By Narvesh Jaunky, MCT
To understand the concept of Azure AD, you first need to understand what identity is. In brief, identity is the combination of two concerns. The first is authentication: are you who you say you are? The second is authorization: do you have permission to perform this task?
The important thing to understand is that authentication ("who you are") and authorization ("what you can do") are independent concerns.
For example, I can authenticate you, that is, establish that you are who you say you are, without granting you any permission. In other words, establishing who you are does not require granting you a permission. For example, having a State ID card doesn't make it legal for a 17-year-old to buy liquor in Mauritius.
In short, we can also combine authentication and authorization into a single task, which in information security we call a claims-aware identity.
For example, a driver's license asserts who you are and your permission to operate some, or all, motor vehicles, with or without conditions.
What is Azure Active Directory?
Azure AD, or Azure Active Directory, is the primary tool to manage identity. Specifically, we can use Azure AD to authenticate individual users; additionally, we can organize users into groups, which simplifies role-based authorization (it eases role-based permissions).
It is Microsoft's multi-tenant, cloud-based directory and identity management service. For IT admins, Azure AD provides an affordable, easy-to-use solution to give employees and business partners single sign-on (SSO) access to thousands of cloud SaaS applications like Microsoft 365, Salesforce, Dynamics 365, Dropbox, etc.
We can also collect a lot of data about individual users, such as their names, departments, email addresses, physical addresses, etc.
Azure Active Directory also allows third-party services to authenticate users through applications, for instance software-as-a-service offerings such as Office 365 and Dynamics 365, but it can be any third-party application that is properly constructed to use delegated permissions from Azure Active Directory.
We can also use Azure Active Directory to authenticate users for our own web and desktop applications. Azure AD gives you the flexibility to access your on-premises web applications from everywhere and protect them with multi-factor authentication, conditional access policies, and group-based access management.
Azure AD supports identity federation and single sign-on. We can trust some other identity store to authenticate users as though they were Azure AD users or applications. Azure Active Directory provides secure single sign-on to cloud and on-premises Active Directory, other identity stores (via SAML and WS-Federation) and social media identities (Facebook, Twitter, Google, etc.).
If you are a Microsoft 365, Azure or Dynamics CRM Online customer, you might not realize that you are already using Azure AD. Every Microsoft 365, Azure and Dynamics CRM tenant is already an Azure AD tenant. You can start using that tenant any time to manage access to the thousands of other cloud applications Azure AD integrates with.
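The split between authenticating a user and authorizing what they may do, and the claims-aware identity that carries both (the driver's license above), can be made concrete with a claims-bearing token like the ones Azure AD issues. This is an added example, not code from the original post or from Microsoft: authenticate() only verifies the token (signature, issuer, audience, expiry) while authorize() decides from the roles claim alone, so a valid token without the required role is the State ID case and one with it is the driver's license case. The signing key, issuer, audience and role names are constructed placeholders, and HMAC stands in for the RSA signatures Azure AD really uses so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values. Real Azure AD tokens are RSA-signed with keys published
# at the tenant's OpenID discovery endpoint; HMAC keeps this example offline.
DEMO_KEY = b"constructed-demo-signing-key"
EXPECTED_ISSUER = "https://login.microsoftonline.com/<tenant-id>/v2.0"  # placeholder tenant
EXPECTED_AUDIENCE = "api://demo-app"  # assumed application ID URI

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict) -> str:
    """Mint a compact JWT (header.payload.signature) carrying the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authenticate(token: str, now=None):
    """Authentication: are you who you say you are? Verifies signature, issuer,
    audience and expiry and returns the claims, or None. Says nothing about
    what the caller is allowed to do."""
    try:
        header, payload, sig = token.split(".")
        signature = _b64url_decode(sig)
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # malformed token, bad base64 or bad JSON
        return None
    expected = hmac.new(DEMO_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not isinstance(claims, dict) or not hmac.compare_digest(expected, signature):
        return None
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        return None
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        return None
    return claims

def authorize(claims: dict, required_role: str) -> bool:
    """Authorization: do you have permission? Decided only from the roles claim,
    which in Azure AD carries the app roles assigned to the user or its groups."""
    return required_role in claims.get("roles", [])
```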
Azure Active Directory Editions
Azure Active Directory comes in four editions – Free, Microsoft 365 Apps, Premium P1 and Premium P2. The Free edition is included with an Azure subscription. The Premium editions are available through a Microsoft Enterprise Agreement, the Open Volume License Program, and the Cloud Solution Providers program. Azure and Microsoft 365 subscribers can also buy Azure Active Directory Premium P1 and P2 online.
Azure Active Directory Free
Provides user and group management, on-premises directory synchronization, basic reports and single sign-on across Azure, Microsoft 365 and many popular SaaS apps.
Azure Active Directory Microsoft 365 Apps
This edition is included with Office 365. In addition to the Free features, this edition provides identity and access management for Microsoft 365 apps, including branding, MFA, group access management, and self-service password reset for cloud users.
Azure Active Directory Premium P1
In addition to the Free features, P1 also lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager (an on-premises identity and access management suite) and cloud write-back capabilities, which allow self-service password reset for your on-premises users.
Azure Active Directory Premium P2
In addition to the Free and P1 features, P2 also offers Azure Active Directory Identity Protection, to help provide risk-based Conditional Access to your apps and critical company data, and Privileged Identity Management, to help discover, restrict and monitor administrators and their access to resources and to provide just-in-time access when needed.
Probably the best benefit of Azure Active Directory, from a practical point of view, is that it integrates well with on-premises Active Directory services. To keep Azure Active Directory tenants and on-premises AD in sync, we use a tool called Azure AD Connect; using this tool, we can create a consistent state between on-premises AD, Office 365 and Azure AD instances.
AD Connect supports federated identities and single sign-on. It is the replacement for DirSync and Azure AD Sync, two previous tools for managing hybrid identities in Azure. AD Connect integrates with multiple on-premises ADs; this includes the ability to work with multiple on-prem Exchange organisations and the ability to select, with filters, which attributes within an organisation are synced with Azure AD.
AD Connect supports syncing customer-defined attributes of objects (i.e. custom user properties). It also supports write-back from Azure AD to on-premises for devices, attributes, groups and passwords (a Premium feature).
Narvesh Jaunky, MCT, is a Microsoft Certified Trainer, IT Consultant, Solution Architect and Technical Trainer.