You hear a lot about the cloud recently, do you? Mostly from sales people. They have their goals and targets, so that is the hot thing. You may hear about it from your peers or your colleagues.
Among these cloud things, there are some common concerns – security and control. Of course. We all need to grasp that, though. Can we control what is outside of our boundaries? Not protected by the network firewall? Speaking of future changes in on-premises and possible cloud deployments, it will inevitably lead you to the topic of user management and authentication. And this will take you to identity providers. There are many – Microsoft, Ping, Auth0, Centrify… many other products.
Today, let’s focus on one – Azure Active Directory (or in short, Azure AD, mostly searchable on the web). Sounds pretty familiar? Most likely we have something for that – it is called Active Directory, and we’ve had it for years now. And it is working! So do we need another one? Or is it just sales speak?!
Let’s get some quick facts on this
Active Directory Domain Services (or AD DS for short), it is what we all call Active Directory. It is an on-premises directory which provides authentication and authorization for your users and services. You can manage your on-premises users, access to resources like applications and file shares. Simple!
AD DS relies on Kerberos protocol for authentication and SSO. Yes! AD DS can provide SSO for applications. It requires just proper applications configuration. It supports LDAP. And LDAP is a data access protocol, but many apps are using it for user authentication.
Tip: If anyone tells you that these pop-up windows with a request for username and password in the domain are by design – CHALLENGE IT! They are not! Mostly it comes down to proper Kerberos configuration.
What AD DS can’t do for you: Authentication of users outside of your network. Well, technically you can do it, though! It will require some additional efforts – software or hardware for publishing applications (reverse proxy, F5, Netscaler – does it ring a bell?).
So, here comes Azure Active Directory. In Q&A
Is Azure Active Directory the same as Active Directory you know?
No, it isn’t. It is using technology with roots in AD underneath. In a strict technological sense, Azure Active Directory is sharing some technology roots with on-premises AD, but it is not working in the same way.
Will it replace my domain controllers?
No, it won’t. Azure Active Directory is cloud-based Identity as a Service offering. It is not something that will replace your current AD. Its goal is to extend your current AD to external applications and services.
If it is not the same and it can’t replace my current AD, why I should be bothered?
When you stay on-premises completely – you don’t have to bother.
If you go for some external provided applications or SaaS applications like CRM, Google Apps or Office 365 – here is where it comes into play.
Does your organization want to develop applications hosted outside of your network (think AWS, Azure, hosting provider) or go mobile? Again, you may want to take a look at this service.
What can Azure AD do for me that a local AD can’t?
Azure Active Directory is designed from scratch for the SaaS world. It supports protocols like OpenID Connect, OAuth or SAML to provide SSO and access control for those applications. A simple scenario – your organization wants to go for external hosted CRM (think SalesForce, MS CRM or Hootsuite) and you need simple access to it. This is where Azure Active Directory comes into play.
Can’t a local AD provide access to those?
It can, but it will always require some additional solution acting as Azure AD (simplification is intentional ;)) – you will just maybe deploy it on-premises and manage on your own.
What Azure AD can’t do for me (and local AD does right now)?
You can join your computers to Azure Active Directory, but it is not the same as AD domain join. You can’t currently use Azure AD to secure your file shares, on-premises applications using standard AD model or apply GPO on users. Local groups or printers – it is not for Azure Active Directory right now. Well, we’re waiting for both environments to blend, but it is coming with Windows Server 2016.
We plan to use Azure IaaS or AWS – do I need Azure Active Directory for that?
In general – no, this isn’t a pre-requisite. If you use Azure infrastructure (VMs, websites), you will get Azure AD as it is underlying Azure security. In that sense, you will use it for controlling access to the infrastructure, but you don’t have to use it for anything else. However, it adds a security layer so you may consider evaluating its features – you may use it to allow access to Amazon AWS as well. In this case, you have the one solution to control user access to both clouds.
How much will it cost me to use it?
As usual – things come in flavors. The same is with Azure AD. We have following editions:
- Free: no costs attached, basic functionalities, no SLA
- Basic: basic features for standard users
- Premium: full-service features divided into two levels
- P1: all service functionalities for IAM, SSO, and reporting
- P2: additional features focused on security and information protection
The cost will depend on your company agreement with Microsoft. You can start with a free version and then expand it. You can also mix license types within a single Azure AD.
In the end – do I need it?
If you are not going for SaaS apps or you are not handling external and mobile users – no.
In another case, sooner or later you will need Azure Active Directory or a similar solution. Our experience tells us it is better to check existing platforms first before considering building your solution in this area. It is also good to define your requirements and expectations at the very beginning and develop your strategy. A good starting point for this might be reading our whitepaper on the subject.
And as usual, if you have further questions – < contact us! >