Concerning Microsoft Azure Active Directory

Sysadmin Adam Fowler puts Azure AD to the test


Microsoft's Azure has moved forward in recent months with a clutch of upgrades and new feature releases.

Microsoft is also expanding Azure's worldwide presence, and with the Australian Azure data centre launched in October most continents have a local presence now.

This is great for IT staff who are either already on Azure or looking to jump on board but how does it affect end-users?

I set out to configure Azure Active Directory (AD) in a lab environment to explore the potential options and real-world usage of Microsoft's cloud solution.

If you haven't looked into Azure AD, you might reasonably assume it is simply a domain controller hosted in Microsoft's cloud. Although you can build one by creating a virtual machine in Azure and configuring AD on it, Azure AD is something different.

AD is mainly focused on authenticating and authorising users and computers; Azure AD takes it a step further, providing a global single sign-on experience to end-users by integrating with thousands of other services.

Consider Azure AD as an extension to AD. Where AD handles corporate resources and identities on-premises, Azure AD handles consumer-based devices and identities for the public cloud.

There are three editions of Azure AD: free, basic and premium. Microsoft shows the differences here.

Premium service

The free edition is quite feature rich but lacks several value-add features, plus the 99.9 per cent service-level agreement.

Basic and premium editions will require a chat with your enterprise agreement licenser, but you may already be entitled to basic or premium depending on your existing user client access licences.

The biggest selling points of the paid-for versions are group-based access management and provisioning (you can set up and configure users as a group rather than one by one), self-service password resets and multi-factor authentication. If you are using Forefront Identity Manager then you will need to go premium.

Azure AD synchronises with an on-premises AD forest. There are three ways in which your directory can be integrated with Azure: Azure Active Directory Synchronization Tool (DirSync), Azure Active Directory Synchronization Services (AAD Sync) and Forefront Identity Manager 2010 R2.

Another helpful table is here. Microsoft also offers the Azure AD Connector tool, a packaged, wizard-driven install of both Azure Active Directory Synchronization and Active Directory Federation Services.

My advice is to skip DirSync if possible and use AAD Sync instead. Microsoft has announced that AAD Sync is the replacement tool for DirSync. FIM 2010 R2 is overkill, but use it if you have it already.
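Whichever sync tool you pick, the two things worth checking once it is running are that synchronisation is actually current and that the synced accounts have the multi-factor authentication the paid editions give you. The script below is an added example, not code from the article or from Microsoft's sync tools; it assumes the MSOnline PowerShell module is installed and that the account you sign in with can read tenant and user information.

```powershell
# Added example (not from the article): audit Azure AD directory sync status
# and per-user MFA coverage using the MSOnline PowerShell module.
# Assumptions: the MSOnline module is installed and the signed-in account
# can read company and user information for the tenant.
Import-Module MSOnline
Connect-MsolService   # interactive sign-in to the Azure AD tenant

function Get-TenantSyncSummary {
    # Tenant-level view: is directory sync enabled, and when did it last run?
    # A stale LastDirSyncTime means on-premises changes (disabled accounts,
    # password resets) are not reaching the cloud directory.
    $info = Get-MsolCompanyInformation
    [pscustomobject]@{
        SyncEnabled      = $info.DirectorySynchronizationEnabled
        LastDirSync      = $info.LastDirSyncTime
        LastPasswordSync = $info.LastPasswordSyncTime
    }
}

function Get-SyncedUsersWithoutMfa {
    # Synced (LastDirSyncTime set), sign-in-enabled users that have no
    # per-user MFA requirement at all (neither Enabled nor Enforced).
    Get-MsolUser -All |
        Where-Object {
            $_.LastDirSyncTime -ne $null -and
            -not $_.BlockCredential -and
            @($_.StrongAuthenticationRequirements).Count -eq 0
        } |
        Select-Object UserPrincipalName, LastDirSyncTime
}

# Usage: summarise sync health, then list synced users lacking MFA.
Get-TenantSyncSummary | Format-List

$noMfa = @(Get-SyncedUsersWithoutMfa)
"{0} synced user(s) have no MFA requirement" -f $noMfa.Count
$noMfa | Format-Table -AutoSize
```

The MFA check reads only the per-user `StrongAuthenticationRequirements` state; if you later enforce MFA another way, this list will overstate the gap. The sync timestamps are the quicker win: a tenant where `LastDirSyncTime` is hours old is one where an account disabled on-premises may still sign in to cloud services.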




Biting the hand that feeds IT © 1998–2019