Overview of Azure Active Directory
- Definition: Azure AD is Microsoft's multi-tenant, cloud-based identity and access management service (renamed Microsoft Entra ID in 2023; the concepts below are unchanged).
- Purpose for IT Admins: Provides Single Sign-On (SSO) to thousands of cloud SaaS apps such as Office 365, Salesforce, Dropbox, and Concur.
- Purpose for Developers: Simplifies integrating applications with a robust identity management system, so authentication is delegated to Azure AD rather than implemented per app.
Benefits and Features
- Single Sign-On (SSO): Secure access to cloud and on-premises apps from one portal.
- Device Compatibility: Works across iOS, macOS, Android, and Windows.
- Secure Remote Access: Publishes on-premises apps (Application Proxy) and protects them with MFA, Conditional Access, and group-based policies.
- Hybrid Identity: Connects on-premises directories to Azure AD (Azure AD Connect) so users, passwords, groups, and devices stay consistent across both.
- Identity Protection: Detects suspicious sign-ins and risky users, flags configuration vulnerabilities, and provides remediation recommendations.
- Self-Service Capabilities: Password reset and group management delegated to users to reduce helpdesk load (and remove the need to disclose passwords to support staff).
- Prevalence: If your organization uses Office 365, Azure, or Dynamics CRM Online, it already has an Azure AD tenant.
Reference: Azure AD Documentation
Key Concepts
- Identity: An entity that can be authenticated (a user, an application, or a server).
- Account: An identity with associated data (attributes, credentials, assignments).
- Azure AD Account: An identity created in Azure AD or another Microsoft cloud service (also called a Work or School account).
- Azure Subscription: A billing container used to pay for Azure cloud services; each subscription trusts exactly one Azure AD tenant for authentication.
- Azure Tenant: A dedicated, isolated instance of Azure AD created for your organization, identified by a tenant ID (GUID) and one or more domain names.
- Azure AD Directory: The users, groups, and apps within a tenant (the terms tenant and directory are used interchangeably).
AD DS vs Azure AD
| Feature | AD DS | Azure AD |
|---|---|---|
| Deployment | On-premises or VM | Cloud-native |
| Protocols | LDAP, Kerberos, NTLM | HTTPS only (SAML 2.0, WS-Federation, OpenID Connect, OAuth 2.0) |
| Structure | Hierarchical (domains, OUs, GPOs) | Flat (users, groups; no OUs or GPOs) |
| Management | Full infrastructure control | Managed service (users, groups, policies) |
| Primary Purpose | Directory service | Identity solution for cloud apps |
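Because Azure AD speaks OpenID Connect rather than Kerberos, an application proves a user's identity by validating a signed JWT rather than a ticket, and because the service is multi-tenant, any tenant in the world can issue a token for a multi-tenant app. The added example below (not Microsoft code) shows the claim checks an app must do: the `tid`, `iss`, `aud`, `nbf`/`exp` and `alg` checks. The tenant and client IDs are hypothetical, and the token is minted locally with a stand-in HS256 secret so the script runs offline; real Azure AD tokens are RS256-signed with keys fetched from the tenant's JWKS endpoint, which is what `verify_signature()` stands in for.

```python
"""Validate the claims of an Azure AD (OpenID Connect) token before trusting it.

Constructed example: the token is built locally with a stand-in HS256 secret so the
script runs offline. Real Azure AD tokens are RS256-signed with keys published at
https://login.microsoftonline.com/{tenant}/discovery/v2.0/keys; swap verify_signature()
for JWKS-based RSA verification in production.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

STANDIN_SECRET = b"offline-demo-secret"  # stand-in for the tenant's RSA signing key
ALLOWED_TENANTS = {"11111111-2222-3333-4444-555555555555"}  # hypothetical tenant IDs this app serves
APP_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # hypothetical client (application) ID


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, alg: str = "HS256") -> str:
    """Build a JWT signed with the stand-in secret (test helper, not part of validation)."""
    header = {"typ": "JWT", "alg": alg}
    signing_input = ".".join(
        _b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)
    )
    sig = hmac.new(STANDIN_SECRET, signing_input.encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{signing_input}.{_b64url_encode(sig)}"


def verify_signature(signing_input: str, sig: bytes) -> bool:
    """Stand-in for RS256/JWKS verification; constant-time compare of an HMAC."""
    expected = hmac.new(STANDIN_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def validate_token(token: str, now: Optional[int] = None) -> dict:
    """Return the claims if the token is acceptable, otherwise raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    # Never trust the header's alg: reject "none" and anything other than what you expect.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if not verify_signature(f"{h64}.{p64}", _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    tid = claims.get("tid")
    # Multi-tenant pitfall: a valid signature only proves *some* Azure AD tenant issued
    # the token. The app must allow-list tid and check iss matches that tenant.
    if tid not in ALLOWED_TENANTS:
        raise ValueError(f"tenant {tid} not allowed")
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        raise ValueError("issuer does not match tenant")
    if claims.get("aud") != APP_CLIENT_ID:
        raise ValueError("token was issued for a different app")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token not yet valid or expired")
    return claims


def is_accepted(token: str, now: int) -> bool:
    """Boolean wrapper used by the demo and tests."""
    try:
        validate_token(token, now)
        return True
    except ValueError:
        return False


def demo_claims(tid: str, exp_offset: int = 3600) -> dict:
    """Constructed claim set mirroring an Azure AD v2.0 ID token; fixed clock for determinism."""
    now = 1_700_000_000
    return {"iss": f"https://login.microsoftonline.com/{tid}/v2.0", "aud": APP_CLIENT_ID,
            "tid": tid, "oid": "user-object-id", "preferred_username": "alice@contoso.example",
            "nbf": now, "exp": now + exp_offset, "ver": "2.0"}


if __name__ == "__main__":
    home = mint_token(demo_claims("11111111-2222-3333-4444-555555555555"))
    print("home tenant  ->", validate_token(home, now=1_700_000_000)["preferred_username"])
    foreign = mint_token(demo_claims("99999999-9999-9999-9999-999999999999"))
    print("foreign tenant accepted?", is_accepted(foreign, 1_700_000_000))
    print("alg=none accepted?", is_accepted(mint_token(demo_claims("11111111-2222-3333-4444-555555555555"), alg="none"), 1_700_000_000))
```

The foreign-tenant case is the one that bites multi-tenant apps in practice: the signature is genuine, the issuer is Microsoft, and only the `tid` allow-list stops an attacker who created their own free tenant from signing in.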
Azure AD Editions
| Edition | Key Features |
|---|---|
| Free | User/group management, SSO across Azure/Office365/SaaS |
| Office 365 Apps | Free features + identity and access management for Office 365, MFA, group access management, company branding |
| Premium P1 | Free + hybrid identity (Azure AD Connect write-back), dynamic groups, Conditional Access, self-service password reset for on-prem users |
| Premium P2 | P1 + Identity Protection (risk-based policies), Privileged Identity Management (just-in-time admin roles), access reviews and other governance features |
Reference: Azure AD Pricing
Azure AD Join
- Purpose: Provides SSO to devices, apps, and services; allows Windows devices to join Azure AD directly, with no on-premises domain required.
- Benefits:
  - Enterprise SSO to cloud apps
  - Roaming user settings
  - Access to Microsoft Store for Business
  - Windows Hello support
  - Conditional Access based on device compliance
- Device Connection Options:
  - Register: Creates a device identity in Azure AD for authentication and Conditional Access. Typical for personal (BYOD) devices: the user signs in to the device with a local or personal account and adds the work account.
  - Join: Adds all registration benefits and allows sign-in to the device itself with the organizational (Azure AD) account. Typical for corporate-owned devices.
- Check: run `dsregcmd /status` on the device; `AzureAdJoined : YES` indicates a joined device, while a registered device shows `AzureAdJoined : NO` with a work account listed under the user state.
- Reference: Introduction to device management
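The "Conditional Access based on device compliance" benefit is realised as a Conditional Access policy, which in automation is a JSON body sent to Microsoft Graph (`POST /identity/conditionalAccess/policies`). The added example below (not Microsoft's code) builds a policy that requires MFA and a compliant device for all users, and lints it for the classic failure mode: a policy scoped to All users with no excluded emergency-access account locks every administrator out. The break-glass account object ID is a hypothetical placeholder; the schema fields (`conditions.users`, `conditions.applications`, `clientAppTypes`, `grantControls`, `state`) are the real Graph ones.

```python
"""Build and sanity-check a Conditional Access policy body for Microsoft Graph
(POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies).

Added example, not Microsoft code. The policy requires MFA AND a compliant device for
all users and all apps; the break-glass account below is a hypothetical placeholder.
"""
import json
from typing import Dict, List

BREAK_GLASS_OID = "00000000-0000-0000-0000-00000000b1ee"  # hypothetical emergency-access account


def build_policy(name: str, exclude_users: List[str], enforce: bool = False, operator: str = "AND") -> Dict:
    """Grant controls joined with 'AND' must all be satisfied (MFA *and* compliant device).
    New policies start in report-only so their impact is visible in sign-in logs first."""
    return {
        "displayName": name,
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(exclude_users)},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": operator, "builtInControls": ["mfa", "compliantDevice"]},
    }


def lint_policy(policy: Dict) -> List[str]:
    """Return the findings a reviewer would raise before this body is POSTed."""
    findings = []
    users = policy["conditions"]["users"]
    grant = policy["grantControls"]
    if "All" in users.get("includeUsers", []) and not users.get("excludeUsers"):
        findings.append("targets All users with no exclusions: lock-out risk, exclude a break-glass account")
    if BREAK_GLASS_OID not in users.get("excludeUsers", []):
        findings.append("break-glass account is not excluded")
    if grant["operator"] == "OR" and len(grant["builtInControls"]) > 1:
        findings.append("operator OR lets a user satisfy any single control; use AND to require all of them")
    if policy["state"] == "enabled" and "compliantDevice" in grant["builtInControls"]:
        findings.append("enforcing a compliant-device requirement: confirm every in-scope device is enrolled in Intune first")
    return findings


if __name__ == "__main__":
    draft = build_policy("Require MFA and compliant device", exclude_users=[])
    print("draft findings:", lint_policy(draft))
    reviewed = build_policy("Require MFA and compliant device", exclude_users=[BREAK_GLASS_OID])
    print("reviewed findings:", lint_policy(reviewed))
    print(json.dumps(reviewed, indent=2))  # body to send with Policy.ReadWrite.ConditionalAccess permission
```

Keep the break-glass account out of every policy, give it a long random password stored offline, and alert on any sign-in by it; that is the only path back in if a policy misfires.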
Azure Multi-Factor Authentication (MFA)
- Purpose: Requires a second authentication factor in addition to the password, so a stolen or guessed password alone does not grant access.
- Authentication Factors:
  - Something you know (password)
  - Something you have (trusted device, phone, or OATH token)
  - Something you are (biometrics)
- Implementation (second-factor methods):
  - Phone call
  - Text message (SMS)
  - Mobile app notification (push approval)
  - Verification code from mobile app (time-based one-time password, OATH TOTP)
- Benefits:
  - Strong authentication
  - Threat detection and alerts
  - Integration with SaaS apps and Azure admin accounts
- Caveat: phone call and SMS are the weakest methods (SIM swap, interception, social engineering of the carrier); prefer app notifications with number matching, or a FIDO2 security key, and enforce MFA for all administrator accounts first.
- Reference: Azure MFA
Self-Service Password Reset (SSPR)
- Allows users to reset or unlock their own passwords without helpdesk support.
- Configuration:
  - Enable for none, selected groups, or all users
  - Select the number of authentication methods required to reset (one or two)
  - Methods: email, mobile phone (text or call), office phone, mobile app (notification or code), security questions
- Security tips:
  - Administrators can always reset a user's password from the portal regardless of SSPR settings; administrator accounts themselves are always enabled for SSPR, must present two methods, and cannot use security questions.
  - Security questions are the weakest method (answers are often guessable or discoverable from public profiles); require two methods where possible and prefer app or phone verification.
  - Register users before they need a reset (combined registration prompt) and review the SSPR audit logs for resets on privileged accounts.