The Azure Guide/Azure Active Directory

Azure Active Directory can be thought of as a successor to the long-standing Active Directory feature that can be used to manage networked computers, but cloud-based and far more versatile.

Active Directory

It is a set of services that run on Windows Server and can be used to manage computers and assign permissions. A simple example is that of virtually any business - a higher-ranked member will have more permissions than a lower-ranked one - and AD can be used to set up user accounts for the whole network. Some examples of the services it provides include Lightweight Directory Services, Certificate Services, Federation Services and Rights Management Services[1].

Need for Azure

While immensely powerful, Active Directory is beset with limitations, notably its relative lack of interoperability with non-Windows users[2]. Although Microsoft offers Active Directory Federation Services as one option, a different approach was needed. That is where Azure comes in.

As we already know, Azure is the default hosting platform for Office 365 services. This means that Azure AD can be used to integrate multiple Microsoft services easily - for instance, it is possible to associate a user with both an Office 365 account and an account which they can use to log in to the company servers.

While Azure AD does have a free tier, there are premium options available which enable additional features and advanced management options, amongst others[3].

The Office AD website provides a good explanation:

Let's take a look at how the Azure Active Directory, or Azure AD, identity model is able to effectively provide us with an Active Directory lite from the cloud. Azure AD may sound complex, but it isn't really. It's the default identity model for Office 365. So you may have already used it when creating users in Office 365. Imagine a database containing just a few user attributes, such as name, tenant, role, and password, all stored in the cloud using the highly available Azure Cloud Services that can scale to millions of records, an Active Directory lite, if you will, all without the layers and complexity that an on-premises Active Directory gives you.

There are no costs for using Azure Active Directory. There are, however, additional paid subscription levels for using the Azure Active Directory Basic and Premium tiers. These provide value-added features, such as company branding on the portal and user self-service password reset. To understand the Azure AD life cycle, let's first run through a typical scenario. A new user is created and then managed in Office 365.

The user account information is stored in Azure AD. And then whenever the user needs to be verified, all identity and access management is performed by Azure AD. This is always available, and it uses cloud-based Infrastructure as a Service, or IaaS. Azure AD allows you to move your Active Directory authentication services to the cloud. Whether these are public or private clouds, the data is always safe and available and stored in the data center.

If you want to retain local ownership, you can use Federation Services to provide on-premises identity whilst at the same time allowing you to extend your Active Directory environment to the cloud. We know that the cloud offers scalability and always-on availability. Because Azure AD is hosted in the cloud, it can be depended upon and accessed anywhere. Microsoft is able to expose Azure AD to other services via web-based protocols and application programming interfaces, or APIs, which allow trusted communications with Azure AD.

With these secure APIs, Azure AD can integrate with other services, such as on-premises AD, and allow the ability to have a single sign-on, or SSO, between separate services. Azure AD simplifies authentication by providing identity as a service. That is, Azure AD is responsible for verifying the identity of users. This can be achieved through a number of industry standard protocols, such as OAuth 2.0, SAML 2.0, OpenID Connect, and Web Services Federation, or WS-Federation.

When you use Office 365, Azure, or Intune, you are indirectly interfacing with Azure AD. There are also a number of tools to manage Azure AD. If you already have an Azure subscription, you can use the Azure portal if you only need to add or modify a few users. The Azure AD Connect tool, which replaces DirSync, is the primary synchronization tool and allows on-premises Active Directory accounts to be synced with Azure AD.

For more complex environments, you can manage on-premises resources with Active Directory Domain Services, or AD DS, with the Lightweight Directory Access Protocol, or LDAP. And Active Directory Federation Services, AD FS, can then be deployed on site, and this then provides single sign-on control locally. If you prefer working at the command line, you can also interact directly with Azure AD using the AD Graph API, which is a REST API, or by using the Azure AD PowerShell cmdlets, such as Get-AzureADUser and New-AzureADUser.
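The quoted passage names the Get-AzureADUser and New-AzureADUser cmdlets. The following added example (not taken from the page or from Microsoft's documentation) shows them in use: it creates a user whose randomly generated initial password must be changed at first sign-in, verifies the account, and then lists who currently holds the Global Administrator role so the new account can be confirmed not to be among them. The tenant domain, user name and display name are constructed placeholders; the AzureAD PowerShell module and a sign-in with rights to create users are assumed.

```powershell
# Added example: requires the AzureAD module (Install-Module AzureAD).
Connect-AzureAD   # interactive sign-in to the tenant

# Constructed placeholder values; replace with your own tenant and user details.
$domain      = 'contoso.onmicrosoft.com'
$upn         = "jdoe@$domain"
$displayName = 'Jane Doe'

# Generate the initial password from a cryptographic RNG instead of typing one in.
# Base64 of 24 random bytes gives 32 characters of mixed case, digits and symbols.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)

# Password profile: the user is forced to change this password at first sign-in,
# so the generated value only ever serves as a one-time bootstrap credential.
$profile = New-Object -TypeName Microsoft.Open.AzureAD.Model.PasswordProfile
$profile.Password                    = $password
$profile.ForceChangePasswordNextLogin = $true

# Create the account. It is enabled but holds no directory roles.
$user = New-AzureADUser -DisplayName $displayName `
                        -UserPrincipalName $upn `
                        -MailNickName 'jdoe' `
                        -AccountEnabled $true `
                        -PasswordProfile $profile

# Verify the account as Azure AD now sees it.
Get-AzureADUser -ObjectId $upn |
    Select-Object DisplayName, UserPrincipalName, AccountEnabled, ObjectId

# Review the tenant's Global Administrators; the new user should not appear here.
# Get-AzureADDirectoryRole only returns roles that have been activated in the tenant.
$adminRole = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq 'Global Administrator' }
if ($adminRole) {
    Get-AzureADDirectoryRoleMember -ObjectId $adminRole.ObjectId |
        Select-Object DisplayName, UserPrincipalName
}

# $password is deliberately not written to the console; deliver it to the user out of band.
```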

Azure AD can also be used by app developers to enable single sign-on (SSO) integration with their applications, which is not possible with AD alone.

References