An overview of Azure Active Directory

Overview Technical Article

Microsoft France
Published: December 2013 (updated: June 2016)
Version: 2.0c

Author: Philippe Beraud (Microsoft France)


Reviewers: Arnaud Jumelet (Microsoft France), Christophe
Leroux, Philippe Maurent (Microsoft Corporation)

For the latest information on Azure Active Directory, please see
http://azure.microsoft.com/en-us/services/active-directory/

Copyright © 2016 Microsoft Corporation. All rights reserved.

Abstract: Identity management, provisioning, role management, and authentication are key services both on-premises and through the (hybrid) cloud. With the Bring Your Own Apps (BYOA) for the cloud and Software as a Service (SaaS) applications, the desire to better collaborate à la Facebook with the “social” enterprise, and the need to support and integrate with social networks, which leads to a Bring Your Own Identity (BYOI) trend, identity becomes a service where identity “bridges” in the cloud talk to on-premises directories, or the directories themselves move to and/or are located in the cloud.

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, AD provides a set of identity capabilities and services and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). Azure Active Directory (Azure AD) is AD reimagined for the cloud, designed to solve for you the new identity and access challenges that come with the shift to a cloud-centric, multi-tenant world.

Azure AD can truly be seen as an Identity Management as a Service (IdMaaS) cloud multi-tenant service. This document is intended for IT professionals, system architects, and developers who are interested in understanding the various options for managing and using identities in their (hybrid) cloud environment based on the Azure AD offerings, and in how to leverage their related capabilities.
Table of Contents
INTRODUCTION
  OBJECTIVES OF THIS PAPER
  NON-OBJECTIVES OF THIS PAPER
  ORGANIZATION OF THIS PAPER
  ABOUT THE AUDIENCE
WHAT IS AZURE AD?
  EDITIONS OF AZURE AD
  ANATOMY OF AZURE AD
  CREATING MULTIPLE DIRECTORIES IN AZURE AD
  DELETING A SPECIFIC DIRECTORY IN AZURE AD
MANAGING DIRECTORY CONFIGURATION
  EXTENDING YOUR ON-PREMISES IDENTITY INFRASTRUCTURE WITH AZURE
  MANAGING THE INTERNET DOMAINS FOR YOUR DIRECTORY
  SYNCHRONIZING YOUR DIRECTORY WITH THE ON-PREMISES DIRECTORIES
  FEDERATING YOUR DIRECTORY WITH THE ON-PREMISES DIRECTORIES
MANY APPLICATIONS, ONE IDENTITY REPOSITORY
  DISCOVERING ALL CLOUD APPLICATIONS IN USE WITHIN YOUR ORGANIZATION
  LEVERAGING PRE-INTEGRATED POPULAR SAAS APPLICATIONS
  "BRINGING YOUR OWN APPLICATION" (BYOA)
  ACCESSING YOUR ON-PREMISES WEB APPLICATIONS ON THE INTERNET
  PROVIDING IDENTITY AND ACCESS MANAGEMENT TO (YOUR) MODERN BUSINESS APPLICATIONS
MANAGING ACCESS TO APPLICATIONS
  ASSIGNING/REMOVING USERS
  USING GROUPS TO CONTROL ACCESS
  LEVERAGING DYNAMIC GROUPS
  REGISTERING THE DEVICES
  USING CONDITIONAL ACCESS CONTROL
MONITORING AND PROTECTING ACCESS TO APPLICATIONS AND BEYOND
  MONITORING SECURITY REPORTS AND BLOCKING USERS
  USING AZURE MULTI-FACTOR AUTHENTICATION
  LEVERAGING THE PRIVILEGED IDENTITY MANAGEMENT SERVICE
EMPOWERING USERS
  USING THE AZURE AD ACCESS PANEL
  EDITING THE PROFILE SETTINGS FOR THE USERS
  SELF-SERVICE PASSWORD RESET FOR CLOUD USERS
  SELF-SERVICE GROUP MANAGEMENT FOR USERS
  ACCESSING APPLICATIONS FROM THE AZURE AD ACCESS PANEL
  SELF-SERVICE FOR APPLICATION ACCESS
  CUSTOMIZING THE AZURE AD ACCESS PANEL (AND THE SIGN-IN PAGE)
  USING THE “MY APPS” MOBILE APPLICATIONS
Introduction

The cloud is changing the way in which applications are written. Accelerated market cycles, multi-tenancy, pure cloud solutions and hybrid deployments, web programmability, and the rise of devices (smartphones, tablets, etc.) as well as rich clients as consumption models undoubtedly offer new opportunities.

At the same time, modern business applications present new challenges for the key services, both on-premises and through the (hybrid) cloud, that identity management, provisioning, role management, and authentication represent.

With:
• The "Bring Your Own Apps" (BYOA) for cloud and Software-as-a-Service (SaaS) applications,
• The desire to better collaborate à la Facebook with the “social” enterprise,
• The need to support and integrate with social networks, which leads to a "Bring Your Own Identity" (BYOI) trend,
• Etc.

identity becomes a service where identity “bridges” in the cloud “talk” to on-premises directories, or the directories themselves move to and/or are located in the cloud (see the Gartner report 2013 PLANNING GUIDE: IDENTITY AND PRIVACY).
Identity, like compute, storage and networking, is an
essential platform service. In the same way that identity
played a critical role in the adoption of workgroup
computing, identity services will play a critical role as
organizations adopt the cloud. Organizations will use
cloud services and applications created by ISVs, Platform-
as-a-Service (PaaS) cloud platforms for (Line of Business
(LOB)) custom development, as well as Infrastructure-as-
a-Service (IaaS) cloud environment for specific
workloads, or part of them, to onboard the cloud for IT
optimization reasons.
Kim Cameron, Microsoft Chief Identity Architect, is convinced that “organizations will find they need new identity management capabilities to take full advantage of the cloud. They will also find that the most reliable and cost-effective way to obtain these capabilities is through Identity Management as a Service – i.e. using the cloud to master the cloud.

We can therefore predict with certainty that almost all organizations will subscribe to identity services that are cheaper, broader in scope and more capable than the systems of today.

Enterprises will use these services to manage authentication and authorization of internal employees, the supply chain, and customers (including individuals), leads and prospects. Governments will use them when interacting with other government agencies, enterprises and citizens.

Identity Management as a Service will require that we move beyond the models of identity management that have guided our thinking to date. A new service-based model will emerge combining more advanced capabilities with externalization of operations to achieve reduction in risk, effort and cost.”
Objectives of this paper

Azure Active Directory (Azure AD) is Microsoft’s vehicle for providing Identity Management as a Service (IdMaaS) capabilities in a public cloud.

As a complement to the white paper ACTIVE DIRECTORY FROM THE ON-PREMISES TO THE CLOUD, which is part of the same series of documents available on the Microsoft Download Center, this paper provides you with a "guided tour" of Azure AD to:
• Learn about its various editions and the related capabilities.
• Learn about its interfaces, such as the various endpoints published to sustain standards-based protocols for modern business applications.
• Discover its compelling capabilities, such as the ones provided by the Application Access Enhancements for Azure AD, which simplify managing access to thousands of pre-integrated SaaS applications. You can expect to see even more identity and access management capabilities in the future.
• Understand how it can work in concert with on-premises Windows Server Active Directory (AD) (or non-AD sources), as well as the possible options to perform federated provisioning and synchronization of identity information from these sources to Azure AD.
• Etc.

This paper can be seen as a starting point for anyone challenged with identity, provisioning, federation or cloud-based authentication, interested in leveraging the efficiencies of the cloud and automation for identity and access management, and consequently in leveraging an IdMaaS solution. The following sections directly tackle these areas.
Note: For additional information, see the Microsoft MSDN article GETTING STARTED WITH AZURE AD.
This document is an attempt to present the most important
features and capabilities of Azure AD as available – in
general availability (GA) or in public preview – at the
time of this writing.
Even more Azure AD functionalities will be integrated over the next year(s) for your identities in the cloud. Since its general availability in April 2013, Azure AD has indeed continued to receive enhancements that make it even more useful for IT professionals and developers.

Note: Please make sure you periodically check the Azure AD community forum as well as the MSDN Azure blog for notification of upcoming enhancements and changes that relate to Azure AD.

This document will thus evolve over time on a regular basis to reflect such additions and enhancements. This document constitutes the third revision.
Non-objectives of this paper

This document does not discuss the deployment and configuration of Windows Server AD (WSAD) on-premises.

This document is intended as an overview of the Azure AD offerings and, as such, provides neither an in-depth description nor detailed step-by-step instructions on how to implement a specific covered feature or capability. Where necessary, it instead refers to more detailed documents, articles, and blog posts that describe a specific feature or capability.
Organization of this paper

To cover the aforementioned objectives, this document is organized by themes which are covered in the following sections:
• WHAT IS AZURE AD?
• MANAGING DIRECTORY CONFIGURATION
• MANY APPLICATIONS, ONE IDENTITY REPOSITORY
• MANAGING ACCESS TO APPLICATIONS
• MONITORING AND PROTECTING ACCESS TO APPLICATIONS
• EMPOWERING USERS
About the audience

This document is intended for IT professionals, system architects, and developers who are interested in understanding the various options for managing and using identities in their (hybrid) cloud environment based on the Azure AD offerings foundation, and in how to leverage their related capabilities.
AD, AD in Azure and Azure AD are indeed useful for
slightly different scenarios. We recommend using Azure
AD in addition to on-premises AD (and AD in Azure) in
most cases as one doesn’t replace the other.
What is Azure AD?
As mentioned in the introduction, Azure Active Directory
(AD) is Microsoft’s vehicle for providing IdMaaS
capabilities in a public cloud. Microsoft’s approach to
IdMaaS is deeply grounded in – and extends – the proven
concepts of on-premises Active Directory (AD).
Active Directory (AD) is a Microsoft brand for identity
related capabilities. In the on-premises world, Windows
Server Active Directory (WSAD or simply AD) provides
a set of identity capabilities and services and is hugely
popular (88% of Fortune 1000 and 95% of enterprises use
AD).
The foundational concept of on-premises AD is that the
content of the directory is the property of the organization
deploying it and access to and use of that content is
completely under the organization’s control. This is also
the fundamental concept behind Azure AD.
Azure AD is NOT a monolithic directory of
information belonging to Microsoft, but rather, at the
time of writing, more than four million different
directories belonging to and completely controlled by
different organizations.
This architecture and commitment is called “multi-
tenant” and great care has been provided to insulate
tenants (organizations) from each other and from their
service operator – Microsoft.
We have indeed re-engineered AD to support massive scale, devices based on any operating system or architecture, modern business applications, modern protocols, high availability, and integrated disaster recovery.
Since its introduction, Azure AD "has handled 400 billion
identity authentications in Azure AD". "We have 350
million Azure Active Directory users. […] We actually
process 4 billion, with a B, authentications every week
with Azure Active Directory". This is a real testament to
the level of scale we can handle. “At a high level, Azure
AD is a high availability, geo-redundant, multi-tenanted,
multi-tiered cloud service that has delivered 99.99%
uptime for over a year now. We run it across 28
datacenters around the world. Azure AD has stateless
gateways, front end servers, application servers, and sync
servers in all of those data centers. Azure AD also has a
distributed data tier that is at the heart of our high
availability strategy. Our data tier holds more than 500
million objects and is running across 13 data centers.”

Since we first talked about it in November 2011, and with the above numbers in mind, Azure AD has shown itself to be a robust identity and access management service for Microsoft cloud services. No other cloud directory offers this level of enterprise reliability or proven scale.
Quoting from the report KUPPINGERCOLE LEADERSHIP COMPASS
CLOUD USER AND ACCESS MANAGEMENT: "Looking at the
Market Leadership chart, we see Microsoft being the clear
leader. This is based on the fact that their Azure Active
Directory on one hand shows good direct acceptance and
on the other builds the foundation for widely used
Microsoft Office 365. Furthermore, Microsoft has an
exceptionally strong partner ecosystem."
Furthermore, last year, Gartner in their Magic Quadrant
(MQ) for Identity Management as a Service (IDaaS)
[Gartner, June 2015] has placed Azure AD after its only
first year of availability in the “Visionaries” MQ.
As of this writing, Gartner has just released their MQ
for IDaaS for 2016 [Gartner June 2016] and Azure AD
Premium has been placed in the “Leaders” quadrant,
and positioned very strongly for our completeness of
vision.

Important note: The above graphic was published by Gartner, Inc. as part of the larger research document (complimentary access is provided here) and should be evaluated in the context of the entire document. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
As Alex Simons, Director of Program Management,
Microsoft Identity and Security Services Division, says,
“we’re thrilled with the result. It really validates our
vision of providing a complete solution for hybrid identity
and access for supporting employees, partners and
customers all backed by world class security based on
Microsoft’s intelligent security graph. This result says a
lot about our commitment in the identity and access
management space but more importantly about our
customers, implementation partners and ISV partners who
have worked together with us. They have been awesome
about sharing their time and energy every day, to make
sure that the products and services we build meet their
needs and are helping them position their companies to
thrive in the emerging world of cloud and devices.
You might be surprised to know that Microsoft also is the
only vendor in the Leader quadrant across Gartner’s
Magic Quadrants for IDaaS, Cloud Infrastructure as a
Service (IaaS), Server Virtualization, Application
Platform as a Service, Cloud Storage Services, and as a
leader across the data platform and productivity services.
This really shows you why customers are choosing
Microsoft across the full spectrum of cloud computing –
our services are well integrated and also among the best
available in their individual categories.”
Alex Simons adds: “our effort doesn’t stop here. We have
a lot of hard work ahead of us and we are planning to
deliver more innovative capabilities to further improve
our position in the “leaders” quadrant.”.

This said, a number of people are (still) surprised to find out that every Office 365 customer already has an Azure AD directory. Azure AD is the directory behind Microsoft Online Services subscriptions like Office 365, Dynamics CRM Online, Intune, etc. and is used to store user identities and other tenant properties. Just like the on-premises AD stores the information for Exchange, SharePoint, Lync and your custom LOB applications, Azure AD for instance stores the information for Exchange Online, SharePoint Online, Lync Online and any custom applications built in Microsoft’s cloud (or in another cloud).
It is possible to extend the usage of these directory tenants
to other LOB based applications you’re developing and/or
to thousands of cloud pre-integrated SaaS applications
like ADP, Concur, Google Apps, Salesforce.com and
others, regardless of the public cloud they are hosted on.
The pre-integrated SaaS applications are preconfigured
via an application gallery with all the parameters needed
to at least provide a seamless sign-in experience with
them, thanks to the Application Access Enhancements for
Azure AD (see later in this document).
Editions of Azure AD

Azure AD is available in three different editions to choose from:

1. Azure Active Directory (Free). With the Free edition of Azure AD, you can manage user accounts, synchronize with on-premises directories, and get single sign-on across Azure, Office 365, and thousands of popular SaaS applications.

Note: This is the free edition used by the above Microsoft Online Services subscriptions. If you have already subscribed to a paid Office 365 subscription, you can benefit from an Azure $0 subscription that you can use to access the Azure management portal with your existing Office 365 subscription, in order to directly manage the related Azure AD tenant with the full access management and security feature set and thus empower your Office 365 subscription. For example, the aforementioned Application Access Enhancements for Azure AD can today only be managed by accessing the directory through the Azure management portal. You can sign up for this $0 subscription by following the link https://account.windowsazure.com/PremiumOffer/Index?offer=MS-AZR-0110P&whr=azure.com.

Note: Independently of any Microsoft Online Services subscription, you can sign up for your free Azure AD tenant and trial Azure account by following the link https://account.windowsazure.com/signup?offer=MS-AZR-0044P. The first user you create as part of the sign-up process (based on the fields below) will also be an administrator of the directory. This user will be declared in the default domain of the directory tenant, <domain name>.onmicrosoft.com. You will sign in to Azure with this account.

Note: Contrary to other Azure resources, your Azure AD directories are not child resources of an Azure subscription. So if you cancel your Azure subscription or allow it to expire, you can still access your directory data using Windows PowerShell, the Azure AD Graph API (see later in this document), or other interfaces such as the Office 365 administration console.
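The note above says the directory stays reachable through Windows PowerShell even without an Azure subscription. The script below is an added example (not taken from this paper) of reading directory data with the Azure AD PowerShell cmdlets of the MSOnline module; it assumes that module is installed and that the signed-in account can read the directory. The export path and the role name looked up are the only assumptions beyond that.

```powershell
# Added example: read directory data through the Azure AD PowerShell (MSOnline) module.
# Assumes: Install-Module MSOnline has been run and the signed-in account can read the directory.
Import-Module MSOnline

# Interactive sign-in to the directory tenant itself, not to an Azure subscription.
Connect-MsolService

# Tenant-level properties: display name and whether directory synchronization is enabled.
$company = Get-MsolCompanyInformation
"Directory: {0} (DirSync enabled: {1})" -f $company.DisplayName, $company.DirectorySynchronizationEnabled

# Internet domains attached to the directory, their verification status and how they
# authenticate (Managed for cloud passwords, Federated for an on-premises STS such as AD FS).
Get-MsolDomain | Select-Object Name, Status, Authentication | Format-Table -AutoSize

# All user accounts, exported so they can be reviewed offline (the path is an assumption).
Get-MsolUser -All |
    Select-Object UserPrincipalName, DisplayName, IsLicensed, BlockCredential, LastDirSyncTime |
    Export-Csv -Path ".\aad-users.csv" -NoTypeInformation

# Members of the global administrator role ("Company Administrator" in MSOnline): the set of
# accounts an organization should keep small and review regularly.
$adminRole = Get-MsolRole -RoleName "Company Administrator"
Get-MsolRoleMember -RoleObjectId $adminRole.ObjectId |
    Select-Object DisplayName, EmailAddress, RoleMemberType |
    Format-Table -AutoSize
```

Because these cmdlets talk to the directory and not to an Azure subscription, the same script runs whether or not a subscription is attached, which is exactly the property the note describes.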

2. Azure Active Directory Basic. Azure AD Basic provides for the application access and self-service identity management requirements of task workers with cloud-first needs. With the Basic edition of Azure AD, you get all the capabilities that Azure AD Free has to offer, plus group-based access management, self-service password reset for cloud applications, a customizable environment for launching enterprise and consumer cloud applications, and an enterprise-level SLA of 99.9 percent uptime. An administrator with the Azure AD Basic edition can activate an Azure AD Premium trial.

Note: For additional information, see the blog post AZURE ACTIVE DIRECTORY BASIC IS NOW GA!.

3. Azure Active Directory Premium. With the Premium edition of Azure AD, you get all of the capabilities that Azure AD Free and Azure AD Basic have to offer, plus additional feature-rich enterprise-level identity management capabilities. This edition is part of the Enterprise Mobility Suite (EMS) offering, a comprehensive and cost-effective solution for enterprise mobility needs.

Note: The EMS offering is available not only with an Enterprise Agreement (EA) but also through Microsoft’s Cloud Solution Provider (CSP) and Open programs. For additional information, see the blog post AZURE AD AND ENTERPRISE MOBILITY SUITE NOW AVAILABLE WITHOUT AN ENTERPRISE AGREEMENT.

Note: For a description of each edition and a comparison table, see the Microsoft MSDN article AZURE ACTIVE DIRECTORY EDITIONS. For more information on the usage model, see the Microsoft MSDN article AZURE ACTIVE DIRECTORY PRICING. For information on the usage constraints and other service limits for the Azure AD service per edition, see the Microsoft MSDN article AZURE AD SERVICE LIMITS AND RESTRICTIONS.

To sign up today for Azure Active Directory Premium features, proceed with the following steps:

Note: For additional information about how to sign up and start using the Premium edition, see the Microsoft MSDN article GETTING STARTED WITH AZURE AD PREMIUM. You can also watch the Channel 9 demo videos ENABLING AZURE ACTIVE DIRECTORY PREMIUM TRIAL, HOW TO PURCHASE AZURE ACTIVE DIRECTORY PREMIUM - NEW CUSTOMERS, and HOW TO PURCHASE AZURE ACTIVE DIRECTORY PREMIUM - EXISTING CUSTOMERS.

1. Sign in to the classic Azure management portal as the global administrator of the directory you wish to customize.
2. Click ACTIVE DIRECTORY, and then select the directory where you want to assign licenses.
3. Select LICENSES.
4. Click TRY AZURE ACTIVE DIRECTORY PREMIUM NOW.
5. Click the check mark icon to activate the trial.
6. Once activated, you can start assigning premium licenses to your users. Click ASSIGN.
7. In the Assign licenses for Azure Active Directory Premium dialog box, select the users you want to assign licenses to, and then click the check mark icon to save the changes. You can alternatively set the view filter to group (all groups) in SHOW, select the groups you want to assign, and confirm the selection by clicking the check mark icon to save the changes.

Note: For additional information, see the blog post SIMPLIFIED LICENSE ASSIGNMENT WITH AZURE AD AND EMS. You can also watch the Channel 9 demo videos HOW TO ASSIGN EMS/AZURE AD PREMIUM LICENSES TO USER ACCOUNTS and ASSIGN EMS/AZURE AD PREMIUM LICENSES WITH POWERSHELL.
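The portal steps above assign Premium licenses one dialog at a time; the note mentions that the same assignment can be scripted with PowerShell. The following script is an added example, not the paper's own material, that performs steps 6 and 7 with the MSOnline module for every user of a group. It assumes the module is installed, the account is a global administrator of the directory, a Premium SKU (trial or purchased) is present in the directory, and a group named "Premium Users" exists; the group name and the usage location "FR" are assumptions to adapt.

```powershell
# Added example: assign Azure AD Premium licenses with the Azure AD PowerShell (MSOnline) module.
# Assumes: MSOnline is installed, the signed-in account is a global administrator, the Premium SKU
# is present, and a group named "Premium Users" exists (group name and usage location are assumptions).
Import-Module MSOnline
Connect-MsolService

# Locate the Premium SKU among the licenses the directory owns; its AccountSkuId has the
# form "<tenant>:AAD_PREMIUM". ActiveUnits and ConsumedUnits give the size of the pool.
$sku = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -like "*:AAD_PREMIUM" }
if (-not $sku) { throw "No Azure AD Premium SKU is available in this directory." }
$available = $sku.ActiveUnits - $sku.ConsumedUnits
"{0}: {1} of {2} licenses in use" -f $sku.AccountSkuId, $sku.ConsumedUnits, $sku.ActiveUnits

# Resolve the group whose members should receive a license (the group-based selection of step 7).
$group = Get-MsolGroup -SearchString "Premium Users" | Select-Object -First 1
if (-not $group) { throw "Group 'Premium Users' not found." }

foreach ($member in Get-MsolGroupMember -GroupObjectId $group.ObjectId -All) {
    # Nested groups and contacts cannot hold a license; only user members are processed.
    if ($member.GroupMemberType -ne "User") { continue }
    $user = Get-MsolUser -ObjectId $member.ObjectId

    # Users already holding the SKU are skipped so the script can be re-run safely.
    if ($user.Licenses.AccountSkuId -contains $sku.AccountSkuId) {
        "{0}: already licensed" -f $user.UserPrincipalName
        continue
    }

    # Stop before over-consuming the pool instead of letting the service reject the assignment.
    if ($available -le 0) {
        Write-Warning "License pool exhausted; stopping at $($user.UserPrincipalName)"
        break
    }

    # A license cannot be assigned until the user has a usage location (ISO 3166 country code).
    if (-not $user.UsageLocation) {
        Set-MsolUser -UserPrincipalName $user.UserPrincipalName -UsageLocation "FR"
    }

    Set-MsolUserLicense -UserPrincipalName $user.UserPrincipalName -AddLicenses $sku.AccountSkuId
    $available--
    "{0}: Azure AD Premium assigned" -f $user.UserPrincipalName
}
```

The two checks before the assignment (an existing license and an exhausted pool) are what make the script safe to schedule: rerunning it only touches members who joined the group since the last run, and it never attempts more assignments than the directory has licenses for.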
The Premium edition of Azure AD provides a dashboard for the directory, which is the one place to manage all of your services. It also makes it easy for you to keep up with new features and events.

Note: For additional information, see the blog post AZURE AD PREMIUM DASHBOARD IS IN PREVIEW!.
The rest of this section describes the main characteristics
of Azure AD (regardless of the "flavor", i.e. the edition)
that organizations and cloud-based applications can
leverage, as well as the core functionalities that Azure AD
provides for the users of these applications and for the
developers of these applications to be successful.

In terms of key scenarios, Azure AD can:
• Be a centralized "organization-owned" repository for all identities and cloud hosted applications.