Azure AD is Microsoft’s solution to provide identity and access management (IAM) in the cloud. With Azure AD, organizations can provide their employees and partners with secure single sign-on access to many cloud and local apps from any device. Azure AD also helps protect user identities by supporting multi-factor authentication, conditional access policies, and identity protection.
Versions of Azure AD
Azure AD comes in various versions, each providing different levels of functionality:
- Free: Provides user and group management, on-premises directory synchronization, self-service password change for cloud users, and single sign-on across Azure, Microsoft 365, and many popular SaaS apps.
- Office 365 Apps Edition: In addition to the Free edition features, it supports self-service password reset for cloud users and company branding capabilities like adding company logo and custom colors to the sign-in pages.
- Premium P1: In addition to the Office 365 Apps edition features, it provides features such as Azure AD Join, password reset with on-premises write-back, group access management, conditional access, and the Microsoft Identity Manager user CAL.
- Premium P2: In addition to the Premium P1 features, it adds Identity Protection, which provides risk-based Conditional Access to your apps and critical company data, and Office 365 Privileged Identity Management, which helps discover, restrict, and monitor administrators and their access to resources and provides just-in-time access.
The table below illustrates a comparison of key features across these versions:
| Feature | Free | Office 365 Apps | Premium P1 | Premium P2 |
|---|---|---|---|---|
| User/Group Management | Yes | Yes | Yes | Yes |
| Single Sign-On | Yes | Yes | Yes | Yes |
| Self-service Password Change | Yes | Yes | Yes | Yes |
| Company Branding | No | Yes | Yes | Yes |
| Azure AD Join | No | No | Yes | Yes |
| Identity Protection | No | No | No | Yes |
Key Features of Azure AD
Single Sign-On (SSO)
Azure AD provides single sign-on capabilities that allow users to sign in once with their username and password and gain access to multiple applications.
Multi-factor Authentication
Azure AD Multi-factor Authentication (MFA) is an additional security layer for identity systems. It requires users to verify their sign-in attempts with a mobile app, phone call, or text message.
Conditional Access
Azure AD Conditional Access allows organizations to enforce controls on the access to applications in their environment based on specific conditions from a centralized place.
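As an added example (not code from the original page), the following Microsoft Graph PowerShell SDK script creates the kind of Conditional Access policy described above: it requires MFA for all users on all cloud apps, is created in report-only mode so its effect can be reviewed in the sign-in logs before it is enforced, and excludes a break-glass group whose ID is a placeholder. It assumes the Microsoft.Graph module is installed and the signed-in administrator has the Policy.ReadWrite.ConditionalAccess permission.

```powershell
# Added example, not from the original page. Requires the Microsoft.Graph module.
# Sign in with the permission needed to manage Conditional Access policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of the group holding emergency-access (break-glass) accounts.
$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName = "CA001 - Require MFA for all users"
    # Report-only: the policy is evaluated and logged but does not block any sign-in,
    # so its impact can be checked in the sign-in logs before switching to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)   # never lock out the break-glass accounts
        }
        applications = @{
            includeApplications = @("All")          # all cloud apps in the tenant
        }
        clientAppTypes = @("all")                   # browser, modern and legacy clients
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")                  # grant access only after MFA
    }
}

# Create the policy, then list policies with their state to confirm it exists.
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Once the report-only results look right, changing state to "enabled" turns the policy into an enforced control.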
Identity Protection
Azure Identity Protection leverages billions of signals to provide risk scores and automate responses, reducing the impact of breaches.
Conclusion
Understanding Azure AD and its suite of features, operations, and integrations is crucial for individuals preparing for the SC-900 Microsoft Security, Compliance, and Identity Fundamentals exam. It plays an essential role in an organization’s overall security strategy, offering a robust cloud-based identity and access management (IAM) solution. Not only does it offer advanced features like Single Sign-On, Multi-Factor Authentication, and Conditional Access, but it also provides multiple edition options to suit a variety of organizational needs.
Practice Test
True or False: Azure Active Directory (Azure AD) is an identity and access management service.
- True
- False
Answer: True
Explanation: Azure Active Directory is Microsoft’s multi-tenant, cloud-based directory and identity management service.
True or False: Azure Active Directory is the same as Active Directory on-premises.
- True
- False
Answer: False
Explanation: While Azure AD is an evolution of Windows Active Directory, they are not identical. Azure AD does not have all the same features as Windows Server Active Directory.
Which of the following are features of Azure Active Directory?
- A. Identity Protection
- B. Multifactor Authentication
- C. On-premises directory sync
- D. All of the above
Answer: D. All of the above
Explanation: Azure Active Directory comes with features like Identity Protection, Multifactor Authentication and has the ability to sync on-premises directories.
True or False: Azure AD does not support single sign-on.
- True
- False
Answer: False
Explanation: Azure AD supports SSO (Single Sign-On) to help users access their SaaS applications.
Azure AD offers _____ database scalability.
- A. Limited
- B. Moderate
- C. High
- D. None
Answer: C. High
Explanation: Azure AD offers high database scalability by serving and securing global-scale cloud services amid tens of thousands of requests per second.
Which of the following is not a feature of Azure Active Directory?
- A. Azure DevOps Server
- B. Project Server
- C. Salesforce
- D. Google Drive
Answer: D. Google Drive
Explanation: Google Drive is not a feature of Azure Active Directory. It is a file storage and synchronization service provided by Google.
Azure AD allows you to provide ___________ access to your employees, partners, and customers.
- A. Limited
- B. Restricted
- C. Secure
- D. Unsecure
Answer: C. Secure
Explanation: Azure AD allows you to provide secure access to your organization’s resources.
True or False: Azure AD supports B2B collaboration.
- True
- False
Answer: True
Explanation: Azure AD B2B collaboration allows you to share your company’s applications and services with external users.
Azure AD does not support which of the following kind of identities?
- A. Cloud identities
- B. Synchronized identities
- C. Federated identities
- D. Social identities
Answer: D. Social identities
Explanation: Azure AD supports Cloud identities (Azure AD-only accounts), Synchronized identities (accounts that originate on-premises) and Federated identities (on-premises accounts that are synchronized to Azure AD), but not social identities.
True or False: Azure AD allows you to implement two-factor authentication.
- True
- False
Answer: True
Explanation: Azure AD supports Multi-Factor Authentication (MFA) for increased security.
Azure Active Directory is available in how many editions?
- A. Two
- B. Three
- C. Four
- D. Five
Answer: B. Three
Explanation: Azure Active Directory is available in Free, Office 365 apps, and Premium (P1 and P2) editions.
Which of the following is not a role in Azure Active Directory?
- A. User
- B. Local Administrator
- C. Global Administrator
- D. Billing Administrator
Answer: B. Local Administrator
Explanation: Azure AD roles include User, Global Administrator, and Billing Administrator, but not Local Administrator.
True or False: Azure AD can be used to grant access to internal resources like apps on your corporate network and intranet.
- True
- False
Answer: True
Explanation: Azure AD Application Proxy allows secure access to internal applications over the cloud.
Which Azure feature would you use to help protect user accounts against phishing attempts?
- A. Azure Advanced Threat Protection
- B. Azure Identity Protection
- C. Azure Bot Service
- D. Azure Data Factory
Answer: B. Azure Identity Protection
Explanation: Azure Identity Protection uses machine learning and heuristics to detect risky behavior that might indicate that an account has been compromised.
True or False: Azure AD is only for enterprises.
- True
- False
Answer: False
Explanation: Azure AD has benefits for businesses of all sizes, from small-to-mid businesses all the way up to large enterprises.
Interview Questions
What is Azure Active Directory (Azure AD)?
Azure AD is Microsoft’s cloud-based identity and access management service, which helps employees sign in and access resources. Resources can be Microsoft-based, like Office 365; non-Microsoft cloud services, like Google Apps; or even internal resources, like a corporate network.
How is Azure AD different from on-premises Active Directory?
They both provide identity and access management, but Azure AD is a multi-tenant, globally distributed identity management service in the cloud, while on-premises AD is a server-based application.
What are the main functions of Azure Active Directory?
Azure AD provides functions such as user and group management, on-premises directory synchronization, self-service password change, and role-based access control.
What is Azure AD B2B?
Azure AD B2B (Business to Business) is a service that allows organizations to share app resources with external users. It simplifies management and improves security of external user accounts.
What is Azure AD B2C?
Azure AD B2C (Business to Consumer) is a customer identity access management solution. It can scale to hundreds of millions of identities and supports sign-in via social networks, email addresses, etc.
What are Azure AD tenants?
Azure AD tenants are dedicated instances of the Azure AD service, each associated with a single organization. A tenant is similar to an apartment in the Azure AD service: you own it and can set up users, groups, or applications according to your requirements.
What is Azure AD Connect?
Azure AD Connect is a tool that connects and creates a secure pipeline for synchronization of on-premises Active Directory data to Azure AD.
Can Azure AD replace a traditional on-premises AD?
No, Azure AD is not a replacement for on-premises AD. While they have some similar functions, Azure AD does not include all features of on-prem AD and is generally considered a supplement to on-prem AD, not a replacement.
What are the editions of Azure AD available?
Azure AD comes in Free, Office 365 apps, Premium P1, and Premium P2 editions. Each of these editions offers a different set of features and capabilities.
What is Conditional Access in Azure Active Directory?
Conditional Access is a capability of Azure AD that allows you to enforce controls on the access to apps in your environment based on specific conditions from a central location.
How does Azure AD protect users’ identities?
Azure AD protects user identities using features like multi-factor authentication and Conditional Access; Identity Protection, which detects potential vulnerabilities and automatically responds to suspicious actions; and Privileged Identity Management, which helps control and manage administrator access.
What is an Azure AD Security Group?
An Azure AD Security Group is a collection of users created for easy administration, so that access permissions or policies can be applied at once to all members of the group.
What is Azure AD Privileged Identity Management (PIM)?
Azure AD Privileged Identity Management (PIM) is a service that offers just-in-time privileged access to Azure AD and Azure resources, along with access reviews, and other governance features.
Can I customize the branding of the Azure AD login page?
Yes, Azure Active Directory offers branding capabilities to customize the appearance of sign-in pages and Access Panel.
How do licenses get assigned in Azure AD?
In Azure AD, licenses can be assigned to a user directly or can be assigned to a group. When a user is added to the group, they will automatically receive the licenses assigned to the group.