Azure Active Directory (Azure AD) is a service that manages the authentication and authorization of users, devices, and apps in the cloud. All Microsoft cloud solutions (Office/Microsoft 365, Azure and Dynamics 365 online) use the Azure AD tenant to manage users' identities and permissions. Azure AD should not be confused with Active Directory Domain Services (AD DS), which is the Microsoft solution for managing authentication and authorization in on-premises environments.
How to Add Users or Groups to Azure AD
- Synchronizing from on-premises Windows Server Active Directory using Azure AD Connect.
- Using the Azure Portal
- Running a script using PowerShell.
- Programmatically using the Azure AD Graph API.
Azure AD users can have one or more roles assigned. There are many roles, such as Application Developer, Azure DevOps Administrator, Dynamics 365 Administrator, Guest Inviter and Global Administrator, to name a few. It is important to note that Global Administrator is the most privileged role in an Azure AD environment.
About Access Management
Managing authorization in a cloud environment is a critical function for any organization. Role-Based Access Control (RBAC) is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources. A role assignment is a mapping between an Azure AD identity and a role. Here are some examples of what you can do with RBAC:
- Allow one user to manage virtual machines in a subscription and another user to manage virtual networks
- Allow a DBA group to manage SQL databases in a subscription
- Allow a user to manage all resources in a resource group, such as virtual machines, websites, and subnets
- Allow an application to access all resources in a resource group
- Allow users to only read (view) resources in a subscription or resource group.
Roles for Providing Access
- Owner can manage everything, including access to resources.
- Contributor can manage everything except access to resources.
- Reader can view everything but not make changes.
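The following is an added example, not code from the original post: a minimal model of how Azure RBAC resolves an identity's effective permissions, using the Actions/NotActions shape of the built-in Owner, Contributor and Reader roles, additive assignments, and scope inheritance from subscription down to resource group and resource. The principal names and scope paths are constructed sample values.

```python
# Added example (not from the original post): a minimal model of Azure RBAC
# permission resolution. Role definitions carry Actions and NotActions
# wildcards like the built-in roles do, assignments are additive, and an
# assignment at a scope applies to everything beneath it. Names and scopes
# are sample values constructed for this example.
from fnmatch import fnmatch

# Simplified shapes of the three built-in roles named in the post.
ROLES = {
    "Owner": {"actions": ["*"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        # Contributor cannot manage access: Microsoft.Authorization writes
        # and deletes are carved out with NotActions.
        "not_actions": ["Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/*/Delete"],
    },
    "Reader": {"actions": ["*/read"], "not_actions": []},
}

# Constructed sample assignments: (principal, role, scope).
ASSIGNMENTS = [
    ("alice", "Reader", "/subscriptions/sub1"),
    ("alice", "Contributor", "/subscriptions/sub1/resourceGroups/rg-web"),
    ("dba-group", "Contributor", "/subscriptions/sub1/resourceGroups/rg-sql"),
]

def _matches(pattern, action):
    # Action strings are case-insensitive and '*' may span path segments.
    return fnmatch(action.lower(), pattern.lower())

def _in_scope(assigned_scope, scope):
    # An assignment covers its own scope and every descendant scope.
    return scope == assigned_scope or scope.startswith(assigned_scope + "/")

def is_allowed(principal, action, scope, groups=()):
    """True if some assignment for the principal (or one of its groups)
    grants `action` at `scope`. Roles are additive: a NotAction only
    narrows the role it belongs to, it never vetoes another assignment."""
    for who, role, assigned_scope in ASSIGNMENTS:
        if who != principal and who not in groups:
            continue
        if not _in_scope(assigned_scope, scope):
            continue
        rd = ROLES[role]
        granted = any(_matches(p, action) for p in rd["actions"])
        excluded = any(_matches(p, action) for p in rd["not_actions"])
        if granted and not excluded:
            return True
    return False
```

Running `is_allowed("alice", "Microsoft.Authorization/roleAssignments/write", ...)` against a resource in rg-web returns False even though alice is a Contributor there, which is exactly the Owner/Contributor distinction the list above describes.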
Using Azure AD, you can create groups to manage users, devices, and permissions in an effective way.
Types of Groups:
There are two types of groups: Security groups and Office 365 groups. The main difference between the two is that Office 365 groups create an email address named after the group and distribute the messages sent to that address to their members, whereas security groups are used to assign permissions to a set of users, granting them access to resources or services such as a SharePoint site, web pages, an entire SharePoint list or document library, or just some files.
Users and devices can be assigned to groups manually or dynamically; they join dynamic groups based on membership rules. Azure AD provides a rule builder to create and update your rules more quickly. Whenever an attribute of a user or device changes, the system evaluates all dynamic group rules in the directory to see whether the change triggers addition to or removal from any group. If a user or device satisfies a rule on a group, it is added as a member of that group; if it no longer satisfies the rule, it is removed.
You cannot manually add or remove a member of a dynamic group.
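To make the evaluate-then-add-or-remove behaviour concrete, here is an added example (not code from the original post or from Azure AD itself): a small evaluator for the `user.<attribute> -eq "value"` rule syntax with `-and`, `-or`, `-not` and parentheses, plus the reconciliation pass that computes who must be added and who must be removed. It assumes exact string comparison, and the rule text and user records are constructed sample data.

```python
# Added example (not from the original post): evaluator for Azure AD
# dynamic membership rules (user.<attribute> op value, -and/-or/-not, parens)
# and the reconciliation pass that adds/removes members. Constructed data.
import re

TOKEN = re.compile(r'\s*(\(|\)|"[^"]*"|-\w+|[\w.]+)')

class Rule:
    def __init__(self, text, user):
        self.toks = [m.group(1) for m in TOKEN.finditer(text)]
        self.pos, self.user = 0, user
    def peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None
    def take(self):
        tok = self.peek(); self.pos += 1; return tok
    def value(self, tok):
        # Operand: user attribute, quoted string, or literal true/false/null.
        if tok.startswith("user."): return self.user.get(tok[5:])
        if tok.startswith('"'): return tok[1:-1]
        return {"true": True, "false": False, "null": None}[tok.lower()]
    def expr(self):    # expr := term (-or term)*
        left = self.term()
        while self.peek() and self.peek().lower() == "-or":
            self.take(); right = self.term(); left = left or right
        return left
    def term(self):    # term := factor (-and factor)*
        left = self.factor()
        while self.peek() and self.peek().lower() == "-and":
            self.take(); right = self.factor(); left = left and right
        return left
    def factor(self):  # factor := -not factor | ( expr ) | operand op operand
        tok = self.take()
        if tok.lower() == "-not": return not self.factor()
        if tok == "(":
            inner = self.expr(); assert self.take() == ")"; return inner
        op = self.take().lower()
        lhs, rhs = self.value(tok), self.value(self.take())
        if op == "-eq": return lhs == rhs          # simplified: exact match
        if op == "-startswith": return str(lhs or "").startswith(rhs)
        raise ValueError(f"unsupported operator {op}")

def evaluate(rule, user):
    return bool(Rule(rule, user).expr())

def reconcile(rule, users, members):
    """One evaluation pass: return (to_add, to_remove) relative to `members`."""
    should = {u["userPrincipalName"] for u in users if evaluate(rule, u)}
    return should - members, members - should

RULE = ('(user.department -eq "Finance") -and (user.accountEnabled -eq true) '
        '-and -not (user.jobTitle -startsWith "Contractor")')
USERS = [  # constructed sample directory objects
    {"userPrincipalName": "ana@contoso.example", "department": "Finance", "accountEnabled": True, "jobTitle": "Analyst"},
    {"userPrincipalName": "bo@contoso.example", "department": "Finance", "accountEnabled": False, "jobTitle": "Analyst"},
    {"userPrincipalName": "cy@contoso.example", "department": "Sales", "accountEnabled": True, "jobTitle": "Rep"},
    {"userPrincipalName": "di@contoso.example", "department": "Finance", "accountEnabled": True, "jobTitle": "Contractor (temp)"},
]
```

Calling `reconcile(RULE, USERS, current_members)` after bo's account is disabled returns bo in the removal set, which is why a dynamic group member cannot be added or removed by hand: the next evaluation pass would undo the manual change.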
You can choose any of the four Azure AD editions depending on the features an organization needs, whether to comply with regulations or simply to have additional security services.
Azure AD's Offerings
1. Azure Active Directory Free
- Limited to 500,000 Directory Objects
- Azure AD Connect (syncs on-premises AD to Azure AD)
- Basic security reports
- B2B collaboration capabilities (allows you to assign guest users that exist outside of your business)
- Identity management capabilities and device registration
2. Azure Active Directory Basic:
- Unlimited Directory Objects
- Group-based access management and provisioning
- Self-service password reset (cloud users)
- Ability to brand logon pages
3. Azure Active Directory Premium P1:
- Advanced reports
- Application proxy
- Conditional Access based on health/location
- Cloud App Security Integration
- Multi-factor authentication
4. Azure Active Directory Premium P2:
- Everything offered in P1
- Identity Protection
- Privileged Identity Management
- Access reviews
With Azure AD you can manage application objects in Azure through the App Registrations experience. This registration process involves giving Azure AD details about your app, such as the URL where it is located, the URL to which replies are sent after a user is authenticated, and the URI that identifies the app; this lets the service know how to issue tokens to the application based on its settings.
Add and Manage Enterprise Applications
Additionally, Azure AD provides enterprise applications, which are applications published by other companies in the Azure AD gallery that can be used within your organization. Only Global Administrators can add enterprise applications to Azure AD.
There are four types of enterprise applications that can be added to and managed by Azure AD:
- Azure AD Gallery applications
- On-premises applications with Application Proxy
- Custom-developed applications
- Non-Gallery applications
After adding enterprise applications to the organization's tenant, administrators can enable single sign-on (SSO) to those apps using Azure AD capabilities. There are specific steps that administrators must follow for each app. Microsoft has created tutorials for the most common applications, so it is a good idea to check the official Microsoft documentation to see whether the app you want to integrate with your Azure AD is covered by a tutorial.
As mentioned at the beginning of this post, Azure Active Directory should not be confused with Active Directory Domain Services. Azure AD has its own managed offering, Azure Active Directory Domain Services (Azure AD DS). With Azure AD DS you do not need to deploy, manage, or patch domain controllers in the cloud. Azure AD DS integrates with your existing Azure AD tenant, which makes it possible for users to sign in using their existing credentials.
To keep in mind:
- Azure AD can be accessed using a dedicated portal here.
- Azure AD plays a very important role in Microsoft cloud environments; it provides security to the organization. This is why administrators must be well-versed in this service, since any misconfiguration can cause substantial damage to the organization.
Learn more
If you would like to know more about implementing a hybrid environment in your organization, and how to manage the authentication and authorization of users, devices, and apps in the cloud with Azure AD, feel free to contact us here with any questions you might have, or follow our blog here for upcoming posts.