Manage user identity with Windows Azure Active Directory

Azure Active Directory allows admins to manage end-user identities and comes in three versions. Which one depends on your enterprise's size and budget.

Windows Azure Active Directory is a Microsoft service that provides identity and access management in the cloud. Essentially, it allows users to authenticate to services such as an Exchange Online mailbox.

Azure Active Directory (AD) is available in free, basic and premium versions. The free version hosts an Active Directory whenever there is an Office 365 tenant. The premium edition of Azure AD offers more advanced security and reporting features than the free and basic versions. Medium-sized and large companies should look into the basic or premium editions; the free edition is more suitable for small shops that run identity and access management from the cloud. Here's a look at each edition and its associated features.

Azure Active Directory free edition features

The free edition is part of any Azure subscription and does not require a license or installation. It allows administrators to manage user accounts, synchronize Azure AD with on-premises directories and get single sign-on across Office 365, Azure and other software as a service (SaaS) applications such as Salesforce and Dropbox.

The free edition of Azure Active Directory includes:

  • User and group management using either Windows PowerShell or a graphical user interface;
  • A directory synchronization tool for syncing on-premises AD into the cloud;
  • Directory as a Service, which is available with a 500,000 object limit in the free edition; however, the object limit does not apply to Office 365, Intune or other Microsoft online services that rely on Azure AD for directory services. There is no object limit for the basic or premium editions;
  • Self-service password change for cloud users -- this service is not available for synchronized users;
  • Single sign-on to SaaS applications; and
  • Access to standard security reports.

Azure Active Directory basic edition features

Customers can upgrade from the free edition to a paid version at any time using the Azure portal. The basic edition includes all of the features found in the free version, plus the following:

Group-based application access -- Instead of configuring applications on a per-user basis, admins can use groups to provision users and assign permissions in bulk to SaaS applications. Groups used for this purpose can be synchronized from an on-premises directory or created in the cloud.

Self-service password reset -- Administrators using Azure Active Directory Basic can give all users in the directory the ability to reset their passwords. This uses the same sign-in experience Office 365 users are accustomed to and can reduce help desk calls.

Enterprise service-level agreement of 99.9% -- Microsoft guarantees an uptime of 99.9% or higher for the Azure Basic and Premium editions.

Azure AD application proxy -- Allows users to securely access on-premises Web applications.

Company branding/customization -- Administrators can add a company logo and color scheme to the sign-in and access panel pages to improve the end-user experience.

Azure Active Directory Basic is only available through a Microsoft Enterprise Agreement, the Open Volume License Program and the Cloud Solution Provider program.

Azure Active Directory premium edition features

The premium edition of Windows Azure Active Directory includes all of the features that are in the free and basic editions, plus the following:

Multi-factor authentication (MFA) -- The premium edition takes security to the next level by giving administrators the option to turn on MFA. It can provide secure access to all on-premises and cloud applications that are integrated with Azure Active Directory. As an administrator, you can turn on multi-factor authentication so that end users are prompted to set up additional verification the next time they log on.
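As an added example (not code from the article or from Microsoft), the following script audits which licensed users still have no MFA requirement and, only when run with -Apply, turns on per-user MFA for them so they are prompted to register a second factor at next sign-on. It assumes the legacy MSOnline PowerShell module is installed, an account with user-administrator rights, and a tenant licensed for MFA (for example, Azure AD Premium).

```powershell
# Added example: audit per-user MFA state and optionally enable it.
# Assumptions: MSOnline module installed; admin credentials; MFA licensing in place.
param(
    [switch]$Apply   # without -Apply the script only reports, it changes nothing
)

Import-Module MSOnline
Connect-MsolService   # prompts for administrator credentials

# The requirement object Set-MsolUser expects. "Enabled" prompts the user to
# register additional verification at next sign-on; "Enforced" additionally
# blocks older clients until registration is complete.
$requirement = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$requirement.RelyingParty = "*"
$requirement.State = "Enabled"

# Build a report of every licensed user and their current MFA state.
$report = foreach ($user in Get-MsolUser -All | Where-Object { $_.IsLicensed }) {
    $state = if ($user.StrongAuthenticationRequirements.Count -gt 0) {
        $user.StrongAuthenticationRequirements[0].State
    } else {
        "Disabled"
    }
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        MfaState          = $state
    }
}

# Defender's view first: who is still unprotected?
$unprotected = @($report | Where-Object { $_.MfaState -eq "Disabled" })
$report | Sort-Object MfaState | Format-Table -AutoSize
"{0} of {1} licensed users have no MFA requirement" -f $unprotected.Count, $report.Count

if ($Apply) {
    foreach ($u in $unprotected) {
        Set-MsolUser -UserPrincipalName $u.UserPrincipalName -StrongAuthenticationRequirements @($requirement)
        "Enabled MFA for $($u.UserPrincipalName)"
    }
}
```

Run it once without -Apply to review the list, since enabling MFA prompts every affected user at their next sign-on.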

Advanced reporting and alerts -- Azure Premium provides detailed logs that show advanced anomalies and inconsistent access pattern reports. These detailed reports can help you gain new insights to improve access security and detect potential threats.

Self-service group management -- Group management options allow end users to create new groups, delegate group ownership so that others can approve membership requests, and maintain groups. This option is already available in on-premises Exchange 2010 and higher, but it was not widely adopted because administrators preferred to keep control over group creation and maintenance themselves.

Microsoft Identity Manager (MIM) -- Azure Premium comes with the option to grant rights to use a MIM server and client access licenses in on-premises deployments to support any combination of hybrid identity environments. This is useful for large organizations that want to sync various directories into Azure AD. In addition, there is no limit on the number of MIM servers organizations can use.

Azure Premium is available through Microsoft Enterprise Agreement for approximately $5.70 per user per month with an annual commitment.