Introduction
Talking about Microsoft 365 without talking about Azure Active Directory is meaningless, simply because Microsoft 365 relies on Azure Active Directory (AAD) for identity management.
In this first article of the Identity Management & Protection series here on Networks Pioneers, we start from a simple observation: you need to understand Azure Active Directory (referred to below as AAD or Azure AD) before diving into how to secure user identities.
Please join us in this article and the ones that follow as we discuss identity management and how to secure it.
What is Azure Active Directory?
Since the early days, identity management has been a crucial part of any IT system, and it has always been a centralized one.
Linux and Unix systems mostly relied on the Lightweight Directory Access Protocol (LDAP) for identity management.
Microsoft developed its own on-premises identity management product, Active Directory Domain Services (referred to as ADDS).
Later:
cloud applications became more popular, which raised the need for centralized identity management for cloud applications >> Microsoft developed a cloud identity management service called Azure Active Directory (referred to as Azure AD).
Azure Active Directory (Azure AD) is Microsoft's next evolution of identity and access management for the cloud. (The service was renamed Microsoft Entra ID in 2023; this article keeps the Azure AD name throughout.)
Azure AD takes the ADDS approach to the next level by providing organizations with Identity as a Service (IDaaS).
Azure Active Directory (Azure AD) helps your employees sign in to and access:
- Cloud apps: such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications.
- On-premises apps: such as apps on your corporate network and intranet.
Azure AD vs Microsoft 365 vs Azure IaaS
Some people, when they hear "Azure AD", jump straight to Azure and forget the next two words, Active Directory 🙂
We actually have to differentiate between Azure AD, Microsoft 365 and Azure IaaS.
Microsoft 365:
- Software as a Service (SaaS)
- you use the applications without installing them on your computer
- but something still has to identify (authenticate) you before you can open your OWN files >> that is done by Azure AD
Azure:
- Infrastructure as a Service (IaaS)
- you build your servers without buying physical hardware or owning a physical datacenter
- but something still has to identify (authenticate) you before you can run your servers >> that is also done by Azure AD
Azure Active Directory:
- is the centralized identity management service behind both, and that is what we look at NEXT in this article 🙂
Azure AD vs ADDS
OK ..
Now we know that Microsoft has two identity management solutions:
- ADDS for the on-premises network (local environment)
- Azure AD for cloud apps
Let us compare the two:
- Access control: Azure AD provides built-in roles through its role-based access control (RBAC) system, with limited support for creating custom roles to delegate privileged access to the identity system >> while ADDS relies on domains, organizational units, and groups.
- Credentials: Azure AD adds intelligent password protection for cloud and on-premises accounts, including smart lockout and blocking of common and custom password phrases and their character substitutions >> while ADDS credentials are based on passwords, certificate authentication, and smart card authentication.
- Network access: Azure AD uses Conditional Access (CA) to control which users get access to which apps, and under which conditions >> while ADDS controls access at the network layer through DNS, DHCP, IPsec, Wi-Fi, NPS, and VPN.
- SaaS apps: Azure AD natively supports SaaS apps that use OAuth 2.0, SAML, and WS-Federation >> while ADDS requires AD FS for the same.
- Mobile devices: Microsoft Intune integrates with Azure AD to manage mobile devices >> while ADDS needs a third-party solution.
- Windows devices: Windows devices can be joined to Azure AD, and Conditional Access can check whether a device is Azure AD joined as part of the authentication process >> while ADDS uses Group Policy (GPO) to manage domain-joined PCs.
- Security model: in the cloud, security is driven by identity, apps, and devices >> while ADDS relies on the network perimeter to keep data away from users outside it.
Single Sign-On (SSO)
What is single sign-on (SSO)?
SSO is an authentication method that lets users securely authenticate to multiple applications and websites with just one set of credentials.
With single sign-on, users sign in once to access:
- domain-joined devices,
- company resources,
- software as a service (SaaS) applications,
- and web applications.
Without single sign-on, by contrast, users must remember application-specific passwords and log in to each application individually.
How do you configure SSO in Azure AD and ADDS?
To configure single sign-on:
- Cloud applications use OpenID Connect, OAuth, SAML, password-based, linked, or disabled methods for single sign-on.
- On-premises applications (published through Azure AD Application Proxy) use password-based, Integrated Windows Authentication, header-based, linked, or disabled methods for single sign-on.
Note that "password-based" SSO means Azure AD stores a password for the app and replays it into the app's login form on the user's behalf; it is the weakest of these methods, so prefer OpenID Connect or SAML whenever the application supports them.
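Once several apps have been integrated, it helps to know which SSO method each one actually ends up with. The script below is an added example and is not part of the original article; it uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph) and assumes you hold a role that can read service principals, such as Global Reader. The enterprise-app tag value and the documented mode strings are taken from Microsoft Graph; the warning rule for password-based SSO is the author's own choice, not an Azure AD setting.

```powershell
# Added example (not from the original article): inventory the single sign-on
# mode configured on each enterprise application in the tenant.
# Assumes: Microsoft.Graph module installed; signed-in account can read
# service principals (Application.Read.All, e.g. via Global Reader).

Connect-MgGraph -Scopes "Application.Read.All"

# Service principals that appear under "Enterprise applications" in the portal
# carry this tag; plain app registrations without it are skipped.
$enterpriseTag = "WindowsAzureActiveDirectoryIntegratedApp"

$apps = Get-MgServicePrincipal -All -Property "id,displayName,appId,tags,preferredSingleSignOnMode,accountEnabled" |
    Where-Object { $_.Tags -contains $enterpriseTag }

$report = foreach ($sp in $apps) {
    # preferredSingleSignOnMode is empty until an SSO method has been chosen;
    # values seen in Graph include saml, password, oidc and notSupported.
    $mode = if ($sp.PreferredSingleSignOnMode) { $sp.PreferredSingleSignOnMode } else { "(not configured)" }
    [pscustomobject]@{
        DisplayName = $sp.DisplayName
        AppId       = $sp.AppId
        SsoMode     = $mode
        Enabled     = $sp.AccountEnabled
    }
}

$report | Sort-Object SsoMode, DisplayName | Format-Table -AutoSize

# Password-based SSO vaults a shared credential for the app and replays it.
# Flag those for review and migrate to SAML/OIDC where the app supports it.
$report | Where-Object { $_.SsoMode -eq "password" } | ForEach-Object {
    Write-Warning "Password-based SSO (credential vaulting) in use: $($_.DisplayName) [$($_.AppId)]"
}
```

Run it in a PowerShell session after installing the module; the table gives you a per-app view of the methods listed above, and the warnings point at the apps worth revisiting first.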
AAD licenses and features
Like any Microsoft product, Azure AD comes in several tiers with different features and, of course, different prices.
Azure AD Free
- Included with any Azure subscription (and with Microsoft 365)
- 500K object limit
- No limit for Microsoft 365 applications
- Maximum 10 SSO apps per user
- MFA only for Office 365 services
Azure AD Premium P1 (referred to as AAD P1)
- $6 per user per month
- No limit on SSO apps
- Conditional Access based on device/location
- MFA for Microsoft 365 and on-premises services (hybrid)
Azure AD Premium P2 (referred to as AAD P2)
- $9 per user per month
- All features in AAD P1
- Adds the risk-based protection features: Azure AD Identity Protection, Privileged Identity Management (PIM) and access reviews (MFA and Conditional Access themselves are already in P1; P2 lets them act on sign-in and user risk)
Be careful:
the Azure AD licensing model and the prices above are subject to change at any time; the figures here are as they stood when this article was written.
So... what to do?
Simply keep an eye on the Azure AD price list >> https://azure.microsoft.com/en-us/pricing/details/active-directory/
What to manage in Azure AD
Let us open the Azure portal and then Azure Active Directory to explore what is inside.
Open https://portal.azure.com/ and sign in to your tenant. For exploring, a read-only role such as Global Reader is enough; keep Global Administrator sign-ins for the tasks that actually need them, and protect those accounts with MFA.
Azure AD provides us with the following:
the Manage section lets us manage every aspect of the tenant, including but NOT limited to:
- Users
- Groups
- External identities, such as guest users signing in with Gmail or partner accounts
- Administrative roles assigned to users
- Devices joined to AAD to meet security needs (fully detailed later)
- Assigned licenses
- Azure AD Connect: used to connect the local Active Directory (ADDS) to the tenant in a hybrid environment
- and so many more features that will improve your administrative capabilities
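The same objects can be pulled from the command line, which is handy when you want a snapshot of the tenant rather than clicking through blades. The script below is an added example and is not part of the original article; it uses the Microsoft Graph PowerShell SDK, only reads, and assumes the signed-in account has read permissions (Global Reader is sufficient). The TrustType meanings in the device comment are taken from the Graph device resource.

```powershell
# Added example (not from the original article): read-only inventory of the
# objects the portal's Manage section exposes: users, guests, groups,
# administrative roles and their members, devices, licenses and hybrid sync.
# Assumes: Microsoft.Graph module installed; a read-only role such as Global Reader.

Connect-MgGraph -Scopes "User.Read.All","Group.Read.All","Directory.Read.All","Device.Read.All","Organization.Read.All"

# Tenant and Azure AD Connect state: the organization object records whether
# on-premises directory sync (hybrid) is enabled and when it last ran.
$org = Get-MgOrganization | Select-Object -First 1
"Tenant: $($org.DisplayName)  Id: $($org.Id)"
"Hybrid sync (Azure AD Connect) enabled: $($org.OnPremisesSyncEnabled)  last sync: $($org.OnPremisesLastSyncDateTime)"

# Users, split into members and guests (external identities such as Gmail or partner accounts).
$users  = Get-MgUser -All -Property "id,displayName,userPrincipalName,userType,accountEnabled"
$guests = @($users | Where-Object { $_.UserType -eq "Guest" })
"Users: $($users.Count)  (guests: $($guests.Count))"

# Groups
$groups = Get-MgGroup -All -Property "id,displayName,securityEnabled,groupTypes"
"Groups: $($groups.Count)"

# Administrative roles and who holds them. Only roles that have been activated
# in the tenant are returned; review Global Administrator membership first.
foreach ($role in Get-MgDirectoryRole -All) {
    $members = @(Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All)
    if ($members.Count -eq 0) { continue }
    "Role: $($role.DisplayName)  ($($members.Count) members)"
    foreach ($m in $members) {
        # Members can be users, groups or service principals; show UPN when present.
        $name = if ($m.AdditionalProperties['userPrincipalName']) { $m.AdditionalProperties['userPrincipalName'] }
                else { $m.AdditionalProperties['displayName'] }
        "    $name"
    }
}

# Devices grouped by how they relate to the tenant:
#   AzureAd = Azure AD joined, ServerAd = hybrid Azure AD joined, Workplace = Azure AD registered
$devices = Get-MgDevice -All -Property "id,displayName,trustType,isCompliant,operatingSystem"
$devices | Group-Object TrustType | ForEach-Object { "Devices ($($_.Name)): $($_.Count)" }
"Devices not marked compliant: $(@($devices | Where-Object { -not $_.IsCompliant }).Count)"

# Licenses: assigned versus purchased per SKU
Get-MgSubscribedSku | ForEach-Object {
    "License $($_.SkuPartNumber): $($_.ConsumedUnits) of $($_.PrepaidUnits.Enabled) assigned"
}
```

Keep the output of a run like this as a baseline; diffing it against a later run is a cheap way to spot new role holders, new guests or devices that have dropped out of compliance before the later articles get to the dedicated protection tools.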
Conclusion
In this article we have got an overview of Azure AD.
In the next articles we will see how to protect identities in AAD with its most powerful protection tools.
Please join us there.