Azure Active Directory is a fully managed multi-tenant service offered by Microsoft. It was designed for the software-as-a-service world and provides full integration between SaaS and on-site applications. With Active Directory (AD), you can get identity and access capabilities for applications running both on-site and in the cloud. This means that access to on-site and cloud applications are greatly simplified. Self-service features of AD include password management and group management. These self-service features can substantially reduce the workload of an IT department.
If you’re already using an on-site directory, you can extend it to the cloud by using the directory integration capabilities of Azure AD. In this situation, users and groups are synced to Active Directory using, for example, Azure Active Directory Sync. This means that users can authenticate using Windows Server Active Directory when accessing on-site applications and using Azure Active Directory when accessing cloud applications. Because Azure AD is hosted in the cloud, which can be public or private, it can be accessed from anywhere. Finally, Azure AD is exposed to other services using web-based protocols and secure application programming interfaces (APIs). As a result, you can have a single sign-on (SSO) between separate services.
Who Uses It and Why?
IT admins can use AD to control access to apps and app resources, including requiring multi-factor authentication in order to access important resources. Azure AD can also increase the security of user identities and credentials. For app developers, Azure AD allows you to add a single sign-on (SSO) to your app, enabling it to work with a user’s pre-existing credentials. Finally, every Microsoft 365, Office 365, Azure or Dynamics CRM Online subscriber is already using Azure AD.
How Does It Work?
Users are generally added to a directory in Azure AD as a Work or Student Account user. The account will last as long as the user is part of the organisation and until an Administrator removes the account. A user from a different directory (an external user) in Active Directory can be added to a directory. This is useful when users in different directories need to access the same cloud applications.
Adding Users and Groups
You can add users and groups to Active Directory in a number of ways, including:
- Syncing from an on-site Windows Server Active Directory
- Manually using an Azure Management Portal, provided the number of users is relatively small
- Scripted using PowerShell and the Azure Active Directory cmdlets, which is more useful for larger numbers of users and groups
- Programmatically using the Azure Active Directory Graph API
You can provide access rights to a single user to an entire group. Using groups means that you can assign a set of access permissions to all the members of a group instead of one by one.
There are three different ways to assign access rights to users, including:
- Direct assignment. The resource owner assigns users to the resource.
- Group assignment. The resource owner assigns a group to the resource. This means that all members of the group automatically gain access to the resource.
- Rule-based assignment. The resource owner creates a group and also uses a rule, made up of attributes and values, to decide which users can access a specific resource.
Custom Domains & Security
Every directory gets a unique DNS name on the shared name. When you use a custom domain, you can associate a domain you own with a directory in Active Directory. This is not compulsory but is often preferred by those organisations which own their own domain name.
Azure AD includes a number of security features including:
- Multi-factor authentication. This provides an additional layer of security to user sign-ins and is easy to use and scalable.
- Conditional access provides more control about how, where from and who can access data. You can easily create policies to control access based on device type, apps, user roles or networks, among others.
- Dynamic groups provide automatic group membership based on user attributes, such as department or location, without having to manually set it up or monitor it.
Protocols Supported by Azure AD
Active Directory supports a number of protocols that are used to secure applications, including WS-Federation, SAML-P, OAuth 2.0 and OpenID Connect.
Find out more about it here: Azure Active Directory