IT:AD:Azure:Active Directory (AD)

An IT:AD:Azure:Account may be made an AD directory's Global Administrator. That is a directory (tenant) role and is distinct from the subscription-level Service Administrator and Service Co-Administrator roles: a Global Administrator has no rights over subscription resources by default. Treat the role as at least as sensitive, though, because a Global Administrator can elevate their own access to User Access Administrator at the root scope and from there grant rights over every subscription that trusts the directory.

Relationship to Azure Subscriptions

It is really important to understand how the AD Service differs from all other Azure Resources/Services. See:

Whereas every other Resource/Service is 'owned' by an IT:AD:Azure:Subscription, a subscription does not own its directory: an IT:AD:Azure:Subscription only has a trust relationship with an Azure AD directory (tenant), which it uses to authenticate users and evaluate role assignments. Many subscriptions can trust the same directory, and a subscription can be re-pointed to trust a different one.
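To make the distinction concrete, the following PowerShell is an added example (not from the original page): it lists which directory each subscription trusts, then compares the subscription-scoped classic administrators with the directory-scoped Global Administrators. It assumes the Az and AzureAD modules are installed, that you sign in interactively, and that `<subscription name or id>` is a placeholder you replace.

```powershell
# Added example: subscription <-> directory trust and the two administrator populations.
# Assumes the Az and AzureAD modules are installed; the Connect-* cmdlets prompt for sign-in.
Connect-AzAccount | Out-Null
Connect-AzureAD   | Out-Null

# 1. A subscription does not own a directory; it trusts one. TenantId is that directory.
Get-AzSubscription | Select-Object Name, Id, TenantId | Format-Table -AutoSize

# 2. Classic Service Administrator / Co-Administrator are subscription-scoped.
#    Replace the placeholder with a real subscription name or id.
Set-AzContext -Subscription '<subscription name or id>' | Out-Null
$classicAdmins = Get-AzRoleAssignment -IncludeClassicAdministrators |
    Where-Object { $_.RoleDefinitionName -match 'ServiceAdministrator|CoAdministrator' }
$classicAdmins | Select-Object SignInName, RoleDefinitionName | Format-Table -AutoSize

# 3. Global Administrator is directory-scoped (older AzureAD module versions display it
#    as 'Company Administrator', so match both names).
$gaRole = Get-AzureADDirectoryRole |
    Where-Object { $_.DisplayName -in 'Global Administrator', 'Company Administrator' }
$globalAdmins = Get-AzureADDirectoryRoleMember -ObjectId $gaRole.ObjectId
$globalAdmins | Select-Object DisplayName, UserPrincipalName | Format-Table -AutoSize

# 4. Directory admins who hold no classic role on this subscription. They still matter:
#    a Global Administrator can elevate to User Access Administrator at the root scope and
#    grant themselves (or anyone) rights over every subscription that trusts this directory.
$globalAdmins |
    Where-Object { $_.UserPrincipalName -notin $classicAdmins.SignInName } |
    Select-Object DisplayName, UserPrincipalName
```

The last list is the one to review: those accounts never show up in a subscription's access control view, yet they are one elevation step away from owning it.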

The above means:

Identity Management

[Figure: identity models for O365, Visual Studio and Azure AD. The recoverable content of the diagram:]

  • Cloud Identity: provides web-based "Single Sign On" to web apps and on-prem modern apps.
  • Synchronized Identity: uses AD Connect to sync passwords; "Shared Sign On" to web-based "Single Sign On" for web and modern desktop apps, plus legacy on-prem "Single Sign On".
  • Federated Identity: uses federation to provide a "Single Sign On" (SSO) experience across both on-prem and web.
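The three models above can be told apart from the tenant itself. The following PowerShell is an added example (not from the original page) that reports whether AD Connect is synchronizing, classifies each verified domain as federated, synchronized or cloud-only, and counts users by origin. It assumes the MSOnline module (`Connect-MsolService`) and an account with directory read rights.

```powershell
# Added example: classify the tenant's identity model(s) and confirm sync status.
# Assumes the MSOnline module is installed; Connect-MsolService prompts for sign-in.
Connect-MsolService

$company = Get-MsolCompanyInformation

# Synchronized identity: AD Connect writes objects (and optionally password hashes) into the tenant.
[pscustomobject]@{
    DirectorySyncEnabled = $company.DirectorySynchronizationEnabled
    LastDirSyncTime      = $company.LastDirSyncTime
    PasswordHashSync     = $company.PasswordSynchronizationEnabled
    LastPasswordSyncTime = $company.LastPasswordSyncTime
}

# Each verified domain is either Managed (cloud or synchronized identity) or Federated.
foreach ($domain in Get-MsolDomain | Where-Object Status -eq 'Verified') {
    if ($domain.Authentication -eq 'Federated') {
        # Federated identity: Azure AD redirects sign-in to the on-prem STS (typically AD FS).
        # If that endpoint is down, cloud sign-in for the whole domain is down with it.
        $fed = Get-MsolDomainFederationSettings -DomainName $domain.Name
        "{0,-30} Federated   STS: {1}" -f $domain.Name, $fed.PassiveLogOnUri
    }
    elseif ($company.DirectorySynchronizationEnabled) {
        "{0,-30} Managed (synchronized identity; password hash sync = {1})" -f `
            $domain.Name, $company.PasswordSynchronizationEnabled
    }
    else {
        "{0,-30} Managed (cloud-only identity)" -f $domain.Name
    }
}

# Sync is a tenant-wide switch, so a 'synchronized' tenant can still hold cloud-only accounts.
# Per user: synced objects carry an ImmutableId (the on-prem objectGUID); cloud-only ones do not.
Get-MsolUser -All |
    Group-Object { if ($_.ImmutableId) { 'Synchronized' } else { 'Cloud-only' } } |
    Select-Object Name, Count
```

Cloud-only accounts in an otherwise synchronized tenant are worth a second look: they bypass on-prem password policy and deprovisioning, and they are where stale admin accounts tend to accumulate.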



  • Advantages:
    • Highly available: replicated across 28 data centers (at the time of writing), so there is no directory infrastructure of your own to keep up.
    • Can integrate and sync on-site users/passwords (password hashes) with Azure Active Directory.
    • 3500 apps already federated/pre-integrated in the application gallery, and you can add your own app.
    • Features:
      • Controllable using IT:AD:Powershell
      • Device Registration
      • Access panel (portal) for SSO-based user access to assigned applications
      • Self-service password reset/change
      • Azure AD Connect - for syncing on-premises AD to Azure Active Directory
      • Standard security reports for an overview picture of the environment (e.g. sign-ins from anonymous IP addresses, irregular sign-in activity).
      • B2B Collaboration (in preview at the time of writing)
      • Group-based application management and provisioning (not in the free edition)
      • Application Proxy: secure remote access and SSO to on-premises web applications. The connector runs on-premises and makes only outbound connections to Azure, so no inbound firewall ports need to be opened.
    • Premium edition:
      • Self-service group management
      • Microsoft Identity Manager (MIM) user licenses - for on-premises identity and access management.
      • Azure AD Connect Health: monitor on-site AD infrastructure (AD FS, AD Connect sync, domain controllers).
  • Considerations:
    • Azure AD Join requires Windows 10 or later; device policy is then applied through Microsoft Intune (MDM), the cloud counterpart of AD domain Group Policy.

Azure AD Domain Services for Hybrid

  • Lets you join Azure VMs to a managed domain without the need to deploy and patch your own domain controllers.
  • Users sign in to those VMs with their corporate AD credentials. The managed domain needs the Kerberos/NTLM password hashes: synced users need AD Connect configured to sync them, and cloud-only users must change their password once after the domain is created so the hashes are generated.
  • Tip: use groups to control which users get access to which VMs.

The key feature is that it gives Azure AD-backed identities the ability to support Kerberos-based (internal, Windows-integrated) authentication, plus LDAP and Group Policy, so domain join and legacy applications work in Azure without your own domain controllers.
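The following PowerShell is an added example (not from the original page) of the procedure above, run from inside an Azure VM: it checks that the VM can locate and reach the managed domain, joins it, and then grants sign-in by group rather than by individual user. The domain name `aaddscontoso.com`, its NetBIOS name `AADDSCONTOSO` and the group `VM-RDP-Users` are illustrative placeholders; `AAD DC Administrators` is the management group Azure AD Domain Services creates.

```powershell
# Added example: verify reachability, join an Azure VM to the managed domain, restrict sign-in.
# Run in an elevated PowerShell on the VM. Domain, NetBIOS name and group are placeholders.
$domain  = 'aaddscontoso.com'
$netbios = 'AADDSCONTOSO'

# 1. The VM's virtual network must use the managed domain's DNS servers; otherwise the
#    domain controllers cannot be located and Add-Computer fails before it even authenticates.
$dcs = Resolve-DnsName -Name $domain -Type A -ErrorAction Stop
$dcs | Select-Object Name, IPAddress

# 2. Check the ports the join and Kerberos sign-in depend on: 88 (Kerberos), 389 (LDAP), 445 (SMB).
#    A network security group that blocks any of these produces confusing 'domain not found' errors.
foreach ($dc in $dcs.IPAddress) {
    foreach ($port in 88, 389, 445) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        "{0}:{1} {2}" -f $dc, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}

# 3. Join with an account that is a member of 'AAD DC Administrators'. In a managed domain you
#    do not get Domain Admins / Enterprise Admins; that group is the delegated management boundary.
#    The VM restarts here, so step 4 runs after the reboot.
Add-Computer -DomainName $domain `
             -Credential (Get-Credential -Message "Member of AAD DC Administrators in $domain") `
             -Restart

# 4. After the reboot: grant interactive sign-in to an AD group instead of individual users.
#    Membership is then managed centrally (in Azure AD, synced into the managed domain).
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member "$netbios\VM-RDP-Users"
```

Keep the join account's membership in `AAD DC Administrators` temporary: that group can manage Group Policy and DNS for the whole managed domain, which is far more than a VM join needs.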