Azure Active Directory Flavors


Azure Active Directory (AD) is the heart of everything inside Microsoft Azure. All Azure services depend on it and use it for identity management in the Microsoft cloud. Office 365, Intune, Exchange Online, and Enterprise Mobility Suite are all examples of Azure services that depend on Azure AD for both security and identity management. When implemented correctly, all of your custom applications, whether hosted in Azure or otherwise integrated with Azure services, use Azure AD as well.

That is why Azure AD is high on Microsoft's agenda and is constantly evolving. In this article, I want to give an overview of the different flavors of Azure AD and where each one stands today. What started as a basic user directory has become much more than that.

Azure Active Directory (now Microsoft Entra ID)

As pointed out before, Azure AD is the heart of everything inside Azure. Plain Azure AD is the root service, where you create the user accounts for your organization. It can also be used for application access management. It is designed for a single tenant, that is, for a single organization. This does not mean that it does not support a multi-domain environment, but there are differences and restrictions. Azure AD was built on a different architecture than Windows Server AD, which was designed many years ago.

Customers that are using Office 365, Intune, or Dynamics CRM Online are not always aware that they are using Azure AD. It can easily be integrated with an existing Windows Server AD using AAD Connect, so the on-premises identity investments organizations have already made can be leveraged in the cloud as well.

Azure AD also includes a full suite of enterprise identity management capabilities, which are now available to smaller companies as well at a fair cost. It includes Multi-Factor Authentication, device registration, self-service password management, self-service group management, privileged account management, role-based access control, application usage monitoring, rich auditing, security monitoring, and alerting. Whether these features are included depends on the Azure AD edition being used. There are three editions: Azure Active Directory Basic, Premium P1, and Premium P2. You can refer to the following article on what is included in these different editions.

Azure Active Directory Business-to-Business

Azure AD Business-to-Business (B2B) is a fairly new service that offers collaboration capabilities for organizations using Azure AD. With Azure AD B2B, you can work safely and securely with users from other organizations.

With this service, organizations can provide access to documents, resources, and applications to their partners while maintaining complete control over their own corporate data. Developers can use the Azure AD B2B APIs to write applications that bring two organizations together.

Partners can use their own credentials to sign in, and there is no requirement for them to have an Azure AD tenant of their own. This means that you no longer have to manage external accounts.

Corporate data is protected using policies, which can be added at the tenant level, the application level, and the user level.

This sounds very promising. I really hope this can replace the external sharing feature of Office 365, as this is not an enterprise-ready sharing mechanism, in my opinion.

You can watch this YouTube video for more information on Azure AD B2B.

Azure Active Directory Business-to-Consumer (B2C)

Azure AD Business-to-Consumer (B2C) is a cloud identity management solution for mobile and web applications. It is highly available and can scale to hundreds of millions of identities. Azure AD B2C is not Azure AD. It is a developer feature that can be leveraged in custom applications.

With minimal configuration, Azure AD B2C offers the following authentication providers:

  • Social accounts: Facebook, Google, LinkedIn, etc.
  • Enterprise accounts: using open-standard protocols such as OpenID Connect or SAML
  • Local accounts: accounts using an email address/username and password

Besides these authentication providers, additional ones can be added through the Azure Portal. Microsoft constantly adds new authentication providers, so if your application uses some other provider, there is a good chance you can add it to Azure AD B2C in the Azure Portal.

In Azure AD B2C, you cannot use the employee identities stored in Azure AD. It is a separate product and cannot be integrated with Azure AD, so you cannot use the features offered for Azure AD inside Azure AD B2C. It does offer MFA, sign-in reports, usage reports, and audit reports.
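Because Azure AD and Azure AD B2C are separate directories, tokens issued by one must never be accepted by an application that trusts the other. The following example is added here and is not code from the original article or from Microsoft; it shows, with constructed tokens, how an application enforces that separation by checking the issuer, audience, and validity-window claims of an OpenID Connect ID token. The issuer URL formats, tenant IDs, and client ID are assumptions for illustration only; the real values come from each tenant's OpenID Connect metadata document. The signature check, which must happen before any claim is trusted, is deliberately left to a JWT library with the issuer's published keys.

```python
import base64
import json
import time

# Assumed issuer formats (check your tenant's OpenID Connect metadata document);
# the tenant IDs below are constructed placeholders.
AZURE_AD_ISSUER = "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0"
B2C_ISSUER = "https://contoso.b2clogin.com/22222222-2222-2222-2222-222222222222/v2.0/"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    This only parses. In production the signature must be verified against the
    issuer's JWKS (for example with PyJWT or MSAL) before these claims are used.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def validate_claims(claims: dict, expected_issuer: str, expected_audience: str, now=None):
    """Check iss, aud, exp and nbf. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        # A B2C token presented to an app that trusts the corporate tenant
        # (or vice versa) fails here.
        return False, "unexpected issuer %r" % claims.get("iss")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    if "exp" not in claims or now >= claims["exp"]:
        return False, "token expired or missing exp"
    if now < claims.get("nbf", 0):
        return False, "token not yet valid"
    return True, "ok"


def make_sample_token(claims: dict) -> str:
    """Build a constructed token for the offline demo. The signature segment is a
    placeholder; real tokens carry an RS256 signature that must be verified."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return "%s.%s.%s" % (enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "placeholder-signature")


def demo() -> dict:
    """Exercise the checks with constructed Azure AD and B2C tokens."""
    now = 1_700_000_000
    app_id = "33333333-3333-3333-3333-333333333333"  # constructed client ID
    ad_token = make_sample_token({
        "iss": AZURE_AD_ISSUER, "aud": app_id,
        "exp": now + 3600, "nbf": now - 60,
        "preferred_username": "alice@contoso.example",
    })
    b2c_token = make_sample_token({
        "iss": B2C_ISSUER, "aud": app_id,
        "exp": now + 3600, "nbf": now - 60,
        "sub": "consumer-object-id",
    })
    return {
        "ad_token_for_ad_app": validate_claims(decode_claims(ad_token), AZURE_AD_ISSUER, app_id, now)[0],
        "b2c_token_for_b2c_app": validate_claims(decode_claims(b2c_token), B2C_ISSUER, app_id, now)[0],
        "b2c_token_for_ad_app": validate_claims(decode_claims(b2c_token), AZURE_AD_ISSUER, app_id, now)[0],
        "ad_token_for_b2c_app": validate_claims(decode_claims(ad_token), B2C_ISSUER, app_id, now)[0],
        "expired_ad_token": validate_claims(decode_claims(ad_token), AZURE_AD_ISSUER, app_id, now + 7200)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(case, "accepted" if accepted else "rejected")
```

The issuer is compared as an exact string rather than by prefix; accepting any issuer under a shared host is how tokens from an unrelated tenant end up trusted, which is precisely the mixing the separation between Azure AD and B2C is meant to prevent.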

Azure AD Domain Services

Azure AD Domain Services (AAD DS) is an extension of Azure AD. It provides managed domain services, such as domain join, Group Policy, LDAP, and Kerberos/NTLM authentication, which are fully compatible with Windows Server AD.

Legacy applications often depend on LDAP or Windows Integrated Authentication (NTLM or Kerberos) to authenticate users. To migrate those applications to the cloud, these dependencies on the corporate identity infrastructure need to be resolved.

So, instead of having to deploy domain controller VMs in the cloud or set up a site-to-site VPN connection, organizations can use AAD DS to authenticate users in hybrid scenarios.

Conclusion

Azure AD has a ton to offer these days. The additional features help organizations overcome the flaws of the original architecture as it was designed in the early Azure days. You are no longer tied to that one Azure AD tenant.

Also, in hybrid scenarios, Azure AD has even more to offer. Migrating to the cloud is much easier using these features and it is possible to keep a part of your applications on-premises.

Hopefully, you have a better understanding of the different services and features after reading this article. Even better, hopefully you will use them for your organization and applications in the near future.