Microsoft finally is starting to share publicly its high-level cloud-centric identity management plans, as my ZDNet blogging colleague John Fontana noted last week. That means the semi-mysterious Windows Azure Active Directory (WAAD) service is finally fair game for discussion.

I blogged about WAAD -- Microsoft's cloud version of its Active Directory directory service -- earlier this year. Although Microsoft had a public-facing page about WAAD on its Azure site (which it subsequently removed), officials declined to comment on the technology when I asked in February. And members of the Microsoft cloud community said they were not at liberty to share specifics because of non-disclosure agreements.

But Microsoft has decided now's the time to talk WAAD, possibly as one stage-setter for its June 7 announcement of new Windows Azure features and functionality. TechEd North America, which kicks off on June 11, also will be a venue for more WAAD information, as I noted in February. (After I blogged about the WAAD sessions on the TechEd docket, Microsoft pulled the listings from its TechEd site, but I still believe there will be more information on the topic there.)

Last week's WAAD posts by Microsoft officials were the overviews. Talk of an identity management "reset" and "democratization" of identity management prevailed. One new thing I learned from last week's WAAD posts is that it's not just Office 365 that's already relying on WAAD. According to the Softies, WAAD also is enabling single sign-on for Dynamics CRM Online and the Microsoft Windows Intune PC management cloud wares. WAAD also already is being used by select third-party developers to provide single sign-on and identity management for their Azure-hosted apps, Microsoft execs said.

Microsoft officials are playing up the "social" side of WAAD with promises of future blog posts on how WAAD will allow developers to create apps that connect the directory to other software-as-a-service apps, cloud platforms and social networks. And there will be a mobile angle to WAAD, as well, with promised support for apps running on mobile devices like the iPhone, Microsoft officials said.

At the same time, Microsoft isn't forgetting about the importance of connecting Azure Active Directory to its own on-premises servers.

"Microsoft makes it easy to 'connect' Windows Azure Active Directory with an existing directory. At the technical level, organizations can enable identity federation and directory synchronization between an existing Active Directory deployment and Windows Azure Active Directory," blogged John Shewchuk, a Microsoft technical fellow working in the identity space.

The grand plan sounds good. But there are plenty of questions about Microsoft's latest identity-management reset.

It sounds like Kerberos support is non-existent. How does existing Windows group policy fit in -- or does it? One Gartner analyst said Microsoft's identity and access-management story for mobile is not very robust at present. Maybe Windows Intune 3 and/or the coming management client for Windows on ARM devices, which may be built around Exchange ActiveSync, will help Microsoft shore up its identity management strategy for the bring-your-own-device crowd?