Azure Active Directory

What is Azure Active Directory or Azure AD?

Azure Active Directory, or Azure AD as it is popularly known, is Microsoft’s multi-tenant, cloud-based directory and identity management service. Azure AD combines core directory services, application access management, and identity protection in a single solution, offering a standards-based platform that helps developers deliver access control to their apps based on centralized policy and rules.

Azure Active Directory (aka Azure AD) is a fully managed multi-tenant service from Microsoft that offers identity and access capabilities for applications running in Microsoft Azure and for applications running in an on-premises environment. (Read: Azure Active Directory Domain Services – An Overview)

Azure AD is not a replacement for Windows Server Active Directory. If you already have an on-premises directory, it can be extended to the cloud using the directory integration capabilities of Azure AD. In these scenarios, users and groups in the on-premises directory are synced to Azure AD using a tool such as Azure Active Directory Sync (AAD Sync). This has the benefit of users being able to authenticate against Windows Server Active Directory when accessing on-premises applications and resources, and authenticating against Azure AD when accessing cloud applications. The user can authenticate using the same credentials in both scenarios.

Azure AD is the directory behind Microsoft Online Services subscriptions like Office 365, Dynamics CRM Online, Intune, etc., and is used to store user identities and other tenant properties. Just as the on-premises AD stores the information for Exchange, SharePoint, Lync and your custom LOB applications, Azure AD stores the information for Exchange Online, SharePoint Online, Lync Online and any custom applications built in Microsoft’s cloud (or in another cloud).

Editions of Azure AD

Azure AD is available in three different editions to choose from:

  • Azure Active Directory (Free): With the Free edition of Azure AD, you can manage user accounts, synchronize with on-premises directories, and get single sign-on across Azure, Office 365, and thousands of popular SaaS applications.
  • Azure Active Directory Basic: Azure AD Basic covers the application access and self-service identity management requirements of task workers with cloud-first needs. With the Basic edition of Azure AD, you get all the capabilities that Azure AD Free has to offer, plus group-based access management, self-service password reset for cloud applications, a customizable environment for launching enterprise and consumer cloud applications, and an enterprise-level SLA of 99.9 percent uptime.
  • Azure Active Directory Premium: With the Premium edition of Azure AD, you get all of the capabilities that Azure AD Free and Azure AD Basic have to offer, plus additional feature-rich enterprise-level identity management capabilities.

Managing directory configuration

Azure AD enables a customer to start using its IdMaaS (identity management as a service) features with no on-premises footprint. Accordingly, Azure AD provides for hosted (cloud) identities where customers can create users, groups and other principals for their organization. These cloud identities are mastered directly in an Azure AD directory tenant.

Extending your on-premises identity infrastructure with Azure

Azure AD supports the following three directory integration scenarios:

  • Directory synchronization: This scenario synchronizes on-premises directory objects (users, groups, contacts, etc.) to the cloud to help reduce administrative overhead. Once directory synchronization has been set up, administrators manage directory objects from the organization’s on-premises identity infrastructure, and those changes are synchronized to the related directory tenant.
  • Directory synchronization with password synchronization: This scenario is used when you want to enable your users to sign in to Azure AD and other cloud-based applications using the same user name and password they use to log on to your corporate on-premises network. It is available for an on-premises Active Directory single-forest or multi-forest environment.
  • Directory synchronization with single sign-on: This scenario gives users the most seamless authentication experience as they access Microsoft cloud services and/or other cloud-based SaaS applications while logged on to the corporate network.

Considering the above, Azure AD enables a seamless sign-in experience for identities that rely on password (hash of hash) synchronization (“same” sign-on) or a supported STS to federate between the on-premises and cloud directories (single sign-on).
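The three scenarios above leave each identity on one of three sign-in paths: cloud-only (password verified by Azure AD), synced with password hash synchronization (“same” sign-on against a managed domain), or synced with a federated domain (the on-premises STS verifies the password). The following Python is an added example, not code from the original article or from Microsoft, that audits which path each account takes. It uses the real Microsoft Graph property names `userPrincipalName`, `onPremisesSyncEnabled` (true for synced users, null for cloud identities) and the domain resource’s `authenticationType` (`Managed` or `Federated`); the user and domain records are constructed sample data, and treating every synced user in a `Managed` domain as password-hash-synced is an assumption made for the demo.

```python
# Added example (not part of the original article): classify Azure AD identities
# by the directory-integration scenario that authenticates them.
# The field names mirror Microsoft Graph /users and /domains responses; the
# records below are constructed sample data, not output from a real tenant.
import json

# Constructed sample users. onPremisesSyncEnabled is true for objects mastered
# on-premises and null for identities created directly in the tenant.
SAMPLE_USERS = json.loads("""[
 {"userPrincipalName": "alice@corp.example", "onPremisesSyncEnabled": true,  "accountEnabled": true},
 {"userPrincipalName": "bob@corp.example",   "onPremisesSyncEnabled": true,  "accountEnabled": false},
 {"userPrincipalName": "svc@cloud.example",  "onPremisesSyncEnabled": null,  "accountEnabled": true},
 {"userPrincipalName": "carol@fed.example",  "onPremisesSyncEnabled": true,  "accountEnabled": true}
]""")

# Constructed sample domains with their Azure AD authentication type.
SAMPLE_DOMAINS = json.loads("""[
 {"id": "corp.example",  "authenticationType": "Managed"},
 {"id": "cloud.example", "authenticationType": "Managed"},
 {"id": "fed.example",   "authenticationType": "Federated"}
]""")


def domain_auth_map(domains):
    """Map lower-cased domain name -> 'Managed' or 'Federated'."""
    return {d["id"].lower(): d["authenticationType"] for d in domains}


def classify_user(user, auth_by_domain):
    """Return the sign-in path an account relies on."""
    upn = user["userPrincipalName"]
    domain = upn.rsplit("@", 1)[-1].lower()
    auth_type = auth_by_domain.get(domain, "Unknown")
    synced = bool(user.get("onPremisesSyncEnabled"))
    if not synced:
        return "cloud-only"            # identity mastered in Azure AD itself
    if auth_type == "Federated":
        return "synced-federated"      # sync + STS: on-premises AD verifies the password
    if auth_type == "Managed":
        return "synced-managed"        # sync + password hash sync ("same" sign-on), by assumption
    return "synced-unknown-domain"     # UPN suffix not registered in the tenant


def summarize(users, domains):
    """Count accounts per sign-in path; a quick view of where passwords are verified."""
    auth_by_domain = domain_auth_map(domains)
    counts = {}
    for u in users:
        cat = classify_user(u, auth_by_domain)
        counts[cat] = counts.get(cat, 0) + 1
    return counts


def disabled_synced_accounts(users):
    """Synced accounts that are disabled: their state must be changed on-premises,
    since Azure AD is not the master for synchronized objects."""
    return sorted(u["userPrincipalName"] for u in users
                  if u.get("onPremisesSyncEnabled") and not u.get("accountEnabled", True))


if __name__ == "__main__":
    print(summarize(SAMPLE_USERS, SAMPLE_DOMAINS))
    print(disabled_synced_accounts(SAMPLE_USERS))
```

In a real tenant the two lists would come from the Graph `/users` and `/domains` endpoints; the point of the split is that a password-reset or disable action is only effective where the account is mastered, so `synced-*` accounts have to be handled on-premises.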

Users can gain access to Azure AD or any other application that is integrated into Azure AD by authenticating to their Azure AD user accounts, either through a prompt to provide valid credentials or through a federated single sign-on process. Once authenticated, users’ identities refer to the user names associated with the Azure AD accounts.

Azure AD vs On-Premises AD

Once upon a time, IT pros believed that the risks of a data breach and compromised credentials were high enough to delay putting data on the cloud. But over time, with improved security, wider adoption and greater confidence, tech anxiety subsided, and running cloud-based applications such as Microsoft’s subscription-based service Office 365 feels like a natural next step.

  • On-Premises Active Directory: First released with Windows 2000 Server, Active Directory is essentially a database that helps organize your company’s users, computers and more. It provides authentication and authorization to applications, file services, printers, and other on-premises resources. It uses protocols such as Kerberos and NTLM for authentication and LDAP to query and modify items in the AD database.
  • Azure Active Directory, on the other hand, was designed to support web-based services that use REST (Representational State Transfer) API interfaces for Office 365, etc. Unlike plain Active Directory, it uses completely different protocols (goodbye, Kerberos and NTLM) that work with these services–protocols such as SAML and OAuth 2.0.
    With Azure AD, you won’t be creating forests and domains. Instead, you’ll be a tenant, which represents an entire organization. In fact, once you sign up for Office 365, SharePoint or Exchange Online, you’ll automatically be an Azure AD tenant, where you can manage all the users in the company as well as their passwords, permissions, user data, etc.
    Besides seamlessly connecting to any Microsoft Online Services, Azure AD can connect to hundreds of SaaS applications using single sign-on. This lets employees access the organization’s data without repeatedly requiring them to log in. The access token is stored locally on the employee’s device, and you can limit access by configuring token expiration dates.
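Because the access token lives on the employee’s device, the expiration date only limits anything if every service that receives the token actually enforces it, together with the signature, issuer and audience claims. The Python below is an added example, not code from the original article or from Microsoft, showing the checks a resource server runs on a bearer token before trusting it. Azure AD signs real tokens with RS256 using keys published in the tenant’s OpenID Connect discovery document; to stay self-contained this demo signs with HS256 and a constructed shared key instead, and the issuer URL uses a placeholder tenant id. The token format and claim names (`iss`, `aud`, `exp`, `nbf`) are standard JWT.

```python
# Added example (not part of the original article): mint and validate a JWT-style
# access token so the expiration, issuer and audience checks can be seen end to end.
# HS256 with a shared key stands in for Azure AD's RS256 signing (an assumption
# made so the example runs offline); the tenant id below is a placeholder.
import base64
import hashlib
import hmac
import json
import time

KEY = b"constructed-demo-signing-key"                           # constructed, demo only
TENANT_ID = "00000000-0000-0000-0000-000000000000"                # placeholder tenant id
ISSUER = f"https://sts.windows.net/{TENANT_ID}/"                 # v1 issuer format, placeholder tenant
AUDIENCE = "api://demo-resource"                                 # constructed app id URI


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, key: bytes = KEY) -> str:
    """Build header.payload.signature; only used to produce test tokens."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_token(token: str, key: bytes = KEY, issuer: str = ISSUER,
                   audience: str = AUDIENCE, now: float = None, leeway: int = 0):
    """Return (True, claims) or (False, reason). Signature is checked before any
    claim is trusted, and the algorithm is pinned so 'alg: none' is rejected."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return (False, "malformed")
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
    except (ValueError, json.JSONDecodeError):
        return (False, "malformed")
    if header.get("alg") != "HS256":
        return (False, "unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return (False, "bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        return (False, "wrong issuer")          # token from another tenant or STS
    if claims.get("aud") != audience:
        return (False, "wrong audience")        # token issued for a different app
    if "exp" not in claims:
        return (False, "missing exp")           # a token without a lifetime is never accepted
    if now > claims["exp"] + leeway:
        return (False, "expired")
    if "nbf" in claims and now < claims["nbf"] - leeway:
        return (False, "not yet valid")
    return (True, claims)


if __name__ == "__main__":
    issued = int(time.time())
    tok = make_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice", "iat": issued, "exp": issued + 3600})
    print(validate_token(tok))
    print(validate_token(tok, now=issued + 3601))
```

The order of checks matters: verifying the signature first means a forged `exp` far in the future is rejected as a bad signature, and pinning `alg` means a token whose header claims no signature is rejected before the signature step is reached.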
