You hear a lot about the cloud recently, don't you? Mostly from sales people: they have their goals and targets, so that is the hot thing. You may also hear about it from your peers or your colleagues at work.
Among these cloud topics there are some common concerns – security and control. Of course. We all need to grasp that. Can we control what is outside of our boundaries, not protected by the network firewall? Thinking about future changes in on-premises and possible cloud deployments will inevitably lead you to the topic of user management and authentication, and this will take you to identity providers. There are many – Microsoft, Ping, Auth0, Centrify… and many other products.
Today let’s focus on one – Azure Active Directory (or in short – Azure AD, which is what you will mostly find on the web). Sounds pretty familiar? Most likely we already have something for that – it is called Active Directory, and we’ve had it for years now. And it is working! So do we need another one? Or is it just sales speech?!
Let’s get some fast facts on this.
Active Directory Domain Services (or in short AD DS) is what we all call Active Directory. It is an on-premises directory which provides authentication and authorization for your users and services. You can manage your on-premises users and their access to resources like applications and file shares. Simple!
AD DS relies on the Kerberos protocol for authentication and SSO. Yes! AD DS can provide SSO for applications; it just requires the applications to be configured properly. It also supports LDAP. LDAP is a directory data access protocol, but many apps use it for user authentication as well.
One tip: if anyone tells you that those pop-up windows asking for a username and password inside the domain are by design – CHALLENGE IT! They are not! Mostly it comes down to proper Kerberos configuration.
What AD DS can’t do for you: authentication of users outside of your network. Well, technically you can do it! It will require some additional effort – software or hardware for publishing applications (reverse proxy, F5, Netscaler – does it ring a bell?).
So, here comes Azure Active Directory. In Q&A form:
Is Azure Active Directory the same as the Active Directory you know?
No, it isn’t. In a strict technological sense, Azure Active Directory shares some technology roots with on-premises AD, but it does not work in the same way.
Will it replace my domain controllers?
No, it won’t. Azure Active Directory is a cloud-based Identity as a Service offering. It is not something that will replace your current AD. Its goal is to extend your current AD to external applications and services.
If it is not the same and it can’t replace my current AD, why should I be bothered?
When you stay completely on-premises – you don’t have to bother.
If you go for some externally provided applications or SaaS applications like CRM, Google Apps or Office 365 – here is where it comes into play.
Does your organization want to develop applications hosted outside of your network (think AWS, Azure, a hosting provider) or go mobile? Again, you may want to take a look at this service.
What can Azure AD do for me that local AD can’t?
Azure Active Directory is designed from scratch for the SaaS world. It supports protocols like OpenID Connect, OAuth or SAML to provide SSO and access control for those applications. A simple scenario – your organization wants to go for an externally hosted CRM (think SalesForce, MS CRM or Hootsuite) and you need simple access to it. This is where Azure Active Directory comes into play.
Can’t a local AD provide access to those?
It can, but it will always require some additional solution acting as Azure AD (the simplification is intentional 😉 ) – you will just deploy it on-premises and manage it on your own.
What can’t Azure AD do for me (that local AD does right now)?
You can join your computers to Azure Active Directory, but it is not the same as an AD domain join. You can’t currently use Azure AD to secure your file shares or on-premises applications using the standard AD model, or to apply GPOs to users. Local groups or printers – that is not for Azure Active Directory right now. We are still waiting for the two environments to blend, but it is coming with Windows Server 2016.
We plan to use Azure IaaS or AWS – do I need Azure Active Directory for that?
In general – no, this isn’t a prerequisite. If you use Azure infrastructure (VMs, web sites), you will get Azure AD anyway, as it underlies Azure security. In that sense, you will use it for controlling access to the infrastructure, but you don’t have to use it for anything else. However, it adds a security layer, so you may consider evaluating its features – you may use it to allow access to Amazon AWS as well. In this case, you have one solution to control user access to both clouds.
How much will it cost me to use it?
As usual – things come in flavors. The same goes for Azure AD. We have the following editions:
Free: no costs attached, basic functionalities, no SLA
Basic: basic features for standard users
Premium: full-service features divided into two levels
P1: All service functionality for IAM, SSO, and reporting
P2: Additional features focused on security and information protection
The cost will depend on your company’s agreement with Microsoft. You can start with the Free version and then expand. You can also mix license types within a single Azure AD.
In the end – do I need it?
If you are not going for SaaS apps and you are not handling external and mobile users – no.
Otherwise, sooner or later you will need Azure Active Directory or a similar solution. Our experience tells us it is better to check existing platforms first before considering building your own solution in this area. It is also good to define your requirements and expectations at the very beginning and develop your strategy. A good starting point for this might be reading our whitepaper on the subject.