Azure Active Directory is Microsoft’s flagship cloud identity service. We cover its key features, explain how it works, and break down what it can provide for your organisation.
Cloud technology has significantly changed the way organisations operate, offering new ways to conduct business, interact with customers, and manage internal IT systems and employees.
Microsoft’s Azure platform is one of the heavy hitters in the Cloud arena, and it’s only getting bigger, hitting 251 million monthly users by the end of 2019 (Alex Simons, Corporate VP for Identity at Microsoft, October 2019).
This growth is largely powered by the Active Directory component at the heart of Azure. Azure Active Directory (Azure AD) provides an ever-expanding array of features and functionality for the management of identities and security.
But what exactly is Azure AD? What does it provide? How does it function? You’ll find these answers and much more below as we give you everything you need to know about Azure AD.
Azure Active Directory is Microsoft’s multi-tenant, cloud-based identity and access management service. It’s the digital infrastructure that allows your employees to sign in and access external resources held in Office 365 and an ever-growing list of other SaaS applications, as well as those held on a corporate network or intranet.
Azure AD’s strength lies in the flexibility afforded to it by being entirely cloud-based. This means that it can either act as an organisation’s only directory, or it can sync with an on-premises directory via Azure AD Connect.
Either way, it enables both on-premises and cloud-based users to access the same apps and resources, simultaneously benefitting from features such as single sign-on (SSO), multi-factor authentication (MFA), conditional access and more.
More importantly, it provides a single place from which to manage your identity, security and compliance controls across your entire IT estate.
"Because of the amazing progress in open standards for identity over the past decade, we can easily hook all of these things together and give you one central control plane." (Corporate VP for Identity, Microsoft)
Azure AD provides different benefits depending on what you’re using it for.
For IT admins, it allows complete control over access to applications and resources utilising security controls like MFA and conditional access. They can also use Azure AD’s built-in governance controls to apply automated lifecycle management and privileged access limitations.
Azure AD also provides admins with the ability to automate provisioning between Windows Server Active Directory and cloud apps like Office 365.
For developers, Azure AD can be used as a standards-based approach to enabling features like SSO and for personalising the app experiences using existing organisation data through APIs.
If you’re a user or employee, Azure AD means quick and easy access to work resources, on a multitude of devices, from almost anywhere on the planet.
Azure AD, as the name suggests, is a directory – a container for your user names, credentials and access rights (typically to information-based resources).
Azure AD can be operated in ‘cloud-only’ mode, allowing your users to sign in to their Windows PCs using the cloud directory service. Alternatively, if you, like many organisations, are still tied to on-premises legacy infrastructure, Azure AD can use your local Active Directory as the master for account data and operate in a variety of hybrid modes.
Whether in cloud-only or hybrid mode, Azure AD effectively acts as your ‘front door’ for sign-ins. A key benefit of this is that you can take advantage of state-of-the-art security measures, such as assessing the threat level of the user attempting access and mitigating that threat, for example by requiring two-factor authentication.
One of the most attractive advantages of using Azure AD is its ability to enable single sign-on (SSO), and it supports third-party application integration to achieve this.
Applications can connect using standard ‘modern auth’ protocols – SAML or OpenID Connect. Application and group assignments (including dynamic groups) in Azure AD determine who has access to what.
Single sign-on means that users will be able to access all of the applications they need by signing in only once using a single user account hosted in Azure AD. Once signed in, they can access those applications without being required to authenticate a second time.
Azure AD has been designed to enable easy integration with many of today’s popular SaaS applications, enabling users to either single sign-on to applications directly or discover and launch them from a portal, such as Office 365 or the Azure AD access panel.
Azure AD offers a plethora of incentives for adoption, which is why it’s used by 95% of the Fortune 500.
Again, this is driven by its incredible flexibility. Whilst Azure AD is optimised for Microsoft applications, it is also highly compatible with apps developed outside the house that Bill built.
This open standards approach has allowed Azure AD to become the core mechanism by which an organisation can manage all of its different apps, devices and users across multiple tenants.
Azure AD’s key benefits largely fall into five categories:
Azure AD is the heart of your organisation’s IT, giving you one place to go for managing user identities and permissions. You can assign users to groups individually or using rules driven by attributes, and you can use groups to assign licences and application access. You have all the control in one place.
Whilst your users’ Azure AD identities are perfect for signing in to Microsoft applications, they are also highly compatible with apps developed everywhere else. Of those 251 million monthly users mentioned earlier, 44 million use Azure AD to regularly access third-party applications, streamlining the process and increasing productivity.
Organisations want to protect their resources from malicious or accidental harm – and to protect their users from identity theft. Azure AD achieves these aims with a range of measures, including threat detection, conditional access, multi-factor authentication, privileged identity management (PIM), and more.
93% of organisations agree that bringing the various aspects of IAM under one solution would greatly benefit their overall security. (Raconteur Cybersecurity Report 2020)
Getting access to resources should be easy for end-users. Single sign-on, using the same sign-in for Windows and all your applications, means less fuss with credentials and fewer demands on the IT help desk.
Azure AD allows you to invite external (guest) users into your directory to assign access, while their credentials are managed by their organisation’s IT department.
This gives you immediate and easy collaboration options while not having to worry about user lifecycle.
Having all of your disparate environments united under Azure AD offers some significant functionality options and features:
Manage both cloud and on-premises apps, single sign-on, the MyApps portal, and any SaaS apps.
Whether it’s providing self-service password reset, calibrating MFA requirements, or enabling smart lockout, you can get very granular with your authentication settings (especially when used in conjunction with conditional access) for increased security and control.
Manage guest users and partners, providing them the access you’re willing to allow.
Offer custom sign-in and sign-up experiences, allowing customers to manage their profiles within your applications.
Control how your network is accessed by on-premises and external devices, utilising Intune to keep data secure.
Most organisations aren’t ready to go cloud-only yet, but using Azure AD Connect allows you to take advantage of Azure AD’s features even if you’re running some applications on-premises and some in the Cloud.
To ensure that your identity ecosystem remains healthy, Azure AD has some built-in governance features that allow you to manage identity and access lifecycles and set privileged access conditions.
These controls are designed to enable organisations to ensure that the correct users have the corresponding levels of access and monitor what they’re doing with it. One of the key benefits of good governance is being able to audit and verify the effectiveness of the applied controls.
Azure AD Identity Protection utilises security information drawn from across Microsoft’s digital empire to detect and remedy identity-based risks, automating a large part of the process of identifying and addressing security concerns.
These risks can then be further investigated through the Azure AD portal.
Azure AD also features monitoring and reporting capabilities to help you gain insights into your environment. You can run diagnostics and view logs, which can also be fed into third-party SIEM tools (or Microsoft’s own Azure Sentinel) for a deeper dive into your data.
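As an added example (not from the original article), here is the kind of triage a SIEM rule might run over exported Azure AD sign-in records, tying together the threat detection, conditional access and MFA features mentioned above. The record shape is modelled on the Microsoft Graph signIn resource that the sign-in logs expose; the sample records and the triage rules themselves are constructed for illustration.

```python
"""Triage Azure AD sign-in records exported to a SIEM (added example)."""
import json

# Constructed sample export: three sign-in records as a SIEM might receive them.
# Field names follow the Microsoft Graph signIn resource; values are made up.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "appDisplayName": "Office 365", "status": {"errorCode": 0},
     "riskLevelDuringSignIn": "none", "conditionalAccessStatus": "success",
     "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
     "appDisplayName": "Salesforce", "status": {"errorCode": 0},
     "riskLevelDuringSignIn": "high", "conditionalAccessStatus": "notApplied",
     "authenticationRequirement": "singleFactorAuthentication"},
    {"userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.44",
     "appDisplayName": "Azure Portal", "status": {"errorCode": 50126},
     "riskLevelDuringSignIn": "none", "conditionalAccessStatus": "notApplied",
     "authenticationRequirement": "singleFactorAuthentication"},
])

RISKY_LEVELS = {"medium", "high"}


def triage(export_json: str) -> list[tuple[str, str]]:
    """Return (user, reason) pairs for successful sign-ins that deserve a look.

    Two conditions are checked: a sign-in that Identity Protection scored as
    risky but that still completed without MFA, and a successful sign-in to
    which no Conditional Access policy applied at all (a policy coverage gap,
    not a compromise by itself).
    """
    findings = []
    for rec in json.loads(export_json):
        if rec["status"]["errorCode"] != 0:
            continue  # failed sign-ins belong to a different report (e.g. lockouts)
        user, app = rec["userPrincipalName"], rec["appDisplayName"]
        no_mfa = rec["authenticationRequirement"] != "multiFactorAuthentication"
        if rec["riskLevelDuringSignIn"] in RISKY_LEVELS and no_mfa:
            findings.append((user, f"{rec['riskLevelDuringSignIn']} risk sign-in to {app} completed without MFA"))
        if rec["conditionalAccessStatus"] == "notApplied":
            findings.append((user, f"no Conditional Access policy covered {app}"))
    return findings


if __name__ == "__main__":
    for user, reason in triage(SAMPLE_EXPORT):
        print(f"{user}: {reason}")
```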
You may be wondering what Azure AD means for your Windows Server Active Directory (or ‘local Active Directory’). As mentioned earlier, your on-premises directory can be synchronised to Azure AD via Azure AD Connect. Azure AD doesn’t necessarily need to replace it; it can work as the cloud-based counterpart to your AD.
It’s a common misconception that ADFS has anything to do with syncing users; it doesn’t. ADFS can handle external single sign-on against your on-premises directory, while Azure AD Connect handles the synchronisation. They don’t talk to each other and they each have their own data source. ADFS has been largely superseded by Azure AD.
And Azure AD is not just ‘Active Directory in the Cloud’ either. Although it performs a lot of the same functions (authentication, user management, authorisation, directory query, etc.), it accomplishes these in a very different fashion.
Your local AD wasn’t designed to handle the thousands of web-based services that are now available and, in many cases, are crucial to an organisation’s day-to-day function. Azure AD uses an entirely different set of protocols to work with web apps such as Salesforce, Google, and Office 365.
As highlighted in the key features section, Azure AD has purpose-built functionality designed to support working with external users, but the specifics differ depending on whether those users are customers or partners.
Azure AD B2B allows businesses to securely share files and resources with partners and contractors for collaboration purposes. Azure AD handles the federation between the business and the partner, so users can sign in to shared resources via an invite that can be sent to any email address.
Azure AD’s B2C capabilities are first and foremost designed for use in customer-facing applications but can apply in a B2B scenario. Here, Azure AD acts as the identity system for the application whilst also allowing customers to sign in with a previously established identity, such as a Facebook or Gmail login.
For a more detailed explanation of the differences between Azure AD B2B and B2C, watch our on-demand webinar.
Thousands of organisations make use of the applications within Office 365, which means that they will automatically have access to Azure AD and all of its free features that come as standard.
There are four licensing options available to those interested in utilising Azure AD:
The standard Azure AD package comes with user and group management, synchronisation with your on-premises directory, self-service password reset, basic reporting capabilities and single sign-on across Azure, Office 365 and other SaaS apps (with more being regularly added).
On top of the base features, the P1 package provides hybrid users with access to both cloud and on-premises resources. You’ll also get more advanced admin capabilities, with dynamic groups, self-service group management and access to Microsoft Identity Manager (MIM) for on-premises IAM features.
The P2 licence builds on its predecessors by adding Azure AD Identity Protection into the mix, which provides advanced conditional access features for a risk-based approach to application access.
You’ll also get privileged identity management tools to identify, restrict and monitor admin access to ensure access privileges are applied accordingly and removed when redundant.
If you find yourself needing to take advantage of additional features such as Azure AD’s B2C abilities, Microsoft can tailor your subscription with any others you may need on top of the P2 licence.
Azure AD is quite a broad offering and, as part of your research, you’ll likely come across various competitors that address different areas of its functionality.
Here are some of the most familiar faces and what they offer:
Okta sits on top of Azure AD and offers ‘simplified single sign-on’, user lifecycle management (synchronisation between various user information sources, including on-premises), Office 365 licence management, and adaptive MFA.
Ping Identity offers a single sign-on solution and adds an identity governance layer in addition to the usual MFA and security features you would expect.
Auth0 is a competitor to AAD B2C, and offers customisable user journeys for single sign-on, with protection against malicious logins, and a broad range of integrations for different platforms.
iWelcome is another AAD B2C competitor, offering a wide range of out-of-the-box user journeys and easy management tools.
Although Azure AD has the advantage of being an all-encompassing solution built for compatibility and flexibility to your needs, it’s worth being aware of what else is on offer and how they either add to or replicate the functionality found within Azure AD.
Marcus Idle is our Head of Customer Identity and Access Management and IP Development at ThirdSpace. He is responsible for projects involving external identities. Expert in Microsoft’s Azure AD B2B...