{"id":19785,"date":"2022-01-18T08:30:59","date_gmt":"2022-01-18T13:30:59","guid":{"rendered":"https:\/\/www.eginnovations.com\/blog\/?p=19785"},"modified":"2025-05-16T01:26:07","modified_gmt":"2025-05-16T05:26:07","slug":"what-is-azure-active-directory","status":"publish","type":"post","link":"https:\/\/www.eginnovations.com\/blog\/what-is-azure-active-directory\/","title":{"rendered":"What is Azure Active Directory (Azure AD)?"},"content":{"rendered":"
\n

This is a multi-part series that covers monitoring Microsoft Azure Active Directory (Azure AD)<\/a>. In this blog post, which is part 1 of the series, you will learn about and understand Microsoft Azure Active Directory (Azure AD) and how it is different from an on-premises Active Directory (AD).<\/p>\n

As technology keeps evolving, companies increasingly look to technologies like Cloud Computing to expand, modernize and stay competitive, and in doing so companies can expose themselves to risks. Data has become the most crucial element for businesses. With more data, hackers are breaching clouds and organizations these days and organizations must adhere to increased regulatory standards protecting customer assets and data.<\/p>\n

Medium and large organizations struggle to understand how they can protect and secure their data, their customers, and their very existence before moving to the cloud. They are always looking for tools that can prevent data breaches and lower the complexity of identity and access management issues. Microsoft Azure Active Directory (Azure AD) is one such tool that helps you manage identities and access capabilities with ease.<\/p>\n

<\/span>What is Azure Active Directory?<\/span><\/h2>\n

\"AzureAzure Active Directory (Azure AD) is Microsoft\u2019s multi-tenant, cloud-based Identity and Access Management (IAM) service. It takes care of authentication and authorization of user and application identities. It\u2019s the digital infrastructure that allows your employees to sign in and access external resources, such as those held in Microsoft 365 service, an ever-growing list of other SaaS applications, as well as those held on corporate networks.<\/p>\n

When you sign up for any services offered by Microsoft Azure cloud, Microsoft automatically assigns a default directory, which is an instance of Azure AD. This directory holds the users and groups that will have access to each of the services the company has signed up for. This default directory is sometimes referred to as a tenant. For more information about creating a tenant for your organization, see Quickstart: Create a new tenant in Azure Active Directory.<\/a> The Azure Active Directory tenant represents your organization. Each tenant might have 1 to N Azure Subscriptions. Azure Subscription is a group of cloud services that are billed together.<\/p>\n

An Azure AD user account might be single-tenant (has access to resources of a single organization) or multi-tenant (two or more organizations). Every user, who needs access to Azure resources, needs an Azure user account. A user account contains all the information needed to authenticate the user during the sign-in process. Once authenticated, Azure AD builds an access token to authorize the user and determine what resources they can access and what they can do with those resources.<\/p>\n

Typically, Azure AD defines users in three ways:<\/p>\n

    \n
  1. Cloud identities \u2013<\/strong> These users exist only in Azure AD. Examples are administrator accounts and users that you manage yourself.<\/li>\n
  2. Directory-synchronized identities \u2013<\/strong> These users exist in an on-premises Active Directory. A synchronization activity that occurs via Azure AD Connect software brings these users into Azure.<\/li>\n
  3. Guest users \u2013 <\/strong>These users exist outside Azure. Examples are accounts from other cloud providers and Microsoft accounts, such as an Xbox LIVE account. Their source is Invited User. This type of account is useful when external vendors or contractors need access to your Azure resources.<\/li>\n<\/ol>\n

    <\/span>What is the difference between AD (Active Directory) and Azure AD?<\/span><\/h2>\n

    You may be familiar with on-premises Active Directory<\/a> concepts. On-Premises Active Directory is on servers called Domain Controllers (DC). Each DC contains a catalog of users and computers that are authorized to access resources on the network. Users authenticate to DCs via Kerberos or the NTLM protocol. Azure AD<\/strong> and On-Premises AD<\/strong> are both created by Microsoft, and they are both IAM systems, but that\u2019s pretty much where the comparisons stop. The following table outlines the differences and similarities between Active Directory concepts and Azure Active Directory:<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
    Concept<\/strong><\/td>\nActive Directory (AD)<\/strong><\/td>\nAzure Active Directory<\/strong><\/td>\n<\/tr>\n
    Users<\/strong><\/td>\n<\/tr>\n
    Provisioning – users<\/td>\nOrganizations create internal users manually or use an in-house or automated provisioning system, such as the Microsoft Identity Manager to integrate with an HR system.<\/td>\nExisting AD organizations use Azure AD Connect to sync identities to the cloud.
    \nAzure AD adds support to automatically create users from cloud HR systems.
    \nAzure AD can provision identities in SCIM-enabled SaaS apps to automatically provide apps with the necessary details to allow access for users.<\/td>\n<\/tr>\n
    Provisioning – external identities<\/td>\nOrganizations create external users manually as regular users in a dedicated external AD forest, resulting in administration overhead to manage the lifecycle of external identities (guest users).<\/td>\nAzure AD provides a special class of identity to support external identities. Azure AD B2B will manage the link to the external user identity to make sure they are valid.<\/td>\n<\/tr>\n
    Entitlement management and groups<\/td>\nAdministrators make users members of groups. App and resource owners then provide these groups with access to apps or resources.<\/td>\nGroups are also available in Azure AD and administrators can also use groups to grant permissions to resources. In Azure AD, administrators can assign membership to groups manually or use a query to dynamically include users to a group.
    \nAdministrators can use Entitlement management in Azure AD to provide users with access to a collection of apps and resources using workflows and, if necessary, time-based criteria.<\/td>\n<\/tr>\n
    Admin management<\/td>\nOrganizations will use a combination of domains, organizational units, and groups in AD to delegate administrative rights to manage the directory and resources it controls.<\/td>\nAzure AD provides built-in roles with its Azure AD role-based access control (Azure AD RBAC) system, with limited support for creating custom roles to delegate privileged access to the identity system, the apps, and resources it controls.
    \nManaging roles can be enhanced with Privileged Identity Management (PIM) to provide just-in-time, time-restricted, or workflow-based access to privileged roles.<\/td>\n<\/tr>\n
    Credential management<\/td>\nCredentials in Active Directory are based on passwords, certificate authentication, and smartcard authentication.
    \nPasswords are managed using password policies that are based on password length, expiry, and complexity.<\/td>\n    		Azure AD uses intelligent password protection for cloud and on-premises. Protection includes smart lockout plus blocking common and custom password phrases and substitutions.
    \nAzure AD significantly boosts security through multi-factor authentication and passwordless technologies, like FIDO2.
    \nAzure AD reduces support costs by providing users a self-service password reset system.<\/td>\n<\/tr>\n
    Applications<\/strong><\/td>\n<\/tr>\n
    Infrastructure applications<\/td>\nActive Directory forms the basis for many on-premises infrastructure components, for example, DNS, DHCP, IPSec, WiFi, NPS, and VPN access.<\/td>\nIn a new cloud world, Azure AD is the new control plane for accessing apps versus relying on networking controls. When users authenticate, Conditional Access (CA) will control which users will have access to which apps under required conditions.<\/td>\n<\/tr>\n
    Traditional and legacy applications<\/td>\nMost on-premises applications use LDAP, Windows-Integrated Authentication (NTLM and Kerberos), or Header-based authentication to control access to users.<\/td>\nAzure AD can provide access to these types of on-premises apps using Azure AD application proxy agents running on-premises. Using this method, Azure AD can authenticate Active Directory users on-premises using Kerberos while you migrate or need to coexist with legacy apps.<\/td>\n<\/tr>\n
    SaaS applications<\/td>\nActive Directory doesn’t support SaaS applications natively and requires a federation system, such as AD FS.<\/td>\nSaaS apps supporting OAuth2, SAML, and WS-* authentication can be integrated to use Azure AD for authentication.<\/td>\n<\/tr>\n
    Line of business (LoB) applications with modern authentication<\/td>\nOrganizations can use AD FS with Active Directory to support LoB applications requiring modern authentication.<\/td>\nLoB applications requiring modern authentication can be configured to use Azure AD for authentication.<\/td>\n<\/tr>\n
    Mid-tier\/Daemon services<\/td>\nServices running in on-premises environments normally use AD service accounts or group Managed Service Accounts (gMSA) to run. These apps will then inherit the permissions of the service account.<\/td>\nAzure AD provides managed identities to run other workloads in the cloud. The lifecycle of these identities is managed by Azure AD and is tied to the resource provider can\u2019t be used for other purposes to gain backdoor access.<\/td>\n<\/tr>\n
    Devices<\/strong><\/td>\n<\/tr>\n
    Mobile<\/td>\nActive Directory doesn\u2019t natively support mobile devices without third-party solutions.<\/td>\nMicrosoft\u2019s mobile device management solution, Microsoft Intune, is integrated with Azure AD. Microsoft Intune provides device state information to the identity system to evaluate during authentication.<\/td>\n<\/tr>\n
    Windows desktops<\/td>\nActive Directory provides the ability to domain join Windows devices to manage them using Group Policy, System Center Configuration Manager, or other third-party solutions.<\/td>\nWindows devices can be joined to Azure AD. Conditional access can check whether a device is Azure AD, joined as part of the authentication process.
    \nWindows devices can also be managed with Microsoft Intune. In this case, conditional access will consider whether a device is compliant (for example, up-to-date security patches and virus signatures) before allowing access to the apps.<\/td>\n<\/tr>\n
    Windows servers<\/td>\nActive Directory provides strong management capabilities for on-premises Windows servers using Group Policy or other management solutions.<\/td>\nWindows servers virtual machines in Azure can be managed with Azure AD Domain Services. Managed identities can be used when VMs need access to the identity system directory or resources.<\/td>\n<\/tr>\n
    Linux\/Unix workloads<\/td>\nActive Directory doesn’t natively support non-Windows without third-party solutions, although Linux machines can be configured to authenticate with Active Directory as a Kerberos realm.<\/td>\nLinux\/Unix VMs can use managed identities to access the identity system or resources. Some organizations migrate these workloads to cloud container technologies, which can also use managed identities.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

    \"\"<\/a><\/p>\n

    <\/span>Monitoring Azure Active Directory<\/span><\/h2>\n

    When monitoring Azure AD, you will need tools that monitor logs, events, metrics, and traces both continually and historically to identify potential issues. In future blog posts, I\u2019ll go into details on how to audit AD but to give an idea of what is possible, here are a few examples of what eG Enterprise<\/a> covers:<\/p>\n