Any time someone from Microsoft presents on Windows Server or Azure, you'll see the same image over and over again: a cloud divided into three parts that symbolize what a customer can run on-premises, what a hosting partner can offer, and what Microsoft offers from its own public clouds, such as Intune, Azure and Office 365.
While the common denominator of the three parts of the Cloud OS is Hyper-V, the glue that holds the whole solution together is also a selling point that only Microsoft can offer: Active Directory. In this article, I'll explain the power of Azure Active Directory (Azure AD) and how it extends your on-premises Active Directory to change how your business handles identity.
What is Azure Active Directory?
When one first hears about Azure AD, one might think "Oh! Domain controllers in the cloud." It's not that, at least not yet; Microsoft has only recently launched a preview of Azure AD Domain Services in North American and European regions. Put simply, Azure AD is an identity store that performs the core function of AD in the cloud: it authenticates users and authorizes their access to cloud services. There is no Kerberos, LDAP or Group Policy behind it as there is with a domain controller.
The first of these cloud services that most businesses adopt is Office 365. Even with one of the very simple Exchange Online plans, creating user accounts in the cloud, synchronizing them (with DirSync or Azure AD Sync, both since superseded by Azure AD Connect), or federating them (with AD FS) puts Azure AD to work under the covers. You prove through a DNS record that your company owns the domain of your AD, such as joeelway.com, and then you make your users' usernames and passwords available for signing into and using those cloud services.
Then you might decide to use Intune or CRM Online, or any number of Microsoft's other enterprise cloud services, and you'll find that the usernames and passwords are already there, all thanks to one identity store: a logical AD made up of your on-premises AD and Azure AD.
But that's just the start. Many small-to-medium enterprises, having replaced Exchange or Small Business Server with Office 365, are discovering a real possibility of retiring lots of other servers, such as CRM and accounting, in favour of software-as-a-service (SaaS) applications from other vendors. The old way of dealing with this was to create a separate user account and password for each user in each of those services. Ask the owner of such a business, and one of their biggest fears is that an employee leaves the company still holding working logins to those cloud services and takes that access, and the information behind it, to a competitor.
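The domain-ownership proof and synchronization described above can be checked from PowerShell rather than clicked through in the portal. The following is an added example, not code from the original article; it uses the MSOnline module's MSOL cmdlets, and the domain name joeelway.com and the user jsmith are placeholders.

```powershell
# Added example (not from the original article): prove domain ownership and
# confirm that on-premises accounts are really arriving in Azure AD.
# Requires the MSOnline module and an account with tenant admin rights.
# The domain and user names below are placeholders.
Import-Module MSOnline
Connect-MsolService                       # prompts for tenant admin credentials

$Domain = 'joeelway.com'

# 1. Register the domain (if it is not there yet) and obtain the TXT record
#    that proves ownership to Azure AD.
if (-not (Get-MsolDomain -DomainName $Domain -ErrorAction SilentlyContinue)) {
    New-MsolDomain -Name $Domain | Out-Null
}
Get-MsolDomainVerificationDns -DomainName $Domain -Mode DnsTxtRecord |
    Select-Object Label, Text, Ttl

# 2. Once the TXT record is published at your DNS host, ask Azure AD to verify
#    it. Until Status reads Verified, users cannot sign in with @joeelway.com UPNs.
Confirm-MsolDomain -DomainName $Domain
Get-MsolDomain | Select-Object Name, Status, Authentication   # Managed or Federated (AD FS)

# 3. Check that directory synchronization is switched on and ran recently.
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled, LastDirSyncTime, PasswordSynchronizationEnabled

# 4. Spot-check one synchronized user: a populated ImmutableId ties the cloud
#    object to its on-premises AD object, and LastDirSyncTime shows freshness.
Get-MsolUser -UserPrincipalName "jsmith@$Domain" |
    Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime, BlockCredential

# 5. Accounts with no ImmutableId exist only in the cloud; disabling them in
#    on-premises AD does nothing, so they need their own offboarding process.
Get-MsolUser -All | Where-Object { -not $_.ImmutableId } |
    Select-Object UserPrincipalName, WhenCreated
```

Step 5 is the check worth keeping as a scheduled report: every cloud-only account is an identity your on-premises AD knows nothing about.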
The solution was once only possible with lots of consulting for large enterprises and educational institutions, but is now distilled into little more than a wizard: single sign-on. Azure AD makes it possible by using industry-standard protocols (SAML, WS-Federation and OpenID Connect) to federate identity into over 2,500 SaaS applications, including offerings from Citrix, AWS, Google, Salesforce and Dropbox. As a result:
- IT gets control over “shadow IT”
- Employees only have to remember a single username and password
- Employers can revoke access to every federated application at once by disabling or removing the one user account
Single sign-on is the core reason I think Azure AD is so valuable, and it amazes me how few people understand this power or try to implement it. Microsoft obviously understands the potential, which is why it offers three editions of the product, each with a different price point and feature set.
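The "disable one account, revoke everything" benefit in the list above is only as fast as the path between your on-premises AD and Azure AD. Below is an added offboarding example, not code from the original article; it assumes Azure AD Connect (password sync or AD FS federation) links the two directories, and the account names are placeholders.

```powershell
# Added example (not from the original article): offboard a leaver so that every
# application federated through Azure AD stops accepting their identity.
# Assumes the account is synchronized from on-premises AD; names are placeholders.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService

$Sam = 'jsmith'
$Upn = 'jsmith@joeelway.com'

# 1. Disable in on-premises AD. This is the authoritative copy, but Azure AD
#    only learns of it on the next sync cycle (from 30 minutes up to 3 hours,
#    depending on the sync tool and its version), so do not rely on it alone.
Disable-ADAccount -Identity $Sam
Set-ADAccountPassword -Identity $Sam -Reset -NewPassword (
    ConvertTo-SecureString ([Guid]::NewGuid().ToString()) -AsPlainText -Force)

# 2. Block sign-in directly in Azure AD as well. This takes effect at the next
#    token request and covers every federated SaaS app, because each of them
#    sends the user back to Azure AD to authenticate.
Set-MsolUser -UserPrincipalName $Upn -BlockCredential $true

# 3. Confirm the state. Access tokens already issued stay valid until they
#    expire (about an hour), so a leaver who is mid-session can keep working
#    for that long; clients holding refresh tokens are cut off when they next
#    try to refresh and Azure AD sees BlockCredential.
Get-MsolUser -UserPrincipalName $Upn |
    Select-Object UserPrincipalName, BlockCredential, LastDirSyncTime
```

Run step 2 before waiting for the sync; for a cloud-only account (no ImmutableId) it is the only step that does anything.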
Azure Active Directory Free
The free edition of Azure AD is what you get when you sign up for any of Microsoft's cloud services. Being free, it gives you a sample of the power of the future of Active Directory. I say a sample because it will make you want more, especially once you realize the power and value of identity in the cloud era.
The features of Azure AD Free are:
- Directory scale: Up to 500,000 objects are supported, but note that this is not a limit for Office 365, Microsoft Intune, or any other Microsoft cloud service that will use Azure AD.
- UI and PowerShell: All editions of Azure AD can be administered through the web portals and through PowerShell (the MSOnline module's MSOL cmdlets).
- Device registration: A device such as a Windows 10 tablet or PC can register with Azure AD (Workplace Join), so that the directory knows the device and services that authenticate against it can take it into account. This is not a domain join; it's intended for work-at-home and BYOD users.
- Single sign-on: A user can see up to 10 federated cloud services in an access panel.
- Azure AD Connect: All editions of Azure AD support Azure AD Connect for synchronizing on-premises AD with Azure AD.
- Standard security reports: A basic set of reports lets you monitor sign-ins to Azure AD.
Azure Active Directory Basic
Some features of Azure AD Free are alluring. What can you do with device registration and single sign-on? Once users rely on them, the service is becoming valuable, and the business is beginning to depend on Azure AD. If you start to value these features, it's time to step up the licensing (per user, through volume licensing) to Azure AD Basic, whose features are a superset of Azure AD Free:
- No object limit: There is no restriction on how many objects your directory can hold in Azure AD.
- Service level agreement (SLA): Microsoft offers an SLA of 99.9% on Azure AD once you step up to Basic licensing or higher.
- Groups: You can start to assign access to applications using groups in Azure AD.
- Customization/skinning: You can put a company logo and color scheme on the sign-in page and the access panel pages.
- Self-service password reset: Bye-bye Monday morning hell. Helpdesk admins of the world can rejoice that this once-big-business-only feature is available to all cloud-enabled users. Note that in Basic the reset applies to the cloud password only; writing it back to on-premises AD is a Premium feature.
- Application proxy: The Web Application Proxy role of Windows Server 2012 R2 is made easier in the cloud. Remote and roaming users sign in with their AD credentials, through Azure AD, to web applications hosted on-premises or in Azure, and the connector only needs outbound connectivity, so no inbound firewall ports are opened.
Azure Active Directory Premium
Identity is now an asset of the company, and it’s time to bring the full weight of Azure AD to support this asset. You can step up by buying Azure AD Premium by itself, or take complete control of devices, applications, content, and identity with the Enterprise Mobility Suite (EMS). Azure AD Premium adds the following features to Azure AD Free and Azure AD Basic:
- Advanced application usage reporting: Track how single sign-on is being used.
- Self-service group management: Enable power users in the business to manage group membership (and therefore application access).
- Self-service password reset with write-back: Keep on-premises AD in sync with passwords that are reset by users in the cloud.
- Microsoft Identity Manager (MIM) user licenses: MIM client licenses for on-premises identity and access management are included.
- Advanced reports: Based on machine learning, these reports help you spot identity anomalies.
- Cloud App Discovery: Find out what SaaS applications your company is using (Shadow IT) and bring them under the control of Azure AD (single sign-on).
- Multi-factor authentication: Set policies so that knowing a username and password is not enough; users must prove their identity with a second factor such as a phone call, a text message, or the authenticator app on a smartphone.
- Monitor Azure AD Connectivity: Use Azure Active Directory Connect Health, in preview at this time, to monitor the health of the connection between AD and Azure AD.
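The MFA policy in the list above is applied per user, and the accounts to start with are the administrators. The block below is an added example, not code from the original article: it lists tenant administrators who have not registered any second factor and enables MFA for them with the MSOnline cmdlets. The StrongAuthenticationRequirement object is the documented MSOnline type; user and role names are as the tenant defines them.

```powershell
# Added example (not from the original article): find privileged Azure AD
# accounts with no registered MFA method and enable MFA on them.
Import-Module MSOnline
Connect-MsolService

function Get-AdminsWithoutMfa {
    # "Company Administrator" is the MSOnline name of the Global Administrator role.
    $role = Get-MsolRole -RoleName 'Company Administrator'
    Get-MsolRoleMember -RoleObjectId $role.ObjectId -All |
        Where-Object { $_.RoleMemberType -eq 'User' } |
        ForEach-Object { Get-MsolUser -ObjectId $_.ObjectId } |
        Where-Object { $_.StrongAuthenticationMethods.Count -eq 0 }
}

function Enable-MfaForUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    # 'Enabled' makes the user register a second factor at next sign-in.
    # 'Enforced' also breaks legacy clients that cannot do MFA until the user
    # creates an app password, so start with Enabled and move to Enforced later.
    $req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
    $req.RelyingParty = '*'
    $req.State = 'Enabled'
    Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @($req)
}

$exposed = @(Get-AdminsWithoutMfa)
$exposed | Select-Object UserPrincipalName, LastPasswordChangeTimestamp | Format-Table
foreach ($u in $exposed) { Enable-MfaForUser -UserPrincipalName $u.UserPrincipalName }

# Verify: every admin should now carry a requirement, and after the user has
# registered, at least one entry in StrongAuthenticationMethods.
Get-MsolRoleMember -RoleObjectId (Get-MsolRole -RoleName 'Company Administrator').ObjectId -All |
    Where-Object { $_.RoleMemberType -eq 'User' } |
    ForEach-Object { Get-MsolUser -ObjectId $_.ObjectId } |
    Select-Object UserPrincipalName,
        @{ n = 'MfaState';    e = { $_.StrongAuthenticationRequirements.State } },
        @{ n = 'MethodCount'; e = { $_.StrongAuthenticationMethods.Count } }
```

An admin with MfaState set but MethodCount still 0 has not yet signed in since the change; chase those accounts, because until registration completes the password alone still opens the tenant.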
Microsoft has also enabled support for System for Cross-domain Identity Management (SCIM 2.0) in the Premium edition to further enable the provisioning of users across cloud services. Where single sign-on handles authentication, SCIM handles the account lifecycle: creating a user in the SaaS application when they are assigned, and deactivating them when they are removed. This should make it easier for Microsoft, and for IT pros and developers, to provision into more SaaS applications.
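To make the SCIM point concrete, here is an added example, not code from the original article or from Azure AD itself, of the two requests a SCIM 2.0 provisioning client sends: create a user, then deactivate them. The schema URNs and attribute names come from RFC 7643 and RFC 7644; the endpoint URL, bearer token, user and externalId are placeholders, and the 409 handling reflects the conflict status SCIM servers return for an existing userName.

```powershell
# Added example (not from the original article): the SCIM 2.0 requests behind
# user provisioning. Endpoint, token and user data below are placeholders.
function New-ScimUserBody {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$FamilyName,
        [Parameter(Mandatory)][string]$ExternalId,   # the Azure AD object id, linking both records
        [bool]$Active = $true
    )
    @{
        schemas    = @('urn:ietf:params:scim:schemas:core:2.0:User')
        externalId = $ExternalId
        userName   = $UserPrincipalName
        active     = $Active
        name       = @{ givenName = $GivenName; familyName = $FamilyName }
        emails     = @(@{ value = $UserPrincipalName; type = 'work'; primary = $true })
    } | ConvertTo-Json -Depth 5
}

function Send-ScimRequest {
    param(
        [Parameter(Mandatory)][string]$BaseUrl,      # placeholder, e.g. https://app.example/scim/v2
        [Parameter(Mandatory)][string]$BearerToken,
        [Parameter(Mandatory)][ValidateSet('GET', 'POST', 'PATCH')][string]$Method,
        [Parameter(Mandatory)][string]$Path,
        [string]$Body
    )
    $headers = @{ Authorization = "Bearer $BearerToken"; Accept = 'application/scim+json' }
    try {
        Invoke-RestMethod -Method $Method -Uri "$BaseUrl$Path" -Headers $headers `
            -ContentType 'application/scim+json' -Body $Body
    } catch {
        # RFC 7644: a userName that already exists answers 409 Conflict. The right
        # reaction is to look the user up and PATCH, never to create a duplicate.
        if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 409) {
            Write-Warning "Resource already exists at $Path; look it up and PATCH instead"
            return $null
        }
        throw
    }
}

$base  = 'https://app.example/scim/v2'   # placeholder SCIM endpoint
$token = $env:SCIM_TOKEN                 # long-lived bearer token issued by the SaaS app

# Create the user when they are assigned to the application.
$body = New-ScimUserBody -UserPrincipalName 'jsmith@joeelway.com' -GivenName 'Joe' -FamilyName 'Smith' `
                         -ExternalId '11111111-2222-3333-4444-555555555555'
$created = Send-ScimRequest -BaseUrl $base -BearerToken $token -Method POST -Path '/Users' -Body $body

# Deprovision by setting active=false rather than deleting, so the app keeps
# the user's history and the account can be reactivated if HR got it wrong.
if ($created) {
    $patch = @{
        schemas    = @('urn:ietf:params:scim:api:messages:2.0:PatchOp')
        Operations = @(@{ op = 'replace'; path = 'active'; value = $false })
    } | ConvertTo-Json -Depth 5
    Send-ScimRequest -BaseUrl $base -BearerToken $token -Method PATCH -Path "/Users/$($created.id)" -Body $patch
}
```

The bearer token here is what the SaaS vendor hands you when you enable provisioning; it grants create and disable rights over every account in that application, so store it as you would an admin password.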
Thoughts on Azure Active Directory
In my opinion, knowing Azure AD will become as essential as knowing on-premises AD, and might even replace that skill set in many cases once Azure AD Domain Services is released. When you read through what even the free Azure AD edition offers, it's hard to fight the momentum of this hybrid cloud solution. Even more functionality is on the way, turning Azure AD into a partnering solution (Azure AD B2B) and a profit-making or marketing platform (Azure AD B2C).
For those IT pros who are scared of the cloud: here is a new skill set, a new point of management, and a business asset that you will be responsible for managing, ensuring your future employability if you keep your skills up to date.