Active Directory (AD) is the Microsoft brand for identity-related capabilities. In the on-premises world, AD provides a set of identity capabilities and services and is hugely popular (88% of the Fortune 1000 and 95% of enterprises use AD). Azure Active Directory (Azure AD) is AD reimagined for the cloud, designed to solve the new identity and access challenges that come with the shift to a cloud-centric, multi-tenant world.
Azure AD can therefore be seen as an Identity Management as a Service (IdMaaS) multi-tenant cloud service. This document is intended for IT professionals, system architects, and developers who want to understand the options for managing and using identities in their (hybrid) cloud environment based on the Azure AD offerings, and how to leverage the related capabilities.
Table of Contents
Objectives of this paper 4
Non-objectives of this paper 5
Organization of this paper 5
About the audience 5
What is Azure AD? 6
Editions of Azure AD 9
Anatomy of Azure AD 15
Creating multiple directories in Azure AD 24
Deleting a specific directory in Azure AD 27
Managing directory configuration 29
Extending your on-premises identity infrastructure with Azure 29
Managing the Internet domains for your directory 33
Synchronizing your directory with the on-premises directories 37
Federating your directory with the on-premises directories 51
Many applications, one identity repository 60
Discovering all cloud applications in use within your organization 60
Leveraging pre-integrated popular SaaS applications 64
"Bringing Your Own Application" (BYOA) 71
Accessing your on-premises web applications on the Internet 83
Providing identity and access management to (your) modern business applications 90
Managing access to applications 93
Assigning/Removing users 93
Using groups to control access 96
Leveraging dynamic groups 97
Registering the devices 98
Using Conditional Access Control 102
Monitoring and protecting access to applications and beyond 105
Monitoring security reports and blocking users 105
Using Azure Multi-Factor Authentication 109
Leveraging the Privileged Identity Management service 110
Empowering users 116
Using the Azure AD Access Panel 116
Editing the profile settings for the users 117
Self-service password reset for cloud users 119
Self-service group management for users 123
Accessing applications from the Azure AD Access Panel 125
Self-service for application access 128
Customizing the Azure AD Access Panel (and the Sign-in page) 130
Using the “My Apps” mobile applications 134
The cloud is changing the way in which applications are written. Accelerated market cycles, multi-tenancy, pure cloud solutions and hybrid deployments, web programmability, and the rise of devices (smartphones, tablets, etc.) as well as rich clients as consumption models undoubtedly offer new opportunities.
At the same time, modern business applications[1] present new challenges for the key services, both on-premises and through the (hybrid) cloud, that represent identity management, provisioning, role management, and authentication:
- The "Bring Your Own Apps" (BYOA) trend for cloud and Software-as-a-Service (SaaS) applications,
- The desire to collaborate better, à la Facebook, within the "social" enterprise,
- The need to support and integrate with social networks, which leads to a "Bring Your Own Identity" (BYOI) trend,
- Identity becoming a service, where identity "bridges" in the cloud "talk" to on-premises directories, or the directories themselves move to and/or are located in the cloud (see the Gartner report 2013 Planning Guide: Identity and Privacy[2]).
Identity, like compute, storage and networking, is an essential platform service. In the same way that identity played a critical role in the adoption of workgroup computing, identity services will play a critical role as organizations adopt the cloud. Organizations will use cloud services and applications created by ISVs, Platform-as-a-Service (PaaS) cloud platforms for Line-of-Business (LOB) custom development, and Infrastructure-as-a-Service (IaaS) cloud environments for specific workloads, or parts of them, to onboard the cloud for IT optimization reasons.
Kim Cameron, Microsoft Chief Identity Architect, is convinced[3] that “organizations will find they need new identity management capabilities to take full advantage of the cloud. They will also find that the most reliable and cost-effective way to obtain these capabilities is through Identity Management as a Service – i.e. using the cloud to master the cloud.
We can therefore predict with certainty that almost all organizations will subscribe to identity services that are cheaper, broader in scope and more capable than the systems of today.
Enterprises will use these services to manage authentication and authorization of internal employees, the supply chain, and customers (including individuals), leads and prospects. Governments will use them when interacting with other government agencies, enterprises and citizens.
Identity Management as a Service will require that we move beyond the models of identity management that have guided our thinking to date. A new service-based model will emerge combining more advanced capabilities with externalization of operations to achieve reduction in risk, effort and cost."