Azure Active Directory (Azure AD) : Everything You Need To Know (2024)


Employees in a company can access Azure services with the help of Microsoft Entra ID. Cloud technology requires users and groups to have proper identity, authentication and authorization. For this, Azure Cloud provides Microsoft Entra ID (earlier known as Azure AD), which is an extension of Active Directory.

A domain controller is a server that manages access for users, PCs, and servers on the network. It does this using Active Directory (AD).

This post covers:

  1. What is Azure AD?
  2. Difference between Windows AD and Azure AD
  3. How Does Windows Azure Active Directory Work?
  4. Azure AD Concepts
  5. Benefits of Azure Active Directory
  6. Azure AD Connect
  7. Azure AD Join
  8. Access to Azure Resources
  9. Conclusion
  10. FAQs

What is Windows Active Directory?

Active Directory (AD): Active Directory is a database and a set of services that connect users with the network resources they need to get their work done. The database (or directory) holds critical information about your IT environment, including which users and computers exist and who is allowed to do what. The services control most of the activity in that environment; in short, Windows AD provides authentication and authorization for applications, file services, and other resources on a network.

What is Microsoft Entra ID?

Microsoft Entra ID: To manage access to Azure cloud applications and their associated resources, we need Microsoft Entra ID. It lets your employees access external resources such as Azure services, the Azure portal, and other applications.

Microsoft Entra ID is a Microsoft cloud-based identity and access management service, which helps your employees sign in and access resources in:

1) External resources, such as Microsoft Office 365, the Azure portal, and thousands of other SaaS applications.

2) Internal resources, such as apps on your corporate network and intranet, along with any cloud apps developed by your own organisation.

If we have a traditional on-premises setup with AD and want to integrate it with Azure Entra ID so that we can manage access to cloud applications, we can do so easily using Azure AD Connect.

In layman's terms, Microsoft Entra ID is not an extension of an on-premises directory. Rather, it is a copy that contains the same objects and identities.

How Does Microsoft Entra ID Work?

Microsoft Entra ID, a cloud-based service for identity and access management that falls into the identity as a service (IDaaS) category, is a secure online authentication store for both individual user profiles and groups of user profiles.

It manages access through user accounts, which have a username and a password. Users can be organized into different groups, which can have different access privileges for individual applications. Identities from Microsoft or third-party software as a service (SaaS) can also be created for cloud applications to grant user access.

To connect users to SaaS applications, Microsoft Entra ID uses single sign-on (SSO), which lets each user reach the full suite of applications they have permission for without logging in again for each one. It issues access tokens (which carry expiry times) that are stored locally on employee devices.
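The access tokens mentioned above are JSON Web Tokens, and an application that receives one must check more than the expiry time before trusting it. The following is an added example, not code from the original post: it shows the checks a resource API performs on a token (signature, algorithm, issuer, tenant, audience, `exp`/`nbf` window). The tenant id, audience and signing key are constructed placeholders, and the token is signed with HMAC-SHA256 so the validator can run offline; Entra ID itself signs tokens with RS256 and publishes its public keys, so in production the signature step uses those keys instead.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed placeholder values: a real tenant id is a GUID issued by Microsoft,
# and a real audience is your app's client id or App ID URI.
TENANT_ID = "00000000-0000-0000-0000-000000000001"
EXPECTED_ISSUER = "https://login.microsoftonline.com/" + TENANT_ID + "/v2.0"
EXPECTED_AUDIENCE = "api://example-api"
DEMO_KEY = b"demo-only-shared-secret"   # stands in for the issuer's signing key


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims, key=DEMO_KEY):
    """Build a compact JWT signed with HS256. Demo only: Entra ID signs with
    RS256 and publishes its public keys; this exists so the validator below
    can be exercised offline."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_token(token, key=DEMO_KEY, now=None):
    """Return the claims if every check passes; raise ValueError naming the
    first failed check. Order matters: reject an unexpected algorithm and a
    bad signature before trusting any claim in the body."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(_b64url_decode(head))
    if header.get("alg") != "HS256":            # rejects "none" and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(key, (head + "." + body).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("tid") != TENANT_ID:          # token issued by another tenant
        raise ValueError("wrong tenant")
    if claims.get("aud") != EXPECTED_AUDIENCE:  # token minted for a different app
        raise ValueError("wrong audience")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if now < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    return claims


def check_token(token, key=DEMO_KEY, now=None):
    """Convenience wrapper: 'ok' or the name of the failed check."""
    try:
        validate_token(token, key, now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    issued = 1700000000
    claims = {"iss": EXPECTED_ISSUER, "tid": TENANT_ID, "aud": EXPECTED_AUDIENCE,
              "iat": issued, "nbf": issued, "exp": issued + 3600,
              "oid": "user-object-id-placeholder", "scp": "Files.Read"}
    token = mint_demo_token(claims)
    print(check_token(token, now=issued + 60))    # ok
    print(check_token(token, now=issued + 3600))  # token expired
```

The tenant (`tid`) and audience (`aud`) checks are the ones most often skipped: a token that is validly signed by Microsoft but issued to a different application, or from a different tenant, must still be rejected.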

Windows AD vs. Azure Entra ID

Microsoft Entra ID vs Windows Active Directory

Provisioning users
  Windows Active Directory: Organizations create internal users manually or use an in-house or automated provisioning system, like Microsoft Identity Manager, to integrate with an HR system.
  Microsoft Entra ID: Existing AD organizations use Azure AD Connect to sync identities to the cloud. It adds support for automatically creating users from cloud HR systems and provisioning identities in SCIM-enabled SaaS apps, so that apps automatically receive the details they need to allow user access.

Admin management (AKS)
  Windows Active Directory: Organizations use a combination of domains, organizational units, and groups in AD to delegate administrative rights to manage the directory-monitored resources.
  Microsoft Entra ID: Microsoft Entra ID provides built-in roles with its Microsoft Entra ID RBAC system, with limited support for creating custom roles to delegate privileged access to the identity system, the apps, and the resources it controls.

Infrastructure apps
  Windows Active Directory: Active Directory forms the basis for many on-premises infrastructure components, like DNS, DHCP, IPSec, WiFi, NPS, and VPN access.
  Microsoft Entra ID: In a new cloud world, Azure AD is the new control plane for accessing apps, rather than relying on networking controls. When users authenticate, Conditional Access (CA) controls which users have access to which apps under the required conditions.

Traditional and legacy apps
  Windows Active Directory: Most on-premises apps use LDAP, Windows Integrated Authentication (NTLM and Kerberos), or header-based authentication to control user access.
  Microsoft Entra ID: Azure Entra ID can provide access to these types of on-premises apps using Azure AD Application Proxy agents running on-premises. With this method, Azure Entra ID can authenticate Active Directory users on-premises using Kerberos while you migrate or need to coexist with legacy apps.

Mobile
  Windows Active Directory: Active Directory doesn't natively support mobile devices without third-party solutions.
  Microsoft Entra ID: Microsoft Intune (a mobile device management solution) is integrated with Azure Entra ID. It provides device state information to the identity system to evaluate during authentication.

Windows desktops
  Windows Active Directory: Active Directory provides the ability to domain-join Windows devices and manage them using Group Policy, System Center Configuration Manager, or other third-party solutions.
  Microsoft Entra ID: Windows devices can be joined to Azure Entra ID. Conditional Access can check whether a device is Azure Entra ID joined as part of the authentication process. Windows devices can also be managed with Microsoft Intune, in which case Conditional Access considers whether a device is compliant (up-to-date security patches and virus signatures) before allowing access to the apps.
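The comparison above describes Conditional Access as the control plane that decides, at sign-in, which users reach which apps and under what conditions (joined device, compliant device). The following is an added example, not code from the original post or from Microsoft: a small evaluator that models the decision logic as the page describes it. Policy and signal names (`require_mfa`, `device_compliant`, and so on) and the sample policies and users are constructed for the example; the rule that every applicable policy must be satisfied and that a block policy always wins is how Conditional Access behaves.

```python
from dataclasses import dataclass


@dataclass
class SignIn:
    """Signals available at the moment of authentication (constructed example)."""
    user: str
    groups: frozenset
    app: str
    mfa_done: bool = False
    device_joined: bool = False      # device is Entra-joined
    device_compliant: bool = False   # Intune reports the device as compliant


@dataclass
class Policy:
    """Simplified Conditional Access policy: assignments (who, which app) plus one grant control."""
    name: str
    grant: str                       # "block" | "require_mfa" | "require_compliant_device" | "require_joined_device"
    include_users: frozenset = frozenset({"All"})
    exclude_users: frozenset = frozenset()
    include_groups: frozenset = frozenset()
    apps: frozenset = frozenset({"All"})
    enabled: bool = True


def policy_applies(policy, signin):
    """Assignment check: exclusions win, then include-by-user/group and app must both match."""
    if not policy.enabled or signin.user in policy.exclude_users:
        return False
    user_in_scope = ("All" in policy.include_users
                     or signin.user in policy.include_users
                     or bool(policy.include_groups & signin.groups))
    app_in_scope = "All" in policy.apps or signin.app in policy.apps
    return user_in_scope and app_in_scope


# Grant controls and the signal that satisfies each one.
SATISFIED = {
    "require_mfa": lambda s: s.mfa_done,
    "require_compliant_device": lambda s: s.device_compliant,
    "require_joined_device": lambda s: s.device_joined,
}


def evaluate(policies, signin):
    """Return ('block', policy names), ('require', unmet controls) or ('grant', applied policies).
    All applicable policies must be satisfied; a block policy overrides everything."""
    applicable = [p for p in policies if policy_applies(p, signin)]
    blockers = [p.name for p in applicable if p.grant == "block"]
    if blockers:
        return "block", blockers
    unmet = sorted({p.grant for p in applicable if not SATISFIED[p.grant](signin)})
    if unmet:
        return "require", unmet
    return "grant", [p.name for p in applicable]


# Constructed sample policy set.
POLICIES = [
    Policy("Require MFA for all users", "require_mfa",
           exclude_users=frozenset({"breakglass@example.com"})),
    Policy("Require compliant device for the Azure portal (admins)", "require_compliant_device",
           include_users=frozenset(), include_groups=frozenset({"Global Admins"}),
           apps=frozenset({"Azure portal"})),
    Policy("Block guests from the HR app", "block",
           include_users=frozenset(), include_groups=frozenset({"Guests"}),
           apps=frozenset({"HR app"})),
]

if __name__ == "__main__":
    admin = SignIn("alice@example.com", frozenset({"Global Admins"}), "Azure portal", mfa_done=True)
    print(evaluate(POLICIES, admin))   # ('require', ['require_compliant_device'])
```

A sign-in for which no policy applies returns `('grant', [])`; in a real tenant that is exactly the case (excluded accounts, unassigned apps) a reviewer audits, because an exclusion list is how a policy silently stops protecting someone.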

Azure Entra ID Concepts

1) Identity: Anything that can be authenticated. It can be a user with a username & password, applications, or other services that require authentication.

2) Account: Identity with data associated.

3) Azure Entra ID Account: Identity created using Azure Entra ID or other Microsoft cloud services.

4) Azure Tenant: An instance of Azure Entra ID created when an organization signs up for a Microsoft cloud service subscription.

5) Azure AD Directory: Each Azure Tenant has a dedicated and trusted Azure Entra ID Directory.

6) User Subscription: Used to pay for the Azure cloud services consumed.

Benefits Of Azure Entra ID

  1. Azure Entra ID is highly available and spread across 32 data centres in different geographies.
  2. Using Azure Entra ID, access to applications in the cloud or on-premises can be simplified.
  3. Single Sign-On to access thousands of SaaS applications & On-premise applications.
  4. Multi-Factor Authentication, Conditional Access, Privileged Identity Management, and Dynamic Group.


Azure Entra ID Features & Licensing

Azure Entra ID works on a licensing model. You can access Azure Entra ID with these two licenses:

  • Microsoft Online Services
  • Azure Entra ID Premium Licenses

If you have an Office 365 or Microsoft Azure license, you get all the non-paid Azure features; otherwise, you can get the Azure premium features through Power BI premium licenses:

  • Premium P1
  • Premium P2 licenses

Features of Azure Entra ID

  • Application Management: Manage your cloud and on-premises apps using services like Application Proxy, the My Apps portal, single sign-on, and Software as a Service (SaaS) apps.
  • Authentication: Manage the Azure Entra ID self-service password reset feature, Multi-Factor Authentication, a custom banned password list, and smart lockout.
  • Azure Active Directory for developers: Build apps that can sign in all Microsoft identities and fetch tokens to call Microsoft Graph and other Microsoft or custom APIs.
  • Business-to-Business: You can manage your guest users and external partners while also maintaining control over your own corporate data at the same time.
  • Business-to-Customer (B2C): With Azure Entra ID users can customize and control how others sign up, sign in, and manage their profiles when using their apps.
  • Managed identities for Azure resources: Provide your Azure services with an automatically managed identity in Azure Entra ID that can authenticate any Azure Entra ID-supported authentication service, including Key Vault.
  • Reports and monitoring: Users can gain insights into the security and usage patterns in their working environment.
  • Privileged identity management (PIM): This feature includes access to resources in Azure Entra ID and Azure, including some other Microsoft Online Services, like Microsoft 365 or Intune. Users can manage, control, and monitor access within their organization.
  • Identity protection: Detect potential vulnerabilities affecting your organization’s identities, configure policies to respond to suspicious actions, and accordingly take appropriate steps to resolve them.
  • Identity governance: Manage your organization’s identity through employee, business partner, vendor, service, and app access controls.
  • Enterprise users: Manage license assignments, app access, and setting up delegates using groups and administrator roles.

Azure Entra ID Connect

It is used to integrate on-premises directories (Active Directory) with Azure Active Directory, which provides a common identity for accessing both cloud and on-premises resources.

Azure AD Connect has several features:

1) Password Hash Synchronization: Sign-in method that synchronizes a hash of each user's on-premises AD password with Azure Entra ID.

2) Pass-through Authentication: Sign-in method that lets users use the same password on-premises and in the cloud.

3) Synchronization: Responsible for creating users, groups, and other objects, and for validating that the identity information of your on-premises users and groups matches the cloud.

4) Health Monitoring: A central place to view activity and monitoring data.


Azure AD Join

  • Azure AD join is used to connect devices directly to Azure Entra ID and we need not join to the on-premises AD.
  • Azure AD joined devices are signed in to using an organizational Azure Entra ID account.
  • Devices that are Azure AD joined can still authenticate to on-premises servers like file, print, and other applications.


Creating And Managing Users & Groups In Azure AD

There are many ways to add users and groups to Azure Active Directory.

  • By syncing from an on-premises Windows Server Active Directory using AAD Sync. This is how most enterprise customers get their users added to the directory; it requires some additional server configuration on-premises to set up.
  • Manually, using the Azure Management Portal.
  • Using PowerShell and the Azure Active Directory cmdlets.
  • Programmatically, using the Azure Entra ID Graph API. This is an extremely powerful option that essentially gives you full control of how users are added to the directory.


Access To Azure Resources

It is a very difficult and important task for any organization to manage access to Azure resources.

  • Role-based access control (RBAC) helps you manage who has access to Azure resources, what they can do with those resources, and what areas they have access to.
  • RBAC is an authorization system built on Azure Resource Manager that provides fine-grained access management of Azure resources.
  • Using RBAC, we can segregate duties within a team and give each user only the amount of access they need to perform their tasks.
  • It’s a best practice to grant users the least privilege to get their work done.
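To make the least-privilege point concrete, here is an added example (not code from the original post or from Azure itself) that models how Azure RBAC evaluates an access request: a role definition lists Actions and NotActions in the `{provider}/{resourceType}/{operation}` format with `*` wildcards, a role assignment binds a role to a principal at a scope, and an assignment applies to its scope and everything beneath it. The role definitions are an abbreviated subset of the built-in ones (the real Contributor NotActions list is longer), the subscription id and resource names are constructed, and Azure deny assignments are not modelled.

```python
import fnmatch

# Abbreviated subset of built-in role definitions (constructed for the example).
ROLE_DEFINITIONS = {
    "Owner":       {"actions": ["*"], "not_actions": []},
    "Contributor": {"actions": ["*"],
                    "not_actions": ["Microsoft.Authorization/*/Write",
                                    "Microsoft.Authorization/*/Delete",
                                    "Microsoft.Authorization/elevateAccess/Action"]},
    "Reader":      {"actions": ["*/read"], "not_actions": []},
    "Virtual Machine Contributor": {
        "actions": ["Microsoft.Compute/virtualMachines/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read"],
        "not_actions": []},
}


def _action_matches(pattern, action):
    # Azure action matching is case-insensitive and "*" spans "/" boundaries.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def role_permits(role, action):
    """A role permits an action if some Actions pattern matches and no NotActions pattern does."""
    definition = ROLE_DEFINITIONS[role]
    allowed = any(_action_matches(p, action) for p in definition["actions"])
    excluded = any(_action_matches(p, action) for p in definition["not_actions"])
    return allowed and not excluded


def scope_covers(assignment_scope, target_scope):
    """An assignment applies to its own scope and every child scope (segment-wise prefix)."""
    a = [s.lower() for s in assignment_scope.strip("/").split("/")]
    t = [s.lower() for s in target_scope.strip("/").split("/")]
    return t[:len(a)] == a


def can(assignments, principals, action, scope):
    """True if any assignment to the user or one of its groups, at a covering scope,
    has a role that permits the action. Deny assignments are not modelled."""
    return any(
        a["principal"] in principals
        and scope_covers(a["scope"], scope)
        and role_permits(a["role"], action)
        for a in assignments
    )


def effective_roles(assignments, principals, scope):
    """Roles in force at a scope: what a least-privilege review looks at."""
    return sorted({a["role"] for a in assignments
                   if a["principal"] in principals and scope_covers(a["scope"], scope)})


# Constructed sample tenant: one subscription, one resource group, one VM.
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG = SUB + "/resourceGroups/app-rg"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/web01"
OTHER_VM = SUB + "/resourceGroups/other-rg/providers/Microsoft.Compute/virtualMachines/db01"
ASSIGNMENTS = [
    {"principal": "alice",    "role": "Reader",                      "scope": RG},
    {"principal": "ops-team", "role": "Virtual Machine Contributor", "scope": RG},
    {"principal": "bob",      "role": "Contributor",                 "scope": SUB},
    {"principal": "carol",    "role": "Owner",                       "scope": SUB},
]

if __name__ == "__main__":
    dave = {"dave", "ops-team"}   # user plus group membership
    print(can(ASSIGNMENTS, dave, "Microsoft.Compute/virtualMachines/restart/action", VM))  # True
    print(can(ASSIGNMENTS, dave, "Microsoft.Compute/virtualMachines/restart/action", OTHER_VM))  # False
    print(effective_roles(ASSIGNMENTS, {"bob"}, VM))  # ['Contributor']
```

The Contributor versus Owner case is the one worth remembering: Contributor can change every resource in the subscription but cannot write role assignments, so it cannot grant itself or anyone else more access. The group-scoped Virtual Machine Contributor assignment on one resource group shows the other lever, narrowing scope rather than role.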


Conclusion

Azure Entra ID is not simply a cloud version of AD; they do many different things. AD is great at managing traditional on-premises infrastructure and applications, while Azure AD is great at managing user access to cloud applications. You can use both together, or, if you want a purely cloud-based environment, you can use Azure AD alone. Which one you choose depends mostly on the services you need; the differences between them are discussed above.

FAQs

Q.1 What is Azure Active Directory?

Microsoft Azure Entra ID is a cloud-based identity and access management solution. It acts as a centralized directory for managing user IDs, authentication, and authorisation in the Azure cloud environment as well as other linked applications and services. Organizations may use Azure AD to restrict resource access, enforce security standards, and provide single sign-on for users across many cloud and on-premises apps. It includes functionality such as user provisioning, multi-factor authentication, role-based access management, and connection with major software as a service (SaaS) applications. In essence, Azure AD is a critical component of Microsoft's cloud ecosystem for securely managing user identities and access to digital resources.

Q.2 What is the difference between Azure Active Directory and Active Directory?

AD is an on-premises directory service used to manage resources within a local network, whereas Azure AD is a cloud-based service intended to manage identities and access to cloud services and apps.

Q.3 What is an Active Directory used for?

Active Directory (AD) is a Microsoft directory service that is primarily used for managing and organizing resources in a networked environment. It stores user accounts, groups, machines, and other network objects in a centralized database. AD supports various critical functions, including authentication, authorization, and domain services. Administrators can use it to restrict user access to resources, enforce security policies, and manage user permissions. AD also makes administration easier by allowing the deployment of group rules to specify settings across several machines, providing consistent setups and network security. Overall, Active Directory is critical in Windows-based environments for simplifying user management, improving security, and optimizing network administration.

Q.4 Is Azure Active Directory SaaS or PaaS?

Azure Active Directory (Azure AD) is a Microsoft cloud-based service that falls under the Software-as-a-Service (SaaS) category. SaaS refers to the internet-based distribution of software applications in which the provider hosts and administers the underlying infrastructure, which includes servers, databases, and networking. With Azure AD, enterprises can use the SaaS model to access and use Microsoft's identity and access management features without having to manage the underlying infrastructure. User authentication, access control, single sign-on, and connection with other SaaS apps are among the features and functionalities provided by Azure AD. As a result, Azure AD is categorized as a SaaS solution under the Microsoft Azure cloud platform.

Q.5 What is a tenant in Azure?

An Azure AD tenant is a reserved Azure AD service instance that an organization obtains and owns after signing up for a Microsoft cloud service such as Azure, Microsoft Intune, or Microsoft 365. Each tenant represents an organization and is distinct from other Azure AD tenants.

Q.6 What is DNS in Active Directory?

Active Directory Domain Services (AD DS) makes use of Domain Name System (DNS) name resolution services to allow clients to discover domain controllers, and to allow the domain controllers that host the directory service to communicate with one another.

Q.7 What is Azure LDAP?

The Lightweight Directory Access Protocol (LDAP) is an application protocol that allows users to interact with various directory services. Active Directory, for example, stores user and account information as well as security information such as passwords.


More FAQs

What is Azure Active Directory (Azure AD)?

Azure Active Directory (Azure AD) is Microsoft's enterprise cloud-based identity and access management (IAM) solution. Azure AD is the backbone of the Office 365 system, and it can sync with on-premise Active Directory and provide authentication to other cloud-based systems via OAuth.

What are the basics of Azure Active Directory?

Azure Active Directory comprises a database (directory) that records things like what users there are and who's allowed to do what, and set of services that enable your employees to sign in (authentication) and access only the IT resources they're allowed to (authorization).

What is the difference between Active Directory and Azure AD?

Protocols: Active Directory supports traditional authentication protocols like Kerberos and LDAP, while Azure AD uses modern protocols like SAML, OAuth 2.0, and OpenID Connect. Group Policy: Active Directory allows admins to manage Group Policy Objects, while Azure AD uses Conditional Access policies.

What is the basic knowledge of Active Directory?

Active Directory (AD) is a database and set of services that connect users with the network resources they need to get their work done. The database (or directory) contains critical information about your environment, including what users and computers there are and who's allowed to do what.

What are the 3 main identity types used in Azure AD?

The types of identities in Azure AD:
  • Users: These include the member users within the domain and any external/guest users invited to the domain.
  • Devices: These are the devices registered to the domain.
  • Managed Identity: This identity is specific to Azure.

Is Azure AD PaaS or SaaS?

Azure Active Directory (Azure AD) is a Microsoft cloud-based service that falls under the Software-as-a-Service (SaaS) category.

Which tool is used by Azure Active Directory?

Conditional Access is the tool used by Azure Active Directory to bring signals together, to make decisions, and enforce organizational policies. Conditional Access policies at their simplest are if-then statements; if a user wants to access a resource, then they must complete an action.

What is the purpose of Azure Active Directory (Azure AD)?

Azure Active Directory (Azure AD), now known as Microsoft Entra ID, is an identity and access management solution from Microsoft that helps organizations secure and manage identities for hybrid and multicloud environments.

Will Azure AD replace Active Directory?

It is possible to replace Active Directory with Azure AD in some cases, but because of the lack of authentication protocols in Azure AD, it is never ideal. Doing so requires some concessions in security and is ultimately a lot of additional work.

Does Azure AD use SAML or OAuth?

OpenID, SAML and OAuth are the authentication protocols that Azure AD supports. OpenID and SAML are both authentication and authorization protocols. OAuth is an authorization protocol.

What are the 3 main components of an Active Directory?

Active Directory Domain Services uses a tiered layout structure consisting of domains, trees and forests to coordinate networked elements. Domains are the smallest of the main tiers, while forests are the largest. Different objects, such as users and devices, that share the same database will be on the same domain.

What are 3 things Active Directory allows you to do?

Active Directory Domain Services (AD DS) is the foundation of every Windows domain network. It stores information about domain members, including devices and users, verifies their credentials, and defines their access rights.

What are the two kinds of user accounts in Azure?

Work account - A work account can access resources in a tenant, and with an administrator role, can manage tenants. Guest account - A guest account can only be a Microsoft account or a Microsoft Entra user that can be used to share administration responsibilities such as managing a tenant.

Which are the two types of Azure AD groups?

What is the difference between Azure Group type "Security" and "M365"? All Azure AD groups managed via the Resource Coordinator Tools are security groups. M365 groups have special mail related function and are used by services like Teams. Azure AD group type cannot be changed after creation.

What type of authentication is Azure AD?

Azure Active Directory (AD) provides a range of authentication methods to help you manage access to company devices, applications, and data across your organization. This ranges from multi-factor authentication methods like Microsoft Authenticator, all the way to passwordless methods like Windows Hello.

What is basic in Azure?

Microsoft Azure fundamentals is a three-part series that teaches you basic cloud concepts, provides a streamlined overview of many Azure services, and guides you with hands-on exercises to deploy your very first services for free.

What are Active Directory basic functions?

The main function of Active Directory is to enable administrators to manage permissions and control access to network resources. In Active Directory, data is stored as objects, which include users, groups, applications, and devices, and these objects are categorized according to their name and attributes.

What are the three primary components of Azure Active Directory (AD) Connect?

Azure Active Directory Connect comprises three primary components: the synchronisation services, the optional Active Directory Federation Services component, and the Azure AD Connect Health monitoring component. Synchronization is in charge of the creation of users, groups, and other objects.
