Microsoft Windows Azure Active Directory (Windows Azure AD or Azure AD) is a cloud service that provides administrators with the ability to manage end-user identities and access privileges. Its services include core directory, access management and identity protection. As the name implies, Azure AD is part of the Microsoft Azure public cloud computing platform.
The service gives administrators the freedom to choose which information will stay in the cloud, who can manage or use the information, which services or applications can access the information, and which end users can have access. Azure AD can help to provide single sign-on (SSO), so end users don't have to enter passwords multiple times to access cloud applications.
Azure AD is used by IT admins, app developers and Microsoft cloud service subscribers. IT admins use Azure AD to manage role permissions and control access to specific applications and resources for individual users. App developers may use Azure AD to add single sign-on to apps that work with preexisting user credentials. Azure AD also provides app developers with application programming interfaces (APIs) that use existing data within the organization. Subscribers to Microsoft cloud services, such as Office 365, Dynamics CRM Online or Azure, are, by default, tenants of Azure AD.
Azure AD comes in four distinct tiers of service and pricing. Basic features, with limitations, can be accessed at no cost. Subscribers to Microsoft 365 Office apps obtain more functionality than the basic features. Azure AD Premium requires an additional monthly subscription, and it comes in two tiers: P1 and P2 (the highest tier).
Despite the similar name, Azure AD is not the same as Windows Active Directory (Windows AD), another Microsoft product.
How does Windows Azure Active Directory work?
Azure AD is a cloud-based service for identity and access management (IAM). It is a secure online authentication store for individual user profiles and groups of user profiles, and it falls into the identity as a service (IDaaS) category. Azure AD is intended for managing access to cloud-based applications and servers that use modern authentication protocols such as SAML 2.0, OpenID Connect, OAuth 2.0 and WS-Federation.
Azure AD manages access through user accounts, which carry a username and a password. Users can be organized into different groups, which can be granted different access privileges for individual applications. Identities can also be created for cloud applications, whether from Microsoft or from third-party software as a service (SaaS) providers, so that user access can be granted through them.
Azure AD uses SSO to connect users to SaaS applications. This allows each user to access the full suite of applications they have permission for without having to log in to each one separately. Azure AD creates access tokens that are stored locally on employee devices; these tokens may be created with expiration dates. For important business resources, Azure AD can require multifactor authentication (MFA).
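The access tokens described above are only useful if the application that receives them actually checks their lifetime and intended audience. The following is an added example, not code from the original article or from Microsoft, showing the checks a relying party performs on a bearer token: signature, issuer, audience, expiry (`exp`) and not-before (`nbf`), with a tolerance for clock drift. To keep it self-contained it builds its own HS256-signed test token with a constructed secret; real Azure AD tokens are RS256-signed and are verified against the tenant's published signing keys, and the tenant ID and audience values below are placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values (assumptions, not real tenant data). A real Azure AD
# token is RS256-signed and verified against the tenant's published keys; a
# local HS256 secret is used here only to keep the example runnable offline.
DEMO_SECRET = b"demo-secret-not-for-production"
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder tenant
EXPECTED_AUDIENCE = "api://example-relying-party"  # hypothetical app ID URI
CLOCK_SKEW_SECONDS = 300  # tolerated clock drift between issuer and validator


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT encoding strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict) -> str:
    """Build a constructed HS256 JWT so the validator has something to check."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = hmac.new(DEMO_SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def validate_token(token: str, now: Optional[int] = None) -> dict:
    """Verify the signature, issuer, audience and lifetime; return the claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts

    # Pin the algorithm before trusting anything else in the header.
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected signing algorithm")
    expected_sig = hmac.new(DEMO_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")

    # Claims are only read after the signature has been verified.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("unexpected issuer")
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token not issued for this audience")
    if "exp" not in claims:
        raise ValueError("token has no expiry")
    if now > int(claims["exp"]) + CLOCK_SKEW_SECONDS:
        raise ValueError("token expired")
    if "nbf" in claims and now < int(claims["nbf"]) - CLOCK_SKEW_SECONDS:
        raise ValueError("token not yet valid")
    return claims


def token_status(token: str, now: int) -> str:
    """Return 'valid' or the reason the token was rejected."""
    try:
        validate_token(token, now)
        return "valid"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    issued = 1_700_000_000
    demo = make_demo_token({
        "iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "alice@example.com",
        "iat": issued, "nbf": issued, "exp": issued + 3600,  # one-hour lifetime
    })
    print("10 minutes after issue:", token_status(demo, issued + 600))
    print("two hours after issue:", token_status(demo, issued + 7200))
```

A token that is rejected for any of these reasons should send the client back to Azure AD for a fresh token rather than being accepted with a warning; the skew tolerance exists only to absorb clock drift, not to extend the lifetime the issuer chose.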
Security in Azure AD
Azure AD contains a number of features to secure and protect organizational data. Azure AD's security features include MFA, SSO for cloud-based SaaS applications, context-based adaptive policies, identity governance, an application proxy to secure remote access and protective machine learning (to guard against stolen credentials and suspicious log-on attempts).
A feature called Security Defaults in Azure AD was released recently, which, when turned on, will block legacy authentication protocols, require MFA for administrators and users and require MFA for valuable organizational resources. The purpose of security defaults is to better secure digital assets, since Azure AD's baseline access policies are designed to accommodate organizations that still have legacy clients and rely on add-on third-party security features. Security defaults are designed to counter common types of attacks such as phishing, password spray and session replay. If legacy protocols are not disabled, attackers can use them to authenticate while bypassing multifactor authentication.
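Before turning on security defaults, an administrator usually wants to know which accounts still authenticate over legacy protocols, since those are the sign-ins that will break and, until then, the ones that sidestep MFA. The following is an added example, not code from the original article or from Microsoft, that runs that check over a handful of constructed sign-in log entries. The field names (`userPrincipalName`, `clientAppUsed`, `authenticationRequirement`, `status.errorCode`) follow the shape of the Azure AD sign-in log as assumed here, and the list of legacy client names is an assumption to verify against your own tenant's log output.

```python
import json
from collections import defaultdict
from typing import Dict, List

# Client application names that the sign-in log reports for legacy (basic)
# authentication. Assumed list; confirm against the clientAppUsed values your
# tenant actually emits before relying on it.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync",
    "Other clients",
    "IMAP4",
    "POP3",
    "Authenticated SMTP",
    "Exchange Web Services",
    "MAPI Over HTTP",
    "Outlook Anywhere (RPC over HTTP)",
    "Exchange Online PowerShell",
    "Autodiscover",
    "Offline Address Book",
}

# Constructed sample entries (not real log data). errorCode 0 means the
# sign-in succeeded; any other value is a failed attempt.
SAMPLE_SIGN_INS = json.loads("""
[
  {"createdDateTime": "2024-01-10T08:01:12Z", "userPrincipalName": "alice@example.com",
   "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication",
   "status": {"errorCode": 0}},
  {"createdDateTime": "2024-01-10T08:03:44Z", "userPrincipalName": "bob@example.com",
   "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication",
   "status": {"errorCode": 0}},
  {"createdDateTime": "2024-01-10T08:05:09Z", "userPrincipalName": "carol@example.com",
   "clientAppUsed": "Exchange ActiveSync", "authenticationRequirement": "singleFactorAuthentication",
   "status": {"errorCode": 50126}},
  {"createdDateTime": "2024-01-10T08:07:30Z", "userPrincipalName": "bob@example.com",
   "clientAppUsed": "Other clients", "authenticationRequirement": "singleFactorAuthentication",
   "status": {"errorCode": 0}},
  {"createdDateTime": "2024-01-10T08:09:51Z", "userPrincipalName": "dave@example.com",
   "clientAppUsed": "Mobile Apps and Desktop clients", "authenticationRequirement": "multiFactorAuthentication",
   "status": {"errorCode": 0}}
]
""")


def is_legacy_auth(entry: dict) -> bool:
    """True when the sign-in used a client app that only speaks legacy authentication."""
    return entry.get("clientAppUsed") in LEGACY_CLIENT_APPS


def succeeded(entry: dict) -> bool:
    return entry.get("status", {}).get("errorCode") == 0


def legacy_auth_report(entries: List[dict]) -> Dict[str, object]:
    """Split legacy-protocol sign-ins into successes and failures and count successes per user."""
    successful: List[dict] = []
    failed: List[dict] = []
    per_user: Dict[str, int] = defaultdict(int)
    for entry in entries:
        if not is_legacy_auth(entry):
            continue
        record = {
            "when": entry.get("createdDateTime"),
            "user": entry.get("userPrincipalName"),
            "client": entry.get("clientAppUsed"),
            # Legacy clients cannot complete an MFA challenge, so this is
            # expected to read singleFactorAuthentication for every hit.
            "auth_requirement": entry.get("authenticationRequirement"),
        }
        if succeeded(entry):
            successful.append(record)
            per_user[record["user"]] += 1
        else:
            failed.append(record)
    return {
        "successful_legacy": successful,
        "failed_legacy": failed,
        "successful_by_user": dict(per_user),
    }


if __name__ == "__main__":
    report = legacy_auth_report(SAMPLE_SIGN_INS)
    for rec in report["successful_legacy"]:
        print(f"MIGRATE  {rec['user']:<20} {rec['client']:<25} {rec['when']}")
    for rec in report["failed_legacy"]:
        print(f"ATTEMPT  {rec['user']:<20} {rec['client']:<25} {rec['when']}")
```

Accounts in the `successful_legacy` list are the ones whose clients must be moved to modern authentication before security defaults are enabled; failed legacy attempts against accounts that never use those protocols are worth a look on their own, because they show the protocols being tried from outside the normal client population.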
Windows AD vs. Azure AD
Azure AD is not to be confused with Windows Active Directory, another Microsoft service with a similar name. Active Directory consists of several services that run on Windows Server, managing user access to networked resources, such as printers. Though Azure AD and Windows AD both manage user accounts, they use completely different authentication protocols and code bases. Therefore, Azure AD is not simply the cloud-based counterpart of Windows AD.
Key differences include the following:
- Unlike Windows AD, Azure AD is designed for web-based services. Azure AD supports services that use REST (Representational State Transfer) APIs for online cloud-based apps such as Office 365.
- Azure AD uses different protocols from Windows AD. Azure AD uses protocols such as SAML and OAuth 2.0. It does not support NTLM, Kerberos or LDAP (Lightweight Directory Access Protocol).
- Azure AD uses Azure Policy, as opposed to Group Policy in Windows AD.
- Azure AD does not use OUs (organizational units) or forests. It has a flat directory structure.
- Azure AD Join, which links PCs (personal computers) to the directory, can only be used with Windows 10.
Azure AD features and licensing
Azure AD comes in four different licensing tiers: free (lowest), Office 365 Apps, Premium P1 and Premium P2 (highest).
The free licensing tier has a 500,000-object limit for directory objects. It contains all of the business-to-business, core identity and access management features. It does not include IAM for Office 365, premium features, hybrid identities, conditional access, identity protection, identity governance or advanced group access management. According to Microsoft, features included in the free tier are:
- Unlimited single sign-on
- User provisioning
- Federated Authentication (Active Directory Federation Services or third-party identity provider)
- Users and group management
- Device registration
- Cloud authentication (Pass-Through Authentication, Password Hash synchronization, Seamless SSO)
- Azure AD Connect sync, which extends an organization's on-premises directories to Azure AD
- Self-service password change
- Azure AD Join (desktop SSO and administrator BitLocker recovery)
- Password protection
- Multifactor authentication
- Basic reporting for security and usage
- Azure AD features for guest users
The second-lowest tier of Azure AD services is available to Office 365 apps subscribers at the E1, E3, E5, F1 and F3 levels. This tier has no directory object limit. It includes all of the features offered in the free tier, plus identity and access management for Office 365 apps, such as:
- Customized company branding of access panels and logon/logout pages
- Service-level agreement (SLA)
- Self-service password reset for cloud users
- Two-way synchronization of device objects between Azure AD and on-premises directories
The Premium P1 tier grants the second-highest level of access to Azure AD. Premium P1 access costs $6 per month, per user. It includes the full functionality of Azure AD, except for identity protection and identity governance. Specific features in Premium P1 include everything offered in the Office 365 tier, plus:
- Premium password protection, self-service password reset with on-premises write-back
- Advanced group access management
- Azure AD Join with mobile device management (MDM) auto enrollment, local admin policy customization, self-service BitLocker recovery, enterprise state roaming
- Advanced security and usage reports
- Hybrid identities
- Conditional access
The Premium P2 tier costs $9 per month, per user and includes the full suite of Azure AD functionality. It includes everything offered in P1, as well as identity protection and identity governance features.