As promised the “BASIC” articles on this blog will cover fundamental things you need to know. On of the main fundamentals is the Azure Active Directory, or Azure AD, or AAD.
As I see quite a lot of misconceptions out there when it comes to Azure AD, I would like to make sure that everyone understand the importance. Also it is necessary for everyone to know that Azure AD is not “just there” it is a service, that has to be configured, maintained, and managed.
What is the Azure AD?
Azure Active Directory is Microsoft’s cloud-based Identity and Access Management (IAM) Solution. It can be used to sign in to different kinds of internal and external applications. So you can use it to sign in into Software as a Service (SaaS) Solutions like Office 365 or you can use it to authenticate you users to one of your own applications.
When you first sign-up for any Microsoft Service like Azure, Intune or Office 365 then your “Tenant” will be created. This is your trusted and dedicated instance of Azure AD. It contains your Azure AD Directory. The directory includes your users, groups, apps, …
By default there is one Azure AD per organization. When you sign-up you will create a tenant with a name like “mountainit.onmicrosoft.com”. Every user created in the directory can then sign in via “firstname.lastname@example.org” (or whatever name you had chosen)
Additional to this you can register your own domain, so that for users, they can use their mail address. So the login would change to “email@example.com” after registering the custom domain “ericberg.de”
And that is pretty much the basic – Azure AD helps to authenticate your users. It has a directory with all your users and groups and handles the authentication.
Azure AD is not an implementation of the Windows Server Active Directory Domain Services in the cloud. They have some things in common. Both have a directory for users and groups and take care of authentication and authorization.
But the main difference is how authentication is working. While Windows Server AD is using Kerberos and NTLM, Azure AD was built for web-based authentications like OAuth 2.0 or SAML 2.0.
The other main difference is that with a Windows Server AD you have to take care of the infrastructure. With Azure AD Microsoft is taking care for you.
One thing that you will also miss in Azure AD: Group Policy … but this is another story.
One good thing, you can connect your local Active Directory with Azure Active Directory and make sure that your on-premises users and groups are also provisioned to Azure AD.
Where is my data for Azure Active Directory stored?
If you want to figure out where your data is stored, then go into the Microsoft Trust Center. There you will find a list of services. When selecting Azure AD you will be redirected to a PowerBI report. That lets you filter for your region and specific services.
If you are from Europe … all Personal Identifiable Information (PII) is stored in Europe. Only for MFA, B2C and B2B datacenters outside of Europe are used. More on this can be found in Docs.
The Region will be chosen based on the location where your contract was signed. or if you signed up via website in self-service… it depends on the location you choose during sign-up.
To check you location afterwards you can go into the properties of your Azure AD … there will find your country and the location of PII Data.
Why do I need AAD for Azure?
In Azure you need admins to get access to manage your Azure resources. Instead of having a separate User Directory, Azure is using Azure AD for Authentication. You can use your users and groups from AAD and assign them to scopes and resources in your Azure AD. But more on this next week.
To make this happen, every Subscription is attached to an Azure AD.
the assigned Azure AD for a subscription is the source of trust to access it. So choose wisely 🙂
Managing Azure AD?
To manage your Azure AD there are multiple ways….and this is causing much confusion. As you can see the users and groups of your Azure AD also in the Office 365 console or in the Intune Management, people sometimes think that there are multiple Azure ADs. Or they even think they require multiple Azure Active Directories.
There is only one Azure AD per organization (normally). It can be associated with multiple services and solutions. So you will have one AAD and will use it to sign-in to Office, Azure, and any other SaaS App.
Also this week there were many news around Microsoft Azure! Here as always the overview for you: Public preview: SAP S/4HANA events are now available on Azure Event Grid Forrester Total Economic Impact study: Azure Arc delivers 206 percent ROI over 3 years General availability: Azure Sphere OS version 22.10 Generally available: Azure Communication Services…
Also this week there were many news around Microsoft Azure! Here as always the overview for you: Generally available: SFTP support for Azure Blob Storage Leverage SFTP support for Azure Blob Storage to build a unified data lake Azure Virtual WAN simplifies networking needs General availability: Azure Premium SSD v2 Disk Storage General availability: OpenTelemetry…
Also this week there were many news around Microsoft Azure! Here as always the overview for you: Generally available: Kusto Trender Public preview: Enhanced soft delete for Azure Backup Public preview: Multi-user authorization for Backup vaults Public preview: Immutable vaults for Azure Backup General availability: Azure NetApp Files application volume group for SAP HANA Generally…
Also this week there were many news around Microsoft Azure! Here as always the overview for you: Scalable management of virtualized RAN with Kubernetes Cost optimization using Azure Migrate Public preview: Azure Firewall Basic Generally available: Query Store hints Azure SQL Database, Azure SQL Managed Instance Azure Firewall Basic now in preview Microsoft and INT…
Also this week there were many news around Microsoft Azure! Here as always the overview for you: Public preview: Policy analytics for Azure Firewall General availability: ExpressRoute FastPath support for Vnet peering and UDRs Strengthen your security with Policy Analytics for Azure Firewall Ensure zone resilient outbound connectivity with NAT gateway Azure SQL—General availability updates…
[…] Principals are non personalized accounts. They can get permissions like every other account via Azure AD. The good thing is, that you can assign specific right to this account, needed for the automation / […]