Azure Active Directory (AD) is Microsoft’s cloud-based identity and access management (IAM) cloud service. Azure AD is generally seen as a move from on-premises IAM to the cloud. Learn more about Azure AD here.
Microsoft Azure Active Directory (Azure AD, AAD, Entra ID, etc.) is a cloud IAM (Identity Access Management) service that allows administrators to manage end-user accounts, identities, and devices, among other entities. Several main services make up the core service – access management, directory, and access identity protection.
Azure AD is generally described as ‘Active Directory in the cloud’. Each company has its own tenant to administer users and resources. Resources and employees are automatically protected from outside attacks via default security settings. If this is your focus, I plan to write another article solely based on Azure AD security. Watch for it.
Security has been one of the main focuses of Azure AD over the past ten years or so. Microsoft announced and released several security measures including secure sign-in, and multifactor authentication (MFA) to protect your users.
Every customer of Microsoft 365 uses Azure AD inherently. It is the backbone of all identity and authentication services across the M365 stack of applications and services.
One important aspect of Azure AD is its ‘Platform as a Service’ (PaaS) benefits. Microsoft handles all the infrastructure instead of that responsibility being on you as a business owner or IT Pro. I’ll cover more on this subject next.
The biggest difference between the two is that Windows Server Active Directory requires you to build and support servers to host the Active Directory Domain Services (AD DS) role. IT Pros need to manage the security, patching, lifecycle of software and hardware, etc. Azure AD, being a cloud-based service, runs on its own. Microsoft takes much of the responsibility for management and security.
Although the two services handle similar functions – managing users, authentication, and application management – the underlying technologies are rather disparate. They use completely different protocols and code bases.
Here are the key differences:
If you’re interested in the possibility of ‘upgrading’ from Windows Server AD to AAD, there are many reasons this is not feasible.
The Active Directory Certificate Services (ADCS) role in Windows Server does not have a counterpart service in Azure AD. However, if your company uses client authentication certificates to access, for example, corporate WiFi, you can look into other options. For instance, if you use Cisco ISE, you can use that to directly integrate with MS Intune to handle the enrollment and compliance processes.
Always working to make transitions easier for their customers, Microsoft has recently announced a few related services in public preview. For example, certificate-based authentication (CBA) is an authentication method that allows users to log in directly with X.509 certificates against their Microsoft Entra ID (Azure AD) identities.
In addition, Microsoft Intune has certificate services in preview form. This enables users to authenticate and secure access to VPN, WiFi, or other email profiles using certificates.
Because these features are at the ‘public preview’ stage, it is a very good sign that Microsoft is trying to close the ‘feature gap’ between all things Windows Server AD and AAD.
This one is a little more nuanced. Active Directory Federation Services (ADFS) offers single sign-on services in your on-premises environment. But it solely works inside your network (LAN). Azure AD handles similar functions in the cloud.
Let me mention a few features in Azure AD that replace some functionality in ADFS:
No, Azure AD doesn’t natively support Kerberos authentication. However, you do have a clear option – Azure Active Directory Domain Services (Azure AD DS).
So how does this web-based cloud service tick? Let’s find out. I’ll go into greater detail here on the most important features and services it offers.
In terms of Azure AD’s identity and access management (IAM) features, it is a secure online store for users and groups. When one of your users logs into Office 365 via office.com, Azure AD provides the authorization and authentication engineering behind that interaction.
Azure AD Groups offer similar functionality to AD Groups – security-based application access and distribution list-based email delivery.
Note – you can synchronize your users and groups from AD to Azure AD using Azure AD Connect or Azure AD Connect cloud sync. I’ll show you more details later.
As I just mentioned, Azure AD offers authentication and authorization to allow your users to access Platform as a Service (PaaS) examples like Word Online, Excel Online, Sharepoint Online, etc. Through SSO, Conditional Access Policies, and multifactor authentication, your users can securely and safely log into your tenant to avail themselves of all your tenant’s vast resources of gold and fortune.
This is a feature that allows your users to reset their Azure AD passwords themselves. Through a series of ‘checks and balances’, users verify who they are via security methods that are initially set up before the feature is enabled.
This service provides a range of benefits including a reduction of help desk calls and loss of productivity when your users are locked out.
Once you taste how wonderful this is after initial testing, you’ll never go back. Your users are blessed with the ability to use a single set of credentials to log into on-premises AD and Azure AD / Office 365 apps and services. When you utilize Azure AD Connect, their AD password ‘passes through’ to their Azure AD user account, automatically. When they change their on-premises password, it is also updated (kept in sync) in Azure AD.
Interestingly, this article does a very good job of describing what a hybrid Active Directory deployment is. Let me offer you some bullet points that help explain the ‘hybrid’ aspect of this scenario.
This is vital. Every organization should have this enabled, including yours. This is not hyperbole. If a threat actor or hacker retains one of your user’s login credentials, they have free reign to hack into the account. Often, passwords are not created as securely as you would hope.
This is where multifactor authentication comes in. This offers a second factor users use to sign into Azure AD and Office 365 services. Users can use push notifications to the Microsoft Authenticator app on their mobile devices, and receive a phone call or text to their mobile devices, among other authentication methods. This should be one of the first things you implement when setting up a new Azure AD tenant.
This is also at the top of my ‘you need to use this feature’ list. Instead of allowing almost any password for your users, you can use Password Protection’s feature list to secure your user’s login events.
Azure AD offers passwordless authentication, a feature that allows your users to use other forms of authentication like biometrics, security keys, or mobile devices.
You can utilize these features to achieve passwordless authentication.
Azure AD offers a robust and efficient module for reporting on security and usage from your users. Activity Logs, Sign-In Logs, and Audit Logs all offer a ‘paper trail’ for all of your users’ activity online in Azure AD and Office 365.
The Usage and Insights report provides an application-centric view of your sign-in data and includes a report on authentication methods. With this data, you can find answers to questions like: What are your top applications used in your org? What users have the most failed sign-ins? What applications haven’t had a successful log-in for 30 days or more? These can all be answered quickly and securely to assist your IT Pros with managing the lifecycle of applications and onboarding/offboarding efforts.
Azure AD Join is ‘essentially’ the counterpart to joining a computer to an Active Directory domain. When you join a device to Azure AD, you gain the following benefits:
Another similar method to ‘joining’ a device to Azure AD is what’s called ‘Azure AD Registration.’ This process registers a device in Azure AD and sets it up for ‘light management.’ Azure AD Join is typically designed for corporate-owned devices and Azure AD Register is for Bring Your Own Device (BYOD)-type device and does not offer all the management features in Azure AD/Intune.
I mentioned this briefly earlier. Azure AD Domain Services provides a fully managed domain built on Active Directory Domain Services (AD DS). This offers organizations the ability to use Active Directory in a trial or robust environment in the cloud.
Azure AD DS seamlessly integrates with Azure AD, allowing enterprises to leverage their existing Azure AD identities and passwords. Group Policy support is included. LDAP and Kerberos authentication are also offered.
The biggest perk is offering organizations applications or services that depend on Active Directory without needing to build and support an on-premises AD environment. You can let Microsoft manage all of your domain controllers, DNS servers, etc.
Azure AD Business to Business allows your organization to securely and efficiently communicate with external parties and guests. Applications and resources can be shared through intricate and granular controls to allow for more flexible communications between your users and guests.
One idea I want to get across here – Azure AD B2B is not a replacement or a transition from AD FS or other federation technologies from on-premises to the cloud. This is a secure method of bridging your users with approved and trusted guests, and external parties, to communicate seamlessly amongst your user groups.
Azure AD B2B simplifies collaboration and shared resource access by allowing external users to log in with their credentials. In addition, external guests can use single sign-on to access their native resources and your organization’s shared resources.
There are four pricing tiers related to Azure AD. Free, Basic, Premium P1, and Premium P2. Here are some high-level details of each.
Pricing Level | Features | Pricing |
---|---|---|
Free | Up to 50,000 user accounts, Single sign-on (SSO) for up to 10 apps, user provisioning, and basic reports. Ideal for SMBs and very small companies. MFA and Azure AD Connect are available. | Free |
Basic | SSO for unlimited apps, self-service password reset, and group access management. B2B collaboration. | $1 per user per month |
Premium P1 | All Basic features, conditional access, identity protection, and advanced reports | $6 per user per month |
Premium P2 | All Premium P1 features, Azure AD Identity Protection, and Privileged Identity Management | $9 per user per month |
Please note – this is a high-level summary and the pricing will vary due to the nature of your company’s agreement with Microsoft.
In conclusion, Azure AD, transitioning to Microsoft Entra ID in name only, is a comprehensive and secure cloud-based identity and access management service provided by Microsoft Azure. Azure AD facilitates secure authentication, seamless single sign-on experiences, and efficient management of user identities across a variety of applications and services.
There are many features and corresponding services that help assist you in your overall path from on-premises Active Directory to Azure AD. Azure AD Connect cloud sync is a perfect example that helps to securely provide an easier end-user experience to get their jobs done.
Please feel free to leave a comment or question below. Thank you for reading!