For instance, we are a B2B software vendor in the banking space, and we have to survive all kinds of audits regarding the nature of our code & vendors. By keeping nearly all of our 3rd party items under the Microsoft umbrella, we can automagically skip over vast chunks of our due diligence process (according to the mutual trust equation).

None of our customers is F500 (so far), but we have yet to encounter one who didn't already have AAD, or a willingness to set this up. From a product development perspective, we really prefer having a few known-good ways to do things. Authentication & authorization is one area that I strongly dislike having a large variety of flavors on. Especially considering the nature of our business and ever-increasing demands for complex MFA flows (e.g. SAML). There's been so many fly-by-night operations in this space, and our customers do not have patience for trying new things.

83.4% of 500 is exactly 417. The article is also exact about these numbers. No need to add "around".

Edit: Why was the title editorialized to begin with?

Edit2: looks like the title was updated to the original. Thanks.

That is a big assumption though. A very well known big-four with two letters uses for instance [letters]gs.com ("Global Services") for instance.

85% of big businesses are on the one you don't support.

"Results for the Fortune 500 [to see who's on Azure AD using a] CSV with a list of all the Company Names for all 500 companies. Running it through this script, I find that 417, or 83.4% of companies have AAD, which is just a little off from Microsoft’s public claim of 85%."

https://www.shawntabrizi.com/aad/does-company-x-have-an-azur...

See also this top comment: https://news.ycombinator.com/item?id=33046968

It has similar functionality integrated for discovering if a domain has an associated Azure AD Tenant and enumerating information about users in the tenant, who the "Owner" is and their contact information. As with many Microsoft products there are many configuration options and plenty of them aren't secure by default.

[0] https://o365blog.com/aadinternals/ [1] https://o365blog.com/post/just-looking/

For Google Workspace, a similar URL is: https://www.google.com/a/example.com/ServiceLogin

Could an Okta have a claim against Microsoft similar to Netscape in the late 90's?

And much easier to script too. ;)

They have a commanding position in the enterprise. What’s keeping them from crossing those enterprise boundaries?

Some companies use a different domain for corporate use than their public domain name.

Like fb.com

Interesting (to me) is that the OpenID configuration endpoint provides the tenant ID for not only Commercial tenants but US Government (GCC & GCC-High) as well because the Azure AD portal has relatively new functionality to configure cross-tenant access settings by tenant ID or domain name but Gov tenants require you to obtain the tenant ID from the organization which is either security through obscurity or due to use of some Commercial-only Graph API call.

Here's the perspective from the outside: M$ has billions of lines of code, or more, and they just keep patching their software. They established their way of doing things years ago with DOS and have built on top of that since. That's how the entire industry has done it, but since M$ got so big they can't just refactor things and drop support without a billion people yelling at them, so they keep the old code and just keep patching.

They have so many people banging on their software that most of the failures are caught pretty quickly, but then there are the edge cases that don't fit into daily business activity and M$ gets pwned in that space. Their software is so vast that it doesn't cover their entire decision tree, so on the edges people begin to play around and find things not covered by testing. They might be complicated exploits that tie many things together, but it's not beyond the general public to find them with a little digging. This opens up a full exploit on M$ systems or infrastructure, then they get around to patching it a month or two later.

From the perspective of a CISO this is unacceptable. I prefer my auth software to be explicitly precise.

This might sound crazy to someone who is in an industry where "everyone is doing it", and there appears to be no other way to integrate but with M$. I'll let you know we both feel the same way because it's crazy to use (and pay for) such slovenly designed software.

sso integration when interacting with a fortune 500 will be a minuscule aspect of the arrangement should you get there. an f500 does not simply decide to use your product and do an sso integration et voila. they want a compliance regiment, a custom crafted legal arrangement, risk assessment, probably an onprem discussion, if you’re small enough a straight out purchase discussion. months if not years of negotiation. basically the sso button is the least of your concerns.

Sometimes even within one company, there are multiple 2FA protocols, e.g. using Oracle single sign on for ERP apps but Okta for Citrix and other external facing apps.

Absolutely nothing came of Microsoft bundling IE with Windows in the 90s in the US. There was never a day since IE came bundled with Windows that it wasn’t bundled with Windows . There was never s browser choice initiative - nothing.

Out of all of the anti trust allegations, bundling was the nothingburger. MS was forced to stop making OEMs pay for licenses for all of their PCs whether or not they came with Windows and they were forcing OEMs to not include Netscape, share APIS, and document file formats.

Microsoft Office (bundling) has been a thing since 1990 and today, every single major company bundles products together - Apple, Amazon (Prime), Microsoft, Google, Adobe, Salesforce (SFFC and Concur), etc.

Next up: no, “cable was not ad free when it was introduced”

I've gotten career advice several times to get a GMail instead, because Microsoft was considered out of date and backward (not so much anymore).

Facebook and Google provide "Sign-in with Facebook/Google account" not because they do it out of goodwill, to only make it "easier" or "smoother" to login -- it obviously cost resources on their end to enable such features -- it helps them better identify users and then serve ads. And Google can be really aggressive -- try reddit or Quora.

Apple, on the other hand, tries to sell "login with Apple account" with a different approach: they advertise the "privacy" part of it and how you can hide your email address by using it's sign-in service. And they have a term where login with Apple must be enabled on an app and website if a company has an app on the app store and it supports any other third-party login. In other words, if Reddit supports login with Google on iPhone, it must also support login with Apple ID. This helped the adoption a lot.

For Microsoft, they are relatively late and small in the ad business (for now) so I guess they don't really care about getting more of your information via sign-in services. And they are not on this privacy bandwagon as Apple does. So they really have no incentive for this.

One cannot get an e-mail address without a phone. One cannot get a phone without a credit check. A credit check requires a social security number.

There's actually a number of products under the Azure AD name, including:

* Azure AD, their employee/workforce solution. It's a directory, authentication and authorization system. Think Okta or AWS SSO. I imagine this is mostly what the survey was tracking.

* Azure AD B2C, their CIAM solution. Think Auth0, Cognito or FusionAuth (disclosure, I'm a FusionAuth employee).

* Azure AD EI, external identity management (users outside your org).

* Azure AD DS, domain services (older Windows focused services). This subsumes a lot of what Active Directory provided.

And they say AWS has a hard time with naming :).

You can learn more about each of these here: https://azure.microsoft.com/en-us/products/active-directory/ (click on the "AAD" dropdown).

Azure AD is just Microsoft's version of that directory. The thing is if you use for example Exchange Online, or even just like Microsoft Office licensing, you've now got Azure AD where the users have accounts. Then I see businesses spend a fortune to integrate Okta or similar products that don't actually add anything given how feature full Azure AD is at this point.

Azure Active Directory is the cloud version of Active Diretory. It has some extra features compared to on prem AD (MFA, SSO with 3rd paty apps...) but the whole endpoint management part was moved to another product (Microsoft Endpoint Manager).

The reason so many companies have an AAD tenant is it is set up automatically when you configure Microsoft 365.

[1] https://en.wikipedia.org/wiki/Lightweight_Directory_Access_P...