As the modern employee becomes more mobile than ever before, so does the need to securely manage identity. Enter Azure Active Directory – Microsoft’s cloud identity solution for managing access to internet services and web-accessible enterprise assets.
*Ahem* Welcome to Azure Active Directory for Bozos™, my clearly-not-a-For-Dummies-Knockoff explanation of the Microsoft Azure Active Directory platform. “This is what I’ve been waiting for”, you might think, “All the power of the cloud poured deep into the soul of Active Directory! I feel like Whoopi Goldberg winning her first Academy Award!”
Despite the shared nomenclature, it’s a mistake to confuse Azure AD as a direct successor to traditional on-premise AD. In actuality, Azure is a completely different product – which works effectively alongside an on-premise AD environment, but ultimately serves a different purpose.
Without getting overly technical or complicated, here’s the skinny: On-Premise AD organizes directory objects – users, computers, etc – into a hierarchical structure easily read and accessed not just for internal identity management, but also for integration with applications and file access. A single form of authentication is used – Kerberos – and machines are controlled by adding them to the domain.
Azure AD, meanwhile, is less about building an organizational hierarchy of users and computers and more about regulating user identity across the internet – most heavily used for granting identity verification and authentication with third-party applications like Office 365 or even Facebook. Azure AD access can be administered from a centralized control panel which, when integrated properly, can basically be a one-stop shop for provisioning or deprovisioning users within cloud applications in real time.
The licensing model for Azure AD is simple, and becoming more simple as Microsoft eliminates the Basic tier – leaving only Free, P1, and P2 licensure:
1. Free – This model is included with a 365/Azure subscription and is really just for testing purposes and laying the groundwork for a future AAD integration. It lacks most of the tools for leveraging control over cloud app access and has very little in the way of security analytics – so not very suitable for real business use.
2. Premium 1 (P1) – At $6 per user/month, this licensing level will generally provide the most bang for your buck. The full power of Azure AD integration is unleashed for cloud applications as well as further user security controls, like enforced multi-factor authentication policies across an organization (the free model, in contrast, requires setting up MFA for each user individually). In addition, a wide variety of security and usage analytics become available to administrators, increasing visibility of how and when your tools are being used.
3. Premium 2 (P2) – Includes everything from P1 with the addition of even more powerful security analytics and tools, as well as allowing for granular application of Azure / 365 admin rights – allowing designated users certain levels of control without selling the entire farm. This tier is $9 per user/month and best used where tight security and high visibility over identity management is needed – typically for your most sensitive and/or high-ranking personnel.
Note: These are not the only methods by which Azure AD licenses are sold. The above licenses – or various aspects of the above licenses – are incorporated into a few other license models as well, such as the Microsoft 365 or Enterprise Mobility + Security plans. But the Azure P1/P2 license model is the foundation on which the Azure-included licenses are built, so know the above details is the best place to start.
The most complete and efficient deployment of Azure AD integrates with your On-Premise AD – synchronizing the user accounts in each and providing all the internal user/computer account control of traditional AD while leveraging the identity management capabilities over cloud access offered by Azure – federating your third-party cloud applications back into the on-premise AD and allowing the quick, simple provisioning/deprovisioning of users mentioned earlier in the article by modifying the on-premise AD account.
Azure AD is an extremely useful tool and will be indispensable to enterprise productivity and security when deployed properly. But is Azure AD the only product of it’s kind? Absolutely not – the identity management space is getting increasingly competitive with a lot of other great products, like Okta or OneLogin. More information on Azure AD competitors can be found here. Happy Managing!
Categories: Products
Austin Thomé - Cloud & DevOps Engineer 