As part of the AZ-600 exam preparation, one needs to understand how identity and access management operates within the Azure ecosystem. Two crucial components that can be utilized for this are Azure Active Directory (Azure AD) and Active Directory Federation Services (AD FS). It’s vital to understand the differences between these two, as well as their individual strengths and limitations.
Azure Active Directory (Azure AD)
Azure AD is a multi-tenant, cloud-based directory, and identity management service. It offers better integration for managing users on a hybrid cloud setup. Azure AD is particularly beneficial in scenarios where you have to manage user identities across multiple devices and applications.
Azure AD’s main strengths come from the following features:
- Single sign-on (SSO) across multiple applications including thousands of pre-integrated software as a service (SaaS) applications.
- Multifactor authentication for data protection.
- Device registration to help with securing mobile device access and enforcing compliance policies.
- API access to customize the service and automate tasks.
- Availability of B2C (Business to Consumer) and B2B (Business to Business) collaboration options.
Example: If you have a mobile app that requires user sign-in, and you want to provide users with a single sign-on experience throughout all applications, then using Azure AD for user identity management would be the best choice.
Active Directory Federation Services (AD FS)
AD FS, on the other hand, is a Windows Server role that provides access control and single sign-on across a wide variety of applications in an organization. AD FS uses a claims-based access control authorization model. This model involves authenticating users via cookies and passing their rights and privileges as claims.
The main strengths of AD FS are:
- It provides SSO access to systems and applications across organizational boundaries.
- It can be used to extend your existing AD to external users like business partners, clients etc.
- AD FS does not store any credentials, instead it authenticates users against your existing identity store such as Active Directory.
- It uses a claims-based access control system to manage rights and permissions.
Example: If you need to provide single sign-on to an existing legacy application that supports SAML-based authentication and that application is not integrated with Azure AD, then AD FS might be the viable choice.
The Comparison
| Azure AD | AD FS | |
|---|---|---|
| Deployment | Cloud-based, easier to scale and manage | Self-hosted in your datacenter, more effort to manage |
| User Identity Source | Built-in user storage or federate with external directory | Federates user identities from external directory |
| SSO with SaaS Apps | Excellent, with thousands of pre-integrated apps | Limited, depends on the SAML/P-based support in the app |
| MFA | Built-in support | Requires additional implementation |
| B2B and B2C features | Yes | No |
While deciding whether to use Azure AD or AD FS, you should consider the specific user identity requirements, supported features, and complexities involved in your application environment. Choosing the right tool can help your organization stay secure while still maintaining accessibility and enhancing user experience in your hybrid cloud environment.
Remember, the key to your selection between Azure AD and AD FS hinges on your organization’s specific needs and objectives, as well as the inherent capabilities of these two services.
As you prepare for the AZ-600 exam, having a clear grasp of these components, how they function, and how to implement them in various scenarios will give you a strong foundational understanding of Azure’s hybrid cloud platform.
Practice Test
Azure Active Directory (Azure AD) is a cloud-based, identity-as-a-service solution. True/False?
- True
- False
Answer: True
Explanation: Azure AD is a multi-tenant, cloud-based directory and identity management service that offers a rich, standards-based platform for developers.
AD FS does not support modern authentication protocols like OAuth True/False?
- True
- False
Answer: False
Explanation: While AD FS is a Windows Server role, it supports modern protocols like SAML, WS-Federation, and OAuth
Which of the following supports password hash synchronization?
- a) Azure AD
- b) AD FS
Answer: a) Azure AD
Explanation: Azure AD supports password hash synchronization. This feature syncs a hash, of the hash, of a user’s password from an on-premises AD to Azure AD.
Applications that use LDAPS can be published in Azure AD. True/False?
- True
- False
Answer: False
Explanation: Azure AD does not currently support LDAP or LDAPS protocols. Therefore, applications that use LDAPS cannot be published in Azure AD.
AD FS requires an internet-facing server to support external access. True/False?
- True
- False
Answer: True
Explanation: AD FS needs an internet-facing server (AD FS Proxy) to support access from the internet. It is usually deployed behind a firewall which helps route the necessary ports to your federation servers.
Both Azure AD and AD FS can be used for single sign-on (SSO) operations. True/False?
- True
- False
Answer: True
Explanation: Single sign-on (SSO) enables users to authenticate themselves in a variety of systems and services using one set of login credentials. Both Azure AD and AD FS provide SSO capabilities.
Which of the following supports Multi-Factor Authentication (MFA) in the cloud?
- a) Azure AD
- b) AD FS
Answer: a) Azure AD
Explanation: Azure AD supports Multi-Factor Authentication. AD FS can support MFA, but it sometimes requires an additional server for the same.
Azure AD requires server maintenance. True/False?
- True
- False
Answer: False
Explanation: Azure AD is a cloud-based service, and Microsoft takes care of the server maintenance.
AD FS supports smart lockout functionality. True/False?
- True
- False
Answer: False
Explanation: Smart Lockout functionality that protects accounts from brute force attacks is only supported by Azure AD and not AD FS.
Which of the following is a rich, standards-based platform for developers and should be chosen for new cloud-based applications?
- a) Azure AD
- b) AD FS
Answer: a) Azure AD
Explanation: Azure AD is a multi-tenant, cloud-based directory and identity management service that offers a rich, standards-based platform for developers. It should be chosen for new cloud-based applications considering its advanced features and cloud capabilities.
Interview Questions
What is Azure Active Directory (Azure AD)?
Azure Active Directory (Azure AD) is a cloud-based multi-tenant directory and identity service provided by Microsoft for use with cloud applications.
What is Active Directory Federation Services (AD FS)?
Active Directory Federation Services (AD FS) is a Microsoft feature that extends your Active Directory configuration to services outside of your infrastructure.
What is a key difference in deployment between Azure AD and AD FS?
Azure AD is hosted in the cloud and managed by Microsoft, while AD FS is hosted and managed on-premises by your own organization.
What is SSO, and which of the two services support it?
Single Sign-On (SSO) is a feature that allows a user to log in with a single ID and password to any of several related yet independent software systems. Both Azure AD and AD FS support SSO.
How does Azure AD integrate with on-premises directories?
Azure AD integrates with on-premises directories via Azure AD Connect, which can combine multiple directories into a single directory.
Does AD FS provide Multi-Factor Authentication (MFA)?
Yes, AD FS supports MFA. However, setup and management can be complex compared to Azure AD, where MFA is built-in and easily configurable.
How does Azure AD handle authentication?
Azure AD handles authentication by validating user credentials against the user directory in the cloud.
In terms of scalability, which is more advantageous, Azure AD or AD FS?
Azure AD offers more scalability than AD FS, because it is hosted in the cloud and can scale to accommodate large numbers of users and requests.
What are the primary functions of ADFS in a Hybrid Cloud?
ADFS provides a secure way to authenticate users, devices, and applications over the network, allowing access to applications on-premises, in the cloud, and in hybrid scenarios.
Can you use both Azure AD and ADFS at the same time?
Yes, Azure AD and ADFS can be used together. You can use ADFS to authenticate users inside your organization’s network, and Azure AD for authenticating external users or applications.
Can Azure AD synchronize changes made to an on-premises directory?
Yes, with Azure AD Connect, changes made to an on-premises directory can be synchronized to Azure AD.
What is the recommended identity method for SaaS applications like Office 365?
For SaaS applications like Office 365, Microsoft recommends Azure AD for identity management.
How much technical expertise is required to manage Azure AD compared to AD FS?
Managing Azure AD requires less technical expertise than managing AD FS because Azure AD is hosted and managed by Microsoft.
Which service allows users to self-manage their passwords?
Azure AD supports self-service for password reset and manage group membership.
Can I use a combination of the two services?
Yes. For a hybrid approach, Azure AD can be used for cloud-based apps and AD FS for on-premises applications.
extutorials.com