Azure AD — Almost all you need to know
B2B, B2C, Conditional Access, Azure AD Connect, Hybrid Identities, MFA, Identity Protection and lots more!
Azure Active Directory (Azure AD) is Microsoft’s cloud-based Identity and Access management (IAM) service, which helps your employees sign in and access resources in:
- External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications.
- Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organization.
The above image shows an Azure AD instance with Azure AD Connect enabled (more on this later) and its various components. An Azure AD instance contains an overview of users, groups, devices, enterprise applications, app registrations, application proxy, among other things.
Before we go further, let’s clear up some terminology:
- Identity — A thing that can get authenticated. It can be a user, but also applications and services.
- Account — An identity that has data associated with it. You cannot have an account without an identity.
- Azure AD account — An identity created through Azure AD or another Microsoft cloud service, such as Office 365.
- Azure tenant / Azure AD tenant — A dedicated and trusted instance of Azure AD that’s automatically created when your organization signs up for a Microsoft cloud service subscription, such as Microsoft Azure, Microsoft Intune, or Office 365. An Azure tenant represents a single organization.
- Azure AD directory — Each Azure tenant has a dedicated and trusted Azure AD directory. The Azure AD directory includes the tenant’s users, groups, and apps.
- Azure subscription — Used to pay for Azure cloud services. You can have many subscriptions and they’re linked to a credit card. Multiple subscriptions can trust the same Azure AD directory. Each subscription can only trust a single directory.
- Azure AD Global administrator — This administrator role is automatically assigned to whoever created the Azure AD tenant. Global administrators can do all of the administrative functions for Azure AD and any services that federate to Azure AD. You can have multiple Global administrators, but only Global administrators can assign administrator roles (including assigning other Global administrators) to users.
- Single tenant — Azure tenants that access other services in a dedicated environment are considered single tenant.
- Multi-tenant — Azure tenants that access other services in a shared environment, across multiple organizations, are considered multi-tenant.
- Custom domain — Every new Azure AD directory comes with an initial domain name, domainname.onmicrosoft.com. Adding custom domain names helps you to create user names that are familiar to your users, such as email@example.com.
- Owner — This role helps you manage all Azure resources, including access.
You can deploy enterprise applications as well as custom applications into an Azure AD tenant using Azure Active Directory as your identity provider. That means you don’t have to build extra IAM capability into your apps and can concentrate on delivering business value instead of spending your time on undifferentiated heavy lifting like IAM.
Custom applications can be registered using the App registrations blade.
Note: You can decide whether all users are allowed to register custom applications by going into the User settings blade and editing the App registration radio box.
Further, permissions for your custom application APIs can be provided through the API permissions blade.
Azure AD Connect
Azure AD Connect is the tool used to provide or enable hybrid identity: a common user identity for authentication and authorization to all resources, regardless of location, i.e. the same credentials can be used for Azure and on-premises resources. It consists of the following:
- Synchronization — Responsible for synchronizing users, groups, and other objects between your on-premise Active Directory and Azure AD.
- Health Monitoring — Azure AD Connect Health provides monitoring of the whole synchronization infrastructure and provides a central location in the Azure portal to view this activity.
Important: Azure AD Connect is only supported on Windows Server 2012 R2 and up.
It requires a SQL Server Database to store identities.
Staging mode can be used for HA — High availability or other scenarios where you want to introduce a new server and decommission the old one. In staging mode, the synchronization doesn’t export any data to Azure; however, all changes are still synced locally. In a disaster recovery scenario, this server could be used as a backup and taken out of staging mode when necessary.
- Federation integration — Federation is an optional part of Azure AD Connect and can be used to configure a hybrid environment using an on-premises AD FS infrastructure. AD FS stands for Active Directory Federation Services and this option requires a lot of extra infrastructure, e.g. 2 or 3 AD FS servers for high availability and a Web Application Proxy for external access. This option also doesn’t support seamless single sign-on.
- Password hash synchronization — A sign-in method that synchronizes a hash of a hash of the user’s on-premises AD password with Azure AD. This option requires no extra infrastructure. However, since moving passwords, even as a hash of a hash, outside of your premises is a security risk, this option is not considered very safe.
- Pass-through authentication — A sign-in method that allows users to use the same password on-premises and in the cloud, but doesn’t require the additional infrastructure of a federated environment. It only requires outbound connectivity from the on-premises authentication agent. It provides seamless single sign-on, however it is not integrated with Azure AD Connect Health.
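The “hash of a hash” in the Password hash synchronization bullet above, as an added Python example that is not Azure AD Connect’s own code: it follows Microsoft’s public description of password hash synchronization (expand the 16-byte NT hash to 64 bytes via its hex string re-encoded as UTF-16, add a 10-byte per-user salt, then run 1000 iterations of PBKDF2-HMAC-SHA256). The NT hash value is a constructed placeholder, and the uppercase hex and 32-byte output length are assumptions of this example. What it shows is what actually leaves the premises: a salted, iterated derivative, not the NT hash itself.

```python
import hashlib
import hmac
import os

# Constructed placeholder for the 16-byte NT hash (MD4 of the UTF-16LE password) that
# on-premises Active Directory already stores; a real value comes from the domain controller.
NT_HASH = bytes.fromhex("0123456789ABCDEF0123456789ABCDEF")

PBKDF2_ITERATIONS = 1000   # HMAC-SHA256 iteration count in Microsoft's description of PHS
SALT_LENGTH = 10           # per-user salt length in Microsoft's description of PHS
DERIVED_LENGTH = 32        # output length (assumption of this example)


def expand_nt_hash(nt_hash: bytes) -> bytes:
    """Widen the 16-byte NT hash to 64 bytes: its hex string, re-encoded as UTF-16LE.
    Uppercase hex is an assumption of this example."""
    if len(nt_hash) != 16:
        raise ValueError("an NT hash is exactly 16 bytes")
    return nt_hash.hex().upper().encode("utf-16-le")


def new_salt() -> bytes:
    """Fresh per-user salt, generated on the sync server."""
    return os.urandom(SALT_LENGTH)


def derive_synced_hash(nt_hash: bytes, salt: bytes) -> bytes:
    """The 'hash of a hash': PBKDF2-HMAC-SHA256 over the expanded NT hash with a per-user salt.
    This derived value (plus the salt) is what gets synchronized; the NT hash itself is not."""
    if len(salt) != SALT_LENGTH:
        raise ValueError(f"salt must be {SALT_LENGTH} bytes")
    return hashlib.pbkdf2_hmac("sha256", expand_nt_hash(nt_hash), salt,
                               PBKDF2_ITERATIONS, dklen=DERIVED_LENGTH)


def verify_cloud_password(nt_hash: bytes, salt: bytes, stored: bytes) -> bool:
    """Cloud-side check: rerun the derivation on the hash of the presented password
    and compare against the stored value in constant time."""
    return hmac.compare_digest(derive_synced_hash(nt_hash, salt), stored)


if __name__ == "__main__":
    salt = new_salt()
    synced = derive_synced_hash(NT_HASH, salt)
    print("salt:        ", salt.hex())
    print("synced value:", synced.hex())
    print("verifies:    ", verify_cloud_password(NT_HASH, salt, synced))
```

Because the salt is per user and the derivation is iterated, two users with the same on-premises password sync different values, and the synced value cannot be turned back into the NT hash that on-premises AD accepts.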
Following is a decision tree provided by Microsoft to help you decide which authentication method to use:
Details on decision questions:
- Azure AD can handle sign-in for users without relying on on-premises components to verify passwords.
- Azure AD can hand off user sign-in to a trusted authentication provider such as Microsoft’s AD FS.
- If you need to apply user-level Active Directory security policies such as account expired, disabled account, password expired, account locked out, and sign-in hours on each user sign-in, Azure AD requires some on-premises components.
- Sign-in features not natively supported by Azure AD:
- Sign-in using smartcards or certificates.
- Sign-in using on-premises MFA Server.
- Sign-in using third-party authentication solution.
- Multi-site on-premises authentication solution.
External Identities allow people outside your organization to access your apps and resources, while letting them sign in using whatever identity they prefer. Azure AD supports a variety of scenarios from business-to-business (B2B) collaboration to app development for customers and consumers (business-to-consumer, or B2C).
Azure AD B2B
This functionality allows you to invite external users into your own AD tenant as “guest” users that you can assign permissions to (for authorization) while allowing them to use their existing credentials (for authentication). You can invite a guest user by selecting “New Guest User” in the Users blade.
This invited guest then has to accept the invitation and consent to their name, email address and photo being read, and that’s it! The invited guest can then access the applications in the “My Apps” portal that they have been granted access to.
Azure AD B2C
Azure AD B2C provides the following features:
- Securely authenticate your customers using their favorite identity provider (Google, Facebook, Amazon etc.)
- Capture login, preferences and conversion data for the customers.
- Provide completely customized and branded registration and login experience
The first step to using Azure AD B2C is to create an AD tenant that is used specifically for B2C. An Azure AD B2C tenant is different from an Azure Active Directory tenant. The primary resources you work with in an Azure AD B2C tenant are: the directory (user data), application registrations (your customer-facing applications), identity providers (Facebook, Google etc.) and user flows (policies).
User flows represent how you design your users’ authentication experience, like sign-up, sign-in etc.
The aim of authentication is to verify your credentials. Azure AD authentication includes the following components:
- Azure Multi-Factor Authentication (MFA) — Instead of just asking you for a password (something you know), it additionally authenticates you with something you have (phone) or something you are (fingerprint scan). For example, the following image shows how Microsoft authenticates you with your phone (something you have) by sending you a code or calling you.
- Hybrid integration to write password changes back to on-premises environment and enforce password protection policies for an on-premises environment.
- Self-service password reset — Allows you to change your password, reset it in case you forgot it or to unlock your account.
MFA can be enabled per user, using Conditional Access policies or Identity Protection. You can decide which verification methods are going to be available to the users, e.g. call/text to phone, notification/verification code etc. You can also configure certain IPs as trusted and thus exempt from MFA verification. Further, it’s possible to allow your users to create app passwords for accessing non-browser apps.
Conditional Access policies at their simplest are if-then statements: if a user wants to access a resource, then they must complete an action. For example, there are baseline policies requiring MFA for admins. You can use Named locations to give names to IP ranges or countries/regions and, if needed, add them as trusted locations. These names can then be used in your Conditional Access policies.
A policy consists of:
- Assignments — This contains the users and groups and the cloud apps to which this policy should apply, under conditions such as device platform, locations (named locations) etc.
- Access controls — If the above conditions are met, what action should be taken. For example, you can decide to grant access but only with MFA.
Identity Protection is a tool that allows organizations to accomplish three key tasks:
- Automate the detection and remediation of identity-based risks.
- Investigate risks using data in the portal.
- Export risk detection data to third-party utilities for further analysis.
There are two types of risk: User and Sign-in and two types of detection or calculation: Real-time and Offline. A user risk represents the probability that a given identity or account is compromised whereas a sign-in risk represents the probability that a given authentication request isn’t authorized by the identity owner.
For detection and remediation, it is recommended that you configure three policies: MFA registration policy (requiring MFA registration at sign-in), user risk policy (if a user has been compromised, require a password change) and sign-in risk policy (if there is a considerable risk, require MFA).
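The if-then logic of Conditional Access described above (assignments and conditions on one side, an access control on the other, with named locations marked trusted and exempt from MFA) together with the user risk and sign-in risk policies recommended for Identity Protection, as an added Python example. This is an educational evaluator written for this page, not Azure AD’s engine or the Microsoft Graph policy schema; the location names, IP ranges, user names and policy set are constructed sample values, and the rule that “block” overrides any other control is an assumption that mirrors how Azure AD resolves conflicting policies.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set

# Named locations: friendly names for IP ranges, optionally marked as trusted.
# The names and ranges below are constructed sample values, not real tenant data.
NAMED_LOCATIONS = {
    "HQ office": {"ranges": ["203.0.113.0/24"], "trusted": True},
    "Branch VPN": {"ranges": ["198.51.100.0/25"], "trusted": False},
}

# Identity Protection risk levels, ordered so a policy can say "medium and above".
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass
class SignIn:
    """One authentication request, with the risk levels Identity Protection would attach."""
    user: str
    app: str
    ip: str
    roles: Set[str] = field(default_factory=set)
    sign_in_risk: str = "none"   # probability this request is not by the identity owner
    user_risk: str = "none"      # probability the account itself is compromised


@dataclass
class Policy:
    """Assignments (who, which apps, under which conditions) plus one access control."""
    name: str
    users: Set[str] = field(default_factory=set)   # {"All"} or user names
    roles: Set[str] = field(default_factory=set)   # directory roles in scope
    apps: Set[str] = field(default_factory=set)    # {"All"} or app names
    exclude_trusted_locations: bool = False
    min_sign_in_risk: Optional[str] = None
    min_user_risk: Optional[str] = None
    grant: str = "mfa"   # "mfa", "password_change" or "block"


def location_of(ip: str):
    """Map a sign-in IP to (named location, trusted?) or (None, False) if unnamed."""
    addr = ipaddress.ip_address(ip)
    for name, loc in NAMED_LOCATIONS.items():
        if any(addr in ipaddress.ip_network(r) for r in loc["ranges"]):
            return name, loc["trusted"]
    return None, False


def policy_applies(policy: Policy, s: SignIn) -> bool:
    """The 'if' half: every assignment and condition must match."""
    in_scope_user = ("All" in policy.users or s.user in policy.users
                     or bool(policy.roles & s.roles))
    in_scope_app = "All" in policy.apps or s.app in policy.apps
    if not (in_scope_user and in_scope_app):
        return False
    _, trusted = location_of(s.ip)
    if policy.exclude_trusted_locations and trusted:
        return False
    if policy.min_sign_in_risk and RISK_ORDER[s.sign_in_risk] < RISK_ORDER[policy.min_sign_in_risk]:
        return False
    if policy.min_user_risk and RISK_ORDER[s.user_risk] < RISK_ORDER[policy.min_user_risk]:
        return False
    return True


def evaluate(s: SignIn, policies) -> Set[str]:
    """The 'then' half: collect controls from every matching policy; block takes precedence."""
    controls = {p.grant for p in policies if policy_applies(p, s)}
    if "block" in controls:
        return {"block"}
    return controls or {"allow"}


# Sample policy set mirroring the text: MFA for admins, MFA outside trusted locations,
# and the two Identity Protection risk policies (constructed for this example).
POLICIES = [
    Policy("Require MFA for admins", roles={"Global administrator"}, apps={"All"}, grant="mfa"),
    Policy("Require MFA outside trusted locations", users={"All"}, apps={"All"},
           exclude_trusted_locations=True, grant="mfa"),
    Policy("Sign-in risk: MFA at medium and above", users={"All"}, apps={"All"},
           min_sign_in_risk="medium", grant="mfa"),
    Policy("Sign-in risk: block at high", users={"All"}, apps={"All"},
           min_sign_in_risk="high", grant="block"),
    Policy("User risk: password change at high", users={"All"}, apps={"All"},
           min_user_risk="high", grant="password_change"),
]

if __name__ == "__main__":
    samples = [
        SignIn("alice", "Office 365", "203.0.113.10"),
        SignIn("alice", "Office 365", "198.51.100.20"),
        SignIn("bob", "Azure portal", "203.0.113.10", roles={"Global administrator"}),
        SignIn("alice", "Office 365", "203.0.113.10", user_risk="high"),
        SignIn("alice", "Office 365", "203.0.113.10", sign_in_risk="high"),
    ]
    for s in samples:
        print(s.user, s.ip, location_of(s.ip)[0], "->", sorted(evaluate(s, POLICIES)))
```

Running it shows the behaviour the text describes: a regular user from the trusted HQ range is allowed without MFA, the same user from the untrusted VPN range gets MFA, a Global administrator gets MFA even from a trusted location because the admin policy has no location exclusion, high user risk forces a password change, and high sign-in risk is blocked even though the medium-risk MFA policy also matched.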
Privileged Identity Management
Privileged Identity Management provides time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused access permissions. It provides just-in-time privileged access to Azure AD and Azure resources. Just-in-time here means that the access is time-bound (maximum activation duration) and given on the fly.
It can require approval to activate PIM-eligible roles. Thus if you need a role, you request that role with a reason/justification. The approver receives a notification regarding the request and can approve or deny it, giving a reason/justification.
Another great feature is you can schedule access reviews where you decide who still needs what role and what roles/permissions should be rescinded.
- Free: user and group management, on-premises directory synchronization, self-service password change for cloud users, and single sign-on across Azure, Office 365, and many popular SaaS apps.
- Premium P1: Free features + hybrid users can access both on-premises and cloud resources. It also includes self-service group management, Microsoft Identity Manager (an on-premises identity and access management suite) and cloud write-back capabilities.
- Premium P2: P1 features + Identity Protection to help provide risk-based Conditional Access to your apps and critical company data and Privileged Identity Management to help discover, restrict, and monitor administrators and their access to resources and to provide just-in-time access when needed.
- “Pay as you go” feature licenses: Additional feature licenses like B2C (Business to Customer) which provides identity and access management solutions for your customer-facing apps.
You gotta know!
- You can’t use on-prem MFA infrastructure if you are using the Password hash sync option for Azure AD Connect. The only option in that case would be Azure AD MFA.
- If your subscription expires, you lose access to all the other resources associated with the subscription.
- Moving your Azure Kubernetes Service (AKS) cluster to a different subscription, or moving the cluster-owning subscription to a new tenant, causes the cluster to lose functionality due to lost role assignments and service principal’s rights.
- When you associate a subscription to a different directory, users that have roles assigned using RBAC lose their access. Classic subscription administrators, including Service Administrator and Co-Administrators, also lose access. Policy Assignments are also removed from a subscription when the subscription is associated with a different directory.