Azure Active Directory: Introduction
Azure Active Directory is a multi-tenant, cloud-based directory and identity management service provided by Microsoft. It offers identity and access capabilities for applications running in both Microsoft Azure and in an on-premises environment. It is the foundation for Office 365 and other SaaS applications; users are allowed to sign in and access the resources in these applications. As it is entirely cloud-based, it offers more flexibility; hence it can act as an organization’s only directory and can also be synced with an on-premises directory.
What is Azure Active Directory used for?
In Azure Active Directory core directory services, access management, and identity protection are integrated into a single solution. In a large organization containing thousands of employees, each employee may need to access certain applications and services to perform their tasks. In the absence of Azure AD, the administrator has to provide a separate user ID and password for each application.
For example, a sales manager may need to access a folder containing inventory details, a database containing consumer information and a printer. Without Azure Active Directory, the IT administrator would have to provide a separate set of login credentials such as a user id and password to access each of these resources. This becomes a tedious process if this has to be done in an organization containing thousands of employees. However, with Azure Active Directory, multiple user logins can be handled without any issues. A single set of login credentials is sufficient to access all the services required by the employee. This is enhanced by features such as single sign-on (SSO), multi-factor authentication (MFA), and conditional access which helps maintain security and ease of access.
Who can use Azure AD?
Azure AD consists of three different types of service audiences namely IT administrators, application developers, and online customers.
- The IT administrators are responsible for authentication and sign-in procedures.
- Applications are built by the application developers using these services.
- The online customers use the services provided to them and their needs are taken care of by the service provider.
The service audience can choose an Azure Active Directory plan that works best for their requirements.
How does Azure AD differ from Windows AD?
While Windows Active Directory is an on-premises directory service, Azure AD Besides the contrast in on-premise and cloud location, there are many other differences listed as follows.
Windows AD is made up of components like organizational units, forests, and domains. It uses the Lightweight Directory Access Protocol (LDAP) for communication. It uses Kerberos and NTLM for the process of authentication. It uses Group Policy (GPOs) or other on-premise server management systems and is incapable of managing mobile devices.
Azure AD is composed of a flat directory structure of users and groups, where the instances are called “tenants”. It uses Representational State Transfer (REST) APIs for communication with other web-based services. Cloud-based protocols like OAuth2, SAML, and WS-Security are used for authorization and authentication. Azure Policy and Azure AD Domain Services are used for managing servers. It is capable of managing mobile devices.
Users and Groups in Azure AD
Users and groups are the basic components that makeup Azure Active Directory. Azure resources can only be accessed by users with an Azure user account. This account contains all the authentication information of the user, which is required during the sign-on process. An access token is built after the process of authentication to determine the resources that can be accessed by the user. Users are generally defined in three ways in Azure AD. They are:
- Administrator users
- Member users
- Guest users
Each type of user has a specific level of access. Administrators have the highest level of access followed by members, and the guest users have the lowest level of access.
In Azure Active Directory, users can be organized together to form a group, where the groups behave alike. It is easier to manage permissions using Microsoft Azure AD groups as they may be granted at the group level to make processes like authentication and deactivation easier. Users may either be sourced from an account in Azure AD or from an account in Microsoft. Two different types of groups may be defined in Azure AD. They are:
- Security groups: These groups can be used to manage and provide access to resources that are shared by a group of users. A security group allows all the members of the group to be provided permissions at once, instead of giving permissions to each member individually. This group may contain users, devices, service principals and other groups as its members.
- Microsoft 365 groups: This type of group can be used to allow members to access shared Microsoft services such as mailbox, files, calendar, etc. Even external users can be added as members. Unlike security groups, these groups only allow users to be members.
Adding users and groups to Azure AD
Users and groups may be added to Azure AD in the following ways:
- Syncing users from Windows AD to Azure AD using Azure AD Connect.
- Adding users manually with the help of Azure Management Portal.
- Scripting the process with Azure Active Directory PowerShell to add new users.
- Programming the process using Azure AD Graph API.
The following steps define how to create a basic group in the Azure Active Directory and add members to the group.
- Sign in to the Azure Portal using a Global Administrator account and select Azure Active Directory.
- Once you enter the Azure Active Directory page, select Groups–>New Group, to create a new group.
- Enter the required information on the New Group panel such group type, group name, group email address and the group description.
- Select a Membership type from the available options such as Assigned, Dynamic user and Dynamic device.
- Select Create to create the group and add members.
- In the Group page, select the Members option and add members to the group from the Select Members page.
- After adding the members, choose the Select option to complete the process.
- The members who are added to the group are displayed in the Group Overview page.
Access Management in Azure AD
In Azure AD, access rights can be given to users or groups to use the organization’s resources. Instead of providing access individually, the administrator or resource owner can provide access permissions to the group as a whole. Management rights can also be given to a member of the group, allowing them to add and remove the group members.
Access rights can be provided to users in the following ways.
- Direct assignment: The resource is assigned directly to the user, by the resource owner.
- Group assignment: The resource is assigned to a group by the owner, which allows all the members of the group to access the resource.
- Rule-based assignment: The resource is assigned to the users based on a rule specified by the resource owner. These rules are based on certain attributes assigned to the users.
- External authority assignment: The access to the resource is provided by an external source, such as an on-premises directory.
Security in Azure AD
Security can be maintained in Azure Active Directory by performing certain security defaults that are mentioned as follows. This helps protect the organization against both internal and external threats.
- All users should be required to perform Multi-factor Authentication (MFA).
- Privileged activities like the Azure portal access should be protected.
- Legacy authentication protocols should be blocked.
Security defaults can be enabled using the following steps.
- Sign in to the Azure portal as a security administrator, global administrator or a Conditional Access administrator and select Azure Active DirectoryàProperties.
- Select Manage security defaults and choose the Yes option for Enable security defaults.
- Finalize by selecting the Save option.
They can be disabled by following similar steps as mentioned above and selecting the No option in step 3.
Azure Active Directory Pros and Cons
Azure AD provides high availability and strong security measures. Multi-factor Authentication, Privileged Identity Management, and Conditional Access provide an extra layer of security against risks and threats. It is highly flexible and scalable and is entirely cloud-based. Features like Single Sign-on offer ease of access.
On the other hand, Azure AD requires some expertise in managing Microsoft Azure which includes server monitoring and patching. While the single solution offered by Azure AD increases the ease of access, it also increases the risks associated.