If you are an Azure Veteran … what was the first thing you have created in Azure? If you are new to Azure, what are you looking for to create? In many cases the answer is: Virtual Machines An even if you are one of the fancy-new-world-everything-paas-and-serverless gurus … we must be honest and say:…
As promised the „BASIC“ articles on this blog will cover fundamental things you need to know. On of the main fundamentals is the Azure Active Directory, or Azure AD, or AAD.
As I see quite a lot of misconceptions out there when it comes to Azure AD, I would like to make sure that everyone understand the importance. Also it is necessary for everyone to know that Azure AD is not „just there“ it is a service, that has to be configured, maintained, and managed.
What is the Azure AD?
Azure Active Directory is Microsoft’s cloud-based Identity and Access Management (IAM) Solution. It can be used to sign in to different kinds of internal and external applications. So you can use it to sign in into Software as a Service (SaaS) Solutions like Office 365 or you can use it to authenticate you users to one of your own applications.
When you first sign-up for any Microsoft Service like Azure, Intune or Office 365 then your „Tenant“ will be created. This is your trusted and dedicated instance of Azure AD. It contains your Azure AD Directory. The directory includes your users, groups, apps, …
By default there is one Azure AD per organization. When you sign-up you will create a tenant with a name like „mountainit.onmicrosoft.com“. Every user created in the directory can then sign in via „firstname.lastname@example.org“ (or whatever name you had chosen)
Additional to this you can register your own domain, so that for users, they can use their mail address. So the login would change to „email@example.com“ after registering the custom domain „ericberg.de“
And that is pretty much the basic – Azure AD helps to authenticate your users. It has a directory with all your users and groups and handles the authentication.
There are much more features around Azure AD, but this will be a topic later… A nice overview about the options and design decisions for Cloud Identity can be found here: Microsoft cloud identity for enterprise architects
What is Azure Active Directory NOT?
Azure AD is not an implementation of the Windows Server Active Directory Domain Services in the cloud. They have some things in common. Both have a directory for users and groups and take care of authentication and authorization.
But the main difference is how authentication is working. While Windows Server AD is using Kerberos and NTLM, Azure AD was built for web-based authentications like OAuth 2.0 or SAML 2.0.
The other main difference is that with a Windows Server AD you have to take care of the infrastructure. With Azure AD Microsoft is taking care for you.
One thing that you will also miss in Azure AD: Group Policy … but this is another story.
One good thing, you can connect your local Active Directory with Azure Active Directory and make sure that your on-premises users and groups are also provisioned to Azure AD.
Where is my data for Azure Active Directory stored?
If you want to figure out where your data is stored, then go into the Microsoft Trust Center. There you will find a list of services. When selecting Azure AD you will be redirected to a PowerBI report. That lets you filter for your region and specific services.
If you are from Europe … all Personal Identifiable Information (PII) is stored in Europe. Only for MFA, B2C and B2B datacenters outside of Europe are used. More on this can be found in Docs.
The Region will be chosen based on the location where your contract was signed. or if you signed up via website in self-service… it depends on the location you choose during sign-up.
To check you location afterwards you can go into the properties of your Azure AD … there will find your country and the location of PII Data.
Why do I need AAD for Azure?
In Azure you need admins to get access to manage your Azure resources. Instead of having a separate User Directory, Azure is using Azure AD for Authentication. You can use your users and groups from AAD and assign them to scopes and resources in your Azure AD. But more on this next week.
To make this happen, every Subscription is attached to an Azure AD.
the assigned Azure AD for a subscription is the source of trust to access it. So choose wisely 🙂
Managing Azure AD?
To manage your Azure AD there are multiple ways….and this is causing much confusion. As you can see the users and groups of your Azure AD also in the Office 365 console or in the Intune Management, people sometimes think that there are multiple Azure ADs. Or they even think they require multiple Azure Active Directories.
There is only one Azure AD per organization (normally). It can be associated with multiple services and solutions. So you will have one AAD and will use it to sign-in to Office, Azure, and any other SaaS App.
The main management portal for Azure AD is:
Here you can find everything around Identity and Access Management:
So happy authenticating 🙂
Dieser Post ist auch verfügbar auf: Englisch