Azure Active Directory (Azure AD) is Microsoft’s multi-tenant, cloud-based Identity and Access Management (IAM) service. It takes care of authentication and authorization of user and application identities. It’s the digital infrastructure that allows your employees to sign in and access external resources, such as those held in Microsoft 365 service, an ever-growing list of other SaaS applications, as well as those held on corporate networks.
When you sign up for any services offered by Microsoft Azure cloud, Microsoft automatically assigns a default directory, which is an instance of Azure AD. This directory holds the users and groups that will have access to each of the services the company has signed up for. This default directory is sometimes referred to as a tenant. For more information about creating a tenant for your organization, see Quickstart: Create a new tenant in Azure Active Directory. The Azure Active Directory tenant represents your organization. Each tenant might have 1 to N Azure subscriptions. An Azure subscription is a group of cloud services that are billed together.
An Azure AD user account might be single-tenant (has access to resources of a single organization) or multi-tenant (two or more organizations). Every user who needs access to Azure resources needs an Azure user account. A user account contains all the information needed to authenticate the user during the sign-in process. Once authenticated, Azure AD builds an access token to authorize the user and determine what resources they can access and what they can do with those resources.
Typically, Azure AD defines users in three ways:
- Cloud identities – These users exist only in Azure AD. Examples are administrator accounts and users that you manage yourself.
- Directory-synchronized identities – These users exist in an on-premises Active Directory. A synchronization activity that occurs via Azure AD Connect software brings these users into Azure.
- Guest users – These users exist outside Azure. Examples are accounts from other cloud providers and Microsoft accounts, such as an Xbox LIVE account. Their source is Invited User. This type of account is useful when external vendors or contractors need access to your Azure resources.
What is the difference between AD (Active Directory) and Azure AD?
You may be familiar with on-premises Active Directory concepts. On-Premises Active Directory is on servers called Domain Controllers (DC). Each DC contains a catalog of users and computers that are authorized to access resources on the network. Users authenticate to DCs via Kerberos or the NTLM protocol. Azure AD and On-Premises AD are both created by Microsoft, and they are both IAM systems, but that’s pretty much where the comparisons stop. The following table outlines the differences and similarities between Active Directory concepts and Azure Active Directory:
| Concept | Active Directory (AD) | Azure Active Directory |
| --- | --- | --- |
| Users | | |
| Provisioning – users | Organizations create internal users manually or use an in-house or automated provisioning system, such as the Microsoft Identity Manager to integrate with an HR system. | Existing AD organizations use Azure AD Connect to sync identities to the cloud. |
| Provisioning – external identities | Organizations create external users manually as regular users in a dedicated external AD forest, resulting in administration overhead to manage the lifecycle of external identities (guest users). | Azure AD provides a special class of identity to support external identities. Azure AD B2B will manage the link to the external user identity to make sure they are valid. |
| Entitlement management and groups | Administrators make users members of groups. App and resource owners then provide these groups with access to apps or resources. | Groups are also available in Azure AD and administrators can also use groups to grant permissions to resources. In Azure AD, administrators can assign membership to groups manually or use a query to dynamically include users in a group. |
| Admin management | Organizations will use a combination of domains, organizational units, and groups in AD to delegate administrative rights to manage the directory and resources it controls. | Azure AD provides built-in roles with its Azure AD role-based access control (Azure AD RBAC) system, with limited support for creating custom roles to delegate privileged access to the identity system, the apps, and resources it controls. |
| Credential management | Credentials in Active Directory are based on passwords, certificate authentication, and smartcard authentication. | Azure AD uses intelligent password protection for cloud and on-premises. Protection includes smart lockout plus blocking common and custom password phrases and substitutions. |
| Applications | | |
| Infrastructure applications | Active Directory forms the basis for many on-premises infrastructure components, for example, DNS, DHCP, IPSec, WiFi, NPS, and VPN access. | In a new cloud world, Azure AD is the new control plane for accessing apps versus relying on networking controls. When users authenticate, Conditional Access (CA) will control which users will have access to which apps under required conditions. |
| Traditional and legacy applications | Most on-premises applications use LDAP, Windows-Integrated Authentication (NTLM and Kerberos), or header-based authentication to control user access. | Azure AD can provide access to these types of on-premises apps using Azure AD application proxy agents running on-premises. Using this method, Azure AD can authenticate Active Directory users on-premises using Kerberos while you migrate or need to coexist with legacy apps. |
| SaaS applications | Active Directory doesn’t support SaaS applications natively and requires a federation system, such as AD FS. | SaaS apps supporting OAuth2, SAML, and WS-* authentication can be integrated to use Azure AD for authentication. |
| Line of business (LoB) applications with modern authentication | Organizations can use AD FS with Active Directory to support LoB applications requiring modern authentication. | LoB applications requiring modern authentication can be configured to use Azure AD for authentication. |
| Mid-tier/Daemon services | Services running in on-premises environments normally use AD service accounts or group Managed Service Accounts (gMSA) to run. These apps will then inherit the permissions of the service account. | Azure AD provides managed identities to run other workloads in the cloud. The lifecycle of these identities is managed by Azure AD and is tied to the resource provider, so they can’t be used for other purposes to gain backdoor access. |
| Devices | | |
| Mobile | Active Directory doesn’t natively support mobile devices without third-party solutions. | Microsoft’s mobile device management solution, Microsoft Intune, is integrated with Azure AD. Microsoft Intune provides device state information to the identity system to evaluate during authentication. |
| Windows desktops | Active Directory provides the ability to domain join Windows devices to manage them using Group Policy, System Center Configuration Manager, or other third-party solutions. | Windows devices can be joined to Azure AD. Conditional Access can check whether a device is Azure AD joined as part of the authentication process. |
| Windows servers | Active Directory provides strong management capabilities for on-premises Windows servers using Group Policy or other management solutions. | Windows Server virtual machines in Azure can be managed with Azure AD Domain Services. Managed identities can be used when VMs need access to the identity system directory or resources. |
| Linux/Unix workloads | Active Directory doesn’t natively support non-Windows workloads without third-party solutions, although Linux machines can be configured to authenticate with Active Directory as a Kerberos realm. | Linux/Unix VMs can use managed identities to access the identity system or resources. Some organizations migrate these workloads to cloud container technologies, which can also use managed identities. |
Monitoring Azure Active Directory
When monitoring Azure AD, you will need tools that monitor logs, events, metrics, and traces both continually and historically to identify potential issues. In future blog posts, I’ll go into detail on how to audit Azure AD, but to give an idea of what is possible, here are a few examples of what eG Enterprise covers:
- Monitor app registrations; track certificate errors
- Audit activities – add/delete/modify users, applications, service principals, groups, policies, members, etc.
- Monitor and audit different sign-in logs
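As an added illustration of the audit and sign-in monitoring listed above (example code, not part of the original post or of eG Enterprise), the snippet below triages constructed Azure AD log records: it picks out role membership grants and service principal credential changes from audit records and counts repeated sign-in failures per user and source address. The record shapes follow the Microsoft Graph directoryAudits and signIns resources; the tenant names, users, addresses and the constant names in the code are made-up assumptions.

```python
# Constructed Azure AD records shaped like the Microsoft Graph directoryAudits and
# signIns resources; field names follow the Graph schema, every value is made up.
import json
from collections import Counter

# Audit activities the post lists as targets; these deserve first review.
SENSITIVE_ACTIVITIES = {"Add member to role", "Add service principal credentials"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

AUDIT_EVENTS = [  # constructed sample records
    {"activityDisplayName": "Add member to role", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "bob@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    {"activityDisplayName": "Update user", "result": "success",  # routine change, not flagged
     "initiatedBy": {"user": {"userPrincipalName": "hr-sync@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "carol@contoso.example",
                          "modifiedProperties": [{"displayName": "Department", "newValue": "\"Finance\""}]}]},
    {"activityDisplayName": "Add service principal credentials", "result": "success",
     "initiatedBy": {"app": {"displayName": "Deploy Pipeline"}},  # initiated by an app, not a user
     "targetResources": [{"type": "ServicePrincipal", "displayName": "billing-api",
                          "modifiedProperties": []}]},
]
SIGNINS = [  # constructed: four failures then a success for bob, a single failure for carol
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.7",
     "status": {"errorCode": 50126}} for _ in range(4)] + [
    {"userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.7", "status": {"errorCode": 0}},
    {"userPrincipalName": "carol@contoso.example", "ipAddress": "198.51.100.2", "status": {"errorCode": 50126}}]

def actor(event):  # audit records are initiated either by a user or by an application
    who = event.get("initiatedBy", {})
    return who.get("user", {}).get("userPrincipalName") or who.get("app", {}).get("displayName")

def new_values(target, prop_name):  # modifiedProperties carry newValue as a JSON-encoded string
    return [json.loads(p["newValue"]) for p in target.get("modifiedProperties", [])
            if p["displayName"] == prop_name and p.get("newValue")]

def sensitive_audit_events(events):
    """(actor, activity, target, privileged roles granted) for every event worth a review."""
    hits = []
    for ev in events:
        for t in ev.get("targetResources", []):
            roles = sorted(set(new_values(t, "Role.DisplayName")) & PRIVILEGED_ROLES)
            if roles or ev["activityDisplayName"] in SENSITIVE_ACTIVITIES:
                name = t.get("userPrincipalName") or t.get("displayName")
                hits.append((actor(ev), ev["activityDisplayName"], name, roles))
    return hits

def failed_signin_bursts(signins, threshold=3):
    """Failed sign-ins per (user, source IP); errorCode 0 is success, anything else a failure."""
    failures = Counter((s["userPrincipalName"], s["ipAddress"])
                       for s in signins if s["status"]["errorCode"] != 0)
    return {key: n for key, n in failures.items() if n >= threshold}
```

A burst of failures followed by a success from the same address is the pattern worth correlating with the audit hits, since a freshly granted privileged role on that account changes the priority of the review.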
What is Azure AD Connect?
Azure AD Connect is the Microsoft tool designed to be a bridge solution between On-premises Active Directory and Azure AD.
It enables IT admins to federate on-premises user identities to the Azure platform so that users can use the same credentials to access both on-premises applications and cloud services, such as Microsoft 365.
It is included for free with your Azure subscription. It offers multiple features, including synchronization, federation integration and health monitoring.
By default, the sync is one way: from on-premises AD to Azure AD. However, you can configure the writeback function to sync changes from Azure AD back to your on-premises AD. That way, for instance, if a user changes their password using the Azure AD self-service password management function, the password will be updated in the on-premises AD.
Azure AD Connect can synchronize the user accounts, groups, and credential hashes in your on-premises AD by a scheduler. Most attributes of the user accounts, such as the User Principal Name (UPN) and security identifier (SID), are synchronized.
However, the following objects and attributes are NOT synchronized:
- Any objects and attributes you specifically exclude from the sync
- SidHistory attributes for users and groups
- Group Policy objects (GPOs)
- The contents of the Sysvol folder
- Computer objects for computers joined to the on-premises AD environment
- Organizational unit (OU) structures
By default, a sync task runs every 30 minutes. If the sync task is not running correctly, you may experience issues like:
- Sync account issues – If you change the password for a user in on-premises AD and the change does not sync to Azure AD, the user is unable to access the resources.
- Connectivity issues – Microsoft publishes an Azure AD Connectivity URL page, which lists the URLs that must be reachable between Azure AD Connect and Azure AD.
So, it is important to monitor the Azure AD Connect performance. eG Enterprise captures and reports the following metrics for Azure AD Connect:
Organizations with hybrid infrastructure that mixes on-premises technologies, such as RDSH farms, Citrix, or VMware, with cloud-hosted technologies, such as AVD host pools, very commonly use both Azure AD and Active Directory, together with Azure AD Connect.
Azure AD – Pricing and Licensing
Azure Active Directory comes in four editions:
- Free
- Office 365 apps
- Premium P1
- Premium P2
The Free edition is included with a subscription to a commercial online service, e.g. Azure, Dynamics 365, Intune, or Power Platform.
Office 365 subscriptions include the Free edition, but Office 365 E1, E3, E5, F1, and F3 subscriptions also include additional features, see Microsoft’s pricing page for details.
SLA for Azure Active Directory
At the time of drafting this blog post, Microsoft guarantees 99.99% availability of the Azure Active Directory Basic and Premium services. The services are considered available in the following scenarios:
- Users are able to log in to the Azure Active Directory service.
- Azure Active Directory successfully emits the authentication and authorization tokens required for users to log in to applications connected to the service.
No SLA is offered for the Free edition of Azure Active Directory, and this should be a serious consideration within most enterprises when evaluating whether to migrate critical identity and access management.
Using Azure AD Connect is free and included in your Azure subscription. However, using Azure AD Connect Health requires an Azure AD Premium P1 license.