Azure AD Domain Services

There are four versions of Azure Active Directory as follows:

Free (included in Azure subscription)

- Limited to 500,000 directory objects
- Identity management capabilities and device registration
- Single Sign-On can be assigned to 10 apps per user
- B2B collaboration capabilities (allows you to assign guest users that exist outside of your business)
- Self-service password change (cloud users)
- Connect (syncs on-premise AD to Azure AD)
- Basic security reports

Basic (included in Microsoft 365 subscriptions)

- Unlimited directory objects
- Identity management capabilities and device registration
- Single Sign-On can be assigned to 10 apps per user
- B2B collaboration capabilities (allows you to assign guest users that exist outside of your business)
- Self-service password change (cloud users)
- Connect (syncs on-premise AD to Azure AD)
- Basic security reports
- Group-based access management and provisioning
- Self-service password reset (cloud users)
- Ability to brand logon pages
- Service Level Agreement

Premium P1 (free with certain Microsoft 365 plans, or €5.06 separately per user per month)

- Unlimited directory objects
- Identity management capabilities and device registration
- Single Sign-On can be assigned to unlimited apps per user
- B2B collaboration capabilities (allows you to assign guest users that exist outside of your business)
- Self-service password change (cloud users)
- Connect (syncs on-premise AD to Azure AD)
- Advanced reports
- Group-based access management and provisioning
- Self-service password reset (cloud users)
- Ability to brand logon pages
- Service Level Agreement
- Dynamic groups, group creation, group naming policy, usage guidelines, etc.
- On-premise writeback for self-service reset, change, and unlock
- Two-way sync between on-premise AD and Azure AD
- Multi-factor authentication
- Microsoft Identity Manager user CAL
- Cloud App Discovery
- Connect Health
- Conditional Access based on health/location
- Automatic password rollover (for group accounts)
- Ability to grant conditional access based on location, device state, and group
- Integrations with 3rd party identity governance partners
- Terms of Use (ToU)
- SharePoint limited access
- OneDrive for Business (limited access)
- Preview integration for 3rd party MFA partners
- Cloud App Security integration

Premium P2 (€7.59 ex VAT per user per month)

- Unlimited directory objects
- Identity management capabilities and device registration
- Single Sign-On can be assigned to unlimited apps per user
- B2B collaboration capabilities (allows you to assign guest users that exist outside of your business)
- Self-service password change (cloud users)
- Connect (syncs on-premise AD to Azure AD)
- Advanced reports
- Group-based access management and provisioning
- Self-service password reset (cloud users)
- Ability to brand logon pages
- Service Level Agreement
- Dynamic groups, group creation, group naming policy, usage guidelines, etc.
- On-premise writeback for self-service reset, change, and unlock
- Two-way sync between on-premise AD and Azure AD
- Multi-factor authentication
- Microsoft Identity Manager user CAL
- Cloud App Discovery
- Connect Health
- Conditional Access based on health/location
- Automatic password rollover (for group accounts)
- Ability to grant conditional access based on location, device state, and group
- Integrations with 3rd party identity governance partners
- Terms of Use (ToU)
- SharePoint limited access
- OneDrive for Business (limited access)
- Preview integration for 3rd party MFA partners
- Cloud App Security integration
- Identity Protection
- Privileged Identity Management
- Multi-factor authentication

Free vs Basic vs Office 365

Typically, both of these Azure AD environments will be part of your existing license. So, if you only have an Azure license, you’ll use the free version. Also, if you only have an Office 365 license, you’ll use the Office 365 version.

The Office 365 version has two advantages over the free version – multi-factor authentication and unlimited directory objects.

Of course, having more than one layer of authentication is critical in today’s business environment, so this is not a small feature by any means. Unlimited objects becomes a necessity for most businesses at a certain point, especially if you have over 20 employees or you’re using lots of cloud apps. Typically, you won’t be selecting between these two: you’ll either have an Office 365 license or you won’t.

Azure AD P1 vs Azure AD P2

For those looking to upgrade to P1 or P2 for additional features, the extra Azure AD resources become apparent. These two tiers start to offer some critical components that are not available in the other three versions, all of which are extremely helpful for security, compliance, and identity management.

What do P1 and P2 Share in Common?

Both of these options:

- Provide unlimited directory objects
- Give you identity management capabilities
- Provide single sign-on for an unlimited number of apps and unlimited users for those apps
- Have B2B collaboration capabilities, which let you grant access to guest users for collaborative work
- Give self-service password change capabilities to users
- Have Connect, which syncs Windows Server AD (or other on-premise AD) and Azure AD
- Have advanced reports (see how apps are being utilized by users, see where risks exist, and troubleshooting capabilities)
- Give you branding capabilities for portals/login pages
- Have multi-factor authentication
- Have app proxy
- Include group-based access management and provisioning
- Have Microsoft Identity Manager user CAL
- Come with a Service Level Agreement
- Have Cloud App Discovery
- Have Connect Health
- Give you conditional access based on user location/devices
- Have automatic password rollover
- Give you the ability to integrate third-party identity governance partners and MFA partners
- Have Terms of Use
- Provide SharePoint limited access
- Give you limited access to OneDrive for Business
- Have Cloud App Security integration

What’s the Difference Between Azure AD P1 and P2

There are three core differences between P1 and P2. Firstly, P2 has Identity Protection, which lets you manage conditional access to apps. Secondly, P2 gives you Privileged Identity Management (PIM), which gives you additional management over privileged accounts. Finally, you get Access Reviews.

All of these features are typically reserved for enterprises, and small businesses probably won’t require any of these features.

What are the Azure Active Directory benefits?


Azure AD Benefit 1

Azure AD is not a cloud version of AD as the name might suggest. Although it performs some of the same functions, it is quite different.

Azure Active Directory is a secure online authentication store, which can contain users and groups. Users have a username and a password which are used when you sign into an application that uses Azure AD for authentication. So for example all of the Microsoft Cloud services use Azure AD for authentication: Office 365, Dynamics 365 and Azure. If you have Office 365, you are already using Azure AD under the covers.


Azure AD Benefit 2

As well as managing users and groups, Azure AD manages access to applications that work with modern authentication mechanisms like SAML and OAuth. Applications are an object that exists in Azure AD, and this allows you to create an identity for your applications (or third-party ones) that you can grant access to users. Besides seamlessly connecting to any Microsoft Online Services, Azure AD can connect to thousands of SaaS applications (e.g. Salesforce, Slack, ZenDesk etc) using a single sign-on.

When compared with AD, here is what Azure AD doesn’t do:

- You can’t join a server to it
- You can’t join a PC to it in the same way; there is Azure AD Join for Windows 10 only
- There is no Group Policy
- There is no support for LDAP, NTLM or Kerberos
- It is a flat directory structure, with no OUs or Forests

So Azure AD does not replace AD.

AD is great at managing traditional on-premise infrastructure and applications. Azure AD is great at managing user access to cloud applications. They do different things with the area of overlap being user management.

AD vs Azure AD – should you use one, the other or both?

If you have a traditional on-premise set up with AD and also want to use Azure AD to manage access to cloud applications (e.g. Office 365 or any of thousands of SaaS apps) then you can happily use both.

If you are using Microsoft Office 365 then your users will have a username and password for that (managed by Azure AD), as well as a username and password for their network logon (managed by AD). These two sets of credentials are unrelated. This is fine; it just means that if you have a password change policy, users will have to change their password twice (and they could of course choose the same password for both).

Or you can synchronise AD with Azure AD so that users only have one set of credentials, which they use for both their network login and access to O365. You use Azure AD Connect to do this: a small, free piece of Microsoft software that you install on a server to perform the synchronisation.
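Once Azure AD Connect is in place, the thing a defender wants to know is whether the synchronisation is still running (a stale sync means on-premises password changes and account disables stop reaching Azure AD) and which accounts are cloud-only and therefore outside the on-premises password and lifecycle policy. The following is an added example, not code from the original article, that checks both from the Azure AD side with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed and that the signed-in account can read organisation and user objects; the 3-hour staleness threshold is an assumption chosen for the example.

```powershell
# Added example (not from the original article): read-only health check of
# Azure AD Connect synchronisation, seen from the Azure AD (cloud) side.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
# $StaleAfterHours is an assumed threshold; the default Azure AD Connect
# scheduler exports every 30 minutes, so 3 hours means several missed cycles.
$StaleAfterHours = 3

Connect-MgGraph -Scopes 'Organization.Read.All', 'User.Read.All' -NoWelcome

# The organisation object records whether directory sync is enabled and when
# the last export from Azure AD Connect was received.
$org = Get-MgOrganization -Property 'displayName', 'onPremisesSyncEnabled', 'onPremisesLastSyncDateTime'

if (-not $org.OnPremisesSyncEnabled) {
    Write-Host "Tenant '$($org.DisplayName)': directory synchronisation is NOT enabled (cloud-only identities)."
}
else {
    $lastSync = $org.OnPremisesLastSyncDateTime
    $age      = (Get-Date).ToUniversalTime() - $lastSync.ToUniversalTime()
    Write-Host ("Tenant '{0}': last sync {1:u} ({2:N0} minutes ago)" -f $org.DisplayName, $lastSync, $age.TotalMinutes)

    if ($age.TotalHours -gt $StaleAfterHours) {
        # While sync is stale, disables and password resets done in on-premises
        # AD do not take effect in the cloud; treat this as something to investigate.
        Write-Warning "Last sync is older than $StaleAfterHours hours; check the Azure AD Connect server and its sync scheduler."
    }
}

# Split the user population into synced (one set of credentials, mastered in
# on-premises AD) and cloud-only (a separate password, managed only in Azure AD).
$users = Get-MgUser -All -Property 'userPrincipalName', 'onPremisesSyncEnabled', 'accountEnabled'

$synced    = @($users | Where-Object { $_.OnPremisesSyncEnabled -eq $true })
$cloudOnly = @($users | Where-Object { $_.OnPremisesSyncEnabled -ne $true })

Write-Host ("Users: {0} synced from on-premises AD, {1} cloud-only" -f $synced.Count, $cloudOnly.Count)

# Cloud-only accounts sit outside the on-premises password policy and joiner/
# leaver process, so list them for review (admins, service accounts and
# emergency-access accounts typically live here).
$cloudOnly |
    Sort-Object UserPrincipalName |
    Select-Object UserPrincipalName, AccountEnabled |
    Format-Table -AutoSize
```

On the Azure AD Connect server itself the same question can be asked from the other end with `Get-ADSyncScheduler` from the ADSync module, which reports whether the sync cycle is enabled and when the next cycle is due; the cloud-side check above is useful because it works even when the Connect server is unreachable, which is exactly the situation it is meant to catch.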

If you are a new business or one that is looking to transition away from having any traditional on-premise infrastructure and using purely cloud-based applications, then you can operate purely using Azure AD.

In this case, although you will have all your applications in the cloud, you will of course still have physical devices – PCs and smartphones – that your team will use to access and work with these cloud applications.

So how do you secure and manage these devices?

In the case of PCs (this applies to Windows 10 only) you can Azure AD Join them and log in to machines using Azure AD user accounts. You can apply conditional access policies that require machines to be Azure AD joined before accessing company resources or applications. However, Azure AD Join provides limited functionality compared to AD Join (as there is no Group Policy), and in order to gain fine-grained control over the PCs you would then use a Mobile Device Management solution, such as Microsoft Intune, in addition to this.
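The conditional access policy described above ("require machines to be Azure AD joined before accessing company resources") can be expressed as a Graph conditional access policy object. The following is an added example, not code from the original article, that creates such a policy with the Microsoft Graph PowerShell SDK in report-only mode and then reads recent sign-ins to see who it would have blocked. It assumes the Microsoft.Graph module is installed and the account holds a role allowed to manage conditional access; the policy name, the device-filter design (exclude Azure AD joined devices, block everything else on Windows) and the break-glass group id are assumptions of the example, and the group id is a placeholder.

```powershell
# Added example (not from the original article): a report-only conditional
# access policy that blocks Windows sign-ins from devices that are not Azure AD
# joined, followed by a look at which sign-ins it would have affected.
# Assumes the Microsoft.Graph PowerShell SDK is installed.
$PolicyName        = 'Require Azure AD joined device (report-only)'   # example name
$BreakGlassGroupId = '00000000-0000-0000-0000-000000000000'           # PLACEHOLDER: emergency-access group

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All', 'AuditLog.Read.All' -NoWelcome

$policy = @{
    displayName = $PolicyName
    # Report-only: the policy is evaluated and logged on every sign-in but never
    # enforced, so its scope can be validated before anyone is locked out.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($BreakGlassGroupId)   # never lock out the emergency accounts
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
        platforms      = @{ includePlatforms = @('windows') }
        devices        = @{
            # Devices whose trust type is "AzureAD" (Azure AD joined) are excluded
            # from the policy; anything else, including unregistered devices, is
            # in scope and hits the block control below.
            deviceFilter = @{
                mode = 'exclude'
                rule = 'device.trustType -eq "AzureAD"'
            }
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('block')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"

# After some sign-ins have accumulated, find those the policy would have blocked.
# For a report-only policy, appliedConditionalAccessPolicies records the result
# 'reportOnlyFailure' when its block control would have applied.
$recent = Get-MgAuditLogSignIn -Top 500

$wouldBeBlocked = $recent | Where-Object {
    $_.AppliedConditionalAccessPolicies |
        Where-Object { $_.Id -eq $created.Id -and $_.Result -eq 'reportOnlyFailure' }
}

$wouldBeBlocked |
    Select-Object CreatedDateTime, UserPrincipalName, AppDisplayName,
                  @{ n = 'Device';    e = { $_.DeviceDetail.DisplayName } },
                  @{ n = 'TrustType'; e = { $_.DeviceDetail.TrustType } } |
    Format-Table -AutoSize
```

Two design points worth noting. First, the filter is an exclusion, so a device with no registration at all does not match it and is blocked, which is the intended behaviour for "company resources only from company-joined PCs". Second, in a hybrid environment PCs joined to on-premises AD and registered with Azure AD report a trust type of `ServerAD` rather than `AzureAD`, so the rule would need `-or device.trustType -eq "ServerAD"` added before the policy is switched from report-only to enabled; the sign-in review step is what tells you whether that is needed.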

Other devices (Windows 10, iOS, Android, and macOS) can be Azure AD Registered (which means you sign into the device itself without requiring an Azure AD account, but can then access apps etc. using the Azure AD account) and controlled using Microsoft Intune.

If you can’t get all your applications as SaaS apps and have some that still need to run on your own servers, then you can migrate these to Virtual Machines (VMs) in Azure. If those VMs need to be domain joined, then you can either deploy a Domain Controller on another VM in Azure, or you can use Azure Active Directory Domain Services (Azure AD DS) which is a PaaS service (you don’t have to manage it) for domain joining Azure VMs. Azure AD DS automatically synchronises with Azure AD so all your users get the application access you want.

AD vs Azure AD Summary

In summary, Azure AD is not simply a cloud version of AD; they do quite different things. AD is great at managing traditional on-premise infrastructure and applications. Azure AD is great at managing user access to cloud applications. You can use both together, or if you want to have a purely cloud-based environment you can just use Azure AD.

Want to know more?


If you want to know more about the difference between AD vs Azure AD, Compete366 is here to help.

Contact Tier3Tech today for further consultation on whether or not Azure AD can completely replace your current local AD setup.
