Azure AD
Azure AD can be thought of primarily as a cloud-based centralized Identity Provider (IDP) and directory service for objects.
Azure AD is the foundation of granting access to resources through Identity and Access Management (IAM) for cloud and hybrid environments and providing authentication and authorization for users, apps, and devices.
Objects are stored in Azure AD with attributes; for user identities, the core attributes would be their sign-in name, known as their User Principal Name (UPN), password, location, assigned roles, group membership, devices, licenses, and authentication methods. The following diagram aims to visualize Azure AD as the centralized cloud IDP:
Figure 8.1 – Azure AD
In addition to an organization’s user management, Azure AD provides the following:
- Device management
- Application management
- Business to Business (B2B) and Business to Consumer (B2C) identity services
- SSO
- MFA and Conditional Access
An instance of Azure AD (referred to as a directory) is created for each Microsoft tenant that is created; that is, each <tenant>.onmicrosoft.com represents an instance of Azure AD.
You will only have one directory per <tenant>.onmicrosoft.com, and by creating a new <tenant>.onmicrosoft.com, you will be creating a new directory.
There are four editions of Azure AD. They are as follows:
- Free: This edition is created automatically with every new tenant, and a tenant is in turn provisioned when you subscribe to a Microsoft online service such as Microsoft 365, Dynamics 365, or Azure.
- Office 365 Apps: This edition is included with Microsoft 365. It includes a Service-Level Agreement (SLA) of 99.9% availability and additional functionality such as organization branding and two-way synchronization of objects between AD and Azure AD.
- Premium P1 and P2: These editions provide additional identity protection and identity governance functionality on top of the basic functionality included in the free and Microsoft 365 editions.
Azure AD has objects that are referred to as security principals that form the basis for identities. They can be one of the following types:
- User: An entity that Azure AD can manage; this can be a member user that belongs to your organization's tenant or a guest user that does not.
Azure AD supports guest users through a feature called B2B. It allows users who are not part of your organization, such as business partners, to access resources in your tenant, typically by signing in with their own home tenant or another external identity. Azure AD B2C is a separate, customer-facing offering: it is deployed as its own B2C tenant and lets consumers sign in to your applications with a local account or an external IDP account such as Facebook or Google. B2C does not grant those consumers access to your organization's own directory.
- Application service principal: An entity that represents an identity of a service or application in Azure.
- Managed identity service principal: A special kind of service principal that Azure creates and manages on behalf of an Azure resource (for example, a virtual machine or a Function App) so that the resource can authenticate to other services without a credential being stored or rotated by you. There are system-assigned managed identities, whose lifecycle is tied to a single resource, and user-assigned managed identities, which are standalone resources that can be attached to several resources.
- Device: A physical entity: laptop, tablet, phone, virtual machine, and so on.
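The four principal types above are the objects you enumerate first when reviewing who and what can authenticate to a tenant. The following is an added example, not code from the original page, that inventories them with the Microsoft Graph PowerShell SDK; it assumes the Microsoft.Graph module is installed and the signed-in account is granted the listed read-only scopes. The `userType` and `servicePrincipalType` attributes are the ones that separate members from guests and application identities from managed identities.

```powershell
# Added example (not from the original page): inventory Azure AD security principals by type.
# Assumes the Microsoft.Graph PowerShell SDK is installed and consent exists for these read scopes.
Connect-MgGraph -Scopes "User.Read.All", "Application.Read.All", "Device.Read.All"

# Users: members of the tenant versus B2B guests; userType is the distinguishing attribute.
$members = Get-MgUser -Filter "userType eq 'Member'" -All -Property UserPrincipalName, UserType
$guests  = Get-MgUser -Filter "userType eq 'Guest'"  -All -Property UserPrincipalName, UserType

# Service principals: application identities versus managed identities.
$appSps = Get-MgServicePrincipal -Filter "servicePrincipalType eq 'Application'"     -All
$miSps  = Get-MgServicePrincipal -Filter "servicePrincipalType eq 'ManagedIdentity'" -All

# Managed identities carry alternativeNames; "isExplicit=True" marks a user-assigned identity,
# "isExplicit=False" a system-assigned one.
$userAssigned   = $miSps | Where-Object { $_.AlternativeNames -contains 'isExplicit=True' }
$systemAssigned = $miSps | Where-Object { $_.AlternativeNames -contains 'isExplicit=False' }

# Devices registered with or joined to the directory.
$devices = Get-MgDevice -All

# Summary of the principal population in the tenant.
[pscustomobject]@{
    Members                  = @($members).Count
    Guests                   = @($guests).Count
    ApplicationPrincipals    = @($appSps).Count
    UserAssignedIdentities   = @($userAssigned).Count
    SystemAssignedIdentities = @($systemAssigned).Count
    Devices                  = @($devices).Count
}

# Guests deserve individual review: the UPN of a B2B guest encodes the external home domain
# (for example, alice_partner.com#EXT#@contoso.onmicrosoft.com).
$guests | Select-Object UserPrincipalName, UserType | Format-Table -AutoSize
```

Run it from an account with only the read scopes shown; nothing in it writes to the directory. The `@( )` wrappers make the counts correct when a query returns a single object or nothing at all.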
When is AD not AD? When it’s Azure AD.
Both AD and Azure AD are IDPs, and while they share AD in the name, they function very differently.
AD was introduced in 2000 as Microsoft's on-premises directory service. It is a role installed as part of Windows Server, and servers running this role are referred to as Domain Controllers (DCs). Identities are stored in the directory as user objects, and the servers and workstations they access are stored as computer objects; DCs authenticate access to those resources with domain protocols such as Kerberos and NTLM.
AD is not a single function; it is a family of services, the core ones being AD Domain Services, AD Certificate Services, and AD Federation Services (ADFS). Many of these services are still required and will be around for some years to come, so Azure AD cannot be considered a 100% replacement for AD. It can, however, modernize your IAM strategy so that these legacy services are phased out and retired as you move to modern identity services. The following diagram aims to visualize this:
Figure 8.2 – AD and Azure AD
There is a misconception that Azure AD is the cloud equivalent of traditional Windows Server-based AD. It is not: Azure AD does not provide cloud DCs, does not speak Kerberos or LDAP to domain-joined machines in the way AD does, and cannot replace the functionality of a traditional Windows Server AD deployment.
Unlike AD, there is nothing to install for Azure AD, and no DCs are required while still allowing devices to appear as objects in the directory; Microsoft provides Azure AD as a fully managed IDP platform provided as Software-as-a-Service (SaaS).
AD can be connected to Azure AD using Azure AD Connect, a free tool that lets an organization establish a hybrid identity. It synchronizes users, groups, devices, and their attributes from AD to Azure AD, with writeback to AD of selected data (such as password changes and device objects) for specific scenarios; the authoritative source of the objects remains on-premises AD.
A hybrid identity approach lets users access resources in Azure AD using their AD identity, so the same username and password work in both IDP environments. How the password is verified depends on the sign-in method chosen: password hash synchronization (a hash of the AD password hash is stored in Azure AD), pass-through authentication (Azure AD forwards the validation to an on-premises agent), or federation (Azure AD redirects the sign-in to an on-premises IDP such as ADFS).
More information on hybrid identities and Azure AD Connect can be found at this URL: https://docs.microsoft.com/azure/active-directory/hybrid/whatis-azure-ad-connect.
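The tenant-per-directory model and the managed-versus-federated distinction above can both be observed from outside the tenant, which is why they matter for reconnaissance as well as for administration. The following is an added example that is not part of the original page: given a custom domain (the `contoso.com` placeholder is an assumption), it resolves the directory's tenant ID from the public OpenID Connect metadata and then asks the user-realm endpoint whether sign-ins for that domain are handled by Azure AD alone (`Managed`) or redirected to an on-premises IDP (`Federated`). The `getuserrealm.srf` endpoint is used by Microsoft's own sign-in flow but is not a formally documented API, so its field names are an assumption drawn from observed responses.

```powershell
# Added example (not from the original page): unauthenticated tenant and realm discovery.
# Assumes outbound HTTPS to login.microsoftonline.com; $Domain is a placeholder, not a real target.
param(
    [string]$Domain = "contoso.com"
)

# 1. Resolve the directory behind the domain. The OpenID Connect metadata is public, and the
#    issuer URL has the form https://login.microsoftonline.com/<tenantId>/v2.0.
$oidcUri = "https://login.microsoftonline.com/$Domain/v2.0/.well-known/openid-configuration"
try {
    $oidc = Invoke-RestMethod -Uri $oidcUri -Method Get
} catch {
    # A domain that is not verified in any tenant returns HTTP 400 here.
    Write-Error "No Azure AD tenant found for $Domain : $($_.Exception.Message)"
    return
}
$tenantId = ($oidc.issuer -split '/')[3]

# 2. Ask how a UPN in this domain authenticates. NameSpaceType is 'Managed' when Azure AD
#    verifies the password itself (password hash sync or pass-through authentication) and
#    'Federated' when sign-in is redirected to AuthURL, typically an ADFS farm.
$realmUri = "https://login.microsoftonline.com/getuserrealm.srf?login=user@$Domain&json=1"
$realm = Invoke-RestMethod -Uri $realmUri -Method Get

[pscustomobject]@{
    Domain        = $Domain
    TenantId      = $tenantId
    Issuer        = $oidc.issuer
    NameSpaceType = $realm.NameSpaceType
    FederationUrl = $realm.AuthURL     # empty for managed domains
}
```

Both requests are anonymous and read-only, so they are safe to run during an authorized assessment; a `Federated` result tells you that password validation, and therefore any on-premises MFA or lockout policy, lives on the ADFS side rather than in Azure AD.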
In this section, we looked at Azure AD. The following section looks at authentication and authorization.