This is a multi-part series that covers monitoring Microsoft Azure Active Directory (AD).

In this blog post, which is part 1 of the series, you will learn about and understand Microsoft Azure Active Directory (Azure AD) and how it is different from an on-premises Active Directory (AD).

As technology keeps evolving, companies increasingly look to technologies like Cloud Computing to expand, modernize and stay competitive, and in doing so companies can expose themselves to risks.

Data has become the most crucial element for businesses. With more data, hackers are breaching clouds and organizations these days and organizations must adhere to increased regulatory standards protecting customer assets and data.

Medium and large organizations struggle to understand how they can protect and secure their data, their customers, and their very existence before moving to the cloud. They are always looking for tools that can prevent data breaches and lower the complexity of identity and access management issues. Microsoft Azure Active Directory (Azure AD) is one such tool that helps you manage identities and access capabilities with ease.

What is Azure Active Directory?

Azure Active Directory logoAzure Active Directory (Azure AD) is Microsoft’s multi-tenant, cloud-based Identity and Access Management (IAM) service. It takes care of authentication and authorization of user and application identities. It’s the digital infrastructure that allows your employees to sign in and access external resources, such as those held in Microsoft 365 service, an ever-growing list of other SaaS applications, as well as those held on corporate networks.

When you sign up for any services offered by Microsoft Azure cloud, Microsoft automatically assigns a default directory, which is an instance of Azure AD. This directory holds the users and groups that will have access to each of the services the company has signed up for. This default directory is sometimes referred to as a tenant. For more information about creating a tenant for your organization, see Quickstart: Create a new tenant in Azure Active Directory. The Azure Active Directory tenant represents your organization. Each tenant might have 1 to N Azure Subscriptions. Azure Subscription is a group of cloud services that are billed together.

An Azure AD user account might be single-tenant (has access to resources of a single organization) or multi-tenant (two or more organizations). Every user, who needs access to Azure resources, needs an Azure user account. A user account contains all the information needed to authenticate the user during the sign-in process. Once authenticated, Azure AD builds an access token to authorize the user and determine what resources they can access and what they can do with those resources.

Typically, Azure AD defines users in three ways:

  1. Cloud identities – These users exist only in Azure AD. Examples are administrator accounts and users that you manage yourself.
  2. Directory-synchronized identities – These users exist in an on-premises Active Directory. A synchronization activity that occurs via Azure AD Connect software brings these users into Azure.
  3. Guest users – These users exist outside Azure. Examples are accounts from other cloud providers and Microsoft accounts, such as an Xbox LIVE account. Their source is Invited User. This type of account is useful when external vendors or contractors need access to your Azure resources.

What is the difference between AD (Active Directory) and Azure AD?

You may be familiar with on-premises Active Directory concepts. On-Premises Active Directory is on servers called Domain Controllers (DC). Each DC contains a catalog of users and computers that are authorized to access resources on the network. Users authenticate to DCs via Kerberos or the NTLM protocol. Azure AD and On-Premises AD are both created by Microsoft, and they are both IAM systems, but that’s pretty much where the comparisons stop. The following table outlines the differences and similarities between Active Directory concepts and Azure Active Directory:

Concept Active Directory (AD) Azure Active Directory
Users
Provisioning – users Organizations create internal users manually or use an in-house or automated provisioning system, such as the Microsoft Identity Manager to integrate with an HR system. Existing AD organizations use Azure AD Connect to sync identities to the cloud.
Azure AD adds support to automatically create users from cloud HR systems.
Azure AD can provision identities in SCIM-enabled SaaS apps to automatically provide apps with the necessary details to allow access for users.
Provisioning – external identities Organizations create external users manually as regular users in a dedicated external AD forest, resulting in administration overhead to manage the lifecycle of external identities (guest users). Azure AD provides a special class of identity to support external identities. Azure AD B2B will manage the link to the external user identity to make sure they are valid.
Entitlement management and groups Administrators make users members of groups. App and resource owners then provide these groups with access to apps or resources. Groups are also available in Azure AD and administrators can also use groups to grant permissions to resources. In Azure AD, administrators can assign membership to groups manually or use a query to dynamically include users to a group.
Administrators can use Entitlement management in Azure AD to provide users with access to a collection of apps and resources using workflows and, if necessary, time-based criteria.
Admin management Organizations will use a combination of domains, organizational units, and groups in AD to delegate administrative rights to manage the directory and resources it controls. Azure AD provides built-in roles with its Azure AD role-based access control (Azure AD RBAC) system, with limited support for creating custom roles to delegate privileged access to the identity system, the apps, and resources it controls.
Managing roles can be enhanced with Privileged Identity Management (PIM) to provide just-in-time, time-restricted, or workflow-based access to privileged roles.
Credential management Credentials in Active Directory are based on passwords, certificate authentication, and smartcard authentication.
Passwords are managed using password policies that are based on password length, expiry, and complexity.
Azure AD uses intelligent password protection for cloud and on-premises. Protection includes smart lockout plus blocking common and custom password phrases and substitutions.
Azure AD significantly boosts security through multi-factor authentication and passwordless technologies, like FIDO2.
Azure AD reduces support costs by providing users a self-service password reset system.
Applications
Infrastructure applications Active Directory forms the basis for many on-premises infrastructure components, for example, DNS, DHCP, IPSec, WiFi, NPS, and VPN access. In a new cloud world, Azure AD is the new control plane for accessing apps versus relying on networking controls. When users authenticate, Conditional Access (CA) will control which users will have access to which apps under required conditions.
Traditional and legacy applications Most on-premises applications use LDAP, Windows-Integrated Authentication (NTLM and Kerberos), or Header-based authentication to control access to users. Azure AD can provide access to these types of on-premises apps using Azure AD application proxy agents running on-premises. Using this method, Azure AD can authenticate Active Directory users on-premises using Kerberos while you migrate or need to coexist with legacy apps.
SaaS applications Active Directory doesn’t support SaaS applications natively and requires a federation system, such as AD FS. SaaS apps supporting OAuth2, SAML, and WS-* authentication can be integrated to use Azure AD for authentication.
Line of business (LoB) applications with modern authentication Organizations can use AD FS with Active Directory to support LoB applications requiring modern authentication. LoB applications requiring modern authentication can be configured to use Azure AD for authentication.
Mid-tier/Daemon services Services running in on-premises environments normally use AD service accounts or group Managed Service Accounts (gMSA) to run. These apps will then inherit the permissions of the service account. Azure AD provides managed identities to run other workloads in the cloud. The lifecycle of these identities is managed by Azure AD and is tied to the resource provider can’t be used for other purposes to gain backdoor access.
Devices
Mobile Active Directory doesn’t natively support mobile devices without third-party solutions. Microsoft’s mobile device management solution, Microsoft Intune, is integrated with Azure AD. Microsoft Intune provides device state information to the identity system to evaluate during authentication.
Windows desktops Active Directory provides the ability to domain join Windows devices to manage them using Group Policy, System Center Configuration Manager, or other third-party solutions. Windows devices can be joined to Azure AD. Conditional access can check whether a device is Azure AD, joined as part of the authentication process.
Windows devices can also be managed with Microsoft Intune. In this case, conditional access will consider whether a device is compliant (for example, up-to-date security patches and virus signatures) before allowing access to the apps.
Windows servers Active Directory provides strong management capabilities for on-premises Windows servers using Group Policy or other management solutions. Windows servers virtual machines in Azure can be managed with Azure AD Domain Services. Managed identities can be used when VMs need access to the identity system directory or resources.
Linux/Unix workloads Active Directory doesn’t natively support non-Windows without third-party solutions, although Linux machines can be configured to authenticate with Active Directory as a Kerberos realm. Linux/Unix VMs can use managed identities to access the identity system or resources. Some organizations migrate these workloads to cloud container technologies, which can also use managed identities.

Monitoring Azure AD

When monitoring Azure AD, you will need tools that monitor logs, events, metrics, and traces both continually and historically to identify potential issues. In future blog posts, I’ll go into details on how to audit AD but to give an idea of what is possible, here are a few examples of what eG Enterprise covers:

    • Monitor app registrations; track certificate errors

Azure Certificate errors

    • Audit activities – add/delete/modify users, applications, service principals, groups, policies, members, etc.

Azure sign in log

    • Monitor and audit different sign-in logs

Azure Key log information screen

What is Azure AD Connect?

Azure AD Connect is the Microsoft tool designed to be a bridge solution between On-premises Active Directory and Azure AD.

It enables IT admins to federate on-premises user identities to the Azure platform so that users can use the same credentials to access both on-premises applications and cloud services, such as Microsoft 365.

It is included for free with your Azure subscription. It offers multiple features, including synchronization, federation integration and health monitoring.

By default, the sync is one way: from on-premises AD to Azure AD. However, you can configure the writeback function to sync changes from Azure AD back to your on-premises AD. That way, for instance, if a user changes their password using the Azure AD self-service password management function, the password will be updated in the on-premises AD.

Azure AD user accounts illustration

Azure AD Connect can synchronize the user accounts, groups, and credential hashes in your on-premises AD by a scheduler. Most attributes of the user accounts, such as the User Principal Name (UPN) and security identifier (SID), are synchronized.

However, the following objects and attributes are NOT synchronized:

  • Any objects and attributes you specifically exclude from the sync
  • SidHistory attributes for users and groups
  • Group Policy objects (GPOs)
  • The contents of the Sysvol folder
  • Computer objects for computers joined to the on-premises AD environment
  • Organization unit (OU) structures

By default, a sync task runs every 30 minutes. If the sync task is not running correctly, you may experience issues like:

  • Sync account issues – If you change the password for a user in On-premises AD, it does not sync on Azure AD, and thereby, the user is unable to access the resources.
  • Connectivity issues – Microsoft has a Azure AD Connectivity URL, which shows the list of URLs that need to work between AD Connect and Azure AD.

So, it is important to monitor the Azure AD Connect performance. eG Enterprise captures and reports the following metrics for Azure AD Connect:

Azure AD Connect Status screen

It is very common for those with hybrid infrastructure mixing on-premises technologies, such as RDSH farms, Citrix, or VMware with cloud-hosted technologies, such as AVD Hostpools to be using both Azure AD and Active Directory and also Azure AD Connect.

Azure AD Sequence illustration

Azure AD – Pricing and Licensing

Azure Active Directory comes in four editions:

  • Free
  • Office 365 apps
  • Premium P1
  • Premium P2

The Free edition is included with a subscription of a commercial online service e.g. Azure, Dynamics 365, Intune, and Power Platform.

Office 365 subscriptions include the Free edition, but Office 365 E1, E3, E5, F1, and F3 subscriptions also include additional features, see Microsoft’s pricing page for details.

SLA for Azure Active Directory

At the time of drafting this blog post (October 2021), Microsoft guarantees 99.99% availability of the Azure Active Directory Basic and Premium services. The services are considered available in the following scenarios:

  • Users are able to login to the Azure Active Directory service.
  • Azure Active Directory successfully emits the authentication and authorization tokens required for users to log into applications connected to the service.

No SLA is offered for the Free edition of Azure Active Directory, and this should be a serious consideration within most enterprises when evaluating whether to migrate critical identity and access management.

Using Azure AD Connect is free and included in your Azure subscription. However, using Azure AD Connect Health requires an Azure AD Premium P1 license. To find the right license for your requirements, see Comparing generally available features of the Free, Basic, and Premium editions.

Useful Links: