IT:AD:Azure:Active Directory (AD)


Azure AD may be called Azure AD, but the name is a marketing thing.

Azure AD is not a subset of the Azure Service. It's a totally separate Service, on which Azure relies (as do IT:AD:Office 365 (O365), IT:AD:Visual Studio Team Services (VSTS), etc.)

The link to that service is:

MS made a new AD solution because the original AD was designed for an era of intranets and Kerberos.

Comprehensive identity and access management solution in the cloud.

Used for


An IT:AD:Azure:Account may be made an AD Directory's Global Administrator; that role does not make it a Service Administrator or Service Co-Administrator.

Relationship to Azure Subscriptions

It is really important to understand how the AD Service differs from all other Azure Resources/Services. See:

Whereas other Resources/Services are 'owned' by the IT:AD:Azure:Subscription, an IT:AD:Azure:Subscription only has a trust relationship with an Azure AD directory.

The above means:
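To make the two separate privilege boundaries concrete (directory Global Administrator versus subscription Service Administrator / Co-Administrator), here is an added PowerShell audit example that is not part of this wiki page. It assumes the AzureAD and Az modules are installed and that Connect-AzureAD and Connect-AzAccount have already been run against the same tenant.

```powershell
# Added example (not from the original wiki page): list both privilege
# boundaries side by side. Assumes AzureAD and Az modules are installed and
# Connect-AzureAD / Connect-AzAccount have been run against the same tenant.

# 1. Directory side: members of the Global Administrator directory role.
$gaRole = Get-AzureADDirectoryRole |
    Where-Object { $_.DisplayName -eq 'Global Administrator' }
if (-not $gaRole) { throw 'Global Administrator role not found in this directory.' }
$globalAdmins = Get-AzureADDirectoryRoleMember -ObjectId $gaRole.ObjectId |
    Select-Object -ExpandProperty UserPrincipalName

# 2. Subscription side: which directory (tenant) the current subscription
#    trusts, plus its classic Service Administrator / Co-Administrators.
$ctx = Get-AzContext
"Subscription '$($ctx.Subscription.Name)' trusts tenant $($ctx.Tenant.Id)"
$classicAdmins = Get-AzRoleAssignment -IncludeClassicAdministrators |
    Where-Object { $_.RoleDefinitionName -match 'ServiceAdministrator|CoAdministrator' } |
    Select-Object -ExpandProperty SignInName

# 3. Compare: a Global Administrator with no subscription role is the normal
#    case the page describes; any overlap is worth recording in an access review.
$globalAdmins | ForEach-Object {
    [pscustomobject]@{
        GlobalAdmin         = $_
        AlsoClassicSubAdmin = ($classicAdmins -contains $_)
    }
} | Format-Table -AutoSize
```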

Identity Management




  • Advantages:
    • It will never go down: replicated across 28 data centers.
    • Can integrate and sync onsite users/passwords with Azure Active Directory.
    • 3500 apps already federated…and you can add your app.
    • Features:
      • Controllable using IT:AD:Powershell
      • Device Registration
      • Access portal for SSO based user access to
      • Self-service password reset/change
      • Azure AD Connect - for syncing on-premises to Azure Active Directory
      • Standard security reports for overview picture of environment.
      • B2B Collaboration (in preview)
      • Group based application management and provisioning (not in free)
      • Application Proxy: Secure remote access and SSO to on-premises websites. ⇐ ?
    • Premium edition:
      • Self service group management
      • Microsoft Identity Manager (MIM) user licenses - for on-premises identity and access management.
      • Azure AD Connect Health: Monitor on-site AD infrastructure.
  • Considerations:
    • Must be a Windows 10 device in order to join Windows Intune, which is how you set up Policies (the equivalent of AD domain policies).

Azure AD Domain Services for Hybrid

  • Lets you join an Azure VM to a Domain without the need to deploy domain controllers.
  • Users sign in to these VMs using corp AD.
  • Tip: use Groups to control access to which

The feature is that it gives Azure AD the ability to control Kerberos based devices (internal).