What is Azure Active Directory? A Simple Walkthrough

Post last modified: September 10, 2023

Azure Active Directory is Microsoft’s enterprise cloud-based directory service for identity and access management. It gives users their own identity on Microsoft’s Azure cloud platform and provides access to resources such as the Azure Portal, software-as-a-service (SaaS) applications and Microsoft 365.

Not to be confused with traditional on-premises Active Directory Domain Services, which Microsoft introduced with Windows 2000, Azure Active Directory is built on Microsoft’s Azure infrastructure and is their own Identity-as-a-Service (IDaaS) offering. In practice, however, you will often find the two working closely together.

Azure Active Directory can also provide a unified sign-on experience for third-party applications through a method called single sign-on (SSO). This allows the administrator of your organisation to let users sign in to other applications with the username and password of their Azure Active Directory account.

What is the difference between Active Directory and Azure Active Directory?

Traditional Active Directory

Let's start with your traditional on-premises Active Directory. Active Directory is self-hosted, meaning you build your server or install your Windows Server operating system, install the Active Directory role, then design it how you want. It is built on protocols such as NTLM, LDAP and Kerberos to provide identity and authentication services for your on-premises infrastructure.

With traditional Active Directory you can create different objects such as users, computers and groups and organise them into containers called Organisational Units (OUs). Designing your OUs well allows you to use Group Policy to apply settings to, and govern, your users, devices and applications across your systems.

Azure Active Directory

Despite what the name suggests, Azure Active Directory is not just a cloud copy of your traditional Active Directory. It does not use the same protocols (NTLM, LDAP and Kerberos), does not use organisational units for structuring and does not provide Group Policy. Azure Active Directory is a distinct Microsoft product providing the next generation of identity and access management, which allows you to secure your data and applications in ways you have never been able to before.

The table below compares common actions in Azure Active Directory (AAD) and on-premises Active Directory.

Creating users
Azure Active Directory (AAD): User accounts are created in the cloud through the management portal or PowerShell.
Active Directory: Users are created on your on-premises domain controller running Active Directory Domain Services.

Object management
Azure Active Directory (AAD): Objects are not physically grouped into units or folders as they are in on-premises AD.
Active Directory: Objects are placed into organisational units, which can be used to apply policies.

Admin management
Azure Active Directory (AAD): Azure AD uses role-based access control (RBAC) to delegate privileges to resources, apps and systems.
Active Directory: Admins can be delegated rights to manage resources through delegation, groups and OUs.

User credentials/logon
Azure Active Directory (AAD): Azure AD uses modern authentication methods as well as secure passwordless logon to provide an easy and secure sign-on experience. Multi-factor authentication is built in.
Active Directory: Users can log on with traditional passwords, certificate-based authentication and hardware keys. Fine-grained password policies can be used to define password complexity.

Can you link on premise Active Directory to Azure Active Directory?

The simple answer is yes, you can, but there is a little more to it. As mentioned above, the traditional and Azure Active Directories are fundamentally different, but it is common for businesses to have an on-premises directory alongside a cloud-based email solution for communications. It is just as common for businesses to want a synchronised identity between these platforms, and any other cloud platform for that matter. This is where Azure AD Sync comes into play!

What is Azure AD Sync and how does it work?

Azure AD Sync allows you to synchronise your on-premises Active Directory identities to Azure Active Directory. It works by installing the Azure AD Connect tool on one of your on-premises domain controllers, which then creates a one-way (or two-way) sync between your user accounts on-premises and in the Azure cloud.


For example, you have an on-premises Active Directory user named James Green with the username [email protected]. He also has an email account in Office 365 with the username [email protected]. As the usernames are the same, Azure AD Connect can match the two accounts and sync their passwords (and identities) so that they stay the same: when one changes, so does the other.
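Because the match in the example above depends on the usernames (UPNs) lining up, it pays to check them before turning on Azure AD Connect. The following PowerShell is an added example, not part of the original post or the Azure AD Connect tool; it assumes the ActiveDirectory and Microsoft.Graph modules are installed and that the account running it can read users and domains in both directories.

```powershell
# Added example (not from the original post): before enabling Azure AD Connect,
# list on-premises users whose UPN has no matching cloud user or whose UPN
# suffix is not a verified domain in the tenant, so they can be fixed first.
# Assumes the ActiveDirectory module and the Microsoft.Graph.Users and
# Microsoft.Graph.Identity.DirectoryManagement modules are installed.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

# Read-only scopes are enough for this check.
Connect-MgGraph -Scopes 'User.Read.All', 'Domain.Read.All'

# Domain suffixes the tenant has verified; a UPN on any other suffix cannot
# be matched to a cloud account as-is.
$verifiedDomains = (Get-MgDomain -All | Where-Object { $_.IsVerified }).Id |
    ForEach-Object { $_.ToLowerInvariant() }

# Cloud users keyed by lower-cased UPN, with their current sync state.
$cloudUsers = @{}
Get-MgUser -All -Property UserPrincipalName, OnPremisesSyncEnabled |
    Where-Object { $_.UserPrincipalName } |
    ForEach-Object { $cloudUsers[$_.UserPrincipalName.ToLowerInvariant()] = $_ }

# Enabled on-premises users that have a UPN set.
$onPremUsers = Get-ADUser -Filter { Enabled -eq $true } -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName }

$report = foreach ($u in $onPremUsers) {
    $upn    = $u.UserPrincipalName.ToLowerInvariant()
    $suffix = $upn.Split('@')[-1]
    $cloud  = $cloudUsers[$upn]

    if ($verifiedDomains -notcontains $suffix) { $status = 'UnverifiedSuffix' }
    elseif (-not $cloud)                        { $status = 'NoCloudMatch' }
    elseif ($cloud.OnPremisesSyncEnabled)       { $status = 'AlreadySynced' }
    else                                        { $status = 'WillSoftMatch' }

    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        UserPrincipalName = $u.UserPrincipalName
        Status            = $status
    }
}

# Anything other than WillSoftMatch or AlreadySynced needs attention before sync:
# NoCloudMatch users would be created as new cloud accounts rather than matched.
$report | Sort-Object Status, UserPrincipalName | Format-Table -AutoSize
```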

Do I still need my on-premise Active Directory?

If you are asking this question, start by evaluating your current environment. Some basic things you need to know are:

How much data do I have? What type of data is it? And how is it accessed?

Your on-premises Active Directory will likely be providing local authentication and access to company files saved on your local file server. Removing your on-premises Active Directory will in many cases require you to move these files to either SharePoint Online or Azure Files. Both of these options come with different methods of access and increased latency. It is important to understand how this change will affect how your employees access shared data. Here is some additional reading on Azure Files: here

What operating systems are my workstations running?

It is important to know that there are operating system requirements for joining your workstations to Azure AD, Azure AD Domain Services or Microsoft Intune. In short, you should ensure your devices are running at least Windows 10 (not Windows 10 Home edition). Read more on device requirements here: here

What restrictions do I currently have in place and what do I want to put in place?

As mentioned above in the differences between Active Directory and Azure AD, Azure AD does not allow you to use Group Policy for device and policy management. The replacement for this is Microsoft Intune (Microsoft Endpoint Manager). Not only can you manage your Windows devices, but iOS, macOS and Android devices too. You should plan carefully how you will reimplement your current policies in Microsoft Intune. A great tool for this is Group Policy analytics in Microsoft Endpoint Manager, which analyses your current policies and helps you migrate the workload to Microsoft Endpoint Manager. Read more about Group Policy analytics here: here

What applications do I have and what are their dependencies?

Software and applications are often the key indicator of whether your environment is ready to move to the Azure cloud. Many applications depend on fast local file access to run efficiently, and anything less could halt production. If you are running an application that requires an on-premises Active Directory or server, you should first reach out to the application vendor to see whether they have a cloud (web-based) alternative to the product, or whether it can be integrated with Azure Active Directory and use Azure cloud services. If the application cannot be moved to the cloud, it likely does not fit with your business plan and you should look for an alternative product, but take that advice with a pinch of salt: most businesses are running a hybrid of on-premises and cloud infrastructure.

How can I manage my computers with Azure Active Directory?

With Azure Active Directory, Microsoft provides the Microsoft Intune platform for you to manage and govern devices that access your corporate environment. The online portal is called Microsoft Endpoint Manager (or Microsoft Intune) and from here you can provision new and existing devices, apply compliance policies to give you control and visibility over your devices, create configuration profiles to apply settings and preferences to your devices, apply conditional access policies to govern which devices can access your environment under certain conditions and much more. 

Intune is a powerful tool which can be used to replace your traditional on-premise group policy and active directory. Azure Active Directory provides the identity and device backbone for controlling your devices through Intune. 

How much does Azure Active Directory Cost?

The pricing and features can often be quite tricky to understand. Let's say you already have a Microsoft 365 tenant with Microsoft 365 Business Standard licenses providing your users' email services and application licensing. With this basic license you are able to join your devices to Azure Active Directory, but that's about it. To get all the features you need to be on a par with your on-premises Active Directory, you are going to need to pay a little more.

The next step up is the Azure Active Directory Premium P1 license. You can purchase this as an add-on license, or upgrade to a license such as Microsoft 365 Business Premium, which includes Azure Active Directory Premium P1. See what is included in the Azure Active Directory Premium P1 license here: https://www.microsoft.com/en-gb/security/business/identity-access-management/azure-ad-pricing

But wait, there is a little more to it. The Premium P1 license gives you additional features such as conditional access, dynamic group membership, global password protection, self-service password reset and additional usage reports. But it doesn't provide device management…

For device management you need a Microsoft Intune license. Luckily, Microsoft Intune comes as a single license with only one type. So in total you will need an Azure Active Directory Premium P1 license, a Microsoft Intune license and your Microsoft 365 Business Standard license for email and applications.

Luckily, there are many bundles in which all of these licenses are rolled into one. If you have under 300 licensed users in your environment, I recommend looking at the Microsoft 365 Business Premium license, which incorporates all of these features into one. Read more about it here: https://docs.microsoft.com/en-us/office365/servicedescriptions/microsoft-365-service-descriptions/microsoft-365-business-service-description


Thank you for taking the time to read my post. If you are looking to certify on Azure or start training, make sure to check out my post on taking a free Microsoft exam.

Daniel Bradley

My name is Daniel Bradley and I work with Microsoft 365 and Azure as an Engineer and Consultant. I enjoy writing technical content for you and engaging with the community. All opinions are my own.
