Identity and Azure Active Directory: An overview

Learn how to use Azure AD as a cloud identity provider for your applications and resources

Introduction

Identity is the new security perimeter in the modern world of cloud computing. Whether you are accessing Microsoft cloud services, such as Azure, Microsoft 365, or Dynamics 365, or third-party SaaS applications, you need a reliable and secure way to authenticate and authorize your users, devices, and applications. Azure Active Directory (Azure AD) is the cloud identity provider that powers Microsoft cloud services and enables you to integrate your own applications and resources with it. Azure AD is not just a replica of Active Directory Domain Services (AD DS) in the cloud. It is a completely different service that speaks web protocols, such as OpenID Connect, OAuth 2.0, SAML, and WS-Federation, and offers a rich set of features and capabilities for identity management, security, and governance.

In this blog post, we will explore the fundamentals of Azure AD and how it can help you achieve your identity and access management goals. We will cover the following topics:

  • What is Azure AD and how does it differ from AD DS?
  • How to get Azure AD and how to manage it?
  • What are the objects and roles in Azure AD and how to synchronize them from AD DS?
  • What are the authentication and authorization options in Azure AD and how to enable them?
  • What are the advanced features and capabilities of Azure AD, such as Privileged Identity Management, Identity Governance, Passwordless Authentication, and Verifiable Credentials?

By the end of this blog post, you will have a solid understanding of Azure AD and how to use it as a cloud identity provider for your applications and resources. You will also learn some best practices and tips for securing and managing your Azure AD environment.

What is Azure AD and how does it differ from AD DS?

Azure AD is a cloud-based identity and access management service that provides identity services for Microsoft cloud services, such as Azure, Microsoft 365, and Dynamics 365, as well as thousands of third-party SaaS applications that trust Azure AD. Azure AD is not a replacement for AD DS, which is the on-premises directory service that stores and manages user accounts, computer accounts, organizational units, group policy objects, and other objects in a domain. Azure AD and AD DS are different services that serve different purposes and have different architectures and features.

Some of the key differences between Azure AD and AD DS are:

  • Azure AD is a cloud service that is accessible over the internet using web protocols, such as HTTPS, OpenID Connect, OAuth 2.0, SAML, and WS-Federation. AD DS is an on-premises service that is accessible over a network using protocols, such as NTLM, Kerberos, and LDAP.
  • Azure AD is a multi-tenant service that can host multiple Azure AD tenants, each with its own namespace, users, groups, devices, applications, and roles. AD DS is a single-tenant service that can host one or more AD DS domains, each with its own namespace, users, groups, computers, organizational units, and group policy objects.
  • Azure AD does not support organizational units, group policy objects, or nested groups. Azure AD supports flat groups, administrative units, and roles for managing objects and permissions. AD DS supports hierarchical organizational units, group policy objects, and nested groups for managing objects and permissions.
  • Azure AD supports cloud authentication, federation, and passwordless authentication methods for users, devices, and applications. AD DS supports password, smart card, and certificate-based authentication methods for users and computers.
  • Azure AD supports advanced features and capabilities, such as Privileged Identity Management, Identity Governance, Passwordless Authentication, Verifiable Credentials, Conditional Access, Identity Protection, Access Reviews, and Entitlement Management. AD DS supports basic features and capabilities, such as Active Directory Certificate Services, Active Directory Federation Services, Active Directory Rights Management Services, and Active Directory Lightweight Directory Services.

Azure AD and AD DS can work together to provide a hybrid identity solution, where you can synchronize your on-premises AD DS objects to Azure AD and enable single sign-on and seamless access to both on-premises and cloud resources. You can also extend your on-premises AD DS domain to Azure using Azure AD Domain Services, which provides a managed AD DS instance in Azure that supports domain join, LDAP, NTLM, and Kerberos authentication.

How to get Azure AD and how to manage it?

If you are using any Microsoft cloud service, such as Azure, Microsoft 365, or Dynamics 365, you already have Azure AD. Azure AD is the directory service that powers these cloud services and enables you to manage your users, groups, devices, applications, and roles. You can access and manage your Azure AD tenant using the Azure portal, the Microsoft Entra portal, the Microsoft 365 admin center, or the Azure AD PowerShell module. You can also use the Azure AD Graph API or the Microsoft Graph API to programmatically access and manage your Azure AD resources.

To get Azure AD, you need to create an Azure AD tenant, which is an instance of Azure AD that has its own namespace, users, groups, devices, applications, and roles. You can create an Azure AD tenant using the Azure portal, the Microsoft Entra portal, or the Azure AD PowerShell module. By default, your Azure AD tenant will have a name like tenant.onmicrosoft.com, where tenant is a name that you choose. You can also add custom domain names to your Azure AD tenant, such as tenant.com or tenant.net, by verifying that you own these domain names and adding them to your Azure AD tenant.

To manage your Azure AD tenant, you need to have an Azure AD role that grants you the necessary permissions to perform certain actions. There are many built-in Azure AD roles, such as Global Administrator, User Administrator, Password Administrator, Billing Administrator, Application Administrator, and more. You can also create custom Azure AD roles with specific permissions that suit your needs. You can assign Azure AD roles to users, groups, or devices, either at the global scope or at the administrative unit scope. Administrative units are containers that can hold users, groups, and devices, and allow you to delegate the management of these objects to specific users or groups.

To monitor and secure your Azure AD tenant, you can use various features and capabilities that Azure AD provides, such as:

  • Azure AD Secure Score, which gives you a numerical score based on the security posture of your Azure AD tenant and provides recommendations on how to improve it.
  • Azure AD Identity Protection, which detects and mitigates potential identity risks, such as compromised credentials, sign-in risk, or user risk, and provides policies and actions to remediate them.
  • Azure AD Conditional Access, which allows you to enforce granular policies and controls based on the context of the user, device, application, or resource, and require certain conditions or actions, such as multi-factor authentication, device compliance, or location, to grant or deny access.
  • Azure AD Audit Logs and Sign-In Logs, which provide detailed information on the activities and events that occur in your Azure AD tenant, such as user creation, role assignment, password reset, sign-in success, sign-in failure, or sign-in risk.
  • Azure AD Reports and Insights, which provide various reports and dashboards that help you analyze and visualize the data and trends in your Azure AD tenant, such as user activity, application usage, role assignments, license consumption, or security alerts.
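The sign-in log fields above are the raw material for routine detection. As an added example (not code from the original post), the following Python script triages a few constructed sign-in log entries in the shape returned by the Microsoft Graph signIns endpoint: it flags privileged sign-ins that used only one factor, successful sign-ins that no Conditional Access policy evaluated, risky sign-ins that nobody has remediated, and spray-like failure bursts from one IP. The field names follow the Graph signIn resource; the PRIVILEGED set and the sample entries are assumptions.

```python
from collections import defaultdict

# Assumption for this example: UPNs the tenant treats as privileged accounts.
PRIVILEGED = {"admin@contoso.onmicrosoft.com"}


def _entry(upn, ip, code, auth, ca, risk="none", state="none"):
    """Build one sign-in record using Microsoft Graph signIn field names."""
    return {"userPrincipalName": upn, "ipAddress": ip, "status": {"errorCode": code},
            "authenticationRequirement": auth, "conditionalAccessStatus": ca,
            "riskLevelDuringSignIn": risk, "riskState": state}


# Constructed sample export (errorCode 0 = success, 50126 = bad username/password).
SAMPLE_SIGNINS = [
    _entry("admin@contoso.onmicrosoft.com", "203.0.113.10", 0, "singleFactorAuthentication", "notApplied"),
    _entry("alice@contoso.onmicrosoft.com", "198.51.100.7", 0, "multiFactorAuthentication", "success", "high", "atRisk"),
    _entry("bob@contoso.onmicrosoft.com", "192.0.2.44", 50126, "singleFactorAuthentication", "notApplied"),
    _entry("carol@contoso.onmicrosoft.com", "192.0.2.44", 50126, "singleFactorAuthentication", "notApplied"),
    _entry("dave@contoso.onmicrosoft.com", "192.0.2.44", 50126, "singleFactorAuthentication", "notApplied"),
]


def triage(entry):
    """Return the finding codes that apply to a single sign-in entry."""
    findings = []
    succeeded = entry["status"]["errorCode"] == 0
    # A privileged account that signed in with only one factor.
    if (succeeded and entry["userPrincipalName"] in PRIVILEGED
            and entry["authenticationRequirement"] == "singleFactorAuthentication"):
        findings.append("privileged-user-without-mfa")
    # A successful sign-in that no Conditional Access policy evaluated: a coverage gap.
    if succeeded and entry["conditionalAccessStatus"] == "notApplied":
        findings.append("no-conditional-access-policy-matched")
    # Identity Protection rated the sign-in risky and nobody has remediated it yet.
    if entry["riskLevelDuringSignIn"] in ("medium", "high") and entry["riskState"] != "remediated":
        findings.append("risky-signin-" + entry["riskLevelDuringSignIn"])
    return findings


def failure_bursts(entries, threshold=3):
    """Source IPs whose failed sign-ins hit at least `threshold` distinct users (spray pattern)."""
    users_per_ip = defaultdict(set)
    for e in entries:
        if e["status"]["errorCode"] != 0:
            users_per_ip[e["ipAddress"]].add(e["userPrincipalName"])
    return {ip: len(users) for ip, users in users_per_ip.items() if len(users) >= threshold}


def report(entries):
    """Map each user with at least one finding to the list of finding codes."""
    out = defaultdict(list)
    for e in entries:
        out[e["userPrincipalName"]].extend(triage(e))
    return {upn: codes for upn, codes in out.items() if codes}


if __name__ == "__main__":
    for upn, codes in report(SAMPLE_SIGNINS).items():
        print(upn, "->", ", ".join(codes))
    for ip, count in failure_bursts(SAMPLE_SIGNINS).items():
        print(f"{ip}: failed sign-ins for {count} distinct users")
```

On a real export, replace SAMPLE_SIGNINS with the `value` array from the signIns response and widen PRIVILEGED to the accounts holding your tenant's administrator roles.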

What are the objects and roles in Azure AD and how to synchronize them from AD DS?

Azure AD has various types of objects that represent the entities and resources that you can manage and access in your Azure AD tenant. Some of the common objects in Azure AD are:

  • Users, which represent human beings who have an identity and a credential in Azure AD and can sign in and access applications and resources.
  • Groups, which represent collections of users, devices, or service principals that can be used for managing permissions, access, or settings.
  • Devices, which represent physical or virtual machines that have an identity and a credential in Azure AD and can be used for authentication, authorization, or management purposes.
  • Applications, which represent software applications that have an identity and a credential in Azure AD and can be used for authentication, authorization, or management purposes.
  • Service principals, which represent instances of applications that have an identity and a credential in Azure AD and can be used for authentication, authorization, or management purposes.
  • Enterprise applications, which represent SaaS applications that trust Azure AD for authentication and authorization and can be used for managing access, settings, or provisioning.
  • Roles, which represent sets of permissions that can be assigned to users, groups, devices, or service principals to perform certain actions or access certain resources in Azure AD or Azure.

If you have an on-premises AD DS environment, you can synchronize your AD DS objects to Azure AD using Azure AD Connect or Azure AD Connect Cloud Sync. Azure AD Connect is a tool that you install on an on-premises Windows server and configure to connect to your AD DS and Azure AD tenants. Azure AD Connect can synchronize your AD DS users, groups, devices, and other objects to Azure AD using various synchronization options, such as:

  • Password hash synchronization, which synchronizes a hash of each AD DS user's password hash (never the password itself) to Azure AD and enables cloud authentication by Azure AD.
  • Pass-through authentication, which passes the authentication request of your AD DS users from Azure AD through to your on-premises AD DS domain controllers for validation and enables hybrid authentication backed by AD DS.
  • Federation, which redirects the authentication request of your AD DS users to an on-premises federation service, such as AD FS, and enables federated authentication using SAML or WS-Federation.

Azure AD Connect can also enable other features and capabilities, such as:

  • Seamless single sign-on, which enables your AD DS users to sign in to Azure AD and Microsoft cloud services without entering their credentials again if they are already signed in to their AD DS domain.
  • Hybrid Azure AD join, which enables your AD DS domain-joined devices to be registered and managed by Azure AD and Intune and to support features such as Hello for Business, Conditional Access, or Windows Autopilot.
  • Hybrid Azure AD join with VPN, which enables your AD DS domain-joined devices that are outside your corporate network to be registered and managed by Azure AD and Intune using a VPN connection.
  • Azure AD Connect Health, which monitors the health and performance of your Azure AD Connect and AD DS environment and provides alerts, reports, and insights.

Azure AD Connect Cloud Sync is a cloud-based alternative to Azure AD Connect that simplifies the synchronization process and reduces the infrastructure and maintenance requirements. Azure AD Connect Cloud Sync uses lightweight agents that you install on your on-premises Windows servers and connect to your AD DS and Azure AD tenants. Azure AD Connect Cloud Sync can synchronize your AD DS users, groups, and devices to Azure AD using password hash synchronization or federation. Azure AD Connect Cloud Sync can also enable seamless single sign-on and hybrid Azure AD join.

What are the authentication and authorization options in Azure AD and how to enable them?

Authentication and authorization are two essential aspects of identity and access management. Authentication is the process of verifying the identity of a user, device, or application that is trying to access a resource. Authorization is the process of granting or denying the access or actions that a user, device, or application can perform on a resource. Azure AD provides various options and features for authentication and authorization, such as:

  • Multi-factor authentication (MFA), which is a method of authentication that requires two or more factors, such as something you know, something you have, or something you are, to verify your identity. Azure AD supports various MFA methods, such as Authenticator app, SMS, voice call, FIDO2 security keys, certificate-based authentication, or temporary access pass. You can enable MFA for your users using security defaults, which is a basic and free option, or conditional access, which is a granular and premium option.
  • Passwordless authentication, which is a method of authentication that eliminates the need for passwords and reduces the risk of phishing, credential theft, or password spray attacks. Azure AD supports various passwordless authentication methods, such as Windows Hello for Business, which uses a PIN or biometric to unlock a TPM in your device, FIDO2 security keys, which use a physical key that you insert or tap on your device, or Authenticator app, which uses a notification or a one-time code on your mobile device.
  • Single sign-on (SSO), which is a feature that enables you to sign in once and access multiple applications and resources without entering your credentials again. Azure AD supports various SSO methods, such as OpenID Connect, which is a modern and secure protocol for web and mobile applications; OAuth 2.0, which is a modern and secure protocol for delegated authorization and access tokens; SAML, which is a legacy but widely used protocol for web applications; and WS-Federation, which is a legacy, Microsoft-centric protocol for web applications.
  • Conditional Access, which is a feature that enables you to enforce granular policies and controls based on the context of the user, device, application, or resource, and require certain conditions or actions, such as MFA, device compliance, location, or sign-in risk, to grant or deny access. Conditional Access is a premium feature that requires Azure AD P1 or P2 license and can be configured using the Azure portal, the Azure AD PowerShell module, or the Microsoft Graph API.
  • Role-based access control (RBAC), which is a method of authorization that assigns roles to users, groups, devices, or service principals and grants them permissions to perform certain actions or access certain resources in Azure AD or Azure. Azure AD has various built-in roles, such as Global Administrator, User Administrator, Password Administrator, Billing Administrator, Application Administrator, and more. You can also create custom Azure AD roles with specific permissions that suit your needs. Azure itself has a separate set of built-in roles for resources, such as Owner, Contributor, Reader, User Access Administrator, and more, and you can likewise create custom Azure roles with specific permissions that suit your needs.

What are the advanced features and capabilities of Azure AD, such as Privileged Identity Management, Identity Governance, Passwordless Authentication, and Verifiable Credentials?

Azure AD is not just a cloud identity provider. It is also a platform that offers a rich set of features and capabilities for advanced identity and access management scenarios, such as Privileged Identity Management, Identity Governance, Passwordless Authentication, and Verifiable Credentials. These features and capabilities are designed to help you enhance the security, compliance, and user experience of your Azure AD environment. Some of these features and capabilities are:

  • Privileged Identity Management (PIM), which is a feature that enables you to manage, monitor, and audit the use of privileged roles in Azure AD and Azure. PIM lets you grant users, groups, or devices the right to activate a privileged role just in time, either on demand or scheduled for a future time, for a limited duration, and subject to conditions or approvals. PIM also lets you review and verify the role assignments, the role activations, and the role history, and receive alerts and reports on privileged activity. PIM is a premium feature that requires an Azure AD P2 license and can be configured using the Microsoft Entra portal, the Azure AD PowerShell module, or the Microsoft Graph API.
  • Identity Governance, which is a set of features and capabilities that enable you to manage the lifecycle, access, and risk of your identities and resources in Azure AD and Azure. It includes Access Reviews, which let you review and verify the group memberships, app assignments, or role assignments of your users, groups, or devices and remove or renew that access as needed; Entitlement Management, which lets you create and manage packages of access entitlements, such as roles, groups, or apps, and assign them to users, groups, or devices based on policies, workflows, or requests; Identity Protection, which detects potential identity risks, such as compromised credentials, sign-in risk, or user risk, and provides policies and actions to remediate them; and Verifiable Credentials, which let you issue and verify digital credentials that prove certain claims or attributes about your users, groups, or devices and use them for authentication and authorization. Identity Governance is a premium feature that requires an Azure AD P2 license and can be configured using the Microsoft Entra portal, the Azure AD PowerShell module, or the Microsoft Graph API.
  • Passwordless Authentication, which is a method of authentication that eliminates the need for passwords and reduces the risk of phishing, credential theft, or password spray attacks. Azure AD supports various passwordless authentication methods, such as Windows Hello for Business, which uses a PIN or biometric to unlock a TPM in your device, FIDO2 security keys, which use a physical key that you insert or tap on your device, or Authenticator app, which uses a notification or a one-time code on your mobile device. Passwordless Authentication is a free feature that can be enabled and configured using the Azure portal, the Azure AD PowerShell module, or the Microsoft Graph API.
  • Verifiable Credentials, which are a method of issuing and verifying digital credentials that prove certain claims or attributes about your users, groups, or devices, and of using them for authentication and authorization purposes. Verifiable Credentials are based on decentralized identifiers (DIDs) and trust frameworks that enable the issuer, the subject, and the verifier to exchange verifiable presentations without relying on a centralized identity provider. Azure AD supports Verifiable Credentials through the Microsoft Entra Verified ID solution, which allows you to issue and verify Verifiable Credentials using the Microsoft Authenticator app and the Microsoft Entra portal. Verifiable Credentials are a premium feature that requires a separate license and can be configured using the Microsoft Entra portal or the Microsoft Graph API.

Conclusion

In this blog post, we have explored the fundamentals of Azure AD and how it can help you achieve your identity and access management goals. We have covered the following topics:

  • What is Azure AD and how does it differ from AD DS?
  • How to get Azure AD and how to manage it?
  • What are the objects and roles in Azure AD and how to synchronize them from AD DS?
  • What are the authentication