Concerning Microsoft Azure Active Directory

Sysadmin Adam Fowler puts Azure AD to the test

Getting hands-on with Azure and AD

The Register ran a live hands-on session on implementing Azure AD on 25 November. Follow the official Microsoft documentation for the process, as many published articles don't cover the latest options.

DirSync and AAD Sync are quite easy to get going, as shown in this TechNet article. It should take you only a few minutes to install and configure.

[Screenshot: synced Active Directory users showing in Azure]

There are a few caveats. If you want true single sign-on, the domain you set up in Azure will need to match a public domain name you own, as well as being a valid domain for AD.

You also need to add a record to your public domain for Azure to authenticate it. For testing purposes, none of this needs to match. You can use an onmicrosoft.com subdomain if single sign-on is not important to you, but integration with third-party apps may be limited.
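The domain caveat above bites at sync time: a user whose on-premises UPN suffix is not a domain verified in the tenant is synced under the tenant's onmicrosoft.com fallback name, which breaks the single sign-on experience for that user. The following pre-sync audit is an added example written for this page, not code from the article or from Microsoft; the tenant name, verified domain list and user list are constructed, and the fallback naming rule it applies is the documented DirSync/AAD Sync behaviour.

```python
"""Pre-sync UPN suffix audit (added example; constructed sample data).

For each on-premises user, predict the UPN Azure AD will assign and flag
users that will land on the onmicrosoft.com fallback instead of a verified
domain, since those users will not get true single sign-on.
"""

TENANT = "contoso"                    # hypothetical tenant name
VERIFIED_DOMAINS = {"contoso.com"}    # domains verified via a public DNS record

# Constructed sample of on-premises users, as their UPNs are stored in AD.
SAMPLE_USERS = [
    "alice@contoso.com",      # suffix verified: SSO works
    "bob@contoso.local",      # non-routable forest name: falls back
    "carol@CONTOSO.COM",      # domain part is case-insensitive
    "dave",                   # no UPN suffix at all: falls back
]


def upn_suffix(upn):
    """Return the lower-cased domain part of a UPN, or None if it has none."""
    local, _, domain = upn.rpartition("@")
    if not local or not domain:
        return None
    return domain.lower()


def predicted_cloud_upn(upn, verified, tenant):
    """Predict the UPN Azure AD assigns after sync.

    Verified suffix: the UPN is kept (domain normalised to lower case).
    Anything else:   local-part@<tenant>.onmicrosoft.com fallback.
    """
    suffix = upn_suffix(upn)
    local = upn.split("@", 1)[0]
    if suffix in verified:
        return f"{local}@{suffix}"
    return f"{local}@{tenant}.onmicrosoft.com"


def audit(users, verified, tenant):
    """Return (on-prem UPN, predicted cloud UPN, sso_ok) for every user."""
    report = []
    for upn in users:
        cloud = predicted_cloud_upn(upn, verified, tenant)
        sso_ok = upn_suffix(cloud) in verified
        report.append((upn, cloud, sso_ok))
    return report


def fallback_users(users, verified, tenant):
    """Just the users that need a verified suffix fixed before syncing."""
    return [upn for upn, _, ok in audit(users, verified, tenant) if not ok]


if __name__ == "__main__":
    for upn, cloud, ok in audit(SAMPLE_USERS, VERIFIED_DOMAINS, TENANT):
        print(f"{upn:22} -> {cloud:32} {'ok' if ok else 'FIX SUFFIX'}")
```

Run it against an export of your real UPNs before the first sync; fixing suffixes on-premises is far less disruptive than renaming cloud identities after applications have been assigned.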

Once you have users in Azure AD, you can start adding applications, either ones that you have developed or from the gallery. Your own application can be either web-based or a native client on a computer, phone or tablet (this last is currently in preview only).

As I am not a developer, I didn't get into testing self-built applications, but Microsoft documentation is available here. One of the great benefits of Azure AD is being able to provide your users with an application that can be used inside or outside the company network.

After single sign-on is configured, staff can access a long list of applications using just their standard company credentials for authorisation. This is the sort of thing to get many developers and security experts excited (or at least relieved), as it provides an easy way to control and secure access “in the wild”.

At the time of writing, more than 2,400 applications are supported. All of them can be added case by case, and you can enable access per user or per group, which gives you great flexibility as to what you provide and to whom.

[Screenshot: applications added in Azure]

Applications that are available in Azure have up to three sign-on methods: Windows Azure AD single sign-on (AD SSO), password SSO and existing SSO.

Windows Azure AD SSO is generally the best option if the third party supports it, as it establishes federation between the two services. Password SSO and existing SSO are what every application will support at a minimum.

Password SSO turns Azure AD into a simple cloud-based password manager, while existing SSO requires AD Federation Services or another SSO provider to look after the login process.

Using single sign-on via Azure AD means automatic provisioning of third-party services is possible if federation is supported between Azure and the third party.
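Per-user and per-group assignment (described above, before the screenshot) combined with the three sign-on methods means the question a security reviewer asks is "who can actually reach which application, and for which of those is Azure AD holding a stored password?" The script below is an added example for this page, not code from the article or from Microsoft; the groups, applications, assignments and the three method labels are constructed to mirror the article's description. It resolves nested group membership into effective per-user access and lists the password-SSO applications, where Azure AD acts as the password manager, together with everyone who can reach them.

```python
"""Effective application access audit (added example; constructed data).

Resolves per-user and per-group assignments, following nested groups, into
the set of applications each user can reach, then reports the password-SSO
applications separately because their credentials live in Azure AD.
"""
from collections import defaultdict

# Constructed sample groups; membership may be nested.
GROUPS = {
    "Sales":     {"users": {"alice", "bob"}, "groups": set()},
    "Marketing": {"users": {"carol"},        "groups": set()},
    "All-Staff": {"users": {"dave"},         "groups": {"Sales", "Marketing"}},
}

# Constructed sample applications and the sign-on method each uses.
APPS = {
    "CRM":          "aad_sso",       # federated with Azure AD
    "Expense-Tool": "password_sso",  # Azure AD stores the credential
    "Legacy-HR":    "existing_sso",  # AD FS or another IdP handles login
}

# Constructed assignments: (kind, principal, application).
ASSIGNMENTS = [
    ("group", "Sales",     "CRM"),
    ("user",  "carol",     "CRM"),
    ("group", "All-Staff", "Expense-Tool"),
    ("user",  "dave",      "Legacy-HR"),
]


def expand_group(name, groups, seen=None):
    """Return every user in a group, following nested groups (cycle-safe)."""
    if seen is None:
        seen = set()
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    members = set(groups[name]["users"])
    for child in groups[name]["groups"]:
        members |= expand_group(child, groups, seen)
    return members


def effective_access(assignments, groups):
    """Map each user to the set of applications they can reach."""
    access = defaultdict(set)
    for kind, principal, app in assignments:
        users = {principal} if kind == "user" else expand_group(principal, groups)
        for user in users:
            access[user].add(app)
    return dict(access)


def users_per_app(assignments, groups):
    """Invert effective_access: application -> sorted list of users."""
    per_app = defaultdict(set)
    for user, apps in effective_access(assignments, groups).items():
        for app in apps:
            per_app[app].add(user)
    return {app: sorted(users) for app, users in per_app.items()}


def password_sso_exposure(assignments, groups, apps):
    """Applications whose stored credential Azure AD manages, with reach."""
    reach = users_per_app(assignments, groups)
    return {app: reach.get(app, []) for app, method in apps.items()
            if method == "password_sso"}


if __name__ == "__main__":
    for user, apps in sorted(effective_access(ASSIGNMENTS, GROUPS).items()):
        print(f"{user:8} {sorted(apps)}")
    print("password SSO reach:", password_sso_exposure(ASSIGNMENTS, GROUPS, APPS))
```

The nested-group expansion is where broad access usually creeps in: an application assigned to an "everyone" style group reaches far more people than the assignment list suggests, which matters most for password-SSO applications, where a shared stored credential is in play.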
