IT:AD:Azure:Active Directory (AD)

Summary

Azure AD might be called Azure AD – but that's a marketing thing.

Azure AD is not a subset of the Azure Service. It's a totally separate Service, on which Azure relies (and so does IT:AD:Office 365 (O365), IT:AD:Visual Studio Team Services (VSTS), etc.)

The link to that service is:


!includeurl http://skysigal.com/_media/resources/configuration/plantuml/minimalist.txt

class "Azure Active Directory" as AD {

}
MS made a new AD solution because the original AD was designed for an era of intranet and Kerberos.

Comprehensive identity and access management solution in the cloud.

Used for:
  • IT:AD:Office 365 (O365)
  • IT:AD:InTune
  • Dynamics CRM
  • Thousands of apps

An IT:AD:Azure:Account may be made an AD Directory's Global Administrator without being a Service Administrator or Service Co-Administrator of any subscription.
  • This is useful: with an IT:AD:Office 365 (O365) account you can add/remove AD users without having to be granted access to the IT:AD:Azure:Portal:Classic Portal.

It is really important to understand how the AD Service differs from all other Azure Resources/Services. See:

Whereas other Resources/Services are 'owned' by the IT:AD:Azure:Subscription, an IT:AD:Azure:Subscription only has a trust relationship with an Azure AD directory.

The above means:
  • if an Azure Subscription were suspended, all its Resources/Services would be suspended, bar Azure AD.
  • if an Azure Subscription were terminated, another Azure Subscription could be started and associated with the AD instance.
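The two separations described above (a directory's Global Administrators versus a subscription's administrators, and a subscription merely trusting a directory) can be checked from PowerShell. The following is an added example, not part of the original page; it assumes the Az and AzureAD PowerShell modules are installed and that the signed-in account can read directory roles and subscription role assignments. The role name 'Company Administrator' is the older display name the AzureAD module used for Global Administrator.

```powershell
# Added example (not from the original wiki page). Shows which Azure AD
# directory each subscription trusts, and that the Global Administrator
# directory role is granted separately from subscription administration.
# Assumes the Az and AzureAD modules; no names below are taken from the page.

Connect-AzAccount | Out-Null    # sign in to Azure Resource Manager
Connect-AzureAD   | Out-Null    # sign in to the Azure AD directory

# 1. Which directory does each subscription trust? Several subscriptions can
#    point at one TenantId; suspending or deleting a subscription leaves the
#    directory itself untouched.
Get-AzSubscription |
    Select-Object Name, Id, TenantId, State |
    Format-Table -AutoSize

# 2. Who holds Global Administrator in the directory? This is a directory
#    role, assigned in Azure AD, not in any subscription.
$gaRole = Get-AzureADDirectoryRole |
    Where-Object { $_.DisplayName -in 'Global Administrator', 'Company Administrator' }
$globalAdmins = Get-AzureADDirectoryRoleMember -ObjectId $gaRole.ObjectId |
    Where-Object { $_.ObjectType -eq 'User' } |
    Select-Object -ExpandProperty UserPrincipalName |
    Sort-Object -Unique

# 3. Who administers the current subscription? Owners (RBAC) plus the classic
#    Service Administrator / Co-Administrators; all of these are granted on the
#    subscription, independently of any directory role.
$subId = (Get-AzContext).Subscription.Id
$subAdmins = Get-AzRoleAssignment -Scope "/subscriptions/$subId" -IncludeClassicAdministrators |
    Where-Object { $_.RoleDefinitionName -eq 'Owner' -or $_.RoleDefinitionName -match 'Administrator' } |
    Select-Object -ExpandProperty SignInName |
    Sort-Object -Unique

# 4. Report the overlap. An account only in the first list can add/remove
#    directory users without any access to subscription resources; an account
#    in both administers the directory and the subscription and deserves the
#    closest review.
[PSCustomObject]@{
    DirectoryGlobalAdminsOnly = @($globalAdmins | Where-Object { $_ -notin $subAdmins })
    SubscriptionAdminsOnly    = @($subAdmins    | Where-Object { $_ -notin $globalAdmins })
    Both                      = @($globalAdmins | Where-Object { $_ -in    $subAdmins })
}
```

The report is what a defender typically wants from this distinction: Global Administrator membership is a directory-wide privilege that survives any individual subscription, so it is reviewed on its own rather than inferred from who owns a subscription.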


!includeurl http://skysigal.com/_media/resources/configuration/plantuml/default.txt

class O365
class "Visual Studio" as VS

class "Azure AD" as AAD
class "Cloud Identity" as CI
class "Synchronized Identity" as SI
class "Federated Identity" as FI

O365 -DOWN-> AAD
VS -DOWN-> AAD

AAD -DOWN- CI
AAD -DOWN- SI
AAD -DOWN- FI

CI -[Hidden]RIGHT- SI
SI -[Hidden]RIGHT- FI

note as N1
Provides Web based
"Single Sign On" to
Web Apps and
On-Prem modern apps
endnote


note as N2
Uses AD Connect to
Sync pwds.
"Shared Sign On" to:
* Web based "Single Sign On"
to Web and modern desktop apps
* Legacy On-Prem "Single Sign On".
endnote

note as N3
Uses Federation to
Provide "Single Sign On" (SSO)
experience across both
On-Prem and Web
endnote

N1 .UP. CI
N2 .UP. SI
N3 .UP. FI

* Advantages:

  • It will never go down. Replicated on 28 Data Centers.
  • Can integrate and sync onsite users/passwords with Azure Active Directory.
  • 3500 apps already federated…and you can add your app.
  • Features:
    • Controllable using IT:AD:Powershell
    • Device Registration
    • Access portal for SSO-based user access to
    • Self-service password reset/change
    • Azure AD Connect - for syncing on-premises to Azure Active Directory
    • Standard security reports for overview picture of environment.
    • B2B Collaboration (in preview)
    • Group based application management and provisioning (not in free)
    • Application Proxy: Secure remote access and SSO to on-premises websites. ⇐ ?
  • Premium edition:
    • Self service group management
    • Microsoft Identity Manager (MIM) user licenses - for on-premises identity and access management.
    • Azure AD Connect Health: Monitor on-site AD infrastructure.

* Considerations:

  • Must be a Windows 10 device in order to join Windows InTune, which is how you set up Policies (the equivalent of AD domain policies).

* Lets you join an Azure VM to a Domain without the need to deploy domain controllers.
  • Users sign in to these VMs using corp AD.
  • Tip: use Groups to control access to which

The feature is that it gives Azure AD the ability to control Kerberos-based devices (internal).
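The domain-join step and the tip about using Groups, carried through on the VM itself, as an added PowerShell example that is not part of the original page. The domain name and group names are placeholders; it assumes the VM can already resolve the managed domain and is run from an elevated session.

```powershell
# Added example (not from the original wiki page). Joins an Azure VM to the
# domain and then controls who may sign in through domain groups rather than
# individual accounts. Domain and group names are placeholders.

$DomainName = 'contoso.example'              # placeholder: DNS name of the managed domain
$RdpGroup   = "$DomainName\vm-app01-rdp"     # placeholder: group allowed interactive logon
$AdminGroup = "$DomainName\vm-app01-admins"  # placeholder: smaller group allowed local admin

# --- Phase 1: join the domain. Prompts for an account allowed to join machines,
#     then restarts the VM. No domain controller has to be deployed by you.
Add-Computer -DomainName $DomainName -Credential (Get-Credential) -Restart

# --- Phase 2: after the restart, signed in as an administrator of the VM.

# Grant Remote Desktop logon to a domain group, not to named users.
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $RdpGroup

# Keep local administration on a separate, smaller domain group (least privilege).
Add-LocalGroupMember -Group 'Administrators' -Member $AdminGroup

# Review the result. Access is now changed by editing group membership in the
# directory; the VM itself no longer needs per-user changes.
foreach ($group in 'Remote Desktop Users', 'Administrators') {
    Get-LocalGroupMember -Group $group |
        Select-Object @{ Name = 'LocalGroup'; Expression = { $group } }, Name, PrincipalSource
}
```

Phase 1 ends with a restart, so the two phases are run as separate sessions; keeping sign-in rights on groups means a leaver is removed from one group in the directory and loses access to every VM at once.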