IT:AD:Azure:Active Directory (AD)


Azure AD might be called Azure AD – but that's a marketing thing.

Azure AD is not a subset of the Azure Service. It's a totally separate Service, on which Azure relies (and so does IT:AD:Office 365 (O365), IT:AD:Visual Studio Team Services (VSTS), etc.)

The link to that service is:



MS made a new AD solution because the original AD was designed for an era of intranet and Kerberos.

Comprehensive identity and access management solution in the cloud.

Used for:
* IT:AD:Office 365 (O365)
* IT:AD:InTune
* Dynamics CRM
* Thousands of apps

An IT:AD:Azure:Account may be made an AD Directory's Global Administrator, who is not a Service Administrator or Service Co-Administrator.
* This is useful, so that if you have an IT:AD:Office 365 (O365) account you can add/remove AD users, without having to be granted access to the IT:AD:Azure:Portal:Classic Portal.

It is really important to understand how the AD Service differs from all other Azure Resources/Services. See:

Whereas other Resources/Services are 'owned' by the IT:AD:Azure:Subscription, an IT:AD:Azure:Subscription only has a trust relationship with an Azure AD instance.

The above means:
* if an Azure Subscription were suspended, all its Resources/Services would be suspended – bar Azure AD.
* if an Azure Subscription were terminated, another Azure Subscription could be started, and associated to the AD instance.
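The two facts above (a Global Administrator is a directory role, not a subscription role, and a subscription merely trusts a directory) are easy to check. The following is an added example, not from the original page; it assumes the AzureAD and Az PowerShell modules are installed and that the signed-in account may read directory roles and subscriptions.

```powershell
# Added example (not part of the original page). Assumes the AzureAD and Az
# modules are installed and the signed-in account can read roles/subscriptions.
Connect-AzureAD | Out-Null
Connect-AzAccount | Out-Null

# 1. Who holds the Global Administrator directory role?
#    (older builds of the AzureAD module report it as "Company Administrator")
$gaRole = Get-AzureADDirectoryRole |
    Where-Object { $_.DisplayName -in @('Global Administrator', 'Company Administrator') }

if ($gaRole) {
    Write-Host "Global Administrators of the directory:"
    Get-AzureADDirectoryRoleMember -ObjectId $gaRole.ObjectId |
        Select-Object DisplayName, UserPrincipalName, ObjectType |
        Format-Table -AutoSize
}

# 2. Which directory (tenant) does each subscription trust, and who owns the
#    subscription itself? Owner is a subscription-level role; a Global
#    Administrator of the directory only shows up here if assigned separately.
foreach ($sub in Get-AzSubscription) {
    Set-AzContext -SubscriptionId $sub.Id | Out-Null
    Write-Host "`nSubscription '$($sub.Name)' [$($sub.State)] trusts tenant $($sub.TenantId)"
    Get-AzRoleAssignment -Scope "/subscriptions/$($sub.Id)" -RoleDefinitionName 'Owner' |
        Select-Object DisplayName, SignInName, ObjectType |
        Format-Table -AutoSize
}
```

Comparing the two lists is a quick way to see that directory administration and subscription ownership are granted independently.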


@startuml
class O365
class "Visual Studio" as VS

class "Azure AD" as AAD
class "Cloud Identity" as CI
class "Synchronized Identity" as SI
class "Federated Identity" as FI

O365 -DOWN-> AAD

CI -[Hidden]RIGHT- SI
SI -[Hidden]RIGHT- FI

note as N1
Provides Web based
"Single Sign On" to
Web Apps and
On-Prem modern apps
end note

note as N2
Uses AD Connect to
sync passwords.
"Shared Sign On" to:
* Web based "Single Sign On"
to Web and modern desktop apps
* Legacy On-Prem "Single Sign On".
end note

note as N3
Uses Federation to
provide "Single Sign On" (SSO)
experience across both
On-Prem and Web
end note

N1 .UP. CI
N2 .UP. SI
N3 .UP. FI
@enduml

* Advantages:

  • It will never go down. Replicated on 28 Data Centers.
  • Can integrate and sync onsite users/passwords with Azure Active Directory.
  • 3500 apps already federated…and you can add your app.
  • Features:
    • Controllable using IT:AD:Powershell
    • Device Registration
    • Access portal for SSO based user access to
    • Self-service password reset/change
    • Azure AD Connect - for syncing on-premises to Azure Active Directory
    • Standard security reports for an overview picture of the environment.
    • B2B Collaboration (in preview)
    • Group based application management and provisioning (not in free)
    • Application Proxy: Secure remote access and SSO to on-premises websites. ⇐ ?
  • Premium edition:
    • Self-service group management
    • Microsoft Identity Manager (MIM) user licenses - for on-premises identity and access management.
    • Azure AD Connect Health: Monitor on-site AD infrastructure.

* Considerations:

  • Must be a Windows 10 device in order to join Windows InTune, which is how you set up Policies (the equivalent of AD domain policies).

* Lets you join an Azure VM to a Domain without the need to deploy domain controllers.
* Users sign in to these VMs using corp AD.
* Tip: use Groups to control access to which

The feature is that it gives Azure AD the ability to control Kerberos based devices (internal).