Microsoft Azure AD

Azure Active Directory (Azure AD) is the cornerstone that powers many of Microsoft’s business cloud solutions. You may be using Azure Active Directory and not even know it. If you have Office 365, Dynamics 365 Online or Azure, you have Azure AD already.

What is Azure AD

Microsoft Azure Active Directory, usually shortened to Azure AD or sometimes AAD, is a multi-tenant, centralised management platform developed by Microsoft for users, devices and groups within Microsoft Azure. Azure AD provides a cloud-based identity that can be used both internally and externally: internally for things such as internally developed apps on a corporate network or other services that require authentication (for example Azure MFA), and externally for purposes such as Microsoft Office 365, Azure-based apps, SaaS applications or Azure MFA when the user is not on the corporate network.

Azure Active Directory can be used independently to build your infrastructure with “cloud objects”. However, as Azure AD is not a replacement for Windows Server AD, should you already have an on-premises AD it can be extended to the cloud using Microsoft’s Azure Active Directory Connect (‘AD Connect’, previously known as DirSync), which provides “synchronised objects”.

Proxar IT Consulting have experience not only in configuration for brand new businesses but also for businesses with existing infrastructures who want to start using Azure AD with Azure AD Connect.  The benefits to a business that wishes to use Azure and Microsoft Office 365 products with a single username and password, rather than different credentials for multiple applications, are not only less management but also (and more importantly) a better user experience.

Proxar IT Consulting are Gold Microsoft Partners and are strongly focused on Cloud Migrations to Azure/Office 365, so much so that we have a dedicated department, all of whom are Microsoft Certified Engineers who specialise in this field.  Proxar IT Consulting can give you full confidence knowing we do this on a regular basis and can deliver a seamless and organised experience.

Hybrid Azure AD
Hybrid Azure AD provides a mechanism to connect your on-premises AD to Azure AD and synchronise objects.  When using Azure AD Connect, this provides easy centralised management which is controlled from a primary source (the on-premises AD) and is synced by default every 30 minutes to your Azure AD tenant.  In addition to syncing objects you can also configure devices for Hybrid Azure AD Join, which provides users with seamless SSO to Azure and Office 365 applications.
An Administrator can configure the following settings with the Azure AD Connect GUI:
Privacy Settings – Azure AD Health, to collect data to monitor and gain insights into your on-premises synchronisation services, and Application Telemetry, to collect anonymous data that helps Microsoft understand how you use Azure AD Connect
Current Configuration – A summary overview of the setup
Customise synchronisation – Option to change which OUs are synced and, should you have more than one, within which domains or directories
Configure device options – Device Registration (Hybrid Azure AD Join and synchronised device writeback)
Refresh directory schema – Update the schema for a directory to enable synchronisation of newly installed features
Configure staging mode – Results in no data changes being exported to Azure AD or back to the on-premises AD; password writeback and password hash synchronisation will also be disabled
Change user sign-in – Which sign-in method should be used (Password Hash Synchronisation, Pass-through Authentication, Federation with AD FS or Federation with PingFederate) or none configured at all.  You can also choose SSO
Configure Source Anchor – Change the Source Anchor from the AD attribute objectGUID to mS-DS-ConsistencyGuid
Manage Federation – Update the AD FS SSL certificate
Optional features – Exchange hybrid deployment, Exchange Mail Public Folders, Azure AD app and attribute filtering, password hash synchronisation, password writeback, group writeback, device writeback and directory extension attribute sync can all be set up here

Benefits of Azure AD

Global Availability – Microsoft’s service and handling runs from 28 different Data Centres around the world
Multiple Platform Functionality – Azure AD allows for multiple Domains to be used within your Azure
Integration with Windows Server AD – Azure AD Connect can be used to sync on-premise Windows AD with your Azure AD
Device registration – Devices can automatically be set to enrol and sync to Azure
SSO for Multiple Applications – Single-Sign on for integrated 3rd parties including SaaS and ADFS apps.
Self-Service Password – A dedicated Self-Service Password Portal
Azure Multi-Factor Authentication (MFA) – Microsoft’s own Azure Multi-Factor Authentication
Auditing – Custom Auditing for business needs
Security Monitoring and Alerting – Custom Security preferences and Alerts to specified Email Addresses

Conditional Access:

Conditional access is a set of policies which can ultimately grant or deny a user (or a group of users) access based upon the specified condition(s).

Conditional access works side-by-side with Azure and Office 365, and can therefore be assigned to cloud apps ranging from a single cloud app (such as OneDrive) to all Azure cloud apps.  The benefit of doing this is to prevent unauthorised access to platforms both internally and externally.  Policies can be based on the device platform (such as Android, iOS, Windows Phone, Windows or macOS), the location (i.e. is the sign-in coming from a trusted public IP), the access method (i.e. from a web browser or a mobile app) and the device state (i.e. is the device Hybrid Azure AD joined).

This is ideal for businesses who wish to allow some departments access to something and block for others, or safeguard company data by knowing it can only be accessed via a company device and not from a user’s personal device or from an internet cafe.

The Conditional Access configuration provides an easy-to-use tool to identify which policies have been applied for a given scenario, as well as a dedicated troubleshooting section that helps with Conditional Access issues such as misconfigured policies for an application, location-based conditional access problems, and policies that cannot be enforced because devices are not enrolled in Azure AD.  A few features are currently in preview but are likely to become permanent features in the future.

Azure AD MFA

Azure AD Multi-Factor Authentication (MFA) is Microsoft’s mechanism whose primary purpose is to protect your infrastructure from unauthorised access and hackers.
Azure AD MFA provides a two-step verification process which works by requiring two (or more) of the following authentication methods:
– Something you know (typically a password)

– Something you have (a trusted device that is not easily duplicated, like a phone)

– Something you are (biometrics)

The security of two-step verification means that even if an attacker manages to learn the user’s password, on its own it is useless without also having possession of the additional authentication method.
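The following is an added illustration for the Conditional Access section above and for the factor categories just listed; it is not Microsoft code and not from the Proxar page. It models a Conditional Access policy as a set of conditions (user groups, cloud apps, device platform, trusted-location IP ranges, client app type, Hybrid Azure AD join state) with a grant control of allow, block or require MFA, and treats "require MFA" as satisfied only when the presented credentials span at least two distinct categories (know, have, are). The trusted IP range, policy names, method names and sign-in events are all constructed for the example.

```python
"""Toy Conditional Access + MFA evaluator (added example, not Microsoft code)."""
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

# Constructed "named location": the organisation's trusted public egress range.
TRUSTED_IP_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 example range

# Category of each authentication method (method names constructed for the example).
FACTOR_CATEGORY = {
    "password": "know", "security_question": "know",
    "authenticator_app": "have", "sms_code": "have", "hardware_token": "have",
    "fingerprint": "are", "face": "are",
}


@dataclass
class SignIn:
    user: str
    groups: set
    app: str             # cloud app being accessed, e.g. "OneDrive"
    platform: str        # "Windows", "macOS", "iOS", "Android", "Windows Phone"
    client_app: str      # "browser" or "mobile"
    source_ip: str
    hybrid_joined: bool  # device state
    factors: tuple       # authentication methods presented so far


@dataclass
class Policy:
    name: str
    control: str                                   # "allow", "block" or "require_mfa"
    groups: set = field(default_factory=set)       # empty = all users
    apps: set = field(default_factory=set)         # empty = all cloud apps
    platforms: set = field(default_factory=set)    # empty = any platform
    client_apps: set = field(default_factory=set)  # empty = any client
    location: Optional[str] = None                 # None, "trusted" or "untrusted"
    hybrid_joined: Optional[bool] = None           # None = any device state


def is_trusted_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_IP_RANGES)


def satisfies_mfa(factors) -> bool:
    """True only when the presented methods span two or more distinct categories."""
    unknown = [f for f in factors if f not in FACTOR_CATEGORY]
    if unknown:
        raise ValueError(f"unregistered authentication method(s): {unknown}")
    return len({FACTOR_CATEGORY[f] for f in factors}) >= 2


def applies(p: Policy, s: SignIn) -> bool:
    """Every condition the policy specifies must match the sign-in."""
    if p.groups and not (p.groups & s.groups):
        return False
    if p.apps and s.app not in p.apps:
        return False
    if p.platforms and s.platform not in p.platforms:
        return False
    if p.client_apps and s.client_app not in p.client_apps:
        return False
    if p.location == "trusted" and not is_trusted_ip(s.source_ip):
        return False
    if p.location == "untrusted" and is_trusted_ip(s.source_ip):
        return False
    if p.hybrid_joined is not None and s.hybrid_joined != p.hybrid_joined:
        return False
    return True


def decide(policies, s: SignIn) -> str:
    """Block wins over any grant; MFA is demanded unless already satisfied."""
    matched = [p for p in policies if applies(p, s)]
    if any(p.control == "block" for p in matched):
        return "block"
    if any(p.control == "require_mfa" for p in matched):
        return "allow" if satisfies_mfa(s.factors) else "mfa_required"
    return "allow"


POLICIES = [  # constructed policies mirroring the scenarios in the text
    Policy("Block OneDrive from devices that are not Hybrid Azure AD joined",
           "block", apps={"OneDrive"}, hybrid_joined=False),
    Policy("Require MFA for any app from outside trusted locations",
           "require_mfa", location="untrusted"),
    Policy("Block Windows Phone for Finance", "block",
           groups={"Finance"}, platforms={"Windows Phone"}),
]


def run_demo():
    signins = {  # constructed sign-in events
        "alice": SignIn("alice", {"Finance"}, "OneDrive", "Windows", "browser",
                        "203.0.113.10", True, ("password",)),          # company device, on network
        "bob": SignIn("bob", {"Sales"}, "OneDrive", "Windows", "browser",
                      "198.51.100.7", False, ("password", "authenticator_app")),  # personal laptop
        "carol": SignIn("carol", {"Sales"}, "Exchange", "iOS", "mobile",
                        "198.51.100.7", False, ("password",)),          # off network, password only
        "dan": SignIn("dan", {"Sales"}, "Exchange", "iOS", "mobile",
                      "198.51.100.7", False, ("password", "sms_code")),  # off network, know + have
        "erin": SignIn("erin", {"Sales"}, "Exchange", "macOS", "browser",
                       "198.51.100.7", False, ("password", "security_question")),  # two "know"
        "frank": SignIn("frank", {"Finance"}, "Exchange", "Windows Phone", "mobile",
                        "203.0.113.5", True, ("password", "fingerprint")),  # blocked platform
    }
    return {name: decide(POLICIES, s) for name, s in signins.items()}


if __name__ == "__main__":
    for user, outcome in run_demo().items():
        print(f"{user:6} -> {outcome}")
```

The ordering in decide mirrors how a block control overrides any grant control; the erin case shows why the evaluator checks factor categories rather than simply counting methods, since a password plus a security question is still only "something you know".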

Azure AD MFA requires an active subscription which must include Azure Active Directory Premium or Microsoft 365 Business.
Also, Azure AD Global Administrators have a subset of Azure AD MFA capabilities available as a means to protect Global Administrator accounts if the licences above are not in place.

NOTE: Full use of the Azure Multi-Factor Authentication features with Conditional Access policies requires Azure MFA to be licensed.  The exceptions are if you use Azure AD Free or standalone Office 365 licences, or when a pre-created Conditional Access baseline protection policy is in use for your users and administrators.

We have a dedicated article on Azure MFA, in the link below, that goes into more detail about why Azure MFA is such a good option to improve overall security, how Azure MFA can be purchased and some things to look out for, which we have learnt when implementing Azure MFA for clients.

Azure MFA

New customers may no longer purchase Azure MFA as a standalone offering effective September 1st, 2018. MFA will continue to be an available feature in Azure AD Premium licenses.

Azure AD Single sign-on (SSO)

Single Sign-On (SSO) is a system that enables users to securely authenticate with multiple applications and websites by logging in only once, with just one set of credentials, generally a username and password and possibly Multi-Factor Authentication (MFA) in addition. Azure AD Single sign-on (SSO) is when this occurs within Azure’s infrastructure (rather than an on-premises infrastructure).

With Azure SSO, once the user has signed onto an Azure AD joined device on a corporate network, the user can access company resources, web applications and SaaS applications, and can also launch applications hosted within Azure using MyApps, the Office 365 portal and any other hosted Microsoft services the user has permission to access, without needing to re-authenticate a second and third time.

There are some great benefits of using Azure SSO, the primary one being the removal of the need for users to remember multiple usernames (quite possibly in multiple formats) and different passwords for each application.  The Administrator only needs to manage one set of credentials per user, which takes less time to administer and troubleshoot for logon username/password issues, but most importantly, from a user’s perspective, it provides a seamless logon and a far greater user experience.
The downsides of using SSO are that if the SSO platform is unavailable, users are locked out and unable to log in until the problem has been resolved; that should someone gain unauthorised access to an account they will likely gain access to other applications too; and lastly, from a security perspective, that SSO may not address the particular level of security each individual application needs.

Azure AD Restrictions and Limitations

Directories – A single user can belong to a maximum of 500 Azure AD directories as a member or as a guest.  A single user can create a maximum of 20 directories.

Domains – You can add no more than 900 managed Domain names. If you set up all of your Domains for federation with on-premises Active Directory, you cannot add any more than 450 domain names in each directory.

Resources – A maximum of 50,000 Azure AD resources can be created in a single directory by users of the Free edition of Azure Active Directory by default. If you have at least one verified domain, the default directory service quota in Azure AD is extended to 300,000 Azure AD resources.  A non-admin user can create no more than 250 Azure AD resources. Both active resources and deleted resources that are available to restore count toward this quota. Only Azure AD resources that were deleted fewer than 30 days ago are available to restore. Deleted Azure AD resources that are no longer available to restore count toward this quota at a value of one-quarter for 30 days. If you have developers who are likely to repeatedly exceed this quota in the course of their regular duties, you can create and assign a custom role with permission to create a limitless number of app registrations.
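The counting rule in the paragraph above is easy to misread, so here is an added example (not Microsoft code or part of the original page) that applies it to constructed data: an active resource counts in full, a deleted resource still within its 30-day restore window counts in full, a resource deleted 30 to 60 days ago (no longer restorable) counts one quarter, and older deletions drop out of the quota. The resource names, creator name and dates are constructed; the 250, 50,000 and 300,000 figures are the ones stated on the page.

```python
"""Azure AD resource quota accounting (added example, not Microsoft code)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

RESTORE_WINDOW_DAYS = 30        # deleted < 30 days ago: restorable, counts in full
QUARTER_WEIGHT_DAYS = 30        # next 30 days: not restorable, counts one quarter
NON_ADMIN_LIMIT = 250           # resources a non-admin user may create
TENANT_QUOTA_FREE = 50_000      # Free edition, no verified domain
TENANT_QUOTA_VERIFIED = 300_000 # at least one verified domain


@dataclass
class Resource:
    name: str
    created_by: str
    deleted_on: Optional[date] = None   # None = still active


def quota_weight(r: Resource, today: date) -> float:
    """How much of the quota one resource consumes on a given day."""
    if r.deleted_on is None:
        return 1.0
    age_days = (today - r.deleted_on).days
    if age_days < RESTORE_WINDOW_DAYS:
        return 1.0
    if age_days < RESTORE_WINDOW_DAYS + QUARTER_WEIGHT_DAYS:
        return 0.25
    return 0.0


def tenant_usage(resources, today: date, has_verified_domain: bool):
    """Return (weighted usage, applicable directory quota)."""
    used = sum(quota_weight(r, today) for r in resources)
    quota = TENANT_QUOTA_VERIFIED if has_verified_domain else TENANT_QUOTA_FREE
    return used, quota


def user_can_create(resources, user: str, today: date, is_admin: bool = False) -> bool:
    """Would creating one more resource keep a non-admin within the 250 limit?"""
    if is_admin:
        return True
    mine = sum(quota_weight(r, today) for r in resources if r.created_by == user)
    return mine + 1 <= NON_ADMIN_LIMIT


def build_scenario(today: date, deleted_days_ago: int):
    """Constructed developer with 249 active app registrations plus one deleted one."""
    res = [Resource(f"app-{i}", "dev1") for i in range(249)]
    res.append(Resource("app-old", "dev1", deleted_on=today - timedelta(days=deleted_days_ago)))
    return res


def demo(today: date = date(2020, 1, 31)):
    """Show how the age of a single deleted resource decides whether dev1 may create another."""
    return {
        "deleted_10_days_ago": user_can_create(build_scenario(today, 10), "dev1", today),
        "deleted_45_days_ago": user_can_create(build_scenario(today, 45), "dev1", today),
        "deleted_70_days_ago": user_can_create(build_scenario(today, 70), "dev1", today),
        "admin_always": user_can_create(build_scenario(today, 10), "dev1", today, is_admin=True),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'may create' if ok else 'over quota'}")
```

The 45-day case is the one that surprises people: the deleted registration can no longer be restored, yet it still weighs a quarter, so 249 active plus 0.25 leaves no room for a 251st under the 250 limit.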

Schema extensions – String-type extensions can have a maximum of 256 characters.

Binary-type extensions are limited to 256 bytes.  Only 100 extension values, across all types and all applications, can be written to any single Azure AD resource.  Only User, Group, TenantDetail, Device, Application, and ServicePrincipal entities can be extended with string-type or binary-type single-valued attributes.

Schema extensions are available only in the Graph API version 1.21 preview. The application must be granted write access to register an extension.

Applications – A maximum of 100 users can be owners of a single application.

Groups – A maximum of 100 users can be owners of a single group.  Any number of Azure AD resources can be members of a single group.  A user can be a member of any number of groups.  The number of members in a group that you can synchronize from your on-premises Active Directory to Azure Active Directory by using Azure AD Connect is limited to 50,000 members.

Application Proxy – A maximum of 500 transactions per second per App Proxy application.  A maximum of 750 transactions per second for the tenant.

A transaction is defined as a single HTTP request and response for a unique resource. When throttled, clients will receive a 429 response (Too Many Requests).
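The following is an added example (not Microsoft's implementation and not from the original page) that simulates how the two limits just stated interact: a sliding one-second window per App Proxy application capped at 500 transactions and a second window for the whole tenant capped at 750, with any request over either limit answered with 429. The application names and timestamps are constructed, and the per-second window is an assumption about the shape of the limit, not a statement of how Microsoft's service measures it.

```python
"""Application Proxy throttling model (added example, not Microsoft code)."""
from collections import deque

PER_APP_LIMIT = 500      # transactions per second per App Proxy application
PER_TENANT_LIMIT = 750   # transactions per second for the whole tenant
WINDOW_SECONDS = 1.0     # assumed sliding window


class ProxyThrottle:
    def __init__(self):
        self._per_app = {}       # app name -> deque of accepted timestamps
        self._tenant = deque()   # accepted timestamps across all apps

    @staticmethod
    def _trim(window: deque, now: float) -> None:
        """Drop accepted transactions that have slid out of the window."""
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()

    def handle(self, app: str, now: float) -> int:
        """Return 200 if the transaction fits within both limits, else 429."""
        app_window = self._per_app.setdefault(app, deque())
        self._trim(app_window, now)
        self._trim(self._tenant, now)
        if len(app_window) >= PER_APP_LIMIT or len(self._tenant) >= PER_TENANT_LIMIT:
            return 429
        app_window.append(now)
        self._tenant.append(now)
        return 200


def simulate():
    """Constructed burst: one busy app, then a second app in the same second."""
    throttle = ProxyThrottle()
    results = {}

    # 600 requests to "hr-portal" inside one second: 500 pass, 100 hit the per-app cap
    codes = [throttle.handle("hr-portal", i * 0.001) for i in range(600)]
    results["hr_accepted"] = codes.count(200)
    results["hr_throttled"] = codes.count(429)

    # 400 requests to "intranet" in the same second: only 250 of the tenant's 750 remain
    codes = [throttle.handle("intranet", 0.6 + i * 0.0005) for i in range(400)]
    results["intranet_accepted"] = codes.count(200)
    results["intranet_throttled"] = codes.count(429)

    # once the window slides past the burst, hr-portal is served again
    results["hr_next_second"] = throttle.handle("hr-portal", 1.5)
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The second app is throttled even though it never approaches its own 500 limit, which is the practical consequence of the tenant-wide cap: one chatty published application can cause 429s for every other application behind the same tenant's Application Proxy.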

Access Panel – There’s no limit to the number of applications that can be seen in the Access Panel per user. This applies to users assigned licences for Azure AD Premium or the Enterprise Mobility Suite.

A maximum of 10 app tiles can be seen in the Access Panel for each user. This limit applies to users who are assigned licences for the Azure AD Free licence plan. Examples of app tiles include Box, Salesforce, or Dropbox. This limit doesn’t apply to administrator accounts.

Reports – A maximum of 1,000 rows can be viewed or downloaded in any report. Any additional data is truncated.

Administrative units – An Azure AD resource can be a member of no more than 30 administrative units.

Admin roles and permissions – A group cannot be added as an owner.  A group cannot be assigned to a role.  Users’ ability to read other users’ directory information cannot be restricted, other than by the tenant-wide switch that disables all non-admin users’ access to all directory information (not recommended); see Microsoft’s documentation on default user permissions for more information.  It may take up to 15 minutes, or signing out and signing in again, before admin role membership additions and revocations take effect.

Licensing required for Azure AD
A Microsoft Azure / Microsoft Office 365 tenant is free to sign up for; however, your business needs will dictate which licensing is required.  Identifying which licence best fits a specific business is proving tricky for many, as Microsoft continue to add various licensing options across different sectors and industries (e.g. Government, Education, Health, Charities and Nonprofit).

Microsoft licensing, in particular for Azure Active Directory, can be confusing when choosing which licence you require for your business. Azure Active Directory is just one aspect of the whole consideration and depends on a range of other requirements (such as Office 365, SharePoint, Exchange and OneDrive, not just Azure AD).

The good news is that if you already use Office 365, you may in fact already have the licensing required to utilise Azure Active Directory. If you require some of the more critical tools for security, compliance and identity management, then a minimum of a P1 licence will be required, and possibly a P2 depending on needs.
With Azure AD there are 4 different types of subscription: Free/Basic, Office 365 Apps, P1 and P2.

Here at Proxar, we work with clients to provide the best Microsoft licencing, we demystify all the options and offer a solution that’s tailored for the client, whether that’s Office 365 or Microsoft 365 Business, Enterprise or a combination of add-ons like Azure AD Premium.

More information about Azure Active Directory is available on the Microsoft website.
The features below are those compared across the Free, O365 Apps, P1 and P2 editions in the Premium Features chart:

Premium Features (compared across Free, O365 Apps, P1 and P2)
Password Protection (custom banned password)
Password Protection for Windows Server Active Directory (global & custom banned password)
Self-service password reset/change/unlock with on-premises write-back
Microsoft Cloud App Discovery
Azure AD Join: MDM auto enrollment & local admin policy customization
Azure AD Join: self-service BitLocker recovery, enterprise state roaming
Advanced security and usage reports

Hybrid Identities
Application Proxy
Microsoft Identity Manager user CAL
Connect Health

Advanced Group Access Management
Dynamic groups
Group creation permission delegation
Group naming policy
Group expiration
Usage guidelines
Default classification

Conditional Access
Conditional Access based on group, location, and device status
Azure Information Protection integration
SharePoint limited access
Terms of Use (set up terms of use for specific access)
Microsoft Cloud App Security integration
3rd party MFA partner integration
3rd party identity governance partners integration

Identity Protection
Vulnerabilities and risky accounts detection
Risk events investigation
Risk based Conditional Access policies

Identity Governance
Privileged Identity Management (PIM)
Access Reviews
Entitlement Management

Summary: There are three main differences between P1 and P2 subscriptions.
1. P2 has Identity Protection (PIM) which lets you manage and control conditional access to apps based on risk

2. P2 gives you Access Reviews which provides for monitoring access within your organization

3. P2 provides Entitlement Management, which aids with managing access to groups, applications and SharePoint Online sites for internal and external use

Proxar IT Consulting are CSPs (Cloud Solution Providers) which means we can manage your licensing for your business.