It is important that customers are configured with a single Identity or Tenant. You should look at the Identity as the Control Plane or the single source of truth. Azure Active Directory “AD” has grown 30% Year-over-Year to 12.8 million customers. In addition there are now 272,000 Apps in Azure AD. Ironically the most used application in Azure AD is Google Apps: customers are using Azure AD to authenticate Google Services.
Azure AD is included with O365 so there is no additional cost. Identity in O365 consists of three different types of users:
- Cloud Identity: accounts live in O365 only
- Synchronized Identity: accounts sync with a local AD Server
- Federated Identity: certificate-based authentication based on an on-premises deployment of AD Federation Services (AD FS).
The Identity can be managed using several methods.
Password Hash Sync ensures you have the same password on-premises as in the cloud. The downside of hash sync is that account disables and other user edits are not reflected in the cloud until the sync cycle completes. In hash sync the hashes stored on-prem are not identical to those in the cloud, but the passwords are the same.
Pass-through Authentication: you still have the same password, but passwords remain on-premises. A Pass-through Authentication “PTA” agent gets installed on your enterprise AD server. The PTA agent handles the queuing of requests from Azure AD and sends the validation results back once authentication completes.
Seamless Single Sign-On works with both Password Hash Sync and Pass-through Authentication, with no additional on-site requirement. SSO is enabled during the installation of AD Connect.
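The sync-cycle lag described above for Password Hash Sync matters most when you disable an account. The following script is an added example, not from the original post, of forcing a delta sync after an on-prem disable and confirming the change in Azure AD; it assumes it runs on the AD Connect server with the ActiveDirectory, ADSync and Microsoft.Graph modules installed, and the account names are placeholders.

```powershell
# Added example: emergency disable of a synced account, followed by a forced
# delta sync so the change reaches Azure AD before the next scheduled cycle.
# Assumes: run on the Azure AD Connect server; ActiveDirectory, ADSync and
# Microsoft.Graph modules present; the caller may disable users and read Graph.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,  # e.g. "jdoe" (placeholder)
    [Parameter(Mandatory)] [string] $Upn              # e.g. "jdoe@contoso.example" (placeholder)
)

Import-Module ActiveDirectory
Import-Module ADSync

# 1. Disable the account in on-premises AD, the source of truth for synced users.
Disable-ADAccount -Identity $SamAccountName
Write-Host "Disabled $SamAccountName in on-premises AD."

# 2. Do not start a second cycle while one is running; wait for it to finish.
$sched = Get-ADSyncScheduler
while ($sched.SyncCycleInProgress) {
    Start-Sleep -Seconds 15
    $sched = Get-ADSyncScheduler
}
Write-Host "Next scheduled cycle: $($sched.NextSyncCycleStartTimeInUTC) UTC; forcing a delta sync now."

# 3. Push the change immediately instead of waiting for the scheduled cycle.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

# 4. Poll Azure AD until accountEnabled flips to false (or a timeout expires).
Connect-MgGraph -Scopes "User.Read.All","User.ReadWrite.All" | Out-Null
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 30
    $u = Get-MgUser -UserId $Upn -Property AccountEnabled,OnPremisesLastSyncDateTime
} until (-not $u.AccountEnabled -or (Get-Date) -gt $deadline)

if ($u.AccountEnabled) {
    Write-Warning "$Upn is still enabled in Azure AD (last sync $($u.OnPremisesLastSyncDateTime)); check Get-ADSyncConnectorRunStatus."
} else {
    Write-Host "$Upn is disabled in Azure AD (last sync $($u.OnPremisesLastSyncDateTime))."
    # 5. A disabled account can still hold valid refresh tokens; revoke them too.
    Revoke-MgUserSignInSession -UserId $Upn | Out-Null
    Write-Host "Revoked existing sign-in sessions for $Upn."
}
```

Pass-through Authentication does not have this lag for the password check itself, since validation happens against on-prem AD, but the account object and its group memberships still reach Azure AD through the same sync cycle.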
You do not need more than one Azure AD if you have more than one AD on premises. One Azure AD can support hundreds of unique domain names. You can also mix cloud-only accounts and on-prem synchronized accounts. You can use PowerShell and the Graph API instead of AD Connect to synchronize and manage users and groups, but it is much more difficult. AD Connect is necessary for Hybrid Exchange, however.
There are six general use cases for Azure AD:
- Employee Secure Access to Applications
- To leverage Dynamic Groups for automated application deployment. Dynamic groups support join, move and leave workflow processes.
- To federate access for Business-to-Business communication and collaboration (included in Azure AD, 1 license enables 5 collaborations)
- Advanced threat and Identity protection. This is enabled through conditional access based on device compliance.
- To abide by governance and compliance industry regulations. Access Review, which is in public preview, identifies accounts that have not accessed the system for a while and prompts the administrator to review them.
- To leverage O365 as an application development platform
With Azure AD Premium you get AD Connect Health, Dynamic Group memberships, and Multi-Factor Authentication for all objects that can be applied when needed rather than always on. In addition there is a better overall end user experience.