other domains that it didn't catch because it wasn't the first result in google or the company has the server on a different domain, so it's likely a slight undercount.

    • ascar 2 months ago

      So "at least" would still have been a more accurate wording.

  • Retric 2 months ago

    That 417 is probably low. It’s hard to prove that nobody in a giant organization is using some tool, but conversely that undercuts such statistics. If, say, 0.01% of Walmart’s employees are using X because of a recent acquisition then that’s hardly an endorsement of X by Walmart.

  • darkstar_16 2 months ago

    Nitpicking much, are we?

    • ascar 2 months ago

      HN Guidelines:

      "If the title contains a gratuitous number or number + adjective, we'd appreciate it if you'd crop it. E.g. translate "10 Ways To Do X" to "How To Do X," and "14 Amazing Ys" to "Ys." Exception: when the number is meaningful, e.g. "The 5 Platonic Solids."

      Otherwise please use the original title, unless it is misleading or linkbait; don't editorialize."

      This is directly against the guidelines and how article titles should be submitted. Editorialization of titles is heavily discouraged and here it even says something the article doesn't. Not at all a nitpick imho.

    • kzrdude 2 months ago

      The article could use significant figures better at least. No reason to not say 83% or even "at least 80%" (would be my pick, to reflect the roundness of the number).

sebazzz 2 months ago

> We assume the first result is the homepage of that company, and the domain they would use for their tenant.

That is a big assumption though. A very well-known big-four with two letters uses, for instance, [letters]gs.com ("Global Services").

  • imron 2 months ago

    > However, if we say that a company does not have a tenant, we are not necessarily correct. It is possible that the google result did not point to their actual domain name, or they are using a different domain name for their AAD Tenant

Terretta 2 months ago

For the HN B2B startups here supporting Google Workspace SSO and not Microsoft Azure SSO, or offering Sign in with Google and not Sign in with Microsoft... why?

85% of big businesses are on the one you don't support.

"Results for the Fortune 500 [to see who's on Azure AD using a] CSV with a list of all the Company Names for all 500 companies. Running it through this script, I find that 417, or 83.4% of companies have AAD, which is just a little off from Microsoft’s public claim of 85%."

https://www.shawntabrizi.com/aad/does-company-x-have-an-azur...

See also this top comment: https://news.ycombinator.com/item?id=33046968

  • netsectoday 2 months ago

    There are legions of people who swore off anything M$ years ago when they found alternatives that worked better for them, and they stuck to it.

    Here's the perspective from the outside: M$ has billions of lines of code, or more, and they just keep patching their software. They established their way of doing things years ago with DOS and have built on top of that since. That's how the entire industry has done it, but since M$ got so big they can't just refactor things and drop support without a billion people yelling at them, so they keep the old code and just keep patching.

    They have so many people banging on their software that most of the failures are caught pretty quickly, but then there are the edge cases that don't fit into daily business activity and M$ gets pwned in that space. Their software is so vast that it doesn't cover their entire decision tree, so on the edges people begin to play around and find things not covered by testing. They might be complicated exploits that tie many things together, but it's not beyond the general public to find them with a little digging. This opens up a full exploit on M$ systems or infrastructure, then they get around to patching it a month or two later.

    From the perspective of a CISO this is unacceptable. I prefer my auth software to be explicitly precise.

    This might sound crazy to someone who is in an industry where "everyone is doing it", and there appears to be no other way to integrate but with M$. I'll let you know we both feel the same way because it's crazy to use (and pay for) such slovenly designed software.

  • matthewaveryusa 2 months ago

    azure AD presence does not imply they use msft sso as their sso.

    sso integration when interacting with a fortune 500 will be a minuscule aspect of the arrangement should you get there. an f500 does not simply decide to use your product and do an sso integration et voila. they want a compliance regiment, a custom crafted legal arrangement, risk assessment, probably an onprem discussion, if you’re small enough a straight out purchase discussion. months if not years of negotiation. basically the sso button is the least of your concerns.

    • psidebot 2 months ago

      Even if they don't use Azure AD as their primary SSO you can often federate indirectly via Azure. For many large corporations, an auth against Azure redirects to Microsoft, then to whatever enterprise SAML2 service they're running, then back to Microsoft to pick up an OIDC token or SAML transformation, then back to your app. Instead of supporting however many SAML 2 providers with custom claim mappings you get Azure's reasonably straightforward token. You can also pick up Azure group membership (which many companies maintain or sync from on-prem AD) which is nice for mapping application roles.
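What the relying party sees at the end of that hop is an Azure AD-issued token, not anything from the upstream SAML IdP, so the checks are against Azure's issuer and tenant, and application roles come from the group object IDs in the `groups` claim. The following is an added example, not code from anyone in this thread: it performs the claim checks that follow signature verification and maps groups to roles. The tenant ID, client ID, group IDs and role names are made up; the token is constructed with a dummy signature so the example runs offline; verifying the real RS256 signature against the keys at the discovery document's `jwks_uri` is required in production and is not shown. It also handles the group-overage case (too many groups, so Azure AD omits `groups` and sets `_claim_names`), which must not silently turn into "no roles".

```python
"""Claim checks and group-to-role mapping for an Azure AD v2.0 ID token.
Added example.  Signature verification is deliberately NOT included here;
do it against the tenant's JWKS before calling check_claims().  All IDs
below are made up, and the token is constructed with a dummy signature."""
import base64
import json
import re
import time

# Assumptions for the example: a single-tenant app that trusts one tenant.
ALLOWED_TENANTS = {"11111111-2222-3333-4444-555555555555"}   # made-up tenant ID
EXPECTED_AUD = "00000000-aaaa-bbbb-cccc-000000000000"         # made-up client ID

# Azure AD group claims carry group object IDs, not display names.
GROUP_ROLES = {
    "aaaaaaaa-0000-0000-0000-000000000001": "admin",
    "aaaaaaaa-0000-0000-0000-000000000002": "reader",
}

# v2.0 issuer, or the v1 sts.windows.net form; either way the tenant GUID is in it.
ISS_RE = re.compile(
    r"^https://(?:login\.microsoftonline\.com/([0-9a-f-]{36})/v2\.0"
    r"|sts\.windows\.net/([0-9a-f-]{36})/)$")


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def split_token(token: str) -> tuple:
    """Return (header, payload) of a compact JWS.  Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_claims(payload: dict, now: float = None) -> list:
    """Return a list of problems; empty means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    m = ISS_RE.match(str(payload.get("iss", "")))
    iss_tid = (m.group(1) or m.group(2)) if m else None
    if iss_tid is None:
        problems.append("issuer is not an Azure AD issuer")
    elif iss_tid != payload.get("tid"):
        problems.append("tid claim does not match issuer")
    elif iss_tid not in ALLOWED_TENANTS:
        problems.append(f"tenant {iss_tid} is not allowed")
    if payload.get("aud") != EXPECTED_AUD:
        problems.append("audience is not this app")
    if payload.get("exp", 0) <= now:
        problems.append("token expired")
    if payload.get("nbf", 0) > now + 60:          # 60 s clock skew allowance
        problems.append("token not yet valid")
    # Group overage: Azure AD drops `groups` and points at Graph instead.
    if "groups" not in payload and "groups" in payload.get("_claim_names", {}):
        problems.append("group overage: groups omitted, fetch them via Graph")
    return problems


def roles_for(payload: dict) -> set:
    """Map group object IDs to app roles; unknown groups grant nothing."""
    return {GROUP_ROLES[g] for g in payload.get("groups", []) if g in GROUP_ROLES}


def authorize(token: str, now: float = None) -> set:
    """Roles granted by the token, or an empty set if any claim check fails."""
    _, payload = split_token(token)
    if check_claims(payload, now):
        return set()
    return roles_for(payload)


def make_constructed_token(payload: dict) -> str:
    """Three-segment token with a dummy signature, for the offline demo only."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed"}
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(payload).encode()),
                     _b64url_encode(b"not-a-real-signature")])


NOW = 1_700_000_000  # fixed clock so the demo is deterministic
GOOD_PAYLOAD = {     # constructed, not a real token's contents
    "iss": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
    "tid": "11111111-2222-3333-4444-555555555555",
    "aud": EXPECTED_AUD,
    "sub": "made-up-user-object-id",
    "exp": NOW + 3600, "nbf": NOW - 60, "iat": NOW - 60,
    "groups": ["aaaaaaaa-0000-0000-0000-000000000001",
               "ffffffff-0000-0000-0000-00000000ffff"],   # unknown group: ignored
}

if __name__ == "__main__":
    tok = make_constructed_token(GOOD_PAYLOAD)
    print("roles now:", authorize(tok, NOW))
    print("roles two hours later:", authorize(tok, NOW + 7200))
```

The tenant check is the part worth keeping even for a multi-tenant app: accept only tenant IDs you have onboarded, and require `tid` to agree with the GUID inside `iss`, rather than trusting any token Microsoft will sign.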

    • Godel_unicode 2 months ago

      I hope others listen to this and continue to believe that growing through being a great shadow IT option isn’t viable. Makes my life much easier!

      If you want to be used by business users in a hurry, be under their p-card limit and support their SSO out of the box.

      • yowlingcat 2 months ago

        It sounds like this is exactly a path you have taken with B2B PLG. Mind throwing the rest of us a bone and giving a sense of what your seats/month and/or growth in seats/month looks like?

  • dustymcp 2 months ago

    The hate is very big and developers will convince their bosses something is superior without understanding business needs.

  • robertlagrant 2 months ago

    I don't know much about GW SSO but AAD is a per-tenant thing, and IT departments may have to add your application to it before it works?

haxxorfreak 2 months ago

AADInternals[0] is an excellent set of PowerShell modules for pentesting and performing recon against Azure AD as both an outsider[1] and for someone who has been invited to a tenant.

It has similar functionality integrated for discovering if a domain has an associated Azure AD Tenant and enumerating information about users in the tenant, who the "Owner" is and their contact information. As with many Microsoft products there are many configuration options and plenty of them aren't secure by default.

[0] https://o365blog.com/aadinternals/
[1] https://o365blog.com/post/just-looking/

fweimer 2 months ago

Doesn't the end point show up once you have SSO with your own identity provider enabled for any Microsoft services? Maybe technically this means that you have an Active Directory tenant as well, but it doesn't necessarily imply that you are using those Active Directory services for anything beyond that SSO capability.

For Google Workspace, a similar URL is: https://www.google.com/a/example.com/ServiceLogin
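The endpoint check that the quoted article's script performs, written out as an added example (it is not the article's script, nor code from anyone in this thread): ask Azure AD's OpenID Connect discovery endpoint about the domain and classify the answer. The URL is an assumption (the v1 discovery endpoint `https://login.microsoftonline.com/<domain>/.well-known/openid-configuration`, which accepts a verified domain name in place of the tenant GUID); the two responses below are constructed so the parsing runs offline, and only `check_domain` touches the network. The tally keeps "unknown" separate from "no tenant", which is what makes a headline figure an "at least" number rather than an exact one.

```python
"""Does a domain have an Azure AD tenant?  Probe the OpenID Connect
discovery endpoint and classify the answer.  Added example; the endpoint
URL is an assumption and the sample responses are constructed."""
import json
import re
import urllib.error
import urllib.request

# Assumption: the v1 discovery endpoint takes a verified domain name where
# the tenant GUID would go, so the probe needs no credentials.
DISCOVERY = "https://login.microsoftonline.com/{domain}/.well-known/openid-configuration"
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)


def discovery_url(domain: str) -> str:
    """Build the probe URL, refusing anything that is not a bare DNS name
    so a crafted 'domain' cannot alter the path that gets requested."""
    domain = domain.strip().lower().rstrip(".")
    if not re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", domain):
        raise ValueError(f"not a bare DNS name: {domain!r}")
    return DISCOVERY.format(domain=domain)


def parse_discovery(status: int, body: str) -> dict:
    """Classify one discovery response.

    200 with an issuer    -> a tenant exists; the GUID in the issuer is its ID
    400 with AADSTS90002  -> no tenant is registered under that name
    anything else         -> unknown; counted in neither bucket
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return {"has_tenant": None, "tenant_id": None, "reason": "non-JSON body"}
    if status == 200 and "issuer" in doc:
        m = GUID_RE.search(str(doc["issuer"]))
        return {"has_tenant": True,
                "tenant_id": m.group(0).lower() if m else None,
                "reason": "issuer present"}
    desc = str(doc.get("error_description", ""))
    if status == 400 and "AADSTS90002" in desc:
        return {"has_tenant": False, "tenant_id": None,
                "reason": "AADSTS90002: tenant not found"}
    return {"has_tenant": None, "tenant_id": None,
            "reason": f"unexpected HTTP {status}: {desc[:80]}"}


def check_domain(domain: str, timeout: float = 10.0) -> dict:
    """Live probe (needs network).  urllib raises on a 400, so the 'not
    found' body is read from the error object and classified the same way."""
    req = urllib.request.Request(discovery_url(domain),
                                 headers={"User-Agent": "aad-tenant-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_discovery(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return parse_discovery(err.code, err.read().decode("utf-8", "replace"))


def tally(results: list) -> dict:
    """Count found / not found / unknown separately, so the headline is
    'at least N of M' instead of an exact figure."""
    found = sum(1 for r in results if r["has_tenant"] is True)
    missing = sum(1 for r in results if r["has_tenant"] is False)
    unknown = len(results) - found - missing
    pct = round(100.0 * found / len(results), 1) if results else 0.0
    return {"found": found, "not_found": missing, "unknown": unknown, "at_least_pct": pct}


# Constructed responses (not captured from any real tenant) for an offline run.
SAMPLE_FOUND = (200, json.dumps({
    "issuer": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
    "token_endpoint": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/token",
}))
SAMPLE_MISSING = (400, json.dumps({
    "error": "invalid_tenant",
    "error_description": "AADSTS90002: Tenant 'example.invalid' not found.",
}))

if __name__ == "__main__":
    results = [parse_discovery(*SAMPLE_FOUND),
               parse_discovery(*SAMPLE_MISSING),
               parse_discovery(503, "<html>maintenance</html>")]
    for r in results:
        print(r)
    print(tally(results))
```

A hit here means only what hirsin says below: a tenant exists for that verified domain. It says nothing about whether anyone signs in through it, and a miss on the domain Google returned first says nothing about a tenant registered under a different corporate domain.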

  • hirsin 2 months ago

    Yes, it means that you have a tenant in AAD that's usable for signing into SaaS products and Office. May not have many or any users in it, but it exists.

PaulWaldman 2 months ago

Microsoft is traditionally great at bundling their products. This is reminiscent of bundling Internet Explorer with Windows.

Could an Okta have a claim against Microsoft similar to Netscape in the late 90's?

  • ab_testing 2 months ago

    Having Azure AD does not prevent clients from also having Okta or any other 2FA provider for 2 factor authentication. In fact, I have worked with at least 10 clients in the last 2 years that used Azure AD for authentication but then something else for 2-factor depending on the type of apps.

    Sometimes even within one company, there are multiple 2FA protocols, e.g. using Oracle single sign on for ERP apps but Okta for Citrix and other external facing apps.

    • hedora 2 months ago

      Okta is a single sign on provider though.

      Clearly, authenticating via Azure and also Okta would not be single sign on.

      • trevorishere 2 months ago

        I've actually created this setup (in order to ditch Okta as it is far more expensive than AAD P1 if you want MFA).

        You federate AAD and Okta. Sign in to Okta and it's smooth sailing into AAD-based resources like M365.

        Okta puts on a good dog and pony show for execs. From a technical perspective, they're no better for corps (at least in first party auth or B2B -- I don't get into the B2C space). We found, for the apps we used, AAD as of ~4 years ago had better SCIM support (!) than Okta.

        On top of getting O365 E5 + Ent Sec (I think they're just now called M365 E5) which gave us AAD P2 licenses, overall it was much cheaper than Okta. The goal was to just get MFA, which Microsoft gives away for free (with limited toggles) or in P1 licenses (with more toggles) whereas Okta wanted $6/user/month _just for_ MFA.

        Microsoft puts on a terrible sales pitch, though. We were fortunate enough to have an _awesome_ Principal Program Manager spend days with us in-person answering all of our questions and explaining AAD to our IT management.

      • abruzzi 2 months ago

        I don’t know the specific setup, but the app passes you to AAD which passes you to a SAML source (Okta in this instance, but we use Cisco Duo). The SAML provider authenticates you, sets a cookie, then sends you back to AAD, which sets its own cookie, then passes you back to the App. (Or something like that.) If the next app you sign into is an AAD app, you pass through quickly, but if the next app you sign into uses SAML directly you have a cookie set for that as well.

        We use AAD for O365 and the few apps that won’t use generic SAML, but everything else uses Duo directly. The reason for this is at our O365 license level we don’t get the ability to restrict access to applications by AD group—everyone or we have to manually manage access account by account.

      • cratermoon 2 months ago

        Identity federation can be pretty complex to set up and administer, but once the trust relationship is configured and the identity mapping set up, it's pretty transparent to use. Source: I do this for a living.

    • pid-1 2 months ago

      > also having Okta or any other 2FA provider for 2 factor authentication

      Why would you do that?

    • RajT88 2 months ago

      Confirmed. I work with clients who use Ping and Okta for 2FA on top of AAD.

  • rejectfinite 2 months ago

    Signing up for Office 365 gets the company in AzureAD as it is used for logging into 365 on the back end. And all the user accounts etc. You can have another identity solution and also Azure AD. It's just, why would you when everyone needs an email and they are already in AAD?

  • scarface74 2 months ago

    Will this meme ever die?

    Absolutely nothing came of Microsoft bundling IE with Windows in the 90s in the US. There was never a day since IE came bundled with Windows that it wasn’t bundled with Windows. There was never a browser choice initiative - nothing.

    Out of all of the antitrust allegations, bundling was the nothingburger. MS was forced to stop making OEMs pay for licenses for all of their PCs whether or not they came with Windows and they were forcing OEMs to not include Netscape, share APIs, and document file formats.

    Microsoft Office (bundling) has been a thing since 1990 and today, every single major company bundles products together - Apple, Amazon (Prime), Microsoft, Google, Adobe, Salesforce (SFFC and Concur), etc.

    Next up: no, “cable was not ad free when it was introduced”

    • ghaff 2 months ago

      The whole Windows/IE bundling fracas has to be looked at in the context of Microsoft not only having a lot of unsavory business practices--as did its welded-at-the-hip partner Intel--but also it was seen in the eyes of a lot of people as on the way to utterly dominate computing once Unix got pushed out of the way.

      Add in the dominance of Office and Microsoft's presumed dominance of mobile once that became ubiquitous and a lot of people were looking for any lever to use against the company. All this activity probably made Microsoft back off a bit in some areas and likely tarnished its aura of inevitability a bit--but it's not entirely clear that it made much difference in the end. (And there were certainly people at the time arguing that the Microsoft winning over all narrative was deeply flawed.)

    • jonhohle 2 months ago

      The nuance that you’re missing is that Microsoft was a monopoly found guilty of antitrust violations. Bundling has different consequences for them than for non-monopolies or monopolies that have not had antitrust convictions.

      • scarface74 2 months ago

        “Bundling” had no consequences for them in the US, that’s just the point.

        The consent decree never required them to change anything about IE in the US.

    • yardie 2 months ago

      Yes, there was a version of Windows that did come unbundled, Windows N <level> that was targeted for EU users to comply with EU antitrust agreements. And there was a browser choice selection during OOTB configuration with the top 4 or 5 browsers in the marketplace.

      • scarface74 2 months ago

        That’s why I was careful to repeatedly say “in the US”.

curiousmindz 2 months ago

This is based on a 2017 script that looks up if their domain names are attached to an Azure Active Directory Tenant.

  • cassianoleal 2 months ago

    But also, what does it say about anything?

    • arkitaip 2 months ago

      Microsoft absolutely dominates corporate IT. Their Office 365 delivers so much value at a low cost that the corps suffer from mediocre MS products because it's all there through a single subscription.

      • mc32 2 months ago

        Same for the Google options; except the Google options tend to make non-backward compatible changes and often only go 90% of the way to meet the competition in terms of features. Even their spam detection is not where postini had it years ago.

        • jmathai 2 months ago

          I worked in Google Workspace.

          A CIO needs to see significant upside in choosing a non Microsoft solution to take the risk of not going with on-prem /cloud AD.

          Very few enterprises, this is an understatement, use Workspace exclusively.

          They need Active Directory Domain Services (on-prem AD) regardless and it is their source of truth (typically syncing to Workspace for users/roles). The tooling and expertise is in AD. Azure AD will always have a better on-prem to cloud story than Workspace (or any competitor). Plus their licensing makes it a no brainer. It’s a very strong moat.

      • rchaud 2 months ago

        With AD we have SSO integration with a whole universe of mediocre apps, Jira for instance

        • hulitu 2 months ago

          I need to always give a password in Jira.

          • sofixa 2 months ago

            Jira, and the whole of Atlassian Cloud services, bundle SSO as a separate service you pay for. It's called Atlassian Access and it costs $4-$2 depending on number of users, so many companies skip it because it easily doubles your Jira/Confluence costs.

            sso.tax

            • realityking 2 months ago

              Jira’s cheapest license is $7.5, Atlassian Access as its most expensive is $4 a month. It will never double your Jira bill.

vinay_ys 2 months ago

The way Microsoft does enterprise price bundling, this is not surprising at all.

  • SOLAR_FIELDS 2 months ago

    They are insanely good at onboarding people onto it as well. I have a small startup just me and a cofounder right now and we pay $12 a month for 365 which includes all of Azure AD. Can start doing full integrations right away to lock us in.

    • eastbound 2 months ago

      This is awesome! I went 6 times to Microsoft AD’s pricing page and I could never figure out how much it would be! Then I remembered it would be bundled with Azure, which, like any cloud, has the “It’s 0.0062$ per unit of consumption, so sometimes it’s 2€ per month, sometimes it’s 647€, we never know ourselves, good luck!” effect.

      Has anyone else sometimes avoided a cloud service because the pricing was opaque?

      • vinay_ys 2 months ago

        They are much nicer in recent years and are quite transparent with pricing – https://www.microsoft.com/en-us/microsoft-365/compare-micros... See full pdf for all plans: https://go.microsoft.com/fwlink/p/?linkid=2139145

        Basically if you have a Microsoft Office 365 Enterprise license (E3 or E5 license – which you need if you have business people in your company who can't live without Excel on desktop), you get Azure AD Premium (P1 or P2) bundled for free.

        As I was writing this comment I just went looking at their AD page and found they have launched a new thing called Entra which includes Decentralized ID. And there's a white paper – interesting.

        • logifail 2 months ago

          > you get Azure AD Premium (P1 or P2) bundled for free

          Last time I checked what was included with Azure AD the activity logging data was where it looked like things could get expensive. Exporting your authentication logs and/or keeping them for more than a week was a premium add-on.

          • pid-1 2 months ago

            M365 Business Premium includes P1 and costs 22 USD per user. You also get MDM (Intune) and other security related stuff.

rootsudo 2 months ago

This is assuming the domain has it, but it's even easier actually - you can just dig DNS records and see what they run as MX, CNAMEs, etc. If there are Teams DNS records and the MX record points to *.onmicrosoft.com or $tenantname.mail.protection.outlook.com, there you go, even easier than "querying" Google and seeing what's indexed.

And much easier to script too. ;)
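The DNS version of the check, as an added example (not rootsudo's script or anything from the article): feed `dig +short` output for the usual Microsoft 365 names into a classifier. The target hostnames are the ones Microsoft publishes for Exchange Online, Teams/Skype, device registration and Intune; the record text below is constructed, not resolved, so the classification runs offline, and `gather` is the only function that shells out to `dig`. The important asymmetry is in `verdict`: Microsoft MX or SPF proves a tenant has that domain verified, but the absence of every signal proves nothing, because a tenant used only for SSO (Google-hosted mail plus Azure AD for SaaS sign-in) needs none of these records.

```python
"""DNS evidence of Microsoft 365 / Azure AD use, from `dig +short` output.
Added example; the record text below is constructed, not resolved."""
import subprocess
from dataclasses import dataclass

# Microsoft-published targets.  Suffix match for MX (the host is per-domain),
# exact match for CNAME targets, substring match for TXT values.
MX_SUFFIXES = {
    ".mail.protection.outlook.com.": "Exchange Online MX",
    ".onmicrosoft.com.": "onmicrosoft.com MX",
}
CNAME_TARGETS = {
    "autodiscover.outlook.com.": "Exchange Online autodiscover",
    "webdir.online.lync.com.": "Teams/Skype lyncdiscover",
    "sipdir.online.lync.com.": "Teams/Skype SIP",
    "enterpriseregistration.windows.net.": "Azure AD device registration",
    "enterpriseenrollment.manage.microsoft.com.": "Intune enrollment",
}
TXT_MARKERS = {
    "include:spf.protection.outlook.com": "SPF includes Exchange Online",
    "ms=ms": "Microsoft 365 domain-verification TXT",
}


@dataclass
class Signal:
    name: str      # owner name that was queried
    rtype: str
    value: str
    meaning: str


def parse_dig_short(rtype: str, text: str) -> list:
    """Turn `dig +short <rtype> <name>` output into bare values.
    MX lines carry a preference first; TXT values come back quoted and a
    long TXT is split into several quoted chunks on one line."""
    values = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if rtype == "MX":
            line = line.split()[-1]
        elif rtype == "TXT":
            line = line.strip('"').replace('" "', "")
        values.append(line)
    return values


def classify(records: dict) -> list:
    """records: {(name, rtype): dig +short text}.  Returns matched signals."""
    signals = []
    for (name, rtype), text in records.items():
        for value in parse_dig_short(rtype, text):
            v = value.lower()   # DNS names and the markers above are compared case-insensitively
            if rtype == "MX":
                for suffix, meaning in MX_SUFFIXES.items():
                    if v.endswith(suffix):
                        signals.append(Signal(name, rtype, value, meaning))
            elif rtype == "CNAME":
                if v in CNAME_TARGETS:
                    signals.append(Signal(name, rtype, value, CNAME_TARGETS[v]))
            elif rtype == "TXT":
                for marker, meaning in TXT_MARKERS.items():
                    if marker in v:
                        signals.append(Signal(name, rtype, value, meaning))
    return signals


def verdict(signals: list) -> str:
    """Mail hosted there beats 'domain verified only' beats nothing.
    No signal at all is NOT evidence of no tenant."""
    meanings = {s.meaning for s in signals}
    if meanings & {"Exchange Online MX", "onmicrosoft.com MX"}:
        return "mail hosted in Microsoft 365 (tenant exists)"
    if meanings:
        return "domain verified in a Microsoft 365 tenant (other services)"
    return "no DNS evidence (tenant may still exist)"


def dig_short(name: str, rtype: str) -> str:
    """Live lookup; needs network and `dig` on PATH."""
    return subprocess.run(["dig", "+short", rtype, name],
                          capture_output=True, text=True, check=False).stdout


def gather(domain: str) -> dict:
    """Query the names Microsoft asks customers to create, plus MX and TXT."""
    wanted = [(domain, "MX"), (domain, "TXT")] + [
        (f"{label}.{domain}", "CNAME") for label in
        ("autodiscover", "lyncdiscover", "sip", "enterpriseregistration", "enterpriseenrollment")]
    return {(n, t): dig_short(n, t) for n, t in wanted}


# Constructed `dig +short` output for two made-up domains (not resolved).
SAMPLE_RECORDS = {
    ("example.com", "MX"): "0 example-com.mail.protection.outlook.com.\n",
    ("example.com", "TXT"): '"v=spf1 include:spf.protection.outlook.com -all"\n"MS=ms12345678"\n',
    ("autodiscover.example.com", "CNAME"): "autodiscover.outlook.com.\n",
    ("enterpriseregistration.example.com", "CNAME"): "enterpriseregistration.windows.net.\n",
}
SSO_ONLY_RECORDS = {   # Google-hosted mail; nothing here rules an AAD tenant in or out
    ("example.org", "MX"): "10 aspmx.l.google.com.\n",
    ("example.org", "TXT"): '"v=spf1 include:_spf.google.com ~all"\n',
}

if __name__ == "__main__":
    for label, recs in (("example.com", SAMPLE_RECORDS), ("example.org", SSO_ONLY_RECORDS)):
        found = classify(recs)
        print(label, "->", verdict(found), [s.meaning for s in found])
```

`gather("company.com")` followed by `verdict(classify(...))` is the scripted version of the comment's dig-and-look; run over a list of domains it is a good complement to the discovery-endpoint check, since each catches cases the other misses.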

wsjeffro 2 months ago

What I can’t understand is why Azure AD doesn’t have a stronger position in the consumer space. Authentication via Google, Apple, and even still Facebook are nearly always supported on customer-facing logins. I rarely see an option for Microsoft.

They have a commanding position in the enterprise. What’s keeping them from crossing those enterprise boundaries?

  • andylynch 2 months ago

    They were an early mover in this area twenty years ago with the original Hailstorm / .Net Passport which was skeptically received and wasn’t helped by some spectacular outages. Google and Facebook leveraged their apps and especially GMail - Apple had the leverage from their App Store to force everyone that mattered to at their service too.

    • Terretta 2 months ago

      Incidentally, a Microsoft Passport login still works on any site with today's "Login with Microsoft" ... and there are starting to be more along side "Login with Google" or "Login with Apple".

      These days, a consumer + biz page login page can look like this:

      https://www.xsplit.com/user/auth

      There's almost no good reason to require emails/password rather than let users use their preferred IdP.

      I think the reason it's less common is simply that indie devs assume everyone uses free Google Workspaces. This year we're seeing more Microsoft Logins. Perhaps one reason is that now Google Workspaces is no longer free and startups are realizing they can get actual Office with actual apps at the same $6 to $12 per user cost. Then in turn, supporting that login.

  • MattGaiser 2 months ago

    Do enough people still use consumer Microsoft accounts? Except for myself, it has been a long time since I have encountered a hotmail address or live address or outlook address in the wild.

    I've gotten career advice several times to get a GMail instead, because Microsoft was considered out of date and backward (not so much anymore).

    • daveoc64 2 months ago

      There are lots of very popular Microsoft services for consumers including Xbox and Office 365. Combined, these have hundreds of millions of paid subscribers.

      • ekianjo 2 months ago

        minecraft too

    • vladvasiliu 2 months ago

      I'd expect this to grow now that Windows pushes more aggressively to use an MS account to login.

      Plus, if this works as well as it does with the "corporate" AzureAD, it would be a better experience for users. Just "log on with your Windows account".

      Not saying that's necessarily a good, thing, mind. Only that I expect support to broaden.

    • hedora 2 months ago

      Anyone that uses Minecraft (edit: or Xbox) I'm sure it is only a matter of time until some middle manager stakes their promotion on merging it with github and/or linkedin.

      Microsoft is the only company I deal with where I cannot reliably authenticate. I wish they'd just stop trying to run consumer accounts.

      • easrng 2 months ago

        You can link your GitHub account to a Microsoft account and log in to Microsoft with your GitHub account, not sure if you can log in to GitHub with your Microsoft account tho.

    • faeriechangling 2 months ago

      How times have changed, I mostly hear Google being called backwards now for its view that customers are just beta testers you dispose of when your latest moonshot project doesn’t hit orbit.

    • quickthrower2 2 months ago

      You can have a ms account but never use or know or share the ms email address associated with it

  • candiddevmike 2 months ago

    Microsoft's support for multiple accounts is atrocious. I can easily have 5+ Google accounts that I switch between, moving between MS accounts is awful. Additionally MS's free consumer offerings are not competitive with Gmail/Drive IMO.

    • yellow_postit 2 months ago

      I'm not a fan of Google's solution either. With a device with multiple G accounts it’s always a guessing game when opening up a google doc which account it’ll choose.

    • GordonS 2 months ago

      It's even worse if you have personal and business accounts tied to the same email address - you never know which one you're using, or which you need.

      • logifail 2 months ago

        > It's even worse if you have personal and business accounts tied to the same email address - you never know which one you're using, or which you need

        I have a friend who managed to get into this mess, and he's still not sure how he did it.

        firstname.lastname@companybizname.TLD is apparently linked to two separate identities at Microsoft, one is a business account, one is a "personal" account.

        Every time he experiences any kind of login issue, this bites him :/

        • trevorishere 2 months ago

          This is a legacy setup that can no longer be created. Microsoft removed the option to use a custom domain for Microsoft accounts many years ago, but hasn't forced people to change.

          However, your friend can get out of this scenario by following the instructions on this site:

          https://support.microsoft.com/en-us/account-billing/change-t...

          They'll end up with <whatever_they_can_find>@outlook.com for their Microsoft account. When using Org services via a browser, you'll automatically use your Org account. When using consumer services, you'll automatically use your Microsoft account (assuming you've selected stay sign-in for both).

          • logifail 2 months ago

            > This is a legacy setup that can no longer be created

            Thank goodness for that!

            > However, your friend can get out of this scenario by following the instructions on this site

            Thanks for the tip, will try and walk him through this next time I'm with him.

            > They'll end up with <whatever_they_can_find>@outlook.com for their Microsoft account

            I doubt they actually need/want access to the Microsoft account. They don't use this work email address for any consumer services, as far as I'm aware -although how could one tell what services it could be associated with?

        • magicalhippo 2 months ago

          I read an explanation from some Microsoft page or rep. that it had to do with making personal purchases in the Windows Store when you're signed in using your business account. IIRC the rationale was that the personal account could persist beyond your employment, so you wouldn't lose any purchases if you switched jobs.

          If I indeed recall correctly, then that doesn't really make sense. Just force people to make a different, actual personal account, and have them use that.

          • logifail 2 months ago

            > IIRC the rationale was that the personal account could persist beyond your employment, so you wouldn't lose any purchases if you switched jobs

            Except if you lose access to the work email address by switching jobs, surely you're one forgotten password away from permanently losing access to the personal account too? It's linked to your _work_ email (only)...

            • magicalhippo 2 months ago

              Yeah... all I can recall was it never made much sense to me.

      • magicalhippo 2 months ago

        Indeed. I've never understood this distinction. Either it's a business account, or it's a personal account. It's bad enough that people use their business mail to sign up for personal stuff, we don't need Microsoft to make it even worse.

        • trevorishere 2 months ago

          > we don't need Microsoft to make it even worse.

          Microsoft made it better by preventing the scenario from occurring beginning 3 - 5 years ago.

      • nine_k 2 months ago

        This is a terrible idea to begin with.

  • rwalle 2 months ago

    There is an obvious reason.

    Facebook and Google provide "Sign-in with Facebook/Google account" not because they do it out of goodwill, to only make it "easier" or "smoother" to login -- it obviously costs resources on their end to enable such features -- it helps them better identify users and then serve ads. And Google can be really aggressive -- try reddit or Quora.

    Apple, on the other hand, tries to sell "login with Apple account" with a different approach: they advertise the "privacy" part of it and how you can hide your email address by using its sign-in service. And they have a term where login with Apple must be enabled on an app and website if a company has an app on the app store and it supports any other third-party login. In other words, if Reddit supports login with Google on iPhone, it must also support login with Apple ID. This helped the adoption a lot.

    For Microsoft, they are relatively late and small in the ad business (for now) so I guess they don't really care about getting more of your information via sign-in services. And they are not on this privacy bandwagon as Apple does. So they really have no incentive for this.

  • pid-1 2 months ago

    Only very recently Windows started requiring a MS account. I'd guess most people who don't own a Xbox don't have a MS account.

    • rejectfinite 2 months ago

      Every hotmail and outlook email is an MS account...

    • quickthrower2 2 months ago

      I was forced to use one to set up my new laptop

  • thakoppno 2 months ago

    In the US at least it seems like we’re at the stage where every new account created is essentially tied back to a social security number.

    One cannot get an e-mail address without a phone. One cannot get a phone without a credit check. A credit check requires a social security number.

    • DanAtC 2 months ago

      Prepaid phones are readily available in the US, no ID or SSN required.

      • Gh0stRAT 2 months ago

        Prepaid phones all-too-often can't be used for SMS/phone authentication. Banks in particular seem to dislike them.

        (when it doesn't work, you'll usually get an error message about the number not being supported or words to that effect)

  • aflag 2 months ago

    Isn't every github account also a microsoft account? There are plenty sites there integrating with github login.

tluyben2 2 months ago

I thought it would be 100%; everyone switched to AD after Novell. What are the 16.6% using is the interesting part?

  • flatiron 2 months ago

    Good question. I’ve worked at apple and google and both like to cook their own implementation. It was AD there.

    • connordoner 2 months ago

      Where?

      • flatiron 2 months ago

        I guess everywhere. I’ve worked at a ton of “big” companies. All AD. Even the companies that bake everything themselves. (I’m looking at you apple)

  • gw99 2 months ago

    NetIQ eDirectory tends to be the other big one. Although I am seeing a rise in companies not having an SSO solution recently at all. In fact some of the SMEs I've seen recently are running most of their stuff entirely via basic Microsoft O365 accounts or iCloud.

    • mooreds 2 months ago

      A lot of startups or smaller companies I've worked with are entirely on the Google stack (gmail, google drive). I imagine there's a scale when that option breaks, but I think it'd be fine until 50-100 employees.

    • roflyear 2 months ago

      I wouldn't think SSO is the primary use for AD. Definitely one big use, though!

      • connordoner 2 months ago

        What do you think the primary use is?

        • roflyear 2 months ago

          User and resource management, I'd say.

  • detaro 2 months ago

    Azure Active Directory. On-prem isn't counted. (Also assumptions about the domain used, which might not hold for all)

  • Spooky23 2 months ago

    Everyone with O365 has Azure AD. But a smaller number has Azure AD Premium.

    That’s growing as salespeople get canned if they don’t sell it.

    • roflyear 2 months ago

      MS is so bad with this stuff. It's difficult to determine what value you get from premium. If I knew maybe I'd buy it!

      • pid-1 2 months ago

        You get Intune (which is called Microsoft Endpoint Manager now) and AAD P1 for all users.

        The base use cases are "I want my users to be able to login in MS 365 from company managed devices". and "I want to manage my company's devices".

      • Spooky23 2 months ago

        The service is good, but really expensive and the sales tactics are sleazy. They want you paying $40/mo/head.

        • m348e912 2 months ago

          Azure AD Premium is $480/year per user???? What in the world do you get for that price point?

          • realityking 2 months ago

            It’s not. Azure Ad P1 is $6/user/month, P2 is $9/user/month. Cheaper than Okta.

            OP was probably thinking of Microsoft 365 E3 which does cost $36/user/month. That however includes a bunch of other stuff besides Azure AD P1.

          • Spooky23 2 months ago

            I’m talking total subscription relationship.

            It’s hard to buy Azure AD alone, they push the EMS suite and O365 E5 to solve the security issues in O365 E3.

            • roflyear 2 months ago

              What security issues in E3?

mberning 2 months ago

They have it in some capacity. Most places still have a very significant on-prem or self hosted instance of AD.

  • rejectfinite 2 months ago

    This, a company/person just needs to sign up for Office 365 and then an Azure AD tenant "exists" for them as the Office 365 are in there.

unreal37 2 months ago

Assuming the #1 Google result on page 1 of search is the company's public domain is a flaw.

Some companies use a different domain for corporate use than their public domain name.

Like fb.com

  • homero 2 months ago

    They said that

    One thing to note about these results is that when we get a result that says the company has a tenant, we are nearly 100% correct in that fact. However, if we say that a company does not have a tenant, we are not necessarily correct. It is possible that the google result did not point to their actual domain name, or they are using a different domain name for their AAD Tenant.

    If you wanted to do this really robustly, you would probably want to get a better source for your domain names than automated google search results. You might want to also look at other combinations like “companyname.onmicrosoft.com”, however we are doing just rough estimates here.

  • Eleison23 2 months ago

    Well, you can also spot Facebook when their IPv6 addresses contain :face:b00c:

  • ldjb 2 months ago

    The script also seems to assume that the company's domain name is of the form (foo.bar), which may be a reasonable assumption for the US-based Fortune 500, but won't work so well if trying to replicate this with international companies (which often have domain names like example.co.uk or example.co.jp).

OrvalWintermute 2 months ago

And still, in 2022, we don't have Azure AD replicating the full functionality of an on-premise AD.

  • techwizard81 2 months ago

    That's because the goal of AzureAD isn't to replicate on-premise AD

  • dmarlow 2 months ago

    What about coupling AAD with AADDS?

pid-1 2 months ago

Which products are used by large companies that don't have an AAD / AD structure?

  • kube-system 2 months ago

    On prem AD?

    • jeffmcjunkin 2 months ago

      In contrast, the vast majority of companies with Azure AD also have on-prem AD (full name: "Active Directory Domain Services") with some type of synchronization between them. Usually this amounts to having an on-prem service that schleps password hashes (technically salted, stretched hashed versions of the on-prem hashes) to Azure.
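The "salted, stretched hashed versions of the on-prem hashes" in the comment above can be made concrete. The following is an added example, not Microsoft's connector code: it reproduces the transform Microsoft documents for Azure AD Connect password hash synchronization (NT hash = MD4 over the UTF-16LE password; the 16-byte hash rendered as 32 hex characters, re-encoded as UTF-16LE to 64 bytes; a 10-byte per-user salt; 1,000 iterations of PBKDF2-HMAC-SHA256; 32-byte result). MD4 is implemented inline because hashlib's MD4 is disabled under OpenSSL 3 defaults. Assumed, because the public documentation does not state it: the hex digits are lowercase. The passwords and salts in the demo are constructed.

```python
"""Azure AD Connect password hash sync transform (added example, not Microsoft's code)."""
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib.new('md4') is disabled in OpenSSL 3 by default."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = _rol((a + fn(b, c, d) + x[idx] + k) & MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate roles: next op updates what was d
        state = [(s + v) & MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """On-prem AD stores unicodePwd = MD4(UTF-16LE(password)). Unsalted: equal passwords collide."""
    return md4(password.encode("utf-16-le"))


def sync_blob(nt: bytes, salt: bytes, iterations: int = 1000) -> bytes:
    """Documented PHS transform: 16-byte hash -> 32 hex chars -> UTF-16LE (64 bytes),
    then PBKDF2-HMAC-SHA256 with the per-user salt, 1000 rounds, 32-byte output.
    ASSUMPTION: hex digit case is not stated publicly; lowercase is used here."""
    expanded = nt.hex().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, iterations, dklen=32)


def sync_password(password: str):
    """What the connector would upload for one user: a fresh 10-byte salt and the derived blob.
    The NT hash itself never leaves the on-prem side."""
    salt = os.urandom(10)
    return salt, sync_blob(nt_hash(password), salt)


def verify(password: str, salt: bytes, blob: bytes) -> bool:
    """Cloud-side check at sign-in: recompute from the typed password and compare in constant time.
    Note that anyone holding the on-prem NT hash can compute the same blob without the password,
    so PHS protects against a cloud-side leak, not an on-prem one."""
    return hmac.compare_digest(sync_blob(nt_hash(password), salt), blob)
```

Practical reading of this: a leaked sync blob costs an attacker 1,000 PBKDF2 rounds per guess (after one MD4) and cannot be cracked across users with a shared table because of the salt, whereas a leaked on-prem NT hash costs one MD4 per guess and is directly usable for pass-the-hash against on-prem services. The sync does not change the on-prem exposure at all.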

chayesfss 2 months ago

I’d bet 100% have tenants but only some with names you know? Why wouldn’t they have a tenant, assess the technology and decide how to incorporate?

  • rlv-dan 2 months ago

    Exactly. I know one myself, one of the biggest companies in the world, whose tenant name has no resemblance to their company name. Security by obscurity is not a security feature but it is a barrier...

idiocrat 2 months ago

So many eggs in a basket!

  • mrweasel 2 months ago

    That’s kinda the point isn’t it. Central management of access to everything.

    • benrow 2 months ago

      I initially had the same thought as the parent. From the perspective of so many companies relying on the security of one authentication provider (rather than any one company using AD for all their authentication needs).

      So if AD were to be compromised, that would be significant impact.

      There are of course advantages to such a "single point of failure" such as concerted effort in one place. But one way to mitigate the spof is transparency, and I'm reminded of LastPass versus Bitwarden.

  • x86_64Ubuntu 2 months ago

    They can still have On-Prem failover for domain controllers if Azure has downtime.

petercooper 2 months ago

I know next to nothing about AD, but my company appears to match against this merely because we have an Office 365 account (from which we do nothing except download Word and Excel every now and then) so it doesn't necessarily mean you're using whatever it is much.

  • flumpcakes 2 months ago

    If you have Office 365 you have AAD. If you use pretty much any cloud hosted Microsoft business services, (E# licenses) you are using AAD. If you are using Azure, you are using AAD.

ocdtrekkie 2 months ago

So, I don't see anyone pointing it out here: This doesn't mean they use Azure AD! If you use any Microsoft cloud services at all, you get a "shadow tenant". One employee signs into Teams for a meeting once and there you have Azure AD.

kn8 2 months ago

What is Azure AD used for?

  • mooreds 2 months ago

    It is a directory with a lot of functionality.

    There's actually a number of products under the Azure AD name, including:

    * Azure AD, their employee/workforce solution. It's a directory, authentication and authorization system. Think Okta or AWS SSO. I imagine this is mostly what the survey was tracking.

    * Azure AD B2C, their CIAM solution. Think Auth0, Cognito or FusionAuth (disclosure, I'm a FusionAuth employee).

    * Azure AD EI, external identity management (users outside your org).

    * Azure AD DS, domain services (older Windows focused services). This subsumes a lot of what Active Directory provided.

    And they say AWS has a hard time with naming :).

    You can learn more about each of these here: https://azure.microsoft.com/en-us/products/active-directory/ (click on the "AAD" dropdown).

    • abledon 2 months ago

      > And they say AWS has a hard time with naming :)

      honestly though, Azure's naming strategies do exactly what they say. AWS uses names that are adjacent or completely random (fargate?). i don't even think cognito is a word in the English language[0]

      [0] https://www.merriam-webster.com/dictionary/cognito

      • victor106 2 months ago

        But we prefer a random name than the very closely related confusing technical names that Microsoft throws out.

        • mooreds 2 months ago

          Agreed. Much easier to search Cognito than Azure AD EI :)

  • mrweasel 2 months ago

    Authorization and authentication. Like it or not Microsoft Active Directory or Azure AD (basically the cloud version) works with everything and it’s kinda the only single-signon/shared login solution for enterprises. You can build something yourself with LDAP, Kerberos and maybe Keycloak, but why bother when you more or less need AD for Windows and Exchange anyway.

    • Eduard 2 months ago

      Self-hosted Gitlab instances also can act as authentication services.

      Connecting git with an internal AD/LDAP allows for not requiring Azure AD.

      • jmathai 2 months ago

        This isn’t a solution for enterprises, however.

        • eastbound 2 months ago

          For juniors: Enterprises and even small startups need to comply with their industry’s security certification (PCI, ISO, whatever) which requires traceability of logins (and central revocation when employees quit and provably complex passwords and inability to retry 100 times, etc.)

    • aaronharnly 2 months ago

      We use Okta, currently with on-prem AD, but are whittling away at the use cases for the latter and hope to be AD-free once we solve for RADIUS (suggestions welcome :)

  • technion 2 months ago

    Well if you're familiar with Google Workspace.. you know once you've got email accounts in there then there's a whole lot of user admin you can do?

    Azure AD is just Microsoft's version of that directory. The thing is if you use for example Exchange Online, or even just like Microsoft Office licensing, you've now got Azure AD where the users have accounts. Then I see businesses spend a fortune to integrate Okta or similar products that don't actually add anything given how feature full Azure AD is at this point.

  • SOLAR_FIELDS 2 months ago

    It does a lot of things, but broadly the thing people know it most for is handling roles, permissions and groups for your organization. It’s often the source of truth for things like access and provisioning. Pretty core part of the organization.

  • pid-1 2 months ago

    Active Directory is Microsoft's LDAP[1] server offering. Eventually it got more features and is used by firms to enforce company wide (or group wide) rules like "Every computer must lock after 5min of inactivity" or "Adobe Acrobat must be installed in all computers".

    Azure Active Directory is the cloud version of Active Directory. It has some extra features compared to on prem AD (MFA, SSO with 3rd party apps...) but the whole endpoint management part was moved to another product (Microsoft Endpoint Manager).

    The reason so many companies have an AAD tenant is it is set up automatically when you configure Microsoft 365.

    [1] https://en.wikipedia.org/wiki/Lightweight_Directory_Access_P...

    • cratermoon 2 months ago

      on-prem AD has SSO, it's called Active Directory Federation Services. Compared to Azure AD, the on-prem Federation Services has more features. To give one example, Azure AD does SAML, but it's not fully compliant. We ran into an issue at my last employer when a partner moved from AD-FS to Azure Active Directory and broke the SAML integration. It required us to go back and re-do the federation model from scratch.

  • discordance 2 months ago

    Identity management for companies - SSO for office 365 and your apps/services, multifactor auth, RBAC for whatever company resources etc

dan000892 2 months ago

Presumably this is the same thing whatismytenantid.com does under the hood.

Interesting (to me) is that the OpenID configuration endpoint provides the tenant ID for not only Commercial tenants but US Government (GCC & GCC-High) as well because the Azure AD portal has relatively new functionality to configure cross-tenant access settings by tenant ID or domain name but Gov tenants require you to obtain the tenant ID from the organization which is either security through obscurity or due to use of some Commercial-only Graph API call.

ZiiS 2 months ago

Bet nearly 100% have a fax machine too.

  • bbarnett 2 months ago

    Indeed. And a large corp can be using Azure AD, in one little tiny department, spending 100 bucks a month, and it is on list.

    I bet some of this use is free promo credits.

simonw 2 months ago

I never thought about how the "I'm Feeling Lucky" button on Google can double as an API to return the URL of the first search result before. That's pretty neat.

cloudking 2 months ago

I wrote a similar script once that took company domain names and then looked up their MX records to see if they were using Google Workspace.
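The detection techniques discussed across this thread (the article's "does this domain have a tenant" check via the OpenID configuration endpoint that homero quoted and dan000892 described, ldjb's point that a naive `foo.bar` assumption breaks on `example.co.uk`, and the MX-record approach in the comment above) fit in one small script. The following is an added example, not the article's script or any vendor's code. It assumes the v2.0 OpenID configuration URL on login.microsoftonline.com and its `issuer` / `invalid_tenant` response shapes; the public-suffix list is a constructed partial one (the real list is at publicsuffix.org), the MX provider suffixes are the commonly published Google Workspace and Exchange Online ones, and the sample JSON and `dig +short` lines are constructed. The two `*_live` functions need network access and a `dig` binary; everything else runs offline.

```python
"""Domain -> identity/mail provider fingerprinting (added example, not the article's script)."""
import json
import re
import subprocess
from urllib.error import HTTPError
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Constructed partial public-suffix list; use the real one from publicsuffix.org in practice.
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "edu", "io", "co.uk", "org.uk", "co.jp", "com.au"}
OPENID_CONFIG = "https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration"
ISSUER_RE = re.compile(
    r"^https://login\.microsoftonline\.com/([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})/v2\.0$", re.I)
MX_PROVIDERS = (  # (suffix of the preferred MX host, provider label)
    (".mail.protection.outlook.com", "Microsoft 365 / Exchange Online"),
    ("aspmx.l.google.com", "Google Workspace"),
    (".googlemail.com", "Google Workspace"),
)


def registrable_domain(url_or_host: str) -> str:
    """Reduce a search-result URL to its registrable domain using the suffix list,
    so https://www.example.co.uk/about -> example.co.uk, not co.uk (ldjb's point)."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    host = (urlparse(url_or_host).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    for i in range(1, len(labels)):  # first hit scanning from the left = longest suffix
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host


def parse_openid_response(status: int, body: str):
    """Interpret login.microsoftonline.com's answer for a candidate tenant name.
    Returns (has_tenant, tenant_id_or_reason). A 200 carrying an issuer is near-certain proof of
    a tenant; a 400 invalid_tenant only says THIS name is not a verified domain of any tenant,
    which is exactly the article's one-sided accuracy caveat."""
    data = json.loads(body)
    if status == 200 and "issuer" in data:
        m = ISSUER_RE.match(data["issuer"])
        return True, (m.group(1).lower() if m else data["issuer"])
    if status == 400 and data.get("error") == "invalid_tenant":
        return False, "invalid_tenant"
    raise ValueError(f"unexpected response {status}: {body[:80]}")


def tenant_live(domain: str):
    """Network lookup: try the domain itself, then <first-label>.onmicrosoft.com."""
    for cand in (domain, domain.split(".")[0] + ".onmicrosoft.com"):
        req = Request(OPENID_CONFIG.format(tenant=cand), headers={"User-Agent": "tenant-check"})
        try:
            with urlopen(req, timeout=10) as r:
                return cand, parse_openid_response(r.status, r.read().decode())
        except HTTPError as e:
            found, info = parse_openid_response(e.code, e.read().decode())
            if found:
                return cand, (found, info)
    return None, (False, "no tenant found under either candidate name")


def classify_mx(dig_short_lines):
    """Take `dig +short MX <domain>` lines ("10 aspmx.l.google.com.") and label the provider
    behind the lowest-priority (i.e. preferred) MX host. Returns (host, label)."""
    records = []
    for line in dig_short_lines:
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            records.append((int(parts[0]), parts[1].lower().rstrip(".")))
    if not records:
        return None, "no MX"
    _, host = min(records)
    for suffix, label in MX_PROVIDERS:
        if host.endswith(suffix):
            return host, label
    return host, "other / self-hosted / filtering gateway"


def mx_live(domain: str):
    """Network lookup through the system's dig binary."""
    out = subprocess.run(["dig", "+short", "MX", domain], capture_output=True, text=True, check=True)
    return classify_mx(out.stdout.splitlines())
```

Two caveats the thread already raises show up directly in the code: `parse_openid_response` treats only the positive answer as conclusive, and `classify_mx` will report a filtering gateway (Proofpoint, Mimecast and the like) rather than the mailbox provider behind it, so an "other" result is not evidence of self-hosting.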

computerfriend 2 months ago

I genuinely don't know what AD is used for. If you need SSO, why not just use a SSO/SAML IdP?

  • dmarlow 2 months ago

    What's the source of data and truth for your SSO?

  • mnd999 2 months ago

    OpenID Connect seems like the current popular flavour. SAML seems to be increasingly considered legacy.

    • cratermoon 2 months ago

      Indeed legacy, but you know how Fortune 500 companies are about new technology not directly relevant to their line of business.

      Also, SAML as a spec is really complex precisely because it was created to satisfy a broad range of Enterprise-y requirements. I don't know if OpenID Connect is there yet. It certainly could be, the underlying spec (oauth2) could support a lot of variant complexity, and OIDC supports mobile and there are a lot of extensions available or in progress. https://openid.net/developers/specs/

vondur 2 months ago

I’m assuming if you were a heavy user of on prem AD, then moving to Azure AD is a logical choice.

parkingrift 2 months ago

Bundling is anticompetitive and illegal. The MS ecosystem deserves close antitrust scrutiny.

  • scarface74 2 months ago

    So in that case are the following “illegal”

    - Apple One

    - Microsoft Office

    - Amazon Prime

    - Google GSuite

    - Adobe Creative Cloud

    - Salesforce bundling SFDC with Concur

    • azalemeth 2 months ago

      Honestly, I think the regulators should look at basically all of those things. Here in Europe scrutiny is building and a lot of those organisations do party hard and play loose with the rules. Microsoft is famously anticompetitive, but Adobe, Google and Apple can't be far behind in their respective areas.

      • scarface74 2 months ago

        Really? So you really think companies shouldn’t be able to sell software that works together bundled together? Why stop there? Phones and computers shouldn’t be “bundled” with operating systems? Computers shouldn’t be “bundled” with sound hardware? Where does it stop?

        • cratermoon 2 months ago

          Bundling is fine. Bundling by a company that is a monopoly in the space is (or rather, used to be) a violation of antitrust law. But see Amazon’s Antitrust Paradox, especially sections IIA and IIIB: https://www.yalelawjournal.org/note/amazons-antitrust-parado...

          • scarface74 2 months ago

            So in that case, every cable company is a local monopoly and shouldn’t be allowed to bundle channels. Doesn’t anyone see how silly this sounds in 2022?

            Disney is by far the largest entertainment conglomerate. Should they not be allowed to bundle Hulu, Disney and ESPN?

            Intel has over 80% of the PC market, how much hardware should they be able to bundle on their motherboard?

            And HN has a habit of calling any big company a “monopoly”. Amazon only has 56% share of e-commerce and a tiny share of all commerce in the US.

            But getting back to MS Office, I have three “office suites” right now on my phone - all three made by companies worth 1 trillion dollars - Google, Microsoft, and Apple.

            There is no “monopoly” in the IDP space.

            • cratermoon 2 months ago

              > every cable company is a local monopoly

              A regulated monopoly. Key difference. Although of course today "regulated" is largely a legal fiction. Nevertheless, it's not so simple as pointing out who has the most market share. It's a pretty messy area of the law, and the field is heavily tilted by money, even more so than most areas of the law.

              • scarface74 2 months ago

                It’s not a “messy” area at all. It’s just a misunderstanding of the law. If what you’re saying is truly “illegal”, no court of law has found it so since Office was introduced over 30 years ago.

                What’s more likely, that “bundling” as you define it is illegal and has never been prosecuted in over 3 decades or that you don’t understand the law?

                • cratermoon 2 months ago

                  It's far more likely I don't understand the law, but the discussion had turned from bundling to monopoly and antitrust questions, and I stand by my statements, as confirmed in the source I linked.

    • parkingrift 2 months ago

      They all deserve some scrutiny to determine their legality, yes.

sabujp 2 months ago

even apple's business manager is compatible with AD

  • parkerhiggins 2 months ago

    Apple Business Manager added (beta) support for Google Workspace a few months ago.

not_enoch_wise 2 months ago

This is the answer to the question “why can’t we get rid of passwords?”

  • psanford 2 months ago

    Nah. Azure AD is one of the few IdPs that already supports FIDO2 Discoverable Credentials. You can use Passkeys with it today. You can go passwordless with it today.

    • tialaramex 2 months ago

      Unfortunately, unless this changed too recently for me to know about it, that feature is default off and labelled "Experimental" or something.

      So it's difficult (ask me how I know) for someone who knows way too much about this stuff and has implemented it themselves, to explain to "leadership" why they should change that default.

      • psanford 2 months ago

        I don't know the details except that we've been using it since early this year. The docs don't make it seem like there's anything particularly complicated with enabling it[0][1].

        [0]: https://learn.microsoft.com/en-us/azure/active-directory/aut... [1]: https://learn.microsoft.com/en-us/azure/active-directory/aut...

        • tialaramex 2 months ago

          It isn't complicated it's just one push button - but it isn't the default and so you're going to need to persuade somebody they should turn it on.

          • psanford 2 months ago

            I'm not sure I really follow. In an enterprise setting, giving people the option to opt into fido is fine and good, but it isn't going to meaningfully help lower the risk of phishing for the organization as a whole. To address phishing, organizations need to mandate fido and disable all the weaker forms of authn. That means you're still going to have to convince your leadership to buy into the change anyway. You'll also need a decent sized communication and training campaign to move everyone over to the fido auth flow.

            The technology is the easy part for rolling out fido in the enterprise. The hard part is all the people stuff. (Although this too is getting easier, since a lot of orgs can now roll out fido with existing hardware via platform authenticators.)

  • wil421 2 months ago

    Or you could do the opposite and be like the company I work for. Force everyone to enter an RSA token on every SSO login.

    • cratermoon 2 months ago

      Unless your company is in a high-risk security-sensitive business, they shouldn't. Most companies can accept the low risk of only requiring a second factor sometimes. Usually time-based, but also looking at location and device fingerprint. For example, if you normally log in from your laptop at work in one state and then it sees you trying to log in from a computer in another state (maybe you're visiting family?) it should definitely challenge you.
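The step-up policy sketched in the comment above (challenge on a new device, on a location change, and otherwise only every so often) is the kind of thing that is easy to hand-wave and fiddly to get right. The following is an added example, not any vendor's risk engine: a small decision function that takes the current sign-in plus a history of accepted sign-ins and returns whether to demand a second factor and why. The 12-hour re-challenge window, the 900 km/h impossible-travel threshold, the record fields and the sign-in history are all assumptions constructed for the demo.

```python
"""Risk-based MFA step-up decision (added example; not any product's logic)."""
import math
from datetime import datetime, timedelta

MAX_MFA_AGE = timedelta(hours=12)   # assumed policy: re-challenge at least this often
MAX_SPEED_KMH = 900.0               # faster than an airliner between two sign-ins = impossible travel
MIN_TRAVEL_KM = 50.0                # ignore geo-IP jitter inside one metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in km."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def needs_challenge(event, history):
    """event and history entries: {"user","time","device","region","lat","lon","mfa_passed"}.
    history holds previously accepted sign-ins. Returns (challenge: bool, reasons: list[str])."""
    reasons = []
    prior = [h for h in history if h["user"] == event["user"]]
    # A device is trusted only once it has completed MFA at least once.
    trusted_devices = {h["device"] for h in prior if h["mfa_passed"]}
    if event["device"] not in trusted_devices:
        reasons.append("unknown device")
    if prior:
        last = max(prior, key=lambda h: h["time"])
        hours = (event["time"] - last["time"]).total_seconds() / 3600
        km = haversine_km(last["lat"], last["lon"], event["lat"], event["lon"])
        # hours <= 0 covers clock skew / out-of-order delivery: treat as impossible rather than divide.
        if km > MIN_TRAVEL_KM and (hours <= 0 or km / hours > MAX_SPEED_KMH):
            reasons.append("impossible travel")
        if event["region"] != last["region"]:
            reasons.append("new region")
    last_mfa = max((h["time"] for h in prior if h["mfa_passed"]), default=None)
    if last_mfa is None or event["time"] - last_mfa > MAX_MFA_AGE:
        reasons.append("no recent mfa")
    return bool(reasons), reasons


def _login(user, when, device, region, lat, lon, mfa=False):
    return {"user": user, "time": datetime.fromisoformat(when), "device": device,
            "region": region, "lat": lat, "lon": lon, "mfa_passed": mfa}


# Constructed sign-in history: alice passed MFA from her laptop in New York this morning.
HISTORY = [_login("alice", "2024-06-03T09:00", "laptop-1", "US-NY", 40.7128, -74.0060, mfa=True)]


def demo():
    """Evaluate constructed sign-ins against HISTORY; returns {label: (challenge, reasons)}."""
    cases = {
        "same_desk_later": _login("alice", "2024-06-03T10:00", "laptop-1", "US-NY", 40.7128, -74.0060),
        "flew_to_denver":  _login("alice", "2024-06-03T13:00", "laptop-1", "US-CO", 39.7392, -104.9903),
        "la_new_device":   _login("alice", "2024-06-03T10:30", "desktop-9", "US-CA", 34.0522, -118.2437),
        "first_ever":      _login("bob",   "2024-06-03T10:00", "laptop-7", "US-NY", 40.7128, -74.0060),
    }
    return {name: needs_challenge(ev, HISTORY) for name, ev in cases.items()}
```

The Denver case is the one the comment describes: same trusted laptop, MFA still fresh, but a different state, so it is challenged on region alone while the physics check stays quiet (about 2,600 km in four hours). The Los Angeles case trips the travel check as well as the device check, which is the pattern you would want to alert on rather than merely challenge.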

    • Aperocky 2 months ago

      It doesn't have to be that manual, yubikey etc can just plug and press.

      • wil421 2 months ago

        The company I work for has around 250k employees. I’m sure software RSA is going to be drastically less expensive than yubikey.

        The people making the policies don’t care at all. They are just dotting i's and crossing t's.