Introduction (Mastering Microsoft Azure Active Directory Part 1)

Tashikmoinsheikh
5 min read · Jul 31, 2022


In this article, we will understand the need for Microsoft Azure Active Directory.

Before Active Directory
1. Companies managed user credentials manually on each user's device. The problems with this approach were:

  • Admin accounts had to be shared to reset or update credentials when a user at a remote location had login issues.
  • Credentials were difficult to manage separately on every user device.

2. After running into these issues with local credential management, many organizations moved to a client-server architecture, but that approach still had its own issue:

  • The same user needed a different set of credentials for each organization application running on a different server, because every application required its own credential management.

After Active Directory

1. Self-Managed Active Directory (Single Domain Controller)
A domain controller is set up using DCPromo. DCPromo (Domain Controller Promoter) is a tool in Active Directory that installs and removes Active Directory Domain Services and promotes a server to a domain controller. It is called a domain controller because it creates a logical boundary, and all the servers/systems come under that boundary. We add the credentials of each user to this domain controller, and when any user (from any device) wants to authenticate to any server inside our domain, the authentication request is sent to the domain controller.

The domain controller has a trust relationship with every server in the domain (steps 4 and 5), and through this trust relationship the servers in the domain know how to verify a token/claim signed by the domain controller when a client presents it to any server in the domain for authentication.

Note: There can be multiple servers in a domain, and the same authentication mechanism is followed for each of them.

Applications/Servers outside the domain
Even if a server is not part of our domain, we can integrate it with our domain so that users can authenticate to that server as well.

Assuming Server-A is not part of our domain.

The benefits of a single domain controller (single directory) are:

  • Users can log in from any remote location.
  • Users can log in with the same Active Directory credentials to every application/server (even a server that is not part of our domain).

The challenges with a single domain controller (single directory) are:

  • Availability
  • Scalability
  • High latency (every authentication from a different domain/office in a different region has to reach the single domain controller)

2. Self-Managed Active Directory (Multiple Domain Controllers)
In this case, multiple synchronized and consistent domain controllers are set up for multiple domains in multiple regions to address the availability, scalability, and latency challenges. The issue with this approach is the difficulty of management: there are now multiple domains and multiple domain controllers deployed in different regions. That is why Microsoft provides Active Directory as a managed service, operated by Microsoft.

3. Microsoft Azure Active Directory (Managed Service)
"Azure Active Directory (Azure AD) is a cloud-based identity and access management service. This service helps your employees access external resources, such as Microsoft 365, the Azure portal, and thousands of other SaaS applications. Azure Active Directory also helps them access internal resources like apps on your corporate intranet network." - Microsoft documentation.

To read more on the differences between Active Directory and Azure Active Directory:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad

Commonly used terms in Active Directory

Domain
A domain is a logical group of network objects (computers, users, devices) that share the same Active Directory database. When you add a domain to an existing tree, the new domain becomes a child domain of an existing parent domain.

Tree
A tree is a collection of one or more domains in a contiguous namespace, linked in a transitive trust hierarchy. When multiple domains share the same namespace (e.g., techdirect.local and zone.techdirect.local), they are in the same tree. A tree can contain multiple levels of domains.

Forest
A forest is a collection of one or more trees (and therefore one or more domains) that share a common global catalog, directory schema, logical structure, and directory configuration. The forest is the security boundary within which users, computers, groups, and other objects are accessible. What makes a forest unique is its shared schema: the schema defines which Active Directory objects exist and how they are stored.
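As an added example (not part of the original article), the Windows Server PowerShell steps from the ADDSDeployment module that build the structures described above: a forest root domain, a child domain in the same tree, and a second domain controller for availability (sections 1 and 2). The domain names follow the article's techdirect.local / zone.techdirect.local example; which server runs each block is an assumption.

```powershell
# Added example, not from the original article. Each block runs on a different
# server and each Install-ADDS* cmdlet reboots that server when it finishes.
# Passwords are prompted for rather than hard-coded.

# --- Server 1: install the AD DS role and create the forest root domain ---
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
Install-ADDSForest `
    -DomainName        'techdirect.local' `
    -DomainNetbiosName 'TECHDIRECT' `
    -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# --- Server 2: add a child domain, which places it in the same tree ---
# For -DomainType ChildDomain, -NewDomainName is the single label ("zone"),
# giving the FQDN zone.techdirect.local under the parent.
$cred = Get-Credential -Message 'Enterprise Admin of techdirect.local'
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSDomain `
    -NewDomainName    'zone' `
    -ParentDomainName 'techdirect.local' `
    -DomainType       ChildDomain `
    -Credential       $cred `
    -InstallDns `
    -CreateDnsDelegation `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# --- Server 3: a second domain controller for the root domain ---
# This is the "multiple domain controllers" setup that addresses availability
# and latency: the new DC replicates the same directory database.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Install-ADDSDomainController `
    -DomainName 'techdirect.local' `
    -Credential $cred `
    -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force

# --- Verify the resulting forest / tree / domain layout from any DC ---
Get-ADForest | Select-Object Name, Domains, SchemaMaster
Get-ADDomain -Identity 'zone.techdirect.local' |
    Select-Object DNSRoot, ParentDomain, ReplicaDirectoryServers
```

The final two commands show the forest listing both domains with one shared schema master, and the child domain reporting techdirect.local as its parent.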

To read more:
https://techdirectarchive.com/2020/04/11/what-is-active-directory-forest-trees-and-domain/
