Introduction
Last year, when I talked with customers during strategic roadmap exercises, I always conveyed one big message to them:
“If you only have room in your budget for one project, then it’s <cloud identity>!”
The IT landscape is evolving at a pace none of us can keep up with… Really, you are not alone! Looking towards applications & cloud services, they are breeding faster than rats / mice / … Do you really want to manage one million (or more) directories? Because each application potentially has its own directory for authentication. And what happens when someone joins or leaves the company? Then we, as IT, would need to make changes to those one million directories… Ohhhh my! So you really need an identity strategy!
Identity vision for Enterprises
So the vision I want to instil in everyone out there is the following:
One Organization Identity
per Person
for ALL applications
If you haven’t… read that vision once more. You’ll need to think about how you can manage that statement. Because for the moment, no offense meant, most organizations out there haven’t…
For those who are regular readers of my blog, or follow me on Twitter, you might have noticed the same message in my presentation on “Cloud & Security”.
Identity is the base foundation for any security initiative you are going to embark upon.
I cannot stress this enough… You cannot achieve one of the base security principles, “Confidentiality”, without being able to identify a person. And it will be unmanageable to have more than one identity per person (in relation to the organization).
Now be aware that I said: one organizational identity… Also know that this person will probably have identities outside of the organization as well. So keep this in mind too… But that’s something we’ll tackle later on in the “B2C” story.
Azure Active Directory
So what is Azure Active Directory (aka “AAD”)?
Azure Active Directory (Azure AD) is Microsoft’s multi-tenant cloud based directory and identity management service.
For IT Admins, Azure AD provides an affordable, easy to use solution to give employees and business partners single sign-on (SSO) access to thousands of cloud SaaS Applications like Office365, Salesforce.com, DropBox, and Concur.
For application developers, Azure AD lets you focus on building your application by making it fast and simple to integrate with a world class identity management solution used by millions of organizations around the world.
Azure AD also includes a full suite of identity management capabilities including multi-factor authentication, device registration, self-service password management, self-service group management, privileged account management, role based access control, application usage monitoring, rich auditing and security monitoring and alerting. These capabilities can help secure cloud based applications, streamline IT processes, cut costs and help ensure that corporate compliance goals are met.
Is it the same as the Active Directory (aka “AD”) we know from having a domain within our network? No… Consider AAD a cloud-based flat directory. You won’t be able to join servers & assign GPOs (for now). Want to learn more? I strongly recommend starting off with the following infographic: https://azure.microsoft.com/en-us/documentation/infographics/cloud-identity-and-access/
Identity Models
Many people first run into AAD when implementing Office 365. It’s often referred to as “the tenant where all the users reside”. So it will not surprise you that I’m going to refer to a great blog post where the different sign-in models of Office 365 are explained: https://blogs.office.com/2014/05/13/choosing-a-sign-in-model-for-office-365/
As you have probably noticed, this post goes back to 2014… More than 2 years ago! So it’s not something new, and it’s been proven in the market as a (more than) decent solution!
Anyhow, there are three sign-in models:
For most enterprises, this always comes back to either “Synchronized Identity” or “Federated Identity”. What’s the difference between the two? If we boil it down a lot… With “Federated Identity” you authenticate via a federation mechanism (like ADFS, Active Directory Federation Services) directly against your own directory. With “Synchronized Identity”, you authenticate against the cloud directory of AAD itself. The users and passwords will have been synced into this directory, so this is a “one password” strategy, whereas “Federated Identity” is more of a “single sign-on” strategy.
Now, as I mentioned, these models have been around for quite some time. To make matters a bit more complex, know that “AAD Pass-Through Authentication” is currently in preview… Again, summarizing things a bit crudely, this is a solution that sits somewhere between Synced & Federated Identity. Look at it like a (lightweight) managed ADFS in the cloud. For more info on that, check Nicholas Romyn’s blog post on it!
Different flavours
So we’re up to speed on “the basics”? 😉 Know that AAD comes in various flavours… I would advise you to check out the following documentation page for a comprehensive view on the matter, and of course the Azure pricing page.
In essence:
- Free (0€) : Good for an entry with Office 365 and a limited set of applications.
- Basic (~1€) : Same as free + branding + self service + application proxy + provisioning
- Premium P1 (~5€) : A lot of nice enterprise features like Multi-Factor Authentication, Conditional Access, Cloud App Discovery, Advanced Reporting & Self Service, etc.
- Premium P2 (~7,5€) : Same as P1, enhanced with Identity Protection & Privileged Identity Management.
And in the end you can provide a single portal for all your cloud apps (if wanted)…
B2B
Another concept that is possible with AAD is “B2B”… Where is this useful? Every company that uses Office 365 has an AAD in the backend. The identities of those organizations are stored/linked in that directory. With B2B we are able to grant permissions in our applications to an identity that is stored with another organization. The identity is still managed by that organization, and we’re “merely” referencing it. What’s a practical use case?
- Azure : Grant your service provider access to resources via their organizational account. You manage who gets access. The partner manages the user (and its authentication process).
- Office 365 : Grant partners access to your SharePoint with their own organizational account.
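To make the difference between the sign-in models and the B2B reference concrete, here is a small added simulation (my own illustration, not code from Microsoft or from this post). It models an on-premises directory with its federation service, and a cloud tenant that holds a password verifier for a synchronized domain, trusts signed tokens for a federated domain, and stores only a pointer to the home tenant for a B2B guest. The tenant names, users and passwords are constructed, and an HMAC key stands in for the real ADFS token-signing certificate.

```python
import hashlib
import hmac
import json
import os
import secrets
import time

# Constructed sample: hypothetical "contoso.example" / "fabrikam.example" tenants.
# Stand-in for AD, ADFS and AAD behaviour, not the product's own code.


def password_verifier(password: str, salt: bytes) -> bytes:
    """What gets stored or synced is a derived verifier, never the clear-text password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class OnPremDirectory:
    """Models on-premises AD together with its federation service (ADFS)."""

    def __init__(self, domain: str):
        self.domain = domain
        self.users = {}  # upn -> {"salt", "verifier", "enabled"}
        self.signing_key = secrets.token_bytes(32)  # stands in for the ADFS signing certificate

    def add_user(self, upn: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[upn] = {"salt": salt, "verifier": password_verifier(password, salt), "enabled": True}

    def check_password(self, upn: str, password: str) -> bool:
        u = self.users.get(upn)
        if not u or not u["enabled"]:
            return False
        return hmac.compare_digest(u["verifier"], password_verifier(password, u["salt"]))

    def issue_token(self, upn: str, password: str):
        """Federated sign-in: authenticate locally, return (body, signature); the cloud never sees the password."""
        if not self.check_password(upn, password):
            return None
        body = json.dumps({"upn": upn, "iss": self.domain, "exp": int(time.time()) + 300}, sort_keys=True).encode()
        return body, hmac.new(self.signing_key, body, "sha256").hexdigest()


class CloudDirectory:
    """Models an AAD tenant: a flat user list plus a sign-in model per domain."""

    def __init__(self, name: str):
        self.name = name
        self.domains = {}  # domain -> {"model": "synced" | "federated", "key": ...}
        self.users = {}    # upn -> synced verifier, bare user object, or B2B reference

    def register_synced_domain(self, onprem: OnPremDirectory) -> None:
        """Synchronized Identity: user objects and password verifiers are copied to the cloud."""
        self.domains[onprem.domain] = {"model": "synced"}
        for upn, u in onprem.users.items():
            self.users[upn] = {"salt": u["salt"], "verifier": u["verifier"]}

    def register_federated_domain(self, onprem: OnPremDirectory) -> None:
        """Federated Identity: user objects are synced, passwords stay on-premises, ADFS tokens are trusted."""
        self.domains[onprem.domain] = {"model": "federated", "key": onprem.signing_key}
        for upn in onprem.users:
            self.users[upn] = {}

    def invite_guest(self, upn: str, home: "CloudDirectory") -> None:
        """B2B: store only a reference to the home tenant; no credential is copied."""
        self.users[upn] = {"guest_of": home}

    def authenticate(self, upn, password=None, token=None) -> bool:
        u = self.users.get(upn)
        if u is None:
            return False
        if "guest_of" in u:  # B2B guest: the home tenant decides, so a disable there revokes access here
            return u["guest_of"].authenticate(upn, password=password, token=token)
        domain = upn.rsplit("@", 1)[-1]
        model = self.domains.get(domain, {}).get("model", "cloud")
        if model == "federated":
            if token is None:
                return False
            body, sig = token
            expected = hmac.new(self.domains[domain]["key"], body, "sha256").hexdigest()
            if not hmac.compare_digest(expected, sig):
                return False
            claims = json.loads(body)
            return claims["upn"] == upn and claims["iss"] == domain and claims["exp"] > time.time()
        # cloud-only or synced: check the password against the verifier held in the cloud
        if password is None or "verifier" not in u:
            return False
        return hmac.compare_digest(u["verifier"], password_verifier(password, u["salt"]))


def demo() -> dict:
    """Run the synced, federated and B2B scenarios; returns which sign-ins succeed."""
    contoso = OnPremDirectory("contoso.example")
    contoso.add_user("alice@contoso.example", "correct horse")
    fabrikam = OnPremDirectory("fabrikam.example")
    bob, pw = "bob@fabrikam.example", "battery staple"
    fabrikam.add_user(bob, pw)
    contoso_aad = CloudDirectory("contoso-tenant")
    contoso_aad.register_synced_domain(contoso)
    fabrikam_aad = CloudDirectory("fabrikam-tenant")
    fabrikam_aad.register_federated_domain(fabrikam)

    r = {}
    r["synced_ok"] = contoso_aad.authenticate("alice@contoso.example", password="correct horse")
    r["synced_wrong_password"] = contoso_aad.authenticate("alice@contoso.example", password="nope")
    r["federated_ok"] = fabrikam_aad.authenticate(bob, token=fabrikam.issue_token(bob, pw))
    r["federated_password_refused"] = fabrikam_aad.authenticate(bob, password=pw)  # no verifier in the cloud
    contoso_aad.invite_guest(bob, fabrikam_aad)  # contoso only references fabrikam's tenant
    r["guest_ok"] = contoso_aad.authenticate(bob, token=fabrikam.issue_token(bob, pw))
    fabrikam.users[bob]["enabled"] = False  # bob leaves fabrikam; nothing changes at contoso
    r["guest_after_home_disable"] = contoso_aad.authenticate(bob, token=fabrikam.issue_token(bob, pw))
    return r


if __name__ == "__main__":
    for scenario, ok in demo().items():
        print(f"{scenario}: {ok}")
```

The last two results are the B2B point of the section: contoso never held bob’s credential, and the moment fabrikam disables him, his access at contoso is gone without anyone at contoso touching their directory.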
B2C
“B2C” enables you to have a cloud identity management system for your customer facing web & mobile applications. It’s an enterprise grade platform where you can link to other identity providers (like Google, Facebook, Twitter, etc) if you want to, or store it in your own dedicated B2C directory. So no need to create your own login & access management system for it!
TL;DR
- AAD is not the same as AD
- AAD offers a lot of features interesting to Enterprises
- AAD covers a lot of scenarios, from cloud identity to B2B to B2C.