-
Resources
- Forums
-
What is Azure Active Directory and how does AAD work?
What is Azure Active Directory?
Azure Active Directory (AD) is a cloud-based identity and access management service. Azure Active Directory comprises a database (directory) that records things like what users there are and who’s allowed to do what, and set of services that enable your employees to sign in (authentication) and access only the IT resources they’re allowed to (authorization). That includes both internal resources, such as data and tools on your corporate intranet, and external resources like Microsoft 365 and SaaS applications.
It’s equally important to understand what Azure Active Directory is not. It is not simply Active Directory running on Microsoft’s servers instead of servers in your own on-premises datacenter; it is a separate solution that is part of the Microsoft Azure public cloud computing platform.. However, on-prem Active Directory and Azure AD can — and often do — work together, in what’s known as a hybrid AD environment.Does my organization have Azure Active Directory?
If your organization subscribes to any Microsoft Online business service such as Office 365, it has Azure Active Directory.
However, only some Azure Active Directory features are included for free. To get capabilities like self service, enhanced monitoring, security reporting and mobile device security, you need to upgrade to an Azure AD Basic, Premium P1 or Premium P2 license.
Who uses Azure Active Directory?
Three types of users interact with Azure Active Directory:
- IT admins work directly with Azure AD. In particular, they set up users, groups, permissions and various settings, such as when to require multifactor authentication (MFA) and whether to allow users outside the organization to access various resources. The person who creates the tenant is automatically its Global Administrator; they can then add additional admins to the tenant.
- Application developers interact with Azure AD through application programming interfaces (APIs), for example, to enable their apps to work with a user's Azure AD credentials and to build personalized app experiences using the organization’s data.
- Business users generally don’t realize it, but they interact with Azure AD, too. Every time they log into Microsoft cloud resources, such as SharePoint Online or Teams, Azure AD is at work behind the scenes, verifying that they who are they say they are and ensuring they can access only the resources that they are authorized to use.
How is Azure AD structured?
The basic building block of Azure AD is the tenant. An Azure AD tenant is just a dedicated instance of Azure AD for a particular company. To create a tenant, your organization simply signs up for a Microsoft cloud service like Office 365 and provides some details like your organization’s name and location. Your initial domain name will be the name you specify plus “.onmicrosoft.com” (domainname.onmicrosoft.com). You can't change or delete your initial domain name, but you can add custom domain names, such companyname.com, to your tenant.
Each Azure tenant has a dedicated and trusted Azure AD directory, which includes the tenant's users, groups and apps, and performs identity and access management functions for the tenant’s resources.
It’s vital to understand that here we’re using the word “domain” in the internet sense (a website domain name). It has nothing to do with an on-prem AD domain, which is a group of related users, computers and other AD objects that are managed together. Similarly, Azure AD does not have other AD structures like forests and organizational units (OUs).
What are the key differences between Active Directory and Azure Active Directory?
Even though on-prem AD and Azure AD have similar names and share a common core purpose, they are quite different solutions. Here are the key facts to keep in mind:
- Active Directory is part of the Windows Server operating system, which runs on servers called domain controllers (DCs).
- Azure Active Directory runs on Microsoft servers in Microsoft datacenters.
- Active Directory uses a hierarchical structure. The primary unit is the AD domain. The objects in a domain are often grouped into organizational units (OUs) that mirror business structures like departments. Larger organizations often have multiple domains grouped into a forest.
- Azure Active Directory has a flat structure. The basic building block is the tenant: a dedicated instance of Azure AD for a particular organization.
- LDAP
- REST APIs
- Active Directory has been around so long that its authentication protocols have evolved a great deal, from LM to NTLM and then to the currently supported NTLMv2 and Kerberos.
- Azure AD uses modern authentication protocols like OAuth, SAML and OpenID Connect. Moreover, it offers features like self-service password reset, multifactor authentication (MFA), Conditional Access policies and even passwordless authentication.
- When an authenticated user tries to do something (such as read a piece of data or run an application), Active Directory decides whether to allow the action by (among other things) checking the permissions they’ve been granted directly and via membership in AD security groups, as well as the rules laid down in Group Policy.
- Azure AD security groups — These are similar in structure and function to AD security groups, but they are comprised of Azure AD user accounts and are used to grant access to cloud resources like Teams and SharePoint Online.
- Microsoft 365 groups (formerly called Office 365 groups) — These groups can secure items like a security group does, but can also act as a data repository for shared mailboxes, SharePoint Online and Teams.
- Azure AD roles — Roles grant specific sets of permissions to different types of administrators. There are dozens of built-in Azure AD roles such as Exchange Administrator, and you can also create your own custom roles.
Azure AD handles authorization very differently. The main components include:
- In Active Directory, one of the most powerful tools for managing computers is Group Policy. For instance, you can use Group Policy to prevent the installation of unauthorized machines, lock a computer after a certain period of inactivity, automatically install software updates on all computers, and prevent the use of removable storage devices.
- In Azure AD, device management is done with Microsoft Intune. You can set up different rules for organization-owned devices and personal (BYOD) devices enrolled in Intune. Options include blocking jailbroken devices, pushing certificates to devices so users can connect to your network via a VPN, and wiping corporate data from a device that is lost or stolen.
How do on-prem AD and Azure AD work together?
While it’s possible to have a purely cloud-based environment, most organizations today have a hybrid AD environment. They use the free Microsoft tool Azure AD Connect to sync identity data from their on-prem AD to Azure AD; then users can use their on-premises credentials to authenticate to cloud resources such as SharePoint Online, Teams, and SaaS apps like Dropbox, Google apps and Amazon Web Services (AWS).
Behind the scenes, IT pros manage users, groups and permissions (primarily) in the on-prem AD, and any changes are automatically synced up to the cloud. This alleviates the need to try to manage two completely separate sets of identities and permissions, which would be very difficult and highly prone to error.
However, not everything can be stored and managed in the on-premises AD. You will also have cloud-only objects and attributes, such as these:
- Cloud-only user accounts — You will likely want B2B (business-to-business) and B2C (business-to-consumer) accounts in Azure AD for external users. For example, you send your business partners or consultants an email invitation and then federate their external identities into your Azure Active Directory. As a result, you have an Azure AD account that simply does not exist in your on-premises AD.
- Cloud-only attributes — Every user in your on-prem AD who is permitted to use Office 365 applications has “license type” attribute that determines what features they are entitled to use. Since this attribute exists only in the cloud, so if the user object is deleted, you could recover the on-premises AD user object and use Azure AD Connect to sync it back up to Azure Active Directory, but the license type attribute would be gone, leaving the user unable to work in Office 365 until you resolve the problem manually.
Where can I learn more about Azure Active Directory and hybrid Active Directory?
Check out these pages to learn more about Azure Active Directory and hybrid AD: