Info Sharing Blog

Saturday, July 18, 2020

Azure Active Directory : Overview #CloudScribblings

July 18, 2020 Posted by jaacostan ,
Azure Active Directory is an Identity store in the Cloud. You can create users,groups and service principles in the Azure AD. When you create an Azure account, an Azure AD directory is automatically created by default. You mention all your identities in the directory and is used to authenticate and authorize the users to access a resource in the Azure Cloud. If you want to drill-down the access permission, then you can make use of Role Based Access Control (RBAC) which is different from the Azure AD roles.Using Azure AD, you can enable a lot of security features for authentication & authorization such as Multi-Factor Authentication (MFA), Conditional Access, Privileged Identity Management (PIM) etc.
When it comes to billing, Azure AD is different from your Subscription billing. Normally all your resource usage will be billed against your subscription. But for Azure AD, you need to purchase the license separately from Microsoft Office 365 portal using a Work/school account. The license are classified in to 4. Free,Office 365 apps,Premium P1,Premium P2. The Free AD subscription doesn't have an SLA attached. And if you want to make use of Conditional Access with MFA, PIM & Identity Governance, then you much go with Premium P2 license. To purchase a license, requires a Global Administrator account joined to your own custom domain. Using that account, login and purchase the license from the Microsoft Office portal. Once you purchased the license, you have to manually assign the license to the AD users to make use of the features. However you can perform this dynamically as well.

An important thing to note is, An Azure AD is just an Identity Store and you cannot join devices like you perform on your legacy on-premises MS AD server. Azure AD doesn't support LDAP or Kerberos. If you want to implement a proper Active Directory, then you need to spin up an Active Directory server on a Windows Virtual Machine. Also there is a separate Managed service from Azure, which is Azure Active Directory Domain Services (AD DS), enables to join your Azure Virtual Machines to the domain. In this case, you don't need to manage the domain controller manually.

Azure Active Directory has two types of Users.

1) Member
A member is a normal cloud user. An Active Directory member can read all directory information and can invite external users. They can also manage their own profile information and can register applications in the AD.
2) Guest
Restricted user  who can manage only their own profile data. Cannot browse the directory and cannot register applications in the AD.