• What is Azure Active Directory?

    Azure AD is a robust, secure, multitenant directory service that provides identity and access management in the cloud. In fact, Azure AD is the directory store for many of Microsoft’s premium cloud services, such as Microsoft Office 365, Microsoft Dynamics CRM Online, Windows Intune, and, of course, Microsoft Azure. Much like Windows Server Active Directory provides identity and access management for on-premises solutions, Azure AD does so as a service available in Azure. However, instead of you assuming the responsibility of provisioning and configuring the multiple servers necessary for on-premises Active Directory, Microsoft is responsible for managing the entirety of the Azure AD infrastructure (high availability, scalability, disaster recovery, and so on). As a consumer of the Azure AD service (directory as a service), you decide what users and which of their related information should reside in the directory, who can use the information, and what applications have access to the information.

    Azure AD should not be considered a full replacement for Windows Server Active Directory. Instead, Azure AD is a complementary service. If you already have Active Directory on-premises, the users and groups can be synchronized to your Azure AD directory by using Azure AD Connect.

    Azure AD can be associated with an on-premises Active Directory to support single sign-on (SSO). This can be either true SSO using Active Directory Federation Services (AD FS) to federate the on-premises identity to Azure AD or shared sign-on, in which Azure AD Connect is used to sync a password hash between Active Directory and Azure AD. Shared sign-on is simpler to configure at the cost of a small delay in the synchronization of password changes (synchronization is usually completed in a matter of minutes).

    By enabling SSO with Azure AD, organizations are able to provide an easy way for employees (or other users) to access a wide range of software as a service (SaaS) applications such as Office365, Salesforce.com, Dropbox, and more. This topic will be discussed in more detail later in this chapter.

    Azure AD is a multitenant directory service. Each tenant is a dedicated instance of Azure AD that you own when you sign up for a Microsoft cloud service (Azure, Office 365, and so on). Each tenant directory is isolated from the others in the service and designed to ensure user data is not accessible from other tenants, meaning others cannot access data in your directory unless an administrator grants explicit access.

    It is important to note that Azure AD is not just for cloud or Azure-hosted solutions. Azure AD can be used by both cloud (hosted in Azure or elsewhere) and on-premises solutions. Instead of using technologies like Kerberos or Lightweight Directory Access Protocol (LDAP) to access Active Directory (as you would on-premises), Azure AD is accessible via a modern REST API. This allows a wide range of applications—on-premises, cloud, mobile, and so on—to access the rich information available in the Azure AD directory. For developers, this opens up a vast opportunity that previously, with on-premises solutions, either wasn’t possible or was difficult to achieve. By leveraging Azure AD and its Graph REST API, developers are able to easily establish SSO for cloud applications and to query and write (create, update, delete) against the directory data.

    Azure AD serves as a key component for identity management in the Microsoft cloud. Azure AD includes a wide range of capabilities, such as Multi-Factor Authentication, device registration, Role-Based Access Control (RBAC), application usage monitoring, security monitoring and alerting, self-service password management, and much more. All of these features are designed to help organizations provide security for cloud-based applications, including meeting required compliance targets, in an efficient and cost-effective manner. The list below provides a brief description of several important Azure AD features.

    • Azure AD B2C (business to consumer): Azure AD B2C is a solution for enabling consumer-facing web and mobile applications to leverage existing social accounts (Facebook, Microsoft, Google, Amazon, LinkedIn) or custom local accounts. This is essentially the evolution of Azure AD Access Control Service (ACS). For more information, please see https://azure.microsoft.com/documentation/articles/active-directory-b2c-overview/.

    • Azure AD B2B (business to business): Azure AD B2B is a solution that allows you to enable access to your organization’s applications from external business partner identities. Instead of creating (guest) accounts in your organization’s directory for business partners, Azure AD B2B allows your business partners to use their own authentication credentials. This enables you to focus on your application and not on identity management of external users. For more information, please see https://azure.microsoft.com/documentation/articles/active-directory-b2b-collaboration-overview/.

    • Azure AD Application Proxy: Application Proxy enables users to leverage SSO to securely access on-premises web applications such as SharePoint sites and Outlook Web Access—without the need for building or maintaining a VPN or complicated network infrastructure. Application Proxy is available for the Basic and Premium editions of Azure AD. For more information, please see https://azure.microsoft.com/documentation/articles/active-directory-application-proxy-get-started/.

    • Azure AD Directory Join: Directory Join enables Windows 10 devices to connect with Azure AD, thus allowing users to sign in to Windows using Azure AD accounts. Doing so will enable SSO to Azure AD resources, access to the enterprise Windows Store, device access restrictions using group policy, and more. Directory Join is suitable for devices that cannot domain join. For more information, please see https://azure.microsoft.com/documentation/articles/active-directory-azureadjoin-windows10-devices-overview/.

    • Azure AD Domain Services: Domain Services provides fully managed domain services such as domain join, group policy, LDAP, Kerberos/NTLM, and so on that are compatible with Windows Server Active Directory. This feature enables you to use these services without the need to build and manage Azure virtual machines (VMs) running Windows Server Active Directory or maintain a site-to-site VPN connection between Azure and your on-premises directory infrastructure. For more information, please see https://azure.microsoft.com/documentation/articles/active-directory-ds-overview/.

    • Azure AD Device Registration: Azure AD Device Registration is an Azure AD feature that enables mobile devices (such as iOS, Android, and Windows devices) to be registered in Azure AD. The registered device, and thus attributes of the device, can be used to enable conditional access to on-premises or Office 365 applications. For more information, please see https://azure.microsoft.com/documentation/articles/active-directory-conditional-access-device-registration-overview/.

    • Azure AD Cloud App Discovery: Cloud App Discovery enables IT departments to discover cloud applications used in their organization, thus allowing the applications to be brought under IT control to help mitigate the risk of potential data leakage or other security threats. Cloud App Discovery finds the applications being used (including various usage metrics), identifies users, and enables offline data analysis. Cloud App Discovery is a feature of Azure AD Premium. For more information, please see https://azure.microsoft.com/documentation/articles/active-directory-cloudappdiscovery-whatis/.

    • Azure AD Connect Health: Azure AD Connect Health enables you to monitor and gain insights into the overall health of the integration between your on-premises Windows Server Active Directory/Active Directory Federation Services and Azure AD (or Office 365). For more information, please see https://azure.microsoft.com/documentation/articles/active-directory-aadconnect-health/.

    • Azure AD Identity Protection: Azure AD Identity Protection is a security service that enables you to gain insights into potential security vulnerabilities affecting users in your organization (more specifically, their identities). For example, Identity Protection can use knowledge of leaked credentials, or of sign-ins from geographic locations between which it would be impossible to travel (that is, the time between the sign-ins is less than the time needed to travel between the two locations). Identity Protection leverages Azure Machine Learning and heuristics to detect potential risks. For more information, please see https://azure.microsoft.com/documentation/articles/active-directory-identityprotection/.
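    The "impossible travel" heuristic described above, worked through as an added example that is not part of the book or of the Identity Protection service: consecutive sign-ins by the same user are compared by great-circle distance and elapsed time, and a pair is flagged when the implied speed exceeds an assumed plausible maximum (the 1000 km/h threshold, the `SignIn` record shape and the sample events are all constructed for this illustration).

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 1000.0  # assumed threshold, roughly airliner speed

@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime   # timezone-aware UTC timestamp of the sign-in
    lat: float       # geolocated source of the sign-in, decimal degrees
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def required_speed_kmh(earlier, later):
    """Speed needed to reach the later sign-in's location in the elapsed time."""
    hours = (later.when - earlier.when).total_seconds() / 3600.0
    dist = haversine_km(earlier.lat, earlier.lon, later.lat, later.lon)
    if hours <= 0:  # identical timestamps: any displacement at all is impossible
        return float("inf") if dist > 0 else 0.0
    return dist / hours

def impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Return (earlier, later) pairs of consecutive sign-ins, per user, whose
    implied travel speed exceeds max_speed_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.when)):
        by_user.setdefault(e.user, []).append(e)
    return [(a, b) for seq in by_user.values()
            for a, b in zip(seq, seq[1:])
            if required_speed_kmh(a, b) > max_speed_kmh]

# Constructed sample: alice signs in from Seattle, then Sydney 30 minutes later;
# bob goes Seattle to San Francisco over three hours, which is plausible.
UTC = timezone.utc
SAMPLE = [
    SignIn("alice", datetime(2024, 1, 1, 9, 0, tzinfo=UTC), 47.61, -122.33),
    SignIn("alice", datetime(2024, 1, 1, 9, 30, tzinfo=UTC), -33.87, 151.21),
    SignIn("bob", datetime(2024, 1, 1, 9, 0, tzinfo=UTC), 47.61, -122.33),
    SignIn("bob", datetime(2024, 1, 1, 12, 0, tzinfo=UTC), 37.77, -122.42),
]
```

    Running `impossible_travel(SAMPLE)` flags only alice's pair; lowering the threshold to 300 km/h would also flag bob's, which is why a production detector tunes the speed bound and geolocation accuracy rather than treating any movement as suspicious.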

    Source of Information : Microsoft Azure Essentials Fundamentals of Azure Second Edition

