↑ Back to top
Managing identity is a big challenge in today’s heterogeneous IT infrastructure, where user can log on from anywhere, which includes corporate network, partner network, public cloud, private cloud etc. Also, users can use different types of devices to login which includes desktop, laptop , mobile to name a few. Without a central authentication and access management source, it is very difficult to manage who can login to what, and who can do what with these resources.
Azure Active Directory (AD) is the Microsoft’s way to encounter this challenge.
Azure Active Directory is the Identity and Access Management (IAM) solution offered by Microsoft.
Azure AD can authenticate accounts from different sources, which are as follows:
It is important to understand that Azure AD is not a replacement of on Premises Active Directory, which is shipped with Microsoft Windows Server. Let’s discuss some of the key differences between on Premises AD and Azure AD.
If an Azure subscription expires, access to all the resources associated with that subscription would also be blocked. However, there would be no impact in corresponding Azure AD to which the subscription was pointing to , and it can be re used by associating the same Azure AD directory with a new subscription.
For more details, please refer this article.
There are four different editions available for Azure AD, which are as follows:
Important points regarding Azure AD Editions:
The below image captures the features offered by different editions. However, as Microsoft keeps on adding new features , we recommend to refer this link for the up to date information.
While discussion Azure AD, it is worth covering the topic of Azure MFA.
Multi Factor Authentication (MFA) enhances the security, by enabling more than one verification method while authenticating user sign-in.
Typically, password verification is the most common way of authentication. However, it is recommended to use more than one authentication method rather than just relying on password verification. Using Azure MFA, we can deploy two step (or more) verification solution.
Additional Verification method includes:
Azure MFA (Full Version) can be deployed either in the cloud or on-premises.
Based on the requirement and deployment scenarios, there are different versions available for Azure MFA:
Azure AD B2B is an additional feature which is available in all Azure AD editions, including Free Edition. This feature allows an organization to invite users from other organizations to share application, documents and other resources. Also, developers can use Azure B2B APIs to develop applications which can be used in a collaborative way across multiple organizations.
For Example, Organization A is using an Azure AD Tenant A in Subscription A, and Organization B is using an Azure AD Tenant B or any other IAM solution. Now organization A has deployed an Application A , which is using Azure AD A for Authentication. Organization A wants that users from Organization B can access Application A ,using their existing accounts.
There are multiple advantages of Azure B2B, and the key advantages are as follows:
For more information on Azure B2B, please refer this article.
Azure AD B2C (Business to Consumer) is a separate service from Azure AD.
The main purpose of Azure AD B2C is to allow organizations to build a cloud identity directory for their customers. This means, customers can login using their existing email ID, or using their social media account. There are multiple advantages of this model, which are as follows:
For more information on Azure B2C, please refer this article.
As mentioned earlier, on premise AD is not mandatory for Azure AD deployment. However, organizations who already have on premises Active Directory implemented would like to integrate that with Azure AD.
The benefit of integrating on premises AD with Azure AD is, users / services can use their on premises credential to login to Azure AD / Office 365 or any other cloud based SaaS services which are getting authenticated to Azure AD.
Microsoft recommends to use Azure AD Connect tool , to integrate on premises Active Directory with Azure AD and Office 365. Previously, Microsoft released many other tools for this purpose which included DirSync and Azure AD Sync, however Microsoft strongly recommends to depreciate all those tools and upgrade to Azure AD Connect.
Azure AD connect is a free tool, and synchronizing users to Azure AD is a free feature which does not need any paid subscription.
There are three major components of Azure AD Connect, which are as follows:
Azure Active Directory Connect synchronization services is the main component of Azure AD Connect. This component is responsible for the synchronization between on premises and Azure AD.
The sync service consists of below two components:
On Premises: Azure AD Connect Sync (Sync Engine) Azure AD side: Azure AD Connect sync service
Azure AD Connect also offers a solution for federated login, using on premises ADFS. If an organization has already deployed ADFS, they can leverage this feature once they integrate on premise AD with Azure AD.
Azure AD Connect Health can monitor on premises Active Directory Domain Controllers, ADFS Servers and synchronization services. Please note that this service is different from Azure AD health Monitoring service.
To deploy Azure AD connect, we need to download the Azure AD connect software from Microsoft web site, and then we need to install it to a server, called as Azure AD Connect Sync Server. The Sync Server is typically installed on premises.
Azure AD Connect can be initially installed in Staging Mode, to assess the impact. In Staging Mode, it will import all credentials from on premises AD, but will not export to Azure AD.
For more information on staging mode deployment and Disaster Recovery, please refer this article.
To know the prerequisite of installing Azure AD Connect, please refer this article.
Please note that we cannot use more than one Azure AD Connect sync servers to connect to a single Azure AD tenant. Even if we need to connect multiple on premises AD Forests to a single Azure AD tenant, we need to use a single Azure AD Sync Server. If these forests are in different locations and different network, we may need to place the sync server in DMZ Network, so that all forests (and Azure AD) can access the sync server through required ports.
Azure AD connect supports many topologies, please refer to this Microsoft article for more details.
There are two different types of installation for Azure AD connect:
There are multiple ways to configure, how a synchronized on premise user signs in to Azure AD
These options can be configured using Azure AD Connect.
Password Hash Synchronization (PHA):
Pass-through authentication (PTA):
Federation with ADFS:
Do not configure:
For more information on Azure AD user sign in options, please refer this URL.
Azure AD Seamless SSO feature enables users to access cloud based resources from corporate network, without typing their credential.
If user is within corporate network, and trying to access some cloud based resources (Azure/O365/ other SaaS), they do not need to type their credential if this feature is enabled. However, if the same user would access the same resource outside corporate network, they need to type their credential.
Please note that seamless SSO feature is not applicable if we are using ADFS, as ADFS itself will provide the SSO feature. Azure AD seamless SSO is applicable for Password Hash Synchronization or Pass-through Authentication.
Seamless SSO feature can be enabled during Azure AD Connect installation, or after the installation. During installation, we need to check the option “Enable Single Sign-on” to enable this feature. If we want to enable it post installation, we need to go to “Change user sign-in” page and enabled seamless SSO.
For more details on seamless SSO please refer this link
Each Azure AD implementation comes with an initial domain name. The format of the initial domain name is domainname.onmicrosoft.com. By default, this is the primary domain name, which means all the user accounts are created with this domain name.
However, organizations typically have their corporate domain name which is globally registered, and which they want to use along with Azure AD. It is possible to add additional domain name to Azure AD, and make that domain name primary. While adding custom domain name, Azure will verify whether the domain name is owned by that organization. For the verification to be successful, we need to go to our DNS zone and update a DNS entry provided by Azure. Verification sometime takes time, and once the verification is successful, the domain status will be displayed as “Verified” in Azure AD portal.
Microsoft states that we can add up to a maximum of 900 managed domain names. If we are configuring all of these domains for federation on-premises with Active Directory, then we can add up to a maximum of 450 domain names in each directory.
Most organizations prefer to use non routable domain names (or internal domain names) which cannot be resolved outside the corporate network. If a company is using an internal domain name corp.org, then the UPN (user principle name) of user would be userid@corp.org.
This configuration is fine for internal use, but when we need to integrate with Azure AD, we need to use a routable domain name which can be resolved globally, and which Azure can verify. For example, we would like to use the domain example.com with Azure AD, although current UPN Suffix is userid@corp.org. Also, for many organizations, user UPN and their email addresses are different, due to the fact that AD Domain and Mail Domains are different.
By default, Azure AD connect uses the attribute “userPrincipalName” to very an on premise account, however it also gives us option to use any other attribute, for example “mail’ attribute. If the value of the userPrincipalName attribute doesn't match to any verified domain in Azure AD, then Azure AD replaces it with a default .onmicrosoft.com UPN suffix.
Some of the common solution includes
For more information on this topic, please refer this URL.
Password write back feature is available in Azure AD premium editions, and can be configured through Azure AD Connect.
With this feature, Azure AD can write backs passwords to on premises AD. User can update their password through self-service portal from Azure AD or O365, and the updated password is synced immediately to on premise AD. This feature is compatible with Password Hash Synchronization, Pass through authentication and ADFS.
Also, when a user resets password in Azure portal, password write back feature enforces that the new password complies with on premises password policy, in terms of password complexity, history, length , age and any other parameters which are defined in ADDS.
This feature is not supported for user accounts that exist within protected groups in on-premises Active Directory.
For more information on password write back, please refer this link.
With the advent of cloud computing and mobile devices, users would like to use the corporate infrastructure from any place, from any device and at any time. This poses a challenge to comply with security and protect the IT assets of the organization.
The best possible solution for this problem is to allow the users to access company resources from anywhere, through their devices (or through company provided devices), at the same time to have some control on those devices.
Azure AD offers two such features for device management
Registering a device to Azure AD creates an identity of the device in Azure AD. Once the device is registered in Azure AD, we can configure a feature called device based conditional access, which would allow login to Azure AD only through a trusted device.
Device Registration feature is suitable in the BOYD (Bring Your Own Device) scenarios, where users can log in using their personal device which is registered in Azure AD. Some of the key benefits of Azure AD Device Registration are :
It supports Windows, Android and IOS devices. We can also use MDM in conjunction with Device Registration feature to impose more control on managed devices.
Azure AD join offers all the features which are offered by Azure AD Device Registration, in addition there are few additional features. Azure AD join is primarily beneficial to manage and control corporate owned devices.
Azure AD join offers few additional features, which include:
Unlike Device registration which supports multiple platforms, Azure AD Join only supports Windows based devices.
This Microsoft Blog compares these two features in great detail.
In addition, we can refer this link for more information on Azure Device Registration.
Traditionally, when users need to access company resources from outside, they typically login to VPN and access those resources. However, nowadays users are not only accessing company resources from their laptop, but also from their mobile devices and from various other devices. In such a scenario, we need a solution which is easy to use and at the same time comply with organization security standard.
Azure Active Directory Application Proxy offers one such solution. It provides single sign-on (SSO) and secure remote access for web applications which are hosted on-premises. Once implemented, these applications are integrated with Azure AD and users can access these web applications from outside, the same way they access O365 and other SaaS based applications. We do not need to deploy VPN or any other complex infrastructure to facilitate this.
There are two components of Azure AD Application Proxy
For more information on Azure AD Application Proxy, please refer this link.
We discussed earlier that Azure AD does not support protocols like Kerberos, NTLM and LDAP. This can be a problem for legacy applications, which use these protocols for authentication and directory browsing.
In addition, some applications may have some additional requirement like Domain Joined and Group Policy, which are not available in Azure AD.
Migrating these applications from on premises Ad to Azure AD would be a challenge because of these compatibility issues. One possible solution is to provision Azure VMs, promote to Domain Controllers and integrate with on premises DCs through VPN or Express Route. However, that involves high cost and management overhead, and we will not be able to leverage Azure managed solution.
Azure Active Directory Domain Service is designed to solve this compatibility issue. Azure AD Domain Services offer all key features in the form of managed service, which are available in on premises AD. The features include Domain Join, Group Policy and support to protocols like Kerberos, NTLM and LDAP. This solves the “Lift and Shift” problem for those applications from on premises to Azure, which are depended on traditional AD features.
Unlike Domain Controller provisioning is Azure which is an IaaS solution, Azure AD Domain Service is a SaaS service, which means there is no management overhead involved for commissioning, patching and maintaining Domain Controllers in Azure.
Whether the Azure AD tenant is cloud only or hybrid (integrated with on premises AD), Azure AD Domain Service works in both the scenarios.
Few important points regarding Azure AD Domain Services:
For more information on Azure AD Domain Service, please refer this link.
In this article, we have covered all the key features of Azure Active Directory. We have compared different Azure AD Editions and discussed deployment scenarios. We have also covered Azure AD Domain Service.
Azure AD is a vast topic, which cannot be covered in a single article. However, this article could act as a starting point for exploring the vast world of Azure AD and different deployment scenarios.