
In this article by Jan-henrik Damaschke and Oliver Michalski, authors of the book Implementing Azure Solutions, we will learn about identity management and security for growing cloud services, as access policies within cloud environments and cloud services become more essential and important.

Microsoft's central service for this is Azure Active Directory. Every security policy or identity that Microsoft provides for its cloud services is based on Azure Active Directory.

Within this article you will learn the basics of Azure Active Directory, how to implement Azure AD, and how to implement hybrid Azure Active Directory with a connection to Active Directory Domain Services.

We are going to explore the following topics:

  • Azure Active Directory overview
  • Azure Active Directory Subscription Options
  • Azure Active Directory Deployment
  • Azure Active Directory User and Subscription Management
  • How to deploy Azure Active Directory Hybrid Identities with Active Directory Domain Service
  • Azure Active Directory hybrid highly available and non-highly available deployments


Azure Active Directory

Azure Active Directory, or Azure AD, is a multi-tenant, cloud-based directory and identity management service developed by Microsoft.

Azure AD also includes a full suite of identity management capabilities, including multi-factor authentication, device registration, self-service password management, self-service group management, privileged account management, role-based access control, application usage monitoring, rich auditing, and security monitoring and alerting.

Azure AD can be integrated with an existing Windows Server Active Directory, giving organizations the ability to leverage their existing on-premises identities to manage access to cloud-based SaaS applications.

After this article you will know how to set up Azure AD and Azure AD Connect. You will also be able to design a highly available infrastructure for identity replication.

The following figure describes the general structure of Azure AD in a hybrid deployment with Active Directory Domain Services:

Source: https://azure.microsoft.com/en-us/documentation/articles/active-directory-whatis/

Customers who are already using Office 365, CRM Online or Intune are using Azure AD for their service. You can easily tell that you use Azure AD if you have a username like [email protected] (.de or .cn are also possible if you are using Microsoft Cloud Germany or Azure China).

Azure AD is a multi-tenant, geo-distributed, highly available service running in 28 or more datacenters around the world. Microsoft has implemented automated failover and keeps at least two copies of your Azure Active Directory service in other regional or global datacenters.

Normally your directory runs in your primary datacenter and is replicated into another two datacenters in your region. If there are only two Azure datacenters in your region, as in Europe, the copy is distributed to another region outside yours.

Azure Active Directory options

There are currently three selectable options for Azure Active Directory, each with a different set of features. A fourth option, Azure Active Directory Premium P2, will become available later in 2016.

Azure AD free

Supports common features such as:

  • Directory objects with up to 500,000 objects
  • User/group management (add/update/delete)/ user-based provisioning, device registration
  • Single Sign-On for up to 10 applications per user
  • Self-service password change for cloud users
  • Connect and sync with on-premises Active Directory Domain Service
  • Up to 3 basic security and usage reports

Azure AD basic

Supports common features such as:

  • Directory objects with unlimited objects
  • User/group management (add/update/delete)/ user-based provisioning, device registration
  • Single Sign-On for up to 10 applications per user
  • Self-service password change for cloud users
  • Connect and sync with on-premises Active Directory Domain Service
  • Up to 3 basic security and usage reports

Basic features such as:

  • Group-based access management/provisioning
  • Self-service password reset for cloud users
  • Company branding (logon pages/ access panel customization)
  • Application proxy
  • Service level agreement of 99.9%

Azure AD premium P1

Supports common features such as:

  • Directory Objects with unlimited objects
  • User/group management (add/update/delete)/ user-based provisioning, device registration
  • Single Sign-On for up to 10 applications per user
  • Self-service password change for cloud users
  • Connect and sync with on-premises Active Directory Domain Service
  • Up to 3 basic security and usage reports

Basic features such as:

  • Group-based access management/provisioning
  • Self-service password reset for cloud users
  • Company branding (logon pages/ access panel customization)
  • Application proxy
  • Service level agreement of 99.9%

Premium features such as:

  • Self-service group and app management/self-service application additions/ dynamic groups
  • Self-service password reset/change/unlock with on-premises write-back
  • Multi-factor authentication (in the cloud and on-premises via MFA Server)
  • MIM CAL with MIM server
  • Cloud app discovery
  • Connect health
  • Automatic password rollover for group accounts

In Q3 2016 Microsoft will also enable customers to use the Azure Active Directory P2 plan, which includes all the capabilities of Azure AD Premium P1 as well as the new identity protection and privileged identity management capabilities. That is a necessary step for Microsoft to extend its offering for Windows 10 device management with Azure AD.

Currently Azure AD enables Windows 10 customers to join a device to Azure AD, implement SSO for desktops, use Microsoft Passport for Azure AD, and perform central administrator BitLocker recovery.

It also adds automatic classification to Active Directory Rights Management Service in Azure AD.

You should choose your Azure Active Directory option depending on what you plan to do with your Azure environment.
