What Is Azure Active Directory (and why you need It).

Andrew Kolyvas
Azure Active Directory

Discover what Azure Active Directory is, what it isn’t, and how your business will benefit from it.

Customers continue asking us to explain exactly what is Azure Active Directory. In this article we explain everything you need to know to understand the benefits, the differences of on-premise Active Directory Domain Services (AD DS), and how you business benefits by ensuring you have the best setup for your unique needs.

Introducing Azure Active Directory

Azure Active Directory (Azure AD) is Microsoft’s end to end identity and access management service. With Azure AD user are able to securely access resources including cloud resources such as Microsoft 365, on-premise resources like in-house applications hosted on your own servers, and a vast array of other SaaS applications. Azure Active Directory bridges the identity and access gap between cloud, on-premise, and 3rd party vendors to provide a unified Identity and Access solution.

Identity & Access Management

At it’s core Azure AD a unified Identity and Access management platform. However, as you will learn, it is also so much more. Azure Active Directory is intended for cloud administrators to manage identities and control their access to your apps and app resources.

These identities can exist in your own tenant, or, through the use of AAD B2C, you provide and control access for your customer to use your services. Additionally AAD B2B allows enterprise organisations to collaborate and securely share your organisations resources with guests from any other organisation.

This extensibility allows safe and secure collaboration with external partners even without their own Azure AD. Implementing these use cases can become complex and so it is advisable to consult an expert in managed Microsoft cloud solutions.

Azure Active Directory Compared to Active Directory

Microsoft states that “Azure Active Directory is the next evolution of identity and access management solutions for the cloud” and provides a concise document to compare active directory to azure active directory. Azure Active Directory is not a replacement for Active Directory as they each do quite different things.

The key difference: Active Directory manages traditional on-premise infrastructure, resources and objects, while Azure AD is a secure online authentication store with a flat structure, meaning there are no OU’s or Forests . One major benefit is the ability to have a pure-cloud set up with Azure AD and remove the requirement to maintain your on-premise infrastructure which can significantly reduce operational complexity and costs.

By far the greatest and most widely used approach is to hybridise your environment and use both platforms together. For example, by connecting Azure AD with Active Directory Domain Services you can add users and groups to your local Active Directory, apply group policies and distribute resources. Then you can synchronise these objects to Azure Active Directory to allow your users to authenticate to cloud applications, such as Office 365, from any location in the world all while still enforcing corporate governance protocols.

Deployment Options

As mentioned in the previous sections Azure AD can offers 2 deployment options: pure-cloud and hybrid.

Pure Cloud

The pure cloud deployment is relatively straight forward. This approach assumes that you have all of your resources in the cloud with no on-premises infrastructure to be migrated or synchronised. All users, groups, and other resource types and created and managed directly in the Azure AD portal. A typical scenario might be a start up business or perhaps an established business that has migrated all of the legacy controls from AD DS, such as group policies, to Intune (Microsoft Azure’s Endpoint Management suite).

Hybrid Identity

For most organisations you likely have an existing Active Directory and have established environment security and other protocols which must be maintained. Azure Active Directory synchronises with your on-premise infrastructure to security extend your technology capabilities to the cloud. This is accomplished with the sync agent Azure AD Connect and provides a number of different options for authentication, password management, and single sign-on.

Password Hash Sync

With password hash sync you enable users to use the same password they use to log on to your on-premise Active Directory. Passwords are not stored in the cloud and always remain on-premise. A hash value is a one-way algorithmic calculation of the users’ password stored in Active Directory and only the hash value is sent to Azure AD. When a user authenticates Azure AD compares the hash value from the entered password with the stored hash. If they match then the user is authenticated. Authentication is handled entirely by Azure Active Directory.

Courtesy: Microsoft

Passthrough Authentication

An alternative authentication method for hybrid users is Passthrough Authentication. PTA is commonly used when an organisation wants to enforce existing on-premise Active Directory password policies. As the name suggests, authentication to a cloud service or app is passed through to the on-premise Active Directory.

Federation with AD FS

This is the most complex type of hybrid deployment and is usually only found in large enterprise environments that have specific requirements around federated domains and identities. In the simplest terms Federation enables users to sign in to Azure AD services with their on-premises passwords and access on-premise resources without needing to re-enter their password. This scenario provides a true single sign-on experience. This deployment type now also allows for password hash sync providing a level of resiliency to your users. If your AD FS server is unavailable, the users can still authenticate via Azure Active Directory.

Licensing

Azure Active Directory Free

Azure Active Directory Premium P1

Azure Active Directory Premium P2

Security and Compliance with Azure Active Directory

Multifactor Authentication (MFA)

Privileged Access

Conditional Access

Governance and Compliance

Information Protection

Conclusion

Azure Active Directory is an easy to deploy, robust unified cloud identity and access solution that securely extends your existing on-premise infrastructure to the cloud and provides a seamless integration for your in-house applications and 3rd party SaaS platforms. Granular policy driven access controls ensure that access is granted only authorized identities, devices and from approved locations. Azure AD includes an array of security and compliance options to ensure your business governance is adhered to without impacting productivity. Premium licensing options allow you to extend these capabilities providing a holistic approach to governance and security.

If you’d like to learn the unique ways a Nuage Solutions Managed Azure Active Directory can benefit your business, get in touch with us today for a free consultation.