Blog | 11-minute Read
The definitive guide to Azure AD: Everything you need to know
Marcus Idle
Head of External Identity
Published: 06 May 2022
Azure Active Directory is Microsoft’s flagship cloud identity service. We cover its key features, explain how it works, and break down what it can provide for your organisation.
Cloud technology has significantly changed the way organisations operate. Offering new ways to conduct business, interact with customers, and manage your internal IT systems and employees.
Microsoft’s Azure platform is one of the heavy hitters operating in the Cloud arena. And it’s only getting bigger, hitting over 425 million daily users in 2021 (Microsoft FY21 Q2 Results).
This growth is largely powered by the Active Directory component at the heart of Azure. Azure Active Directory (Azure AD) provides an ever-expanding array of features and functionality for the management of identities and security.
But what exactly is Azure AD? What does it provide? How does it function? You’ll find these answers and much more below as we give you everything you need to know about Azure AD.
What is Azure AD?
Azure Active Directory is Microsoft’s multi-tenant, cloud-based identity and access management service. It’s the digital infrastructure that allows your employees to sign in and access external resources held in Office 365 and an ever-growing list of other SaaS applications, as well as those held on a corporate network or intranet.
Azure AD’s strength lies in the flexibility afforded to it by being entirely cloud-based. This means that it can either act as an organisation’s only directory, or it can sync with an on-premises directory via Azure AD Connect.
Either way, it enables both on-premises and cloud-based users to access the same apps and resources, simultaneously benefitting from features such as single sign-on (SSO), multi-factor authentication (MFA), conditional access, and more.
More importantly, it provides a single place from which to manage your identity, security, and compliance controls across your entire IT estate.
What does Azure AD do?
Azure AD provides different benefits depending on what you’re using it for.
For IT admins, it allows complete control over access to applications and resources utilising security controls like MFA and conditional access. They can also use Azure AD’s built-in governance controls to apply automated lifecycle management and privileged access limitations.
In addition to this, Azure AD also provides admins with the ability to automate provisioning between Windows Server Active Directory and cloud apps like Office 365.
For developers, Azure AD can be used as a standards-based approach to enabling features like SSO and for personalising the app experiences using existing organisation data through APIs.
If you’re a user or employee, Azure AD means quick and easy access to work resources, on a multitude of devices, from almost anywhere on the planet.
Free Guide
The Complete Guide to Microsoft Entra [New for 2024]
The most comprehensive guide to Microsoft Entra. Over 40 pages. Plus, Microsoft licensing simplified.
Discover how you can:
- Cut costs by removing 50% management effort
- Elevate security – reduce breach chances by 45%
- Automate provisioning to ensure compliance
How does it work?
Azure AD, as the name suggests, is a directory – a container for your user names, credentials, and access rights (typically to information-based resources).
Cloud-only or hybrid
Azure AD can be operated in ‘cloud-only’ mode, allowing your users to sign in to their Windows PCs using the cloud directory service. Alternatively, if you, like many organisations, are still tied to on-premises legacy infrastructure, Azure AD can use your local Active Directory as a master for account data and operate in a variety of hybrid modes.
Threat detection
Whether in cloud-only or hybrid mode, Azure AD effectively acts as your ‘front door’ for sign-ins. A key benefit of doing so allows you to take advantage of state-of-the-art security measures, such as assessing the threat level of the user attempting access and being able to mitigate that threat – for example, requesting two-factor authentication.
Single sign-on compatibility
One of the most attractive advantages of using Azure AD is its ability to enable single sign-on (SSO) and it supports third-party application integration to help achieve this.
Applications can connect using standard ‘modern auth’ protocols – SAML or OpenID Connect. Application and group assignments (including dynamic groups) in Azure AD determine who has access to what.
Single sign-on means that users will be able to access all of the applications they need by signing in only once using a single user account hosted in Azure AD. Once signed in, they can access those applications without being required to authenticate a second time.
Azure AD has been designed to enable easy integration with many of today’s popular SaaS applications, enabling users to either single sign on to applications directly or discover and launch them from a portal, such as Office 365 or the Azure AD access panel.
What are the benefits of using Azure AD?
Azure AD offers a plethora of incentives for adoption, hence why it’s used by 95% of the Fortune500.
Again, this is driven by its incredible flexibility. Whilst Azure AD is optimised for Microsoft applications, it is also highly compatible with apps developed outside the house that Bill built.
This open standards approach has allowed Azure AD to become the core mechanism by which an organisation can manage all of its different apps, devices, and users across multiple tenants.
Azure AD’s key benefits largely fall into five categories:
1. One place for identity and access management
Azure AD is the heart of your organisation’s IT, giving you one place to go for managing user identities and permissions. You can assign users to groups individually or using rules driven by attributes, and you can use groups to assign licences and application access. You have all the control in one place.
2. One identity for all applications
Whilst your users’ Azure AD identities are perfect for signing into Microsoft applications, it is also highly compatible with apps developed elsewhere. Millions of users use Azure AD to regularly access third-party party applications on a daily basis, streamlining the process and increasing productivity.
3. Security
Organisations want to protect their resources from malicious or accidental harm – and to protect their users from identity theft. Azure AD achieves these aims with a range of measures, including threat detection, conditional access, multi-factor authentication, privileged identity management (PIM), and more.
4. Ease of use
Getting access to resources should be easy for end-users. Single sign-on, using the same sign in for Windows and all your applications, means less fuss with credentials, and fewer demands on the IT help desk.
5. Collaboration
Azure AD allows you to invite external (guest) users into your directory to assign access, while their credentials are managed by their organisation’s IT department.
This gives you immediate and easy collaboration options while not having to worry about user lifecycle.
Azure AD key features
Having all of your disparate environments united under Azure AD offers some significant functionality options and features:
Azure AD vs Active Directory
You may be wondering what Azure AD means for your Windows Server Active Directory (or ‘local Active Directory’). As mentioned earlier, your on-premises directory can be synchronised to Azure AD via Azure AD Connect. Azure AD doesn’t necessarily need to replace it – it can work as the cloud-based counterpart to your local AD.
It’s a common misconception that ADFS has anything to do with syncing users, it doesn’t. ADFS can handle external single sign-on against your on-premises directory, while Azure AD Connect handles the synchronisation. They don’t talk to each other and they each have their own data source. ADFS has been largely superseded by Azure AD.
And Azure AD is not just ‘Active Directory in the Cloud’ either. Although it performs a lot of the same functions (authentication, user management, authorisation, directory query, etc.), it accomplishes these in a very different fashion.
Your local AD wasn’t designed to handle the thousands of web-based services that are now available and, in many cases, are crucial to an organisation’s day-to-day function. Azure AD uses an entirely different set of protocols to work with web apps such as Salesforce, Google, and Office 365.
B2B, B2C, and external users
As highlighted in the key features section, Azure AD has purpose-built functionality designed to support working with external users, but the specifics differ on whether those users are customers or partners.
Azure AD B2B allows businesses to securely share files and resources with partners and contractors for collaboration purposes. Azure AD handles the federation between the business and partner, so users can sign in to shared resources via an invite that can be sent to any email.
Azure AD’s B2C capabilities are first and foremost designed for use in customer-facing applications but can apply in a B2B scenario. Here, Azure AD acts as the identity system for the application whilst also allowing customers to sign in with a previously established identity, such as a Facebook or Gmail login.
You can find out more about the differences between Azure AD B2B and B2C in our comparison blog.
Azure AD licensing options
Thousands of organisations make use of the applications within Office 365, which means that they will automatically have access to Azure AD and all of its free features that come as standard.
There are four licensing options available to those interested in utilising Azure AD:
Azure Active Directory Free
The standard Azure AD package comes with user and group management, synchronisation with your on-premises directory, self-service password reset, basic reporting capabilities and single sign-on across Azure, Office 365, and other SaaS apps (with more added on a regular basis).
Azure Active Directory Premium P1
On top of the base features, the P1 package provides hybrid users with access to both cloud and on-premises resources. You’ll also get more advanced admin capabilities, with dynamic groups, self-service group management and access to Microsoft Identity Manager (MIM) for on-premises IAM features.
Azure Active Directory Premium P2
The P2 licence builds on its predecessors by adding Azure AD Identity Protection into the mix, which provides advanced conditional access features for a risk-based approach to application access.
You’ll also get privileged identity management tools to identify, restrict, and monitor admin access to ensure access privileges are applied accordingly and removed when redundant.
Pay as you go
If you find yourself needing to take advantage of additional features such as Azure AD’s B2C abilities, Microsoft can tailor your subscription with any others you may need on top of the P2 licence.
Alternative options
Azure AD is quite a broad offering and, as part of your research, you’ll likely come across various competitors that address different areas of its functionality.
Here are some of the most familiar faces and what they offer:
Okta
Okta sits on top of Azure AD and offers ‘simplified single sign-on’, user lifecycle management (synchronisation between various user information sources including on-premises), Office 365 license management, and adaptive MFA.
Ping Identity
Ping Identity offers a single sign-on solution and adds an identity governance layer in addition to the usual MFA and security features you would expect.
Auth0
Auth0 is a competitor to Azure AD B2C, and offers customisable user journeys for single sign-on, with protection against malicious logins, and a broad range of integrations for different platforms.
iWelcome
iWelcome is another Azure AD B2C competitor, offering a wide range of out-of-the-box user journeys and easy management tools.
Although Azure AD has the advantage of being an all-encompassing solution built for compatibility and flexibility to your needs, it’s worth being aware of what else is on offer and how they either add to or replicate the functionality found within Azure AD.
Key takeaways
Azure AD is Microsoft’s market-leading cloud-based IAM service.
It provides a single place to manage access and apply cutting-edge security controls.
Azure AD can be deployed either cloud-only or adapted to a variety of hybrid scenarios.
It’s highly compatible with third-party apps and services for easy adoption and future-proofing.
Flexible licensing options are available to suit the demands of your organisation’s environment.
Free Guide
The Complete Guide to Microsoft Entra [New for 2024]
The most comprehensive guide to Microsoft Entra. Over 40 pages. Plus, Microsoft licensing simplified.
Discover how you can:
- Cut costs by removing 50% management effort
- Elevate security – reduce breach chances by 45%
- Automate provisioning to ensure compliance
Great emails start here
Sign up for free resources and exclusive invites
Subscribe to the Kocho mailing list if you want:
- Demos of the latest Microsoft tech
- Invites to exclusive events and webinars
- Resources that make your job easier
Don't Miss
Great identity resources
Microsoft Purview: Enable compliance and enhance Copilot for Microsoft 365 adoption
Navigating CAF 3.2 regulations with Microsoft Entra and Zero Trust
Microsoft make MFA mandatory in Azure: User implications and actions
How does CAF 3.2 impact identity strategies in critical national infrastructure?
Got a question? Need more information?
Our expert team is here to help.