
How does Active Directory in the cloud work?

Administrators responsible for cloud management use Azure Active Directory (Azure AD) to control which users, groups and applications can reach the resources in an Azure subscription, and what each of them is allowed to do with those resources.

Microsoft introduced Active Directory in 1999 with Windows 2000 Server. It has evolved through each subsequent Windows Server release to encompass every directory-based service related to user authentication and identity management in a Windows environment. Microsoft also provides Active Directory in the cloud for companies that require access control across software as a service (SaaS) applications.

Active Directory (AD) assigns and enforces security policies for all users and limits the scope of tasks those users can perform. For example, when a user logs on, AD checks the credentials, determines whether the account is a standard user or an administrator, and grants (or withholds) access to services, applications and rights accordingly.

With the release of Microsoft's cloud services, Azure AD arrived to provide the same essential suite of directory and identity management for Azure's multi-tenant cloud environment; Microsoft renamed the service Microsoft Entra ID in 2023, but the design described here is unchanged. Azure AD can provide single sign-on (SSO) for cloud applications such as Salesforce, Dropbox, Office 365 and countless other SaaS applications. Cloud developers can also integrate Azure AD into software built for cloud deployment, so that other organizations already using AD can adopt those applications more easily.

But the real power of Azure AD lies in its suite of identity management features, such as user account and privileged account management, device registration, user authentication (including multifactor authentication), password management, group management, role-based access control (RBAC), application usage tracking, auditing, reporting and more. Taken together, AD helps secure a Windows-based, and now Azure-based, enterprise by ensuring users and groups get only the services and rights they need. Azure AD also integrates with Windows AD deployed in local data centers: a synchronization service such as Azure AD Connect copies on-premises accounts and groups into Azure AD, so the same identities that are managed on premises can be granted access to cloud-based assets.

When an Azure subscription is created, it is associated with exactly one Azure AD tenant (directory). IT staff responsible for cloud management then use identities from that tenant to grant users, groups and applications access to the resources in the subscription.


Access to Azure's resources is governed by Azure RBAC. A role definition lists the operations (actions) its holder may perform on Azure resources; a role assignment binds a role to a user, group or application at a particular scope within the subscription. Azure provides three fundamental built-in roles: Owner, Contributor and Reader. An Owner can access all resources and control access for others, which is to say an administrator. A Contributor can create and manage Azure resources but cannot change access for others. A Reader can only view existing resources. Many further built-in roles are specific to particular Azure resource types, and custom roles can be created or tailored to meet the needs of the enterprise. These Azure resource roles are distinct from the Azure AD directory roles, such as Global Administrator, that govern the directory itself.

As user accounts are created, groups are established and populated, and applications are deployed, an appropriate role is assigned to each. Every assignment is made at a scope: the entire subscription, a particular resource group, or an individual resource, such as a specific virtual machine (VM), website or storage account.

Azure's resource scopes form a hierarchy (management group, subscription, resource group, resource), and a role assignment granted at a parent scope is inherited by every child scope beneath it. For example, assigning a group the Reader role at subscription scope lets all group members view every resource group and resource in the subscription. By comparison, if an administrator assigns a user the Contributor role at a resource group scope, the user can manage any resource within that resource group, such as creating new VMs, but not resources in other resource groups in the subscription.
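The two scenarios above (a group given Reader at subscription scope, a user given Contributor at resource group scope) can be worked through with a small model of how a role assignment, a role definition and a scope combine. The following is an added example, not code from the original article and not Microsoft's authorization engine. It assumes that scopes are resource-ID path prefixes, that an assignment at a scope is inherited by every scope beneath it, and that an action is allowed when some applicable role lists it in Actions and not in NotActions; deny assignments, data actions and condition-based (ABAC) rules are deliberately left out, Contributor's NotActions list is shown only in part, and every ID and name is constructed for the example.

```python
# Added example: a simplified model of Azure RBAC evaluation. It is not
# Microsoft's engine. Assumptions: scopes are resource-ID path prefixes, an
# assignment at a scope is inherited by every scope beneath it, and an
# action is allowed when an applicable role lists it in Actions and not in
# NotActions. Deny assignments, DataActions and ABAC conditions are omitted.
# All IDs, names and scopes below are constructed for the example.
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple           # patterns such as "*" or "*/read"
    not_actions: tuple = ()  # patterns subtracted from actions


# The three fundamental built-in roles. Contributor's NotActions is a subset
# of the real list; the entries shown are the ones that stop it from
# changing access for others.
OWNER = RoleDefinition("Owner", ("*",))
CONTRIBUTOR = RoleDefinition(
    "Contributor",
    ("*",),
    ("Microsoft.Authorization/*/Delete",
     "Microsoft.Authorization/*/Write",
     "Microsoft.Authorization/elevateAccess/Action"),
)
READER = RoleDefinition("Reader", ("*/read",))


@dataclass(frozen=True)
class RoleAssignment:
    principal: str        # object ID of a user, group or service principal
    role: RoleDefinition
    scope: str            # resource ID of a subscription, resource group or resource


def _matches(pattern: str, action: str) -> bool:
    # Action matching is case-insensitive and '*' spans '/' segments.
    return fnmatchcase(action.lower(), pattern.lower())


def role_permits(role: RoleDefinition, action: str) -> bool:
    allowed = any(_matches(p, action) for p in role.actions)
    denied = any(_matches(p, action) for p in role.not_actions)
    return allowed and not denied


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    # Inheritance: an assignment applies at its own scope and at every
    # scope below it. The '/' boundary keeps rg-web from covering rg-webapp.
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def is_allowed(assignments, principals, action, target_scope) -> bool:
    """principals: the caller's own object ID plus every group it belongs to."""
    return any(
        ra.principal in principals
        and scope_covers(ra.scope, target_scope)
        and role_permits(ra.role, action)
        for ra in assignments
    )


# Constructed scenario mirroring the two cases in the text.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG_WEB = SUB + "/resourceGroups/rg-web"
RG_DATA = SUB + "/resourceGroups/rg-data"
VM_WEB = RG_WEB + "/providers/Microsoft.Compute/virtualMachines/web01"

ASSIGNMENTS = (
    RoleAssignment("grp-auditors", READER, SUB),        # group, subscription scope
    RoleAssignment("user-alice", CONTRIBUTOR, RG_WEB),  # user, resource group scope
)

VM_READ = "Microsoft.Compute/virtualMachines/read"
VM_WRITE = "Microsoft.Compute/virtualMachines/write"
GRANT_ROLE = "Microsoft.Authorization/roleAssignments/write"


def demo() -> dict:
    bob = {"user-bob", "grp-auditors"}  # Bob is a member of the auditors group
    alice = {"user-alice"}
    return {
        # Reader at subscription scope is inherited down to the VM.
        "auditor_reads_vm": is_allowed(ASSIGNMENTS, bob, VM_READ, VM_WEB),
        "auditor_creates_vm": is_allowed(ASSIGNMENTS, bob, VM_WRITE, VM_WEB),
        # Contributor at rg-web covers rg-web only, not the sibling rg-data.
        "alice_creates_vm_in_rg_web": is_allowed(ASSIGNMENTS, alice, VM_WRITE, RG_WEB),
        "alice_creates_vm_in_rg_data": is_allowed(ASSIGNMENTS, alice, VM_WRITE, RG_DATA),
        # Contributor's NotActions stop it from changing access for others.
        "alice_grants_roles_in_rg_web": is_allowed(ASSIGNMENTS, alice, GRANT_ROLE, RG_WEB),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running the script prints the five checks; only the auditor's read and Alice's VM creation inside rg-web come out true. Against a real subscription the same questions are answered by listing effective assignments with Get-AzRoleAssignment (Az PowerShell) or az role assignment list (Azure CLI), which also show the inherited assignments that the model here derives from the scope prefix.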

This kind of role-based management is flexible and powerful, but administrators must assign roles and scopes carefully to maintain a suitable security posture: a broad role granted at subscription scope reaches every resource beneath it. Many organizations already have policies governing how users and groups are granted rights, and those policies should be updated to cover Azure roles and scopes as subscription use grows.
