When we talk about Identity and Access what do we really mean? For me, it boils down to who you are and what you are entitled to access.
Simple statement, but it does start to get rather complicated when you think about Identity Management. If you think about your own organisation what directory service does it use? Probably Active Directory Domain Services (AD DS). Think about how many years it has it been fine tuned with integration with third party solutions such as:
- Remote access via RADIUS servers
- Two factor authentication
- Single sign on into applications
- Synchronization of user accounts and groups into hosted web services for web filtering
- Integration with software that provides corporate wide email signatures
- Integration with software that provides automated provisioning and de-provisioning of users
The list does truly go on and on. Most organisations will treat their on-premises Active Directory Domain Services (AD DS) as the one source of all truth for users, groups, permissions and passwords.
So that’s the on-premises bit, what’s this Azure Active Directory all about?
What is Azure Active Directory
According to Microsoft Azure ‘What is Azure Active Directory‘ homepage it is Microsoft’s multi-tenant cloud based directory and identity management service. Great you say but what does that really mean?
The key is in the multi-tenant part, its a directory service built for Microsoft. It isn’t architected in the same way as AD DS, most of us are used to the terms Kerberos, NLTM and LDAP, well these aren’t available in Azure AD. Instead Azure AD uses web centric language such as SAML 2.0, WS-Federation and OAuth2.0 More details on Azure AD Authentication Protocols can be found here.
For those among us who like facts and figures Azure AD Basic and Premium has an SLA of 99.95% and operates out of twenty eight of Microsoft datacentres. With the object and metadata being held across two or more locations.
Noticeably Azure AD, doesn’t provide the same features set that we are used to with AD DS, for example group policy isn’t available. Azure AD Join is out for Windows 10 devices which provides some enrollment and integration features into areas such as email, but again it doesn’t provide the rich feature set you would expect from your on-premises AD DS.
Microsoft are adding features continuously to Azure AD, so I’m sure things will progress and update in the near future. This then leaves us with three choices when it comes to accessing cloud based solutions:
This is where you have a separate identify and access for your on-premises AD DS and Azure AD.
A user ‘John Smith’ has to manage his credentials for both on-premises access to applications via AD DS and different set of credentials for access to applications in Azure AD.
These are identities that exist on-premises in AD DS and in Azure AD. Typically Azure AD Connect would be used to manage the password synchronization using hashing algorithms. It uses a SQL Server database to store identity data, with the Express version enabling you to manage 100,000 objects.
Using AD Connect you will gain the on-premises password will authenticate both AD DS and Azure AD. Users will have single sign-on for an extensive set of pre-integrated SaaS applications. At the moment 2,577 applications are pre-configured for Azure AD integration.
Federated enables your on-premises AD DS to be the source of authentication into Azure AD and other cloud based resources or partner organizations. Essentially it supports advanced scenarios that cannot be achieved using the synchronized deployment method for example your security policy prohibits password hashes being synchronized to the cloud.
It should be noted that it is higher maintenance, requires additional servers and extensive setup and redundancy to ensure users can authenticate.
Azure AD Free, Basic and Premium
Just to make things slightly more complicated, Microsoft have three versions of Azure AD, these are Free, Basic and Premium.
- Free – This is the entry level option that doesn’t provide an SLA or company branding. It does however give you the following:
- Up to 500,000 objects
- You have access to SSO applications using the 2,577 Azure AD pre-integrated SaaS applications
- Ability to extend on-premises AD DS into Azure AD
- Self Service Password Changes for Azure AD users
- Basic – This is the first paid for option which extends the free features by including:
- No object limit
- 99.9% SLA
- Company branding for login pages and access panel
- Self Service Password Resets for Azure AD users
- Premium – This is the top option, which extends the Basic features by including:
- Self service group management
- Self Service Password Resets with on-premises writeback
- Multi-Factor Authentication
- Self service Bitlocker recovery
Azure AD is a web scale directory that provides SSO and integration with SaaS and on-premises directory structures and applications. It is maturing all time with the inclusion of new features on a regular basis.
In the next article I will look at Availability Set concepts, see you in the next installment.