Time to get serious with Azure AD
For most people working in IT infrastructure, Active Directory (AD) has been an essential part of supporting the business for many years. AD is the bedrock on which many end users, devices and services are built. Over the last few years, Microsoft's cloud-based Azure AD service has grown capabilities that complement on-premises AD. I think it's now at a point where IT managers and their teams need to sit up and take notice. This is not to say that Azure AD is there to replace our AD, but it has some serious capabilities, especially around identity management, that warrant serious analysis by every department that runs an on-premises Microsoft AD.
31 Jan 2018
Understanding Azure AD and its different editions
A free Azure AD tenant is created every time a trial or live Microsoft cloud subscription is initiated. Most companies that use Microsoft cloud services such as Office 365 or Azure already have Azure AD implemented to some degree. For the rest of us who are still in the early phases of these projects, it is worth understanding that there are free and paid editions of Azure AD. To compare the different editions, I highly recommend a quick glance at this summarised table.
The “Free” edition of Azure AD is nothing to be sneezed at! For starters, it has a capacity of over half a million objects (see https://www.microsoft.com/en-gb/cloud-platform/azure-active-directory-features.htm). The “Basic” and “Premium” editions have no object limit. Think of all the users, devices, groups and contacts that your AD holds and the hardware required to support them. Now think of not having to manage the back end of a directory that has no object limit!
You have full PowerShell access to Azure AD, so you can script, automate and report extensively. Business-to-Business (B2B) collaboration and Single Sign-On (SSO) are also built into all editions, allowing you to collaborate with other companies and share your apps with them.
The evolution of Azure AD Connect
The savvy IT person will quickly realise that identity is key to utilising cloud services. In the AD world, each user has a “User Principal Name” (UPN), and this is the name they sign in with to Microsoft cloud services. The UPN format looks very much like an email address, so much so that I would strongly recommend IT departments start changing users' UPNs to match their primary email addresses, to avoid confusion and keep things simple. One caveat: the UPN suffix must be a public domain that has been verified in your Azure AD tenant. Users whose UPN ends in a non-routable suffix such as .local are synchronised with a default onmicrosoft.com sign-in name instead, which is exactly the confusion you are trying to avoid.
The tool used to synchronise your on-premises AD objects, UPNs included, into Azure AD is called “Azure AD Connect”. This free tool has so many built-in features that it is worth the effort to understand its capabilities.
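To show what the UPN alignment looks like in practice, here is an added PowerShell example (not from the original post) that audits on-premises AD users before you point Azure AD Connect at them. It assumes the RSAT ActiveDirectory module is installed, a hypothetical OU of OU=Users,DC=contoso,DC=local, and a hypothetical list of domains already verified in the Azure AD tenant. It classifies each enabled user by whether the UPN already matches the primary SMTP address and whether the suffix is one Azure AD will accept, then rewrites only the clean mismatches, as a dry run.

```powershell
# Added example, not from the original post: audit on-premises AD UPNs against the
# primary SMTP address before synchronising with Azure AD Connect.
# Assumptions: RSAT ActiveDirectory module; the OU and domain list below are placeholders.
Import-Module ActiveDirectory

$VerifiedDomains = @('contoso.com', 'contoso.co.uk')   # assumption: domains verified in Azure AD
$SearchBase      = 'OU=Users,DC=contoso,DC=local'      # assumption: OU in scope for sync

$results = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
    -Properties UserPrincipalName, proxyAddresses |
  ForEach-Object {
    # The primary SMTP address is the proxyAddresses entry prefixed with upper-case "SMTP:"
    # (lower-case "smtp:" entries are secondary aliases), hence the case-sensitive -cmatch.
    $primary = ($_.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' } |
                Select-Object -First 1) -replace '^SMTP:', ''
    $suffix  = if ($primary) { $primary.Split('@')[-1] } else { $null }

    [pscustomobject]@{
      SamAccountName = $_.SamAccountName
      CurrentUpn     = $_.UserPrincipalName
      PrimarySmtp    = $primary
      Status         = if (-not $primary)                          { 'NoPrimarySmtp' }
                       elseif ($suffix -notin $VerifiedDomains)    { 'SuffixNotVerified' }
                       elseif ($_.UserPrincipalName -ieq $primary) { 'Aligned' }
                       else                                        { 'Mismatch' }
    }
  }

# Summary first: how many users are already aligned, how many need a fix, and how many
# cannot be fixed yet because their mail domain is not verified in the tenant.
$results | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Detail for the two buckets that need human attention.
$results | Where-Object Status -in 'NoPrimarySmtp', 'SuffixNotVerified' |
  Format-Table SamAccountName, CurrentUpn, PrimarySmtp, Status -AutoSize

# Rewrite only the clean mismatches. -WhatIf makes this a dry run; remove it to apply.
$results | Where-Object Status -eq 'Mismatch' | ForEach-Object {
  Set-ADUser -Identity $_.SamAccountName -UserPrincipalName $_.PrimarySmtp -WhatIf
}
```

Run it as-is for the report and remove -WhatIf to apply. Before applying, add the new suffix to the forest's UPN suffix list (Set-ADForest -UPNSuffixes @{Add='contoso.com'}) so it is also selectable in the AD management tools, and pilot with a handful of users: a UPN change is a sign-in name change for anyone already synchronised, and depending on tenant settings UPN changes for licensed cloud users may need extra handling.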
Originally called DirSync, the product traces its lineage back to the old Microsoft Identity Integration Server (MIIS) days. Nowadays it can do multi-forest sync, password hash sync and password write-back, and single sign-on, and it can even install and configure your ADFS farm for you. With easy installation and a second server in staging mode for failover, it allows IT infrastructure teams to sync (and filter) on-premises AD objects into Azure AD with minimum fuss.
The installation has both express and custom settings options, which are very well presented with easy-to-reference help; simply click on the question marks to understand a feature or capability. The product has evolved so much that it is now your identity bridge: it syncs from AD and, through its additional connectors, from other LDAP directories as well.
Why it makes sense to pay for the premium edition of Azure AD
So, with identity being a key component of your cloud strategy, it makes sense to develop some strong services to wrap around it. Think Multi-Factor Authentication (MFA), Self-Service Password Reset (SSPR) and some form of Conditional Access. To use these features you will need to purchase a “Premium” licence for Azure AD, or get it inside a bundle such as the Microsoft Enterprise Mobility + Security (EM+S) suite.
Now, most IT infrastructure departments already deliver a mix of these services using third-party products. But therein lies the problem: each third-party product is another service to manage and another product to support, with more complication, not to mention the purchase, maintenance and support costs of each individual component. There are many examples of customers who have easily justified the cost of a whole suite of Microsoft cloud products on the strength of Azure AD's MFA alone!
When you analyse the features available in the Premium editions of Azure AD, there is a very strong business case for driving operational efficiency and modern practices. Furthermore, because these features are already integrated into Azure AD and take minimal effort to pilot and test, the deployment lifecycle is greatly reduced. Finally, once you are using them, you can take comfort in knowing that Microsoft support is built into the purchase price.
Components of Azure AD that can really help IT departments
I briefly mentioned password sync and write-back in the previous section. With the Premium edition of Azure AD, users can reset their own account passwords without engaging IT support, and the new password is written back to on-premises AD. Self-service reset can be configured to require two verification methods (e.g. a text message to a previously registered phone as one of them). This alone is a great feature that can greatly benefit the business, as it lets users reset or change their own passwords under conditions that IT have pre-set: which methods count, how many are required, and who is in scope.
Azure AD has the capability to publish enterprise applications to your end users; think of it as a web-based app store specific to your business. These applications can be internal (published via Azure AD Application Proxy), external SaaS apps (such as Facebook, LinkedIn or Box) or custom developed. Using this feature has a number of benefits. Firstly, staff sign in to cloud-based apps using their corporate credentials, and when a user leaves the company we simply disable their AD account; on the next sync their access to every published app goes with it. Secondly, multiple users can sign in to a single shared account for a specific app (e.g. a marketing department social media account) using their own AD credentials, with Azure AD storing the shared password and filling it in at sign-in, rather than every staff member knowing the credentials of the app. Thirdly, we can wrap Conditional Access and MFA around these apps, e.g. “the intranet is only available to domain-joined PCs coming from a trusted IP address”. Finally, it gives us security logging and auditing that is quite difficult to achieve in traditional environments. We can easily report on usage such as “Which systems did Bob log into yesterday?”
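The “Which systems did Bob log into yesterday?” question, and the PowerShell reporting mentioned earlier, as an added example that is not from the original post. It pulls the Azure AD sign-in log through the Microsoft Graph reporting API (beta endpoint; adjust the path if your tenant exposes the v1.0 version) with Invoke-RestMethod and follows the paging links. Assumptions: $Token is a bearer token for an identity granted AuditLog.Read.All and Directory.Read.All (acquiring it is outside the snippet), the tenant holds a Premium licence so sign-in logs are retained, and bob@contoso.com is a placeholder.

```powershell
# Added example, not from the original post: answer "which systems did this user sign in to
# yesterday?" from the Azure AD sign-in log via Microsoft Graph.
# Assumptions: $Token is a valid bearer token with AuditLog.Read.All and Directory.Read.All;
# the user below is a placeholder.
param(
  [Parameter(Mandatory)] [string] $Token,
  [string] $UserPrincipalName = 'bob@contoso.com'   # assumption: placeholder user
)

# Yesterday in local time, expressed as UTC ISO 8601 timestamps for the OData filter.
$start = (Get-Date).Date.AddDays(-1).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$end   = (Get-Date).Date.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')

$filter  = "userPrincipalName eq '$UserPrincipalName' and createdDateTime ge $start and createdDateTime lt $end"
$uri     = 'https://graph.microsoft.com/beta/auditLogs/signIns?$filter=' + [uri]::EscapeDataString($filter)
$headers = @{ Authorization = "Bearer $Token" }

# Graph returns results in pages; keep following @odata.nextLink until it is absent.
$events = @()
while ($uri) {
  $page   = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
  $events += $page.value
  $uri     = $page.'@odata.nextLink'
}

# One row per sign-in: the application, where it came from, the device, whether it
# succeeded (errorCode 0) and what Conditional Access decided. Failures and
# unfamiliar locations are what an investigator looks for first.
$events | Select-Object `
  @{n='Time';       e={ $_.createdDateTime }},
  @{n='App';        e={ $_.appDisplayName }},
  @{n='IP';         e={ $_.ipAddress }},
  @{n='Country';    e={ $_.location.countryOrRegion }},
  @{n='Device';     e={ $_.deviceDetail.displayName }},
  @{n='Result';     e={ if ($_.status.errorCode -eq 0) { 'Success' } else { "Failed ($($_.status.errorCode))" } }},
  @{n='CondAccess'; e={ $_.conditionalAccessStatus }} |
  Sort-Object Time | Format-Table -AutoSize

# Count of distinct systems touched, which is the literal answer to the question.
"Distinct applications signed in to: " + ($events.appDisplayName | Sort-Object -Unique).Count
```

Save it as a .ps1 and call it with -Token and -UserPrincipalName. The same data is visible in the Azure portal under the Sign-ins blade of Azure Active Directory; the script version is what you want when the question is asked for fifty users, or needs to land in a ticket or a SIEM.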
Now, there are many more features in Azure AD; covering them all would make this blog post more like an essay! It is satisfying to see IT infrastructure teams discover specific features they can benefit from just from having a quick play.
How to get started with Azure AD (demo)
Speaking of having a quick play: I have always felt that most people are visual learners, and the quickest way to understand these features is simply to start a trial!
You can do this by clicking on the “Try now” button on the main homepage of Azure Active Directory.
In the coming weeks, I’ll be hosting a webinar where I’ll talk a lot more around these features of Azure AD and even demonstrate the business and IT values that I’ve discussed here – so stay tuned!
Summary and Next Steps
Microsoft's Azure AD has come a long way. There are a lot of integrated features built into the free and Premium editions of the product that every IT infrastructure team should start taking seriously. Using these features is quite straightforward, and synchronising your on-premises AD has never been simpler.
With strong integration into Microsoft's cloud services such as Azure, Office 365 and Intune, there are a lot of synergies that can save IT time, effort and cost.
Understand Azure AD features and capabilities (click on the top right button “Try now” to start a trial)