Azure Active Directory - A Quick Overview
Azure AD is a cloud based directory and identity management service. You can think of it as an IDaaS (Identity as a Service) solution. All Microsoft Online business services rely on Azure AD. If you have subscribed to Office 365 or Microsoft Azure, you already have the free version. A total of 4 versions are available for Azure AD... Free, Basic, P1 & P2. For version comparison, please click here.
The most important aspects of Azure AD are listed below.
Highly reliable directory services
It is a multi-tenanted, geo-distributed and highly available solution that you can absolutely rely on. It runs out of 28 data centers across the world with automated failover. You'll be happy to know that even if a data center goes down, copies of your directory data will stay alive in at least two more regionally separate data centers and will be always available.
Identity management and governance
With Azure AD, the enterprise administrators can ensure user and administrator accountability like never before. It is easy to configure, and can provide a bunch of benefits like:
- Easy integration with on-premises Active Directory.
- Synchronization of on-premises AD user data with Azure AD.
- Multi-factor authentication for added security.
- Lower help desk costs due to self-service password reset.
- Reduced admin overhead due to self-service group & application management.
- Privileged identity management to allow just-in-time & just-enough-administrator access.
Application Access Management
Put simply, single sign-on means being able to access all of your applications using a single user account. Once signed in, you can access all your registered applications without authenticating again. It increases productivity and there are thousands of applications like SalesForce, AWS, Office 365, Cisco Webex, and Docusign that can use single sign-on out of the box. You can add your own applications too. With Azure Application Proxy, you can allow remote access to your on-premises applications without the need of a reverse proxy or a fancy firewall!
Standards based access control for Developers
As a developer, you can focus on building application quickly, without worrying about complications related to identity management. The application can have robust access control mechanisms in place that can be controlled via centralized policies and rules. It's possible to query Azure AD, but instead of using LDAP you must use a REST API called Microsoft Graph. Earlier you could have used Azure AD Graph API, but of late, Microsoft has been concentrating more on Microsoft Graph and it makes more sense to use Microsoft Graph than the older version of the Azure Graph API. Using the API, you can easily do things like:
- Create a new user in the Directory.
- Get detailed properties of the objects.
- Update user's properties, like location, phone number, etc.
- Disable the user's account.
- Make changes on Groups and Applications.
- Use JWT tokens to authenticate users.
- Provide role based access control (RBAC) using Security Groups.
- Check for changes in directory using Differential Queries.
- Extend your directory so that more attributes could be added for consistent use across organization.
- Get real time updates on rescheduling based on meeting responses.
- Notify users about file modifications.
- And many interesting and productive workflows..
Frequently Asked Questions
How to synchronize On-Premises AD Users with Azure AD?
You can use Azure AD Connect to connect & synchronize your on-premises AD to Azure AD.
What is the relationship between Azure subscriptions and Azure AD?
Every Azure subscription has a trust relationship with Azure AD instance. Multiple subscriptions can trust the same directory, but a subscription trusts ONLY ONE directory. Read more
What is the relationship between Azure AD, Office 365, and Azure?
Azure AD provides you the common identity and access capabilities to Office 365, Azure, Intune, Dynamics, and other Microsoft SaaS solutions. Azure AD comes free if you already have Office 365, Azure Subscription or Microsoft Dynamics 365. There are a total of 4 flavours of Azure AD.
How difficult is implementing SSO between different systems?
Not very! A lot of fairly modern systems provide an out-of-the-box solution for SSO and the developer APIs help achieve the rest.
We are not comfortable synching passwords to Azure AD. Is it possible to integrate without synching passwords?
Yes. You do not need to synchronize your AD passwords to Azure AD. In a federated environment, Azure AD SSO relies on the on-premises directory to authenticate a user.
What can Attosol do for you?
With our vast experience in Identity & Security space, we can help put in place an end-to-end solution based on Azure AD. Few things we'd like to call out are:
- Setup AAD Connect to synchronize users from on-premises AD to Azure AD, with password write back.
- Setup Azure Multi-Factor authentication & conditional access policies for critical applications.
- Setup automated provisioning to SaaS applications from both Microsoft & other vendors.
- Roll out Self-Service capabilities for password reset, groups & application management.
- Setup Azure Application Proxy for providing SSO to internal web applications.
- Publish applications to MyApps portal for seamless access.
Also, don't forget to check out our services for your software and consultancy requirements.
Well, stay tuned for upcoming articles. You may contact us at firstname.lastname@example.org for your software and consultancy requirements.