What is Azure Active Directory?
Azure Active Directory (Azure AD) is a cloud-based service for managing identities and access. It lets your staff sign in to external resources such as Microsoft 365, the Azure portal, and hundreds of other SaaS applications, as well as internal resources such as applications on your corporate intranet and any cloud apps built for your business.
Who uses Azure AD?
IT Admin: Based on a company's needs, utilize Azure AD to limit access to your applications and app resources as an IT administrator. For instance, you may utilize Azure AD to make it mandatory for users to provide two-factor authentication before accessing crucial corporate resources. Additionally, you may automate user provisioning across your current Windows Server AD and your cloud apps, such as Microsoft 365, using Azure AD. Last but not least, Azure AD provides you with strong features to automatically assist in protecting user identities and credentials as well as to satisfy your access governance needs.
App developers: As an app developer, you may utilize Azure AD to provide single sign-on (SSO) to your app, allowing it to interact with a user's pre-existing credentials. Azure AD also has APIs that can be used to build customized app experiences based on existing corporate data.
Microsoft 365, Office 365, Azure, or Dynamics CRM Online subscribers: As a subscriber, you already use Azure AD. Every Microsoft 365, Office 365, Azure, and Dynamics CRM Online tenant is automatically an Azure AD tenant, so you can start managing access to your connected cloud apps right away.
What are the Azure AD licenses?
Azure AD is required for sign-in and identity security in Microsoft Online business services such as Microsoft 365 and Microsoft Azure. If you subscribe to any Microsoft Online business service, you automatically receive Azure AD with all of its free features. To add premium functionality to your Azure AD deployment, upgrade to Azure Active Directory Premium P1 or Premium P2 licenses. The paid licenses for Azure AD build on top of your existing free directory; they add self-service, enhanced monitoring, security reporting, and secure access for your mobile users.
• Free Azure Active Directory. User and group administration, on-premises directory synchronization, basic reporting, self-service password reset for cloud users, and single sign-on across Azure, Microsoft 365, and many popular SaaS apps are all available.
• Premium Azure Active Directory P1. In addition to the Free features, P1 provides hybrid users with access to both on-premises and cloud resources. It also supports sophisticated administration features including dynamic groups, self-service group management, Microsoft Identity Manager, and cloud write-back capabilities, which enable on-premises users to change their own passwords.
• Premium Azure Active Directory P2. In addition to the Free and P1 capabilities, P2 includes Azure Active Directory Identity Protection, which provides risk-based Conditional Access to your apps and critical enterprise data, and Privileged Identity Management, which helps discover, restrict, and monitor administrators and their access to resources and provides just-in-time access when needed.
• Licenses for "pay as you go" features. Additional feature licenses, such as Azure Active Directory Business-to-Customer (B2C), are also available. B2C provides identity and access management for customer-facing apps.
Which features work in Azure AD?
After selecting your Azure AD license, your business will have access to some or all of the following features:
Category | Description
Application management | Use Application Proxy, single sign-on, the My Apps portal, and Software as a Service (SaaS) apps to manage your cloud and on-premises apps. For further information, read the Application Management documentation and How to enable secure remote access to on-premises apps.
Authentication | Manage self-service password reset, Multi-Factor Authentication, a custom prohibited password list, and smart lockout in Azure Active Directory.
Azure Active Directory for developers | Create apps that sign in with all Microsoft identities and obtain tokens to call Microsoft Graph, other Microsoft APIs, or custom APIs. See the Microsoft identity platform (Azure Active Directory for developers) documentation for further details.
Business-to-Business (B2B) | Manage your external partners and guest users while preserving control over your business data.
Business-to-Customer (B2C) | Customize and control how users sign up, sign in, and manage their profiles when using your apps.
Conditional Access | Manage access to your cloud applications.
Device Management | Control how your cloud and on-premises devices access company data.
Domain services | Join Azure virtual machines to a domain without deploying domain controllers.
Enterprise users | Manage license assignments, app access, and delegation using groups and administrator roles.
Hybrid identity | Use Azure Active Directory Connect and Connect Health to provide a single user identity for authentication and authorization to all resources, regardless of their location (cloud or on-premises).
Identity governance | Manage your organization's identity by controlling employee, business partner, vendor, service, and app access. You can also conduct access audits.
Identity protection | Detect potential vulnerabilities affecting your organization's identities, configure policies to respond to suspicious actions, and then take appropriate action to remediate them.
Managed identities for Azure resources | Give your Azure services an automatically managed Azure AD identity that can authenticate to any service that supports Azure AD authentication, including Key Vault.
Privileged Identity Management (PIM) | Manage, control, and monitor access within your organization. This feature covers access to Azure AD and Azure resources, as well as other Microsoft Online Services such as Microsoft 365 or Intune.
Reports and monitoring | Gain insight into the security and usage patterns in your environment.
Terminology:
We recommend reviewing the following terms to better understand Azure AD and its documentation.
Term or concept | Description
Identity | Something that can be authenticated. A user with a username and password is an identity. Applications or other servers that authenticate using secret keys or certificates are also identities.
Account | An identity that has data associated with it. You cannot have an account without an identity.
Azure AD account | An identity created through Azure AD or another Microsoft cloud service, such as Microsoft 365. Identities are stored in Azure AD and are accessible to your organization's cloud service subscriptions. This account is also called a Work or School account.
Account Administrator | This classic subscription administrator role is the billing owner of a subscription. It allows you to manage all subscriptions in an account.
Service Administrator | This classic subscription administrator role grants access to all Azure resources. It has the same access as a user assigned the Owner role at the subscription scope.
Owner | This role helps you manage all Azure resources, including access. It is based on a newer authorization system called Azure role-based access control (Azure RBAC), which provides fine-grained access management for Azure resources.
Azure AD Global administrator | This administrator role is assigned to the person who created the Azure AD tenant. There can be multiple Global administrators, but only Global administrators can assign administrator roles to users (including assigning other Global administrators).
Azure subscription | Used to pay for Azure cloud services. You can have many subscriptions, each linked to a credit card.
Azure tenant | A dedicated and trusted instance of Azure AD. The tenant is automatically created when your organization signs up for a Microsoft cloud service subscription, such as Microsoft Azure, Microsoft Intune, or Microsoft 365. An Azure tenant represents a single organization.
Single tenant | Azure tenants that access other services in a dedicated environment are considered single tenant.
Multi-tenant | Azure tenants that access other services in a shared environment, across multiple organizations, are considered multi-tenant.
Azure AD directory | Each Azure tenant has a dedicated and trusted Azure AD directory. The Azure AD directory includes the tenant's users, groups, and applications and is used to manage identity and access for tenant resources.
Custom domain | Every new Azure AD directory comes with an initial domain name, such as domainname.onmicrosoft.com. In addition to the initial name, you can add your organization's own domain names to the list: the names you use to do business and the names your users use to access your organization's services. Adding custom domain names lets you create user names that your users will recognize, such as alain@contoso.com.
Microsoft account (also called MSA) | Personal accounts that provide access to your consumer-oriented Microsoft products and cloud services, such as Outlook, OneDrive, Xbox LIVE, and Microsoft 365. Your Microsoft account is created and stored in the Microsoft consumer identity account system.