New Azure AD Admin Experience
This post will discuss the recent launch of a preview Azure AD administration experience in the Azure Portal.
Azure AD — Not What You Think It Is
Based on my day-to-day dealings with potential customers of Microsoft cloud services, few people understand what Azure AD is. Most people hear the name and assume that Azure AD is a cloud alternative to running on-premises domain controllers; they think that they can join Windows 7 PCs to this domain and get Group Policy. Sorry; but that’s not what Azure AD is.
Azure AD is a cloud extension of Active Directory for SaaS applications. For example, Azure AD is the username & password hash store for signing into all of Microsoft’s SaaS applications, including Office 365 and EMS, and is used for authenticating and authorizing usage of an Azure subscription. We can also use Azure AD for enabling single sign-on into third-party clouds, such as Google Apps and AWS.
What is “Inside Microsoft Teams”?
“Inside Microsoft Teams” is a webcast series, now in Season 4 for IT pros hosted by Microsoft Product Manager, Stephen Rose. Stephen & his guests comprised of customers, partners, and real-world experts share best practices of planning, deploying, adopting, managing, and securing Teams. You can watch any episode at your convenience, find resources, blogs, reviews of accessories certified for Teams, bonus clips, and information regarding upcoming live broadcasts.
Microsoft has grown Azure AD to offer more on top of on-premises AD; if you want self-service sign-in, self-service group management, proxied access to IIS-based internal applications, auditing, and more, then Azure AD (probably one of the per-user licensed Premium SKU upgrades) is the path to take.
Those of us working with newer Microsoft cloud systems have had a problem with Azure AD. Microsoft has 2 UIs for managing Azure. The first is the older Management Portal; this portal, which is no longer being developed, includes the original experience for managing Azure AD. The second Azure UI is the newer Azure Portal, which is evolving on a daily basis; up until recently the only trace of Azure AD in this portal was a hyperlink that launched the older Management Portal in a new browser tab.
OK, so I need to use two portals, but that’s not a big issue … unless you have use the Cloud Solutions Provider (CSP) channel to acquire Microsoft cloud services. This channel does not support Azure Service Management (ASM), and therefore does not support the older Management Portal. If we wanted to manage Azure AD for a customer that subscribed to Office 365 or Azure via CSP, then we had these options:
- Use the MSOL PowerShell module
- Use basic user/group management via the Office 365 portal
- Sign into another non-CSP Azure subscription with a Microsoft Account with global admin rights and import the CSP customer’s Azure AD directory
The New Azure AD Experience
Microsoft finally announced a preview of Azure AD administration in the Azure Portal. This is a preview and displays many of the traits of cloud development. The UI works pretty well in my usage — there are some bugs and it is incomplete. Microsoft is focusing on getting core tasks operational and working well; other tasks will be added over time.
The Azure AD experience uses a graphical implementation of the blade system used in the Azure Portal. You are greeted by a big bright overview screen when you open the tool, full of useful links and quick start tasks. If you want to learn about Azure AD Connect (and you should), then it’s there. If you want to brand the end-user experience with company art and logos, then the link is there. If you want to add/find a user/group, then there are handy quick links.
There are some bugs and it is incomplete (now), but I have already switched to using this experience by default instead of the Management Portal, for a few reasons:
- The Management Portal is the past and I try to use only PowerShell and the Azure Portal
- I work for a CSP Tier 2 distributor, so my customers cannot use the Management Portal
- The new experience is pretty good — it makes delegation of admin rights to users in external directories much easier to deploy than the older interface. You no longer need to import a CSV file full of account details from an external directory; you just type in the UPN of the external user account in Add User.
If the past is anything to go by, then I’m sure that the Azure AD blades will be very different by the time the feature reaches general availability — with customer feedback and added tasks shaping the administration experience. My advice is that you start using it where you can and give feedback to shape the tool to fit your needs.