Let’s talk about Azure AD

Kenny Li
12 min read · Jul 13, 2023


Azure Active Directory (Azure AD) is a comprehensive identity and access management solution offered by Microsoft. It provides a wide range of powerful features and capabilities that enhance security, streamline user access, and simplify identity management. From advanced security measures like conditional access and identity protection to enhancing user experience with single sign-on and self-service options, Azure AD empowers organizations to establish a robust and user-friendly identity framework. Azure AD seamlessly integrates with other Microsoft services and platforms, such as Microsoft 365 and Azure cloud services, creating a unified ecosystem that enhances productivity, collaboration, and security. Whether you’re managing internal users, external partners, or a combination of both, Azure AD offers identity governance and hybrid identity management solutions to ensure comprehensive control and flexibility. Additionally, Azure AD simplifies infrastructure management by centralizing identity and access management across various applications and services, providing organizations with a seamless and efficient solution for their identity needs.

How does Azure AD differ from Active Directory?

Active Directory (AD) is a directory service developed by Microsoft that is used to manage and organize resources in a Windows network environment. It provides a centralized database of user accounts, computer accounts, and other network resources, enabling administrators to authenticate and authorize users and control their access to resources, in a scalable manner. Active Directory plays a vital role in managing security policies, allowing administrators to define and enforce security settings across the network. It also facilitates the implementation of group policies, which enable administrators to manage and configure user and computer settings. Additionally, Active Directory supports domain services, providing a hierarchical structure for organizing network resources, including domains, forests, and trusts. Active Directory was first included in Windows 2000 Server and has been a foundational component of Windows-based networks since then.

The comparison below is taken from a table that Microsoft publishes on its Microsoft Learn site. Each row gives the Active Directory approach first, then the Azure AD approach.

User

Provisioning: users
AD: Organizations create internal users manually or use an in-house or automated provisioning system, such as Microsoft Identity Manager, to integrate with an HR system.
Azure AD: Existing AD organizations use Azure AD Connect to sync identities to the cloud. Azure AD adds support to automatically create users from cloud HR systems. Azure AD can provision identities in SCIM-enabled SaaS apps to automatically provide apps with the necessary details to allow access for users.

Provisioning: external identities
AD: Organizations create external users manually as regular users in a dedicated external AD forest, resulting in administration overhead to manage the lifecycle of external identities (guest users).
Azure AD: Azure AD provides a special class of identity to support external identities. Azure AD B2B manages the link to the external user identity to make sure it is valid.

Entitlement management and groups
AD: Administrators make users members of groups. App and resource owners then give groups access to apps or resources.
Azure AD: Groups are also available in Azure AD, and administrators can likewise use groups to grant permissions to resources. In Azure AD, administrators can assign group membership manually or use a query to dynamically include users in a group. Administrators can use Entitlement management in Azure AD to give users access to a collection of apps and resources using workflows and, if necessary, time-based criteria.

Admin management
AD: Organizations use a combination of domains, organizational units, and groups in AD to delegate administrative rights to manage the directory and the resources it controls.
Azure AD: Azure AD provides built-in roles with its Azure AD role-based access control (Azure AD RBAC) system, with limited support for creating custom roles to delegate privileged access to the identity system, the apps, and the resources it controls. Role management can be enhanced with Privileged Identity Management (PIM) to provide just-in-time, time-restricted, or workflow-based access to privileged roles.

Credential management
AD: Credentials in Active Directory are based on passwords, certificate authentication, and smartcard authentication. Passwords are managed using password policies that are based on password length, expiry, and complexity.
Azure AD: Azure AD uses intelligent password protection for cloud and on-premises. Protection includes smart lockout plus blocking common and custom password phrases and substitutions. Azure AD significantly boosts security through multi-factor authentication and passwordless technologies, like FIDO2. Azure AD reduces support costs by providing users a self-service password reset system.

Apps

Infrastructure apps
AD: Active Directory forms the basis for many on-premises infrastructure components, for example DNS, DHCP, IPsec, WiFi, NPS, and VPN access.
Azure AD: In the cloud world, Azure AD is the new control plane for accessing apps, instead of relying on networking controls. When users authenticate, Conditional Access (CA) controls which users have access to which apps under the required conditions.

Traditional and legacy apps
AD: Most on-premises apps use LDAP, Windows Integrated Authentication (NTLM and Kerberos), or header-based authentication to control user access.
Azure AD: Azure AD can provide access to these types of on-premises apps using Azure AD Application Proxy agents running on-premises. Using this method, Azure AD can authenticate Active Directory users on-premises using Kerberos while you migrate or need to coexist with legacy apps.

SaaS apps
AD: Active Directory doesn't support SaaS apps natively and requires a federation system, such as AD FS.
Azure AD: SaaS apps supporting OAuth2, SAML, and WS-* authentication can be integrated to use Azure AD for authentication.

Line of business (LOB) apps with modern authentication
AD: Organizations can use AD FS with Active Directory to support LOB apps requiring modern authentication.
Azure AD: LOB apps requiring modern authentication can be configured to use Azure AD for authentication.

Mid-tier/Daemon services
AD: Services running in on-premises environments normally run under AD service accounts or group Managed Service Accounts (gMSA). These apps then inherit the permissions of the service account.
Azure AD: Azure AD provides managed identities to run workloads in the cloud. The lifecycle of these identities is managed by Azure AD and is tied to the resource provider, so they can't be used for other purposes to gain backdoor access.

Devices

Mobile
AD: Active Directory doesn't natively support mobile devices without third-party solutions.
Azure AD: Microsoft's mobile device management solution, Microsoft Intune, is integrated with Azure AD. Microsoft Intune provides device state information to the identity system to evaluate during authentication.

Windows desktops
AD: Active Directory provides the ability to domain-join Windows devices and manage them using Group Policy, System Center Configuration Manager, or other third-party solutions.
Azure AD: Windows devices can be joined to Azure AD. Conditional Access can check whether a device is Azure AD joined as part of the authentication process. Windows devices can also be managed with Microsoft Intune. In this case, Conditional Access considers whether a device is compliant (for example, up-to-date security patches and virus signatures) before allowing access to the apps.

Windows servers
AD: Active Directory provides strong management capabilities for on-premises Windows servers using Group Policy or other management solutions.
Azure AD: Windows Server virtual machines in Azure can be managed with Azure AD Domain Services. Managed identities can be used when VMs need access to the identity system directory or resources.

Linux/Unix workloads
AD: Active Directory doesn't natively support non-Windows systems without third-party solutions, although Linux machines can be configured to authenticate with Active Directory as a Kerberos realm.
Azure AD: Linux/Unix VMs can use managed identities to access the identity system or resources. Some organizations migrate these workloads to cloud container technologies, which can also use managed identities.

To sum up the comparison above, Active Directory and Azure Active Directory (Azure AD) have both similarities and differences. Both are focused on identity and access management, but distinct characteristics set them apart. Active Directory is primarily designed for on-premises environments and is tightly integrated with Windows Server. It offers extensive control over domain-based resources and provides features like domain join, Group Policy, and LDAP support.

On the other hand, Azure Active Directory is a cloud-based identity and access management service that is part of the Microsoft Azure cloud platform. It extends the capabilities of Active Directory to the cloud and provides identity services for cloud-centric and hybrid environments. Azure AD offers features such as single sign-on, multi-factor authentication, and application management, which are essential for modern cloud-based applications and services.

While Active Directory is suited for managing on-premises resources, Azure AD is optimized for managing cloud resources, including Microsoft 365, Azure services, and other SaaS applications. It provides a centralized identity platform that enables users to access resources from anywhere, on any device, using their organizational credentials.

By leveraging both Active Directory and Azure Active Directory, organizations can achieve a hybrid identity model, where users can seamlessly authenticate and access resources across on-premises and cloud environments. This hybrid approach allows organizations to leverage their existing investments in Active Directory while taking advantage of the scalability, flexibility, and modern features offered by Azure AD.

Azure AD offers various licensing options to cater to different organizational needs. See below for what each license offers from Microsoft Azure AD.

  • Azure Active Directory Free. Provides user and group management, on-premises directory synchronization, basic reports, self-service password change for cloud users, and single sign-on across Azure, Microsoft 365, and many popular SaaS apps.
  • Azure Active Directory Premium P1. In addition to the Free features, P1 also lets your hybrid users access both on-premises and cloud resources. It also supports advanced administration, such as dynamic groups, self-service group management, Microsoft Identity Manager, and cloud write-back capabilities, which allow self-service password reset for your on-premises users.
  • Azure Active Directory Premium P2. In addition to the Free and P1 features, P2 also offers Azure Active Directory Identity Protection to help provide risk-based Conditional Access to your apps and critical company data and Privileged Identity Management to help discover, restrict, and monitor administrators and their access to resources and to provide just-in-time access when needed.
  • “Pay as you go” feature licenses. You can also get licenses for features such as, Azure Active Directory Business-to-Customer (B2C). B2C can help you provide identity and access management solutions for your customer-facing apps. For more information, see Azure Active Directory B2C documentation.

As you progress to higher-tier licenses, you gain access to more robust security and management features, enabling you to enhance your overall identity and access management strategy in the cloud environment.

We have discussed Azure AD and compared it to traditional Active Directory. However, Azure AD is vast, and covering everything in a single post would make it too lengthy. This post concludes with an actual Azure AD implementation story from Walmart; more in-depth Azure AD topics will follow in future posts. So, stay tuned for more insights into Azure AD!

Now, let’s look at a real-world implementation of Azure AD with Walmart.

Today’s post was written by Sue Bohn, partner director of Program Management and Ben Byford and Gerald Corson, senior directors of Identity and Access Management at Walmart.

Greetings!

I’m Sue Bohn, partner director of Program Management at Microsoft. I’m an insatiable, lifelong learner and I lead the Customer & Partner Success team for the Identity Division. I’m jazzed to introduce the “Voice of the Customer” blog series. In this series, the best of our customers will present their deployment stories to help you learn how you can get the most out of Azure Active Directory (Azure AD). Today we’ll hear from Walmart. I love the convenience of Walmart; where else can you buy tires, socks, and orange juice in one trip?

Walmart teamed up with Microsoft to digitally transform its operations, empower associates with easy-to-use technology, and make shopping faster and easier for millions of customers around the world. But this strategic partnership didn’t just happen overnight. In the beginning, Walmart’s cybersecurity team was skeptical about the security of the public cloud and Azure AD. Ben Byford and Gerald Corson, senior directors of Identity and Access Management at Walmart, share their team’s journey working with Microsoft to embrace the cloud with Azure AD:

Working closely with our Microsoft account team convinced us we could safely write back to on-premises and enable password hash synch

In the beginning, we were willing to feed to the cloud but at that time not comfortable allowing the syncing of passwords to the cloud or write back to on-premises from cloud. We were skeptical of the security controls. We involved Microsoft in the strategy and planning phases of our initiatives and made slow but steady progress. As we worked with the Microsoft team, representatives were eager to get any and all feedback and to provide it to their product groups. This led to our critical Azure AD enhancement requests being received and solutions were delivered. When we ran into bugs, we were able to troubleshoot issues with the very people who wrote the application code. Our Microsoft account team was right there with us, in the trenches, and they were committed to making sure we were confident in Azure AD’s capabilities. Over time, as we learned more about Azure AD and the new security features we were enabling, our trust in Microsoft’s Azure AD security capabilities grew and many of our security concerns were alleviated.

Given our scale, validating and verifying the security capabilities of Azure AD was key to empowering our users while still protecting the enterprise. Walmart currently has over 2.5 million Azure AD users enrolled, and with that many users we need very granular controls to adequately protect our assets. The entire team, including Microsoft, rolled up our sleeves to figure out how to make it work, and together we’ve enabled several features that let us apply custom security policies. Azure Information Protection (AIP), an amazing solution that is only possible with Azure AD, allows us to classify and label documents and emails to better protect our data. Azure AD Privileged Identity Management (PIM) gives us more visibility and control over admins. Azure AD dynamic groups lets us automatically enable app access to our users. This is a huge time saver in an environment with over half a million groups. With all of the work we did with Microsoft and our internal security team, we were able to turn on the two features we previously did not think we would be able to — password hash synch and write back from cloud to on-premises. This was critical to our journey as we had never allowed a cloud solution to feed back into our core environment in this manner.

Driving down help desk calls with self-service password reset

One example that shows how much we trust the security of Azure AD and the cloud is self-service password reset (SSPR). The biggest driver of help desk calls at Walmart is people who get locked out of their accounts because of a forgotten password. It wastes a tremendous amount of our help desk’s time and frustrates associates who lose time sitting on the phone. We believed that letting users reset their passwords and unlock their accounts without help desk involvement would go a long way and improve productivity, but we had always been nervous about giving people who weren’t on Walmart PCs that kind of access. Another hurdle was ensuring that our hourly associates were only able to utilize this service while they were clocked in for work. Microsoft helped us solve this with the implementation of custom controls.

Our Microsoft team supported us the entire way, and we’re proud to say that SSPR is being rolled out. When we started this journey, we would never have believed that we would allow people to reset their passwords from a public interface, but here we are, and the user experience is great!

Engage Microsoft early

If there is one thing we would have done differently, it would be to engage Microsoft at a deeper level earlier on in the process. Our public cloud adoption didn’t really take off until we brought them in and spent time with their backend product engineering teams. Microsoft’s commitment to improving security and the cloud is clear. Their work to safeguard data has continuously improved, and while we work closer with them, they also continue to incorporate our feedback into future feature releases. It is the relationship that has allowed us to securely implement Azure AD at our scale.

Written by Kenny Li

An ardent believer in continuous learning, I thrive on solving IT challenges and delivering innovative solutions that exceed expectations. Marathon runner.