Azure AD is a popular cloud-based directory and identity management service, developed by Microsoft. While it is essentially based on Active Directory, Microsoft’s on-premises identity management solution, Azure AD provides a number of additional features and benefits, which we will cover in this article.
To summarize, Azure AD is cost-effective, easy to use, and can be integrated with a wide range of platforms and applications, both on-premises and in the cloud. It provides Single Sign-On (SSO), together with multi-factor authentication and self-service password management. It also provides a number of additional security features, including security monitoring and alerting, and can be configured to detect anomalous logon attempts.
Benefits provided by Azure AD
Below is a more detailed explanation of the features/benefits provided by Azure AD.
Microsoft guarantees 99.9% availability. All data is first written to the Active Primary partition, and then replicated to the Passive Primary, and then to the Secondary Replica partitions, from which data is read. In total, Microsoft has 28 data centers spread across multiple geographic regions.
Strong Azure AD Security
As you would expect, Microsoft takes security very seriously. Azure AD has a number of security features, which include Multi-Factor Authentication, Conditional Access and Privileged Identity Management (PIM), to name a few.
Multi-Factor Authentication (MFA) in Azure AD
MFA provides an extra layer of security to accounts by requesting an additional form of verification. Azure AD provides the following MFA verification methods:
- Microsoft Authenticator app
- OATH Hardware token
- OATH Software token
- Voice call
You can set up Conditional Access policies to ensure that users are only granted access to the data they need to perform their role. These policies are basically if-then statements: if a set of conditions on the sign-in is met, then a control is enforced. The conditions can check a wide range of signals, including user or group membership, IP location, the devices and applications used, and more. Admins can also set up a ‘Dynamic Group’, whose membership changes automatically based on user attributes such as employee type, location, department, and more.
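The if-then structure of Conditional Access and of dynamic groups, as an added Python model that is not part of the original article and is not Azure AD's own policy engine: a policy matches on group, application and network-location signals; the grant controls of every matching policy must be satisfied, with a block winning over any grant; and dynamic group membership is recomputed from user attributes. All users, group names, CIDR ranges and policy names below are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class User:
    upn: str
    attributes: dict                       # directory attributes, e.g. department, employeeType
    groups: set = field(default_factory=set)


@dataclass
class SignIn:
    """The signals a policy can inspect for one sign-in attempt."""
    user: User
    app: str
    source_ip: str
    device_compliant: bool = False
    mfa_satisfied: bool = False


@dataclass
class Policy:
    """IF user in target_groups AND app in target_apps AND location condition THEN enforce controls."""
    name: str
    target_groups: set
    target_apps: set = field(default_factory=set)  # empty = every application
    trusted_cidrs: tuple = ()
    only_outside_trusted: bool = False             # location condition: fire only from untrusted networks
    block: bool = False                            # grant control "block access"
    require: frozenset = frozenset()               # grant controls: subset of {"mfa", "compliant_device"}


def dynamic_group_members(users, rule):
    """Dynamic membership rule: every (attribute, value) pair in the rule must match."""
    return {u.upn for u in users if all(u.attributes.get(k) == v for k, v in rule.items())}


def apply_dynamic_group(users, group_name, rule):
    """Recompute membership of a dynamic group from current attributes (adds and removes)."""
    members = dynamic_group_members(users, rule)
    for u in users:
        (u.groups.add if u.upn in members else u.groups.discard)(group_name)
    return members


def from_trusted_network(ip, cidrs):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


def policy_matches(p: Policy, s: SignIn) -> bool:
    if not (p.target_groups & s.user.groups):
        return False
    if p.target_apps and s.app not in p.target_apps:
        return False
    if p.only_outside_trusted and from_trusted_network(s.source_ip, p.trusted_cidrs):
        return False
    return True


def evaluate(signin: SignIn, policies):
    """Return ("block", [policy names]), ("challenge", [unmet controls]) or ("allow", [])."""
    matched = [p for p in policies if policy_matches(p, signin)]
    blocking = [p.name for p in matched if p.block]
    if blocking:                                   # a block control beats every grant control
        return "block", blocking
    required = set().union(*(p.require for p in matched)) if matched else set()
    satisfied = {"mfa"} if signin.mfa_satisfied else set()
    if signin.device_compliant:
        satisfied.add("compliant_device")
    unmet = sorted(required - satisfied)           # every matching policy's controls must hold
    return ("challenge", unmet) if unmet else ("allow", [])


def build_scenario():
    """Constructed tenant: three users, two dynamic groups, three policies."""
    users = [
        User("alice@example.test", {"department": "Finance", "employeeType": "Employee"}),
        User("bob@example.test", {"department": "Engineering", "employeeType": "Contractor"}),
        User("carol@example.test", {"department": "Finance", "employeeType": "Contractor"}),
    ]
    apply_dynamic_group(users, "Finance", {"department": "Finance"})
    apply_dynamic_group(users, "Contractors", {"employeeType": "Contractor"})
    policies = [
        Policy("MFA for Finance apps off-network", {"Finance"}, {"Salesforce"},
               trusted_cidrs=("10.0.0.0/8",), only_outside_trusted=True, require=frozenset({"mfa"})),
        Policy("Block contractors from Payroll", {"Contractors"}, {"Payroll"}, block=True),
        Policy("Contractors need a compliant device", {"Contractors"}, require=frozenset({"compliant_device"})),
    ]
    return {u.upn: u for u in users}, policies


if __name__ == "__main__":
    users, policies = build_scenario()
    print(evaluate(SignIn(users["alice@example.test"], "Salesforce", "203.0.113.5"), policies))
```

Running the sample: the Finance user signing in to Salesforce from inside 10.0.0.0/8 is allowed outright, from outside it is challenged for MFA; a contractor reaching for Payroll is blocked even though another policy would merely have demanded a compliant device.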
Privileged Identity Management (PIM) in Azure AD
Azure AD PIM enables fine-grained control over privileged accounts and the resources they have access to. This feature also provides an audit trail which will help administrators identify suspicious privileged account activity.
Azure AD supports a large number of identity providers, which means that users can log in to Azure AD using their Microsoft, Google, Facebook, or GitHub accounts. Additionally, Azure AD can be integrated into a wide range of apps, such as Salesforce, Office 365, and more. The Azure AD API can be easily integrated into applications built using a wide range of programming languages, such as .NET, Java, Python, and Ruby. It can also be integrated into mobile operating systems, such as Android and iOS.
Single Sign-on (SSO)
Azure AD’s SSO feature enables users to log in to multiple applications, both SaaS and on-premises, from a single pane. The SSO feature makes it easier for administrators to add new users and services without needing to set up credentials or security groups for each application or service.
The Application Proxy makes it easy for admins to publish their on-premises applications to Azure AD. Once published, users can access these applications remotely and securely – without the need for a VPN.
The MyApps portal (access panel) in Azure AD provides a list of all applications which the logged-on user is permitted to access. Additionally, directly from the MyApps portal, you can access features for account/group management, password management, and more. The MyApps portal can be accessed via a web browser or mobile app.
Self Service Features
Azure AD gives users more control over certain account functions, which can save time and money as there is less need to involve the administrator or other specialized members of staff. The most notable self-service feature is the self-service password reset (SSPR), which enables users to reset their passwords if/when required. To change their password, the user will be required to respond to security challenges, or even provide an additional verification method, if MFA is enabled. The user can also create and manage groups, as well as control which users are allowed to access the group, and the actions they are allowed to perform.
Azure AD Collaboration
Azure AD makes it easy to share information with partners and customers outside the organization. There are two main external collaboration features: Azure AD B2B (business-to-business) and Azure AD B2C (business-to-customer). The B2B feature enables you to invite business associates to your application or service, where they can use their existing Azure identity to sign in. The B2C feature is similar, but in this case, your customers can choose their own identity provider (Facebook, Google, GitHub, etc.) to sign in to your application or service. In both cases, the administrator can use MFA and Conditional Access policies to control access to resources.
Azure AD Reporting
Azure AD now provides a wealth of security/activity reports. These reports give administrators an overview of how their accounts, data, and applications are being accessed and used, and by whom. Administrators will also have visibility into any unauthorized cloud applications used within the ecosystem.
If you feel that the native auditing features of Azure AD are not sophisticated enough for your needs, or you are using a hybrid/multi-cloud environment, you can easily integrate a third-party real-time Azure AD auditing solution that uses machine learning models to detect and respond to anomalous activity. A dedicated third-party solution will also provide data discovery and classification, inactive user account management, real-time alerts to your inbox or mobile device, and more.