
Azure AD is a cloud-based identity and access management solution that helps organizations manage user identities and access to their resources. It's a crucial component of Microsoft's Azure platform.
Azure AD works by providing a centralized location for managing user identities, which includes storing user credentials and permissions. This allows organizations to easily grant or revoke access to their resources.
At its core, Azure AD is built around the concept of directories, which are essentially collections of user and group objects. A directory in Azure AD is essentially a container that holds all the user and group information.
Azure AD also supports multiple types of user identities, including cloud-only identities, synchronized identities, and federated identities.
On a similar theme: Get Azure Ad User
Azure AD Components
Azure AD Components are responsible for facilitating secure user authentication and access management. They work behind the scenes to ensure seamless interactions between users, applications, and identity providers.
Azure Active Directory (Azure AD) acts as both an identity provider and a service provider. As an identity provider, it authenticates users and provides authentication tokens to service providers, verifying their authenticity. This is a crucial aspect of Azure AD's functionality, enabling secure communication between users and applications.
Azure AD Components include the Service Provider and Identity Provider roles. The Service Provider is responsible for communication between the user and the identity provider, while the Identity Provider authenticates users and provides authentication tokens.
For another approach, see: Jwt Azure Ad Authentication
Windows vs Azure AD
Windows Active Directory, launched by Microsoft in 2000, is the predecessor to Azure Active Directory. Unlike Azure Active Directory, Windows Active Directory uses Lightweight Directory Access Protocol (LDAP) to connect with other web-based applications.
Azure Active Directory, on the other hand, uses Representational State Transfer (REST) API interfaces to provide web-based applications, making it ideal for cloud contexts.
Group Policies (GPOs) are usually used to govern desktops and servers connected to Windows Active Directory. This is in contrast to Azure Active Directory, which uses Azure Policy.
Azure Active Directory does not support NTLM, Kerberos, or LDAP protocols, whereas Windows Active Directory does.
A fresh viewpoint: Azure Ad Ldaps
Authentication Components
Azure Active Directory (AAD) has two main components: Service Provider and Identity Provider. The Service Provider is responsible for communications between the user and the identity provider, which in this case is Azure AD. This is similar to how an application could be a Service Provider, communicating with Azure AD as the identity provider.
For more insights, see: Azure Ad Sync Service
Azure AD is an identity provider that authenticates the user and provides an authentication token to the service provider. This token verifies the authenticity of the user, allowing them to access the application.
Azure AD also has a feature called Pass Through Authentication (PTA) that allows users to sign in to both on-prem and cloud-based applications using the same password. This is achieved through an agent that connects to Azure AD and validates the user's credentials against the on-prem Active Directory.
Here are the key differences between Password Hash Synchronization (PHS) and Pass Through Authentication (PTA):
Azure AD's PHS feature ensures a smooth end-user experience by synchronizing passwords between on-prem and cloud-based environments. This reduces the need for IT helpdesk tasks related to password resets and forgotten passwords.
Azure AD Features
Azure AD offers four different licensing tiers: free, Office 365 Apps, Premium P1, and Premium P2. The free tier has a 500,000-object limit for directory objects and includes features like unlimited single sign-on, user provisioning, and multifactor authentication.
Worth a look: Is Azure Active Directory Free
The free tier also includes device registration, cloud authentication, and Azure AD Join. Azure AD Join allows for desktop SSO and administrator BitLocker recovery.
Here are the features included in the free tier, listed out for reference:
- Unlimited single sign-on
- User provisioning
- Federated Authentication (Active Directory Federation Services or third-party identity provider)
- Users and group management
- Device registration
- Cloud authentication (Pass-Through Authentication, Password Hash synchronization, Seamless SSO)
- Azure AD Connect sync, which extends an organization's on-premises directories to Azure AD
- Self-service password change
- Azure AD Join (desktop SSO and administrator BitLocker recovery)
- Password protection
- Multifactor authentication
- Basic reporting for security and usage
- Azure AD features for guest users
The Office 365 Apps tier has no directory object limit and includes all the features of the free tier, plus identity and access management for Office 365 apps. This tier includes features like customized company branding of access panels and logon/logout pages, as well as a service-level agreement (SLA).
A different take: Azure Ad and Office 365
Microsoft Entra ID
Microsoft Entra ID is a comprehensive identity management solution that helps you manage all your identities and access to applications in a central location, whether they're in the cloud or on-premises, to improve visibility and control.
With Microsoft Entra ID P2, you get advanced identity and access management capabilities, including identity protection, privileged identity management, and self-service entitlement management for users.
Microsoft Entra ID P1 provides the fundamentals of identity and access management, including single sign-on, multifactor authentication, passwordless, Conditional Access, and other features.
You can explore Microsoft Entra for secure access for any identity, from anywhere, to any resource across clouds and on-premises.
Microsoft Entra ID offers robust identity protection, which is a key component of Microsoft Entra P2.
Microsoft Entra ID P1 includes multifactor authentication, which adds an extra layer of security to the sign-in process.
Microsoft Entra ID is designed to work seamlessly with various applications and resources across clouds and on-premises, providing secure access from anywhere.
Hybrid Identity
Hybrid Identity is a key concept in Azure AD that allows users to access both on-premises and cloud-based resources with a single identity. This is achieved through the synchronization of identity data from on-premises Active Directory to Azure Active Directory using tools like Azure AD Connect.
With Hybrid Identity, users can log in from different locations and access multiple resources securely. This is made possible by creating a common user identity that can be used across various authentication and authorization methods.
Expand your knowledge: Azure Ad Directory Roles
To set up Hybrid Identity, you need to install Azure Active Directory Connect with either express settings or custom settings. This will allow you to sync identity data from your on-premises Active Directory to Azure Active Directory.
As your organization grows and evolves, managing Hybrid Identity can become complex. However, with the right methods and tools, it can be managed effectively.
Some key things to consider when implementing Hybrid Identity include:
- Cloud-only user accounts, such as B2B and B2C accounts, which are necessary for external users.
- Cloud-only attributes, such as license type, which determine what features users are entitled to use.
These are just a few examples of the considerations you'll need to take into account when implementing Hybrid Identity. By understanding these complexities, you can set up a robust and secure identity management system for your organization.
How Is Azure AD Structured?
Azure AD is structured around a tenant, which is a dedicated instance of Azure AD for a particular company. You create a tenant by signing up for a Microsoft cloud service like Office 365 and providing some basic details.
Your initial domain name will be the name you specify plus ".onmicrosoft.com". You can't change or delete this initial domain name, but you can add custom domain names to your tenant.
Each Azure tenant has its own dedicated and trusted Azure AD directory, which includes the tenant's users, groups, and apps. This directory performs identity and access management functions for the tenant's resources.
Azure AD does not have the same structures as on-prem AD, such as forests and organizational units (OUs). This means your Azure AD setup will be different from a traditional AD setup.
Related reading: New Name for Azure Ad
Security and Features
Azure AD offers robust security features to protect your digital assets.
Azure AD contains a number of features to secure and protect organizational data, including multifactor authentication (MFA), single sign-on (SSO) for cloud-based SaaS applications, and context-based adaptive policies.
Security Defaults in Azure AD is a feature that blocks legacy authentication protocols, requires MFA for administrators and users, and requires MFA for valuable organizational resources. This feature is designed to better secure digital assets and prevent common types of attacks such as phishing, password spray, and session replay.
Explore further: Mfa Completed in Azure Ad
Azure AD has four different licensing tiers, including free, Office 365 Apps, Premium P1, and Premium P2. The free tier includes features such as unlimited single sign-on, user provisioning, and multifactor authentication.
Here's a breakdown of the features included in each tier:
Azure AD also offers advanced security and usage reports, which can help you monitor and analyze your organization's security posture.
Frequently Asked Questions
What is Azure AD Connect and how does it work?
Azure AD Connect is a tool that connects on-premises identity infrastructure to Azure Active Directory, enabling identity management across hybrid environments. It synchronizes identities between public cloud and on-premises resources, streamlining access and management.
Featured Images: pexels.com


