Azure Active Directory, also known as Azure AD, is Microsoft’s cloud-based identity and access management service that provides IT administrators the ability to manage user identities and access privileges. It combines directory services, advanced identity governance, and application access management under a single roof.

The service offers developers a standardized approach to add single sign-on (SSO) to their application. Microsoft’s cloud-based services such as Office 365, Microsoft Azure and Dynamics 365 use Azure Active Directory for sign-in and identity protection.

According to Microsoft, more than 6 million organizations around the world are using Azure AD.

What can you do with Azure AD: 

  • Create and manage users and groups, and allow or deny their access to enterprise resources.

  • Connect on-premises directories so that one identity is used to access applications.

  • Provide remote access to on-premises applications.

  • Sign in to SaaS applications such as Office 365, Google Apps, Salesforce, Workday, ServiceNow, Canvas, and Box.

  • Azure AD offers self-service capabilities such as password resets, group management, application requests and application management.

  • Multi-factor authentication

  • Offer B2B and B2C access

  • Application proxy: Publish applications inside a private network and share it with users outside your network

Azure Active Directory Editions

There are three tiers of Azure Active Directory: Free, Basic and Premium. Key features for each tier are listed below.

Free:

  • Synchronization or federation with on-premises directories through Azure AD Connect (sync engine)

  • Directory objects

  • User/group management (add/update/delete), user-based provisioning, device registration

  • Single sign-on (SSO)

  • Self-service password change for cloud users

  • Security and usage reports

Basic: Includes all the features in free tier and the following

  • Group-based access management and provisioning

  • Self-service password reset for cloud users

  • Company branding (log-on pages, Access Panel, customization)

  • Application Proxy

  • Enterprise SLA of 99.9%

Premium: Includes all the features in Free and Basic and the following

  • Self-service group and app management, self-service application additions, dynamic groups

  • Self-service password reset, change, unlock with on-premises write-back

  • Multi-factor authentication (cloud and on-premises, MFA Server)

  • MIM CAL + MIM Server

  • Cloud App Discovery

  • Connect Health

  • Automatic password rollover for group accounts

Azure Active Directory: Capabilities
Azure Active Directory: Identity as a Service (IDaaS) Provider

“Azure Active Directory (Azure AD) is an identity and access management-as-a-service (IDaaS) solution that combines
single sign-on capabilities to any cloud and on-premises application with advanced protection. It gives your people, partners,
and customers a single identity to access the applications they want and collaborate from any platform and device. And
because it’s based on scalable management capabilities and risk-based access rules, Azure AD helps ensure security and
streamline IT processes.” – Microsoft

Azure Active Directory: Identity Secure Score

To help users keep a close eye on their security configuration and measure it against best practices, Azure AD calculates identity secure score and offers recommendations to improve security.

Azure AD evaluates the tenant's security configuration every 48 hours, compares the settings with Microsoft's recommended practices and produces an identity secure score between 1 (lowest possible score) and 248 (highest possible score). The score is an indicator of how closely the configuration follows Microsoft's security best practices; the accompanying recommendations show which settings to change to raise it.

Identity Secure Score: Available for all editions of Azure AD

Azure Active Directory reports

Azure Active Directory offers two types of reports, security reports and activity reports. Together they give administrators a comprehensive view of activity in their environment.

  • Security reports: users flagged for risk, and risky sign-ins
  • Activity reports: audit logs, and sign-in activity
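The sign-in activity report is the raw material for most identity detections. The script below, added here as an example and not taken from the page or from Microsoft, runs three checks over a constructed sign-in export: a password spray (one source IP failing with a bad password against many distinct accounts), successful sign-ins over legacy protocols that cannot complete multi-factor authentication, and sign-ins Azure AD itself rated medium or high risk. The field names (userPrincipalName, ipAddress, clientAppUsed, status.errorCode, riskLevelDuringSignIn) match the sign-in log export; the records and the thresholds are assumptions for the example.

```python
"""Triage of Azure AD sign-in log records (added example; sample data is constructed)."""
import json
from collections import defaultdict

# Constructed sample export: three accounts sprayed from 203.0.113.7, one
# legacy-protocol success, one high-risk sign-in, and ordinary traffic.
SAMPLE_SIGNIN_LOG = json.dumps([
    {"userPrincipalName": "alice@contoso.com", "ipAddress": "203.0.113.7",
     "clientAppUsed": "Browser", "status": {"errorCode": 50126}, "riskLevelDuringSignIn": "none"},
    {"userPrincipalName": "bob@contoso.com", "ipAddress": "203.0.113.7",
     "clientAppUsed": "Browser", "status": {"errorCode": 50126}, "riskLevelDuringSignIn": "none"},
    {"userPrincipalName": "carol@contoso.com", "ipAddress": "203.0.113.7",
     "clientAppUsed": "Browser", "status": {"errorCode": 50126}, "riskLevelDuringSignIn": "none"},
    {"userPrincipalName": "dave@contoso.com", "ipAddress": "198.51.100.4",
     "clientAppUsed": "IMAP4", "status": {"errorCode": 0}, "riskLevelDuringSignIn": "none"},
    {"userPrincipalName": "erin@contoso.com", "ipAddress": "192.0.2.33",
     "clientAppUsed": "Browser", "status": {"errorCode": 0}, "riskLevelDuringSignIn": "high"},
    {"userPrincipalName": "alice@contoso.com", "ipAddress": "203.0.113.50",
     "clientAppUsed": "Browser", "status": {"errorCode": 0}, "riskLevelDuringSignIn": "none"},
    {"userPrincipalName": "bob@contoso.com", "ipAddress": "198.51.100.9",
     "clientAppUsed": "Browser", "status": {"errorCode": 50126}, "riskLevelDuringSignIn": "none"},
])

BAD_PASSWORD = 50126          # AADSTS50126: invalid username or password
SUCCESS = 0                   # status.errorCode 0 means the sign-in succeeded
SPRAY_MIN_USERS = 3           # assumed threshold: distinct accounts per source IP
# Client app values that use basic/legacy authentication and so bypass MFA.
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "SMTP",
                  "Authenticated SMTP", "Other clients"}


def load_signins(raw_json):
    """Parse an exported sign-in log (JSON array of records)."""
    return json.loads(raw_json)


def detect_password_spray(records, min_users=SPRAY_MIN_USERS):
    """Source IPs that failed with a bad password against >= min_users distinct accounts."""
    failed_users = defaultdict(set)
    for rec in records:
        if rec["status"]["errorCode"] == BAD_PASSWORD:
            failed_users[rec["ipAddress"]].add(rec["userPrincipalName"])
    return {ip: sorted(users) for ip, users in failed_users.items()
            if len(users) >= min_users}


def detect_legacy_auth_success(records):
    """Successful sign-ins over protocols that cannot prompt for MFA."""
    return [(rec["userPrincipalName"], rec["clientAppUsed"]) for rec in records
            if rec["status"]["errorCode"] == SUCCESS and rec["clientAppUsed"] in LEGACY_CLIENTS]


def detect_risky_signins(records, levels=("medium", "high")):
    """Sign-ins that Azure AD's own risk evaluation rated at one of the given levels."""
    return [(rec["userPrincipalName"], rec["ipAddress"], rec["riskLevelDuringSignIn"])
            for rec in records if rec["riskLevelDuringSignIn"] in levels]


def triage(raw_json):
    """Run all three checks and return the findings keyed by check name."""
    records = load_signins(raw_json)
    return {
        "password_spray": detect_password_spray(records),
        "legacy_auth": detect_legacy_auth_success(records),
        "risky": detect_risky_signins(records),
    }


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_SIGNIN_LOG).items():
        print(name, findings)
```

The spray check keys on distinct accounts rather than on failure count, because a single user mistyping a password ten times looks nothing like one IP touching ten accounts once each; the seventh sample record (one failure from 198.51.100.9) is correctly ignored for that reason.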

Azure Active Directory Pricing:

Pricing varies by Azure AD edition: Free, Basic, Premium P1, and Premium P2. The Free edition includes single sign-on for up to 10 apps per user and 500,000 directory objects, and premium features can be tried free for 30 days.

Edition       Pricing per user/month
Basic         $1
Premium P1    $6
Premium P2    $9

For more details and latest information on pricing please visit Azure AD Pricing

Azure Active Directory: B2C

Azure Active Directory (Azure AD) B2C is a cloud-based consumer identity management service that can be used to customize and control user interaction with web, desktop, mobile, and single-page applications. Using this service, end users can sign up, sign in, reset passwords, and edit profiles.

Azure Active Directory B2B

Azure Active Directory business-to-business (B2B) is a cloud-based service for collaboration that lets you securely share applications with users from other organizations.

Azure AD B2B uses an invitation and redemption process to share resources: the guest receives an invitation, redeems it, and from then on signs in with their own credentials. External organizations, including those that do not use Azure AD themselves, can therefore access your business resources without a second set of credentials.

The Azure AD B2B APIs can be used to customize the invitation and redemption process, and to build self-service sign-up portals.
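The invitation step above is a single call to the Microsoft Graph invitations endpoint. The following is an added example, not code from the page or from Microsoft: it builds the request body, refuses redirect targets that are not on an allowlist of your own application hosts (Graph itself accepts any URL in inviteRedirectUrl, and an invitation e-mail that lands a guest on an attacker-chosen site is a ready-made phishing lure), and posts it through an injectable transport so it runs offline. The access token, the allowed hosts, and the `fake_graph` transport are assumptions; a real call needs a token granted the User.Invite.All permission.

```python
"""Azure AD B2B guest invitation via Microsoft Graph (added example; transport is a constructed stub)."""
import json
from urllib.parse import urlparse

GRAPH_INVITATIONS = "https://graph.microsoft.com/v1.0/invitations"

# Assumption: hosts a guest may be sent to after redeeming the invitation.
ALLOWED_REDIRECT_HOSTS = {"myapps.microsoft.com", "portal.contoso.com"}


class InvitationError(ValueError):
    """Raised for a malformed invitation or a failed Graph call."""


def redirect_allowed(url):
    """True only for https URLs whose host is on the allowlist."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_REDIRECT_HOSTS


def build_invitation(email, redirect_url, display_name=None, send_message=True, message=None):
    """Return the JSON body for POST /invitations, rejecting unsafe redirect targets."""
    if "@" not in email:
        raise InvitationError(f"not an email address: {email!r}")
    if not redirect_allowed(redirect_url):
        raise InvitationError(f"redirect target not allowed: {redirect_url!r}")
    body = {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,
        "sendInvitationMessage": send_message,
    }
    if display_name:
        body["invitedUserDisplayName"] = display_name
    if message:
        body["invitedUserMessageInfo"] = {"customizedMessageBody": message}
    return body


def send_invitation(token, body, transport):
    """POST the invitation; transport(method, url, headers, data) -> (status, response_text)."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, payload = transport("POST", GRAPH_INVITATIONS, headers, json.dumps(body))
    if status != 201:
        raise InvitationError(f"Graph returned {status}: {payload}")
    resp = json.loads(payload)
    # The guest object exists immediately; status stays PendingAcceptance until redeemed.
    return {
        "status": resp["status"],
        "guest_id": resp["invitedUser"]["id"],
        "redeem_url": resp["inviteRedeemUrl"],
    }


def fake_graph(method, url, headers, data):
    """Constructed stand-in for Graph that returns a plausible 201 response."""
    if method != "POST" or url != GRAPH_INVITATIONS:
        return 404, "{}"
    if not headers.get("Authorization", "").startswith("Bearer "):
        return 401, '{"error": "missing bearer token"}'
    req = json.loads(data)
    return 201, json.dumps({
        "status": "PendingAcceptance",
        "invitedUserEmailAddress": req["invitedUserEmailAddress"],
        "inviteRedeemUrl": "https://login.microsoftonline.com/redeem?ctx=constructed",
        "invitedUser": {"id": "11111111-2222-3333-4444-555555555555"},
    })


if __name__ == "__main__":
    invitation = build_invitation("partner@fabrikam.com", "https://myapps.microsoft.com/",
                                  display_name="Fabrikam Partner")
    print(send_invitation("assumed-access-token", invitation, fake_graph))
```

To use it against a live tenant, replace `fake_graph` with a function that performs the HTTP request (for instance with `requests.request`) and returns the status code and body text; nothing else changes.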

Azure Active Directory (AD) Domain Services

Azure AD Domain Services provides managed, cloud-based domain services such as domain join, group policy, LDAP and Kerberos/NTLM authentication in Azure, compatible with Windows Server Active Directory.

When migrating on-premises applications to the cloud, administrators traditionally had to deploy and operate their own domain controllers in Azure so that those applications could keep authenticating against a domain. Azure AD Domain Services, essentially a domain controller as a service, removes that step and makes the migration easier.

Application management with Azure Active Directory

Azure Active Directory (Azure AD) can be used to give end users secure access to on-premises and cloud-hosted applications.

Key advantages of using Azure AD for this are automated user provisioning, cloud-scale identity protection, multi-factor authentication, conditional access policies and single sign-on.

Figure: Apps federated via Azure AD

Azure AD Connect

Azure AD Connect is the tool for hybrid identity management. It replaced Microsoft's earlier identity integration tools, DirSync and Azure AD Sync.

The tool connects an on-premises identity infrastructure with the cloud-based Azure Active Directory. Its features include password hash synchronization, pass-through authentication, federation integration, synchronization and health monitoring.

The Azure AD Connect tool can also be hosted in the cloud on an Azure IaaS virtual machine, which offers:

  • Potentially faster provisioning and lower cost of operations

  • Increased availability

Figure: Architecture to run the Azure AD Connect tool on an Azure IaaS virtual machine

Integrators and Competitors:

In October 2017, AWS launched AWS Directory Service for Microsoft Active Directory (Standard Edition), also known as AWS Microsoft AD. Built on top of Microsoft Active Directory, the service enables AWS users to utilize Microsoft Active Directory to manage their users, groups, and devices.

Though Google Cloud Identity is not a directory service, it can be used to manage users, devices and applications.