Azure Identity And Access Management Part 1 – Azure Active Directory – Overview
First of all, thank you so much for your comments, suggestions and questions on our last series on Azure Networking. Now I am starting a new series on Azure Identity And Access Management. After Azure Networking, Azure Identity And Access Management is considered the second pillar of Microsoft Azure. We will try to cover the basic concepts of the most important features and services that Microsoft Azure provides in this area. Please let me know by commenting on this article if I missed anything important, or if you have any suggestions.
Today we start with one major service provided by Microsoft Azure: Azure Active Directory. So let's start the new journey with the first article of this series.
Azure Active Directory :
Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which helps our employees sign in and access the following resources:
- External resources
- Internal resources
Microsoft Azure Active Directory is a complete identity and access management cloud solution that combines core directory services, application access management and advanced identity protection.
Users Of Azure Active Directory :
Microsoft has categorized the users of Azure Active Directory into the following three categories:
- IT Admin
- App Developers
- Microsoft 365, Office 365, Azure, or Dynamics CRM Online subscribers.
Azure Active Directory Licenses :
Microsoft provides four types of licence, listed here from the lowest to the highest price level. Each licence provides a different set of features according to its price: every higher-level licence includes all the features of the one below it plus a few new ones, as described below.
Azure Active Directory Free :
- Provides user and group management.
- On-premises directory synchronization.
- Basic reports.
- Self-service password change for cloud users.
- Single sign-on across Azure, Office 365 and many popular SaaS apps.
- Microsoft Identity Manager (an on-premises identity and access management suite).
- Cloud write-back capabilities.
Azure Active Directory Premium 1 :
- All features of Azure AD Free.
- Allows hybrid users to access both on-premises and cloud resources.
- Dynamic groups and self-service group management.
Azure Active Directory Premium 2 :
- All features of Azure AD Premium 1.
- Azure Active Directory Identity Protection (https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection).
- Privileged Identity Management (https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-getting-started).
Pay As You Go :
- All features of Azure AD Premium 2.
- B2C, which provides identity and access management for our customer-facing apps.
Active Directory Terminology :
When we are talking about Azure Active Directory, the following terms come into the picture. I am not going into detail on them here, but let's have a list of them.
- Identity – A thing that can get authenticated. An identity can be a user with a username and password. Identities also include applications or other servers that might require authentication through secret keys or certificates.
- Account – An identity that has data associated with it. We cannot have an account without an identity.
- Azure AD Account – An identity created through Azure AD or another Microsoft cloud service, such as Office 365. This account is also sometimes called a work or school account.
- Azure Subscription – Used to pay for Azure cloud services. We can have many subscriptions.
- Azure Tenant – A dedicated and trusted instance of Azure AD that’s automatically created when our organization signs up for a Microsoft cloud service subscription, such as Microsoft Azure, Microsoft Intune, or Office 365. An Azure tenant represents a single organization.
- Azure AD Directory – Each Azure tenant has a dedicated and trusted Azure AD directory. The Azure AD directory includes the tenant’s users, groups, and apps and is used to perform identity and access management functions for tenant resources.
- Custom Domain – Every new Azure AD directory comes with an initial domain name, domainname.onmicrosoft.com. In addition to that initial name, we can also add our organization’s domain names. Adding custom domain names helps us create user names that are familiar to our users, such as manas@Knowledge-junction.com.
Major features With Azure Active Directory :
Microsoft Azure Active Directory ships with many features. Depending on the Azure AD licence we choose, we get access to some or all of the following features for our organization.
- Enterprise users — Azure AD user management services help us manage licence assignment and access to apps, and set up delegation using groups and administrator roles. If you want more information, see this article.
- Application Management — Manage our cloud and on-premises apps using Application Proxy, single sign-on, the My Apps portal (also known as the Access panel), and Software as a Service (SaaS) apps. To learn more, see this article.
- Azure AD Authentication — In Azure Active Directory (Azure AD), authentication involves more than just the verification of a username and password. Azure AD Authentication provides the following services:
  - Self-service password reset
  - Azure Multi-Factor Authentication
  - Hybrid integration to write password changes back to the on-premises environment
  - Hybrid integration to enforce password protection policies for an on-premises environment
  - Passwordless authentication
- Business-to-Business (B2B) — This feature allows us to manage our guest users and external partners while maintaining control over our own corporate data. If you want more information, see this series of articles.
- Business-to-Customer (B2C) — Customize and control how users sign up, sign in, and manage their profiles when using our apps.
- Conditional Access — This feature of Azure AD helps us manage access to our cloud apps and resources. To know more, see this article.
- Azure Active Directory for developers — Helps us build apps that sign in all Microsoft identities and get tokens to call Microsoft Graph, other Microsoft APIs, or custom APIs.
- Device Management — This feature helps us control and manage how our cloud or on-premises devices access our corporate data. To learn more about device management, see the series of articles.
- Domain services — With the help of this service we can join Azure virtual machines to a domain without deploying domain controllers. To learn more about Azure AD Domain Services, see this link.
- Hybrid identity — Microsoft’s identity solutions cover both on-premises and cloud-based capabilities. They create a single user identity for authentication and authorization to all resources, regardless of location. We call this hybrid identity, and it works both on-premises and in the cloud.
- Identity governance — Provides us with capabilities to ensure that the right people have the right access to the right resources at the right time. For more details on this service, see this article.
- Identity protection — Identity Protection is a service that allows organizations to automate the detection and remediation of identity-based risks and to investigate risks using data in the portal. For more information on this service, see this article.
- Managed identities for Azure resources — Provides our Azure services with an automatically managed identity in Azure AD that can authenticate to any service that supports Azure AD authentication, including Key Vault, without storing credentials in code.
- Privileged identity management (PIM) — PIM helps us manage, control, and monitor access within our organization. This includes access to resources in Azure AD and Azure, and other Microsoft Online Services, like Office 365. To know more about this service, see this article.
- Reports and monitoring — With Azure AD reporting and monitoring, we can retain our Azure AD activity logs for long-term use or integrate them with third-party tools to gain insights into our environment.
Major Roles and Responsibilities :
- Account Administrator — This administrator role is conceptually the billing owner of a subscription. This role has access to the Azure Account Center and enables us to manage all subscriptions in an account.
- Service Administrator — This administrator role enables us to manage all Azure resources, and their access. This role has the equivalent access of a user who is assigned the Owner role at the subscription scope.
- Owner — This role helps us manage all Azure resources, including access. It is built on a newer authorization system called role-based access control (RBAC) that provides fine-grained access management to Azure resources.
- Azure AD Global administrator — This administrator role is automatically assigned to whoever created the Azure AD tenant. Global administrators can do all of the administrative functions for Azure AD and any services that federate to Azure AD, such as Exchange Online, SharePoint Online, and Skype for Business Online. We can have multiple Global administrators, but only Global administrators can assign administrator roles (including assigning other Global administrators) to users.
- Microsoft account (MSA) — Personal accounts that provide access to our Microsoft products and cloud services, such as Outlook, OneDrive, or Office 365. Our Microsoft account is created and stored in the Microsoft consumer identity account system that’s run by Microsoft.
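The Reports and monitoring feature above and the Global administrator role (only Global administrators can create more of them) point to the same defender check: watching the Azure AD audit log for new privileged-role grants. The following is an added example, not code from this article or from Microsoft; the audit records are constructed, and their field names approximate the shape of Microsoft Graph directoryAudits entries, which is an assumption here.

```python
import json

# Added example (not from the article). Field names follow the shape of
# Microsoft Graph directoryAudits records; treat the exact schema as an assumption.
# Roles whose assignment a defender reviews promptly (assumed watch-list).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

# Constructed sample log: three records, one of them a Global Administrator grant.
SAMPLE_AUDIT_LOG = json.dumps([
    {"category": "RoleManagement", "activityDisplayName": "Add member to role",
     "activityDateTime": "2020-05-01T10:15:00Z", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "bob@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Global Administrator\""}]}]},
    {"category": "RoleManagement", "activityDisplayName": "Add member to role",
     "activityDateTime": "2020-05-01T11:00:00Z", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "alice@contoso.example",
                          "modifiedProperties": [{"displayName": "Role.DisplayName",
                                                  "newValue": "\"Helpdesk Administrator\""}]}]},
    {"category": "UserManagement", "activityDisplayName": "Update user",
     "activityDateTime": "2020-05-01T11:30:00Z", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "admin@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "carol@contoso.example",
                          "modifiedProperties": []}]},
])


def role_name(resource):
    """Role named in a targetResource's modifiedProperties, or None.
    Graph JSON-encodes newValue (e.g. '"Global Administrator"'), hence json.loads."""
    for prop in resource.get("modifiedProperties", []):
        if prop.get("displayName") == "Role.DisplayName" and prop.get("newValue"):
            return json.loads(prop["newValue"])
    return None


def privileged_role_grants(audit_json, watch_list=PRIVILEGED_ROLES):
    """(actor, target, role, time) for every successful grant of a watched role.
    Only user-initiated records are attributed; app-initiated ones show as 'unknown'."""
    hits = []
    for rec in json.loads(audit_json):
        if rec.get("category") != "RoleManagement" or rec.get("result") != "success":
            continue
        if rec.get("activityDisplayName") != "Add member to role":
            continue
        actor = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
        for res in rec.get("targetResources", []):
            role = role_name(res)
            if role in watch_list:
                hits.append((actor, res.get("userPrincipalName"), role, rec["activityDateTime"]))
    return hits
```

Run against an export of the real audit log, each hit is a candidate for review against the change record, and the Helpdesk grant is ignored unless the watch-list is widened.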
New In Azure Active Directory :
Azure AD receives improvements on an ongoing basis, and Microsoft keeps the details up to date on this page (https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/whats-new). The page is updated monthly, so revisit it regularly. If you’re looking for items older than six months, you can find them in the Archive for What’s new in Azure Active Directory.
Following are the three latest updates from Microsoft.
- The new My Apps portal is now generally available. If you need more information, see https://docs.microsoft.com/en-in/azure/active-directory/manage-apps/access-panel-collections
- Workspaces in Azure AD have been renamed to collections.
- Azure AD B2C phone sign-up and sign-in using custom policy (public preview: https://docs.microsoft.com/en-in/azure/active-directory-b2c/phone-authentication)
Azure Active Directory pricing :
Azure Active Directory comes in four editions—Free, Office 365 apps, Premium P1, and Premium P2. Each edition has a different price tag and a different set of services. Complete pricing details for Azure AD are at the following link: https://azure.microsoft.com/en-in/pricing/details/active-directory.
Note: Enterprise Mobility and Security E3 licences include Azure Active Directory Premium P1, and Enterprise Mobility and Security E5 licences include Azure Active Directory Premium P2.
Frequently asked questions about Azure Active Directory :
Azure Active Directory (Azure AD) is a comprehensive identity as a service (IDaaS) solution that spans all aspects of identity, access management, and security. We usually have many questions, doubts or suggestions when we try to configure the features of Azure Active Directory. More FAQs on Azure Active Directory can be found at the following link.
Azure AD Community Support :
To get help from the Azure AD community groups, please check the following URLs.
The following support is available.
- Technical support for Azure Active Directory Free and Premium is available through Azure Support, starting at ₹1,916.792/month. Billing and account management support is provided at no cost.
- Service Level Agreement (SLA): Azure Active Directory Premium editions guarantee a 99.9% monthly availability. Free services, such as Azure Active Directory Free, do not have an SLA. For more details, visit the Azure SLA page.
With this article, I am starting my journey with the Azure Identity And Access Management series. There will be separate articles for each of the Azure AD features. I hope this article gives you an idea about Azure AD.
Next Article : Part 2 – Azure Active Directory – Enterprise Users
Please let us know if I missed anything important here on Azure AD.
Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more.
If you have any suggestion / feedback / doubt, you are most welcome. Stay tuned on Knowledge-Junction, will come up with more such articles.
Thanks for reading 🙂 .