Azure Active Directory is a comprehensive identity and access management cloud solution. It combines core directory services, advanced identity governance, security, and application access management. Azure AD also offers developers an identity management platform to deliver access control to their applications, based on centralized policy and rules.
In the last few months there have been significant changes to the Azure Active Directory (AAD) features and capabilities, and this post gives you a taste of some of them.
It is now easier for large teams to share a single subscription: support has increased to 200 co-administrators per subscription, up from 10.
Administration Roles include Billing, Service, User, & Password Administrator
Azure Rights Management (ARM)
You can now use custom templates to make it easier for users to apply information protection to files, connect your on-premises servers to use Azure Rights Management by installing the RMS connector, and deploy the Rights Management sharing application that supports protecting all file types on all devices.
Define custom templates in the Azure portal, applicable to Office 365 and to on-premises servers using the RMS connector. This provides more flexibility and control than the default "Confidential" and "Confidential View Only" policies alone.
Features and Benefits
- Supports IRM capabilities for Exchange Online, SharePoint Online, and Office 365.
- Protected content easily shared in the same or across organizations.
- Mobile device support for Windows Phone, Windows RT, iOS and Android.
- Included with Office 365 Enterprise E3 and E4
- Delete an Active Directory
Developers and IT Professionals can now create an Active Directory for experimentation or Dev/Test purposes and delete it afterwards.
- Rename an Active Directory
Changing the "friendly" name of the directory does not change the default domain (*.onmicrosoft.com) of the directory.
- Security Groups
Create and Delete Security Groups
- Assign User Access to SaaS Applications (AD Premium)
Also applies to groups synced from on-premises Server Active Directory
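The security-group and group-based access items above are administrative tasks that are usually scripted rather than clicked through. The following is an added example, not code from the original post or from Microsoft: it creates a security group, adds a member, reviews the membership before the group is assigned to a SaaS application, and deletes the group when the experiment is over. It assumes the MSOnline PowerShell module of that era is installed, that the signed-in account holds a role allowed to manage users and groups, and that the group name and user principal name are placeholders to replace.

```powershell
# Added example (not from the original post): manage a security group in Azure AD.
# Assumes the MSOnline module is installed and the signed-in account may manage groups.
Import-Module MSOnline
Connect-MsolService   # prompts for tenant credentials

$groupName = 'App-Access-Example'               # placeholder group name
$memberUpn = 'alice@contoso.onmicrosoft.com'    # placeholder user principal name

# Create the security group; the cmdlet returns the new group object
$group = New-MsolGroup -DisplayName $groupName -Description 'Example group for SaaS app assignment'

# Resolve the user and add them as a member of the group
$user = Get-MsolUser -UserPrincipalName $memberUpn
Add-MsolGroupMember -GroupObjectId $group.ObjectId -GroupMemberType User -GroupMemberObjectId $user.ObjectId

# Review membership before assigning the group to an application in the portal,
# so that only the intended users gain access when the assignment is made
Get-MsolGroupMember -GroupObjectId $group.ObjectId | Select-Object DisplayName, EmailAddress

# Clean up: remove the group once the Dev/Test experiment is finished
Remove-MsolGroup -ObjectId $group.ObjectId -Force
```

Reviewing membership before the group is attached to an application is the point of the check: once the assignment exists, every member of the group has access to the application, including members synced from on-premises Server Active Directory.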
Azure AD Premium
- Custom Branding
Customize the user sign-in experience beyond the Application Access Panel.
- Group Based Application Access
Use Security Groups to provision user access for SaaS Applications.
- Self-Service Password Reset
Not just for directory administrators. Regular users can reset passwords, reducing common help desk calls.
- Self-Service Group Management
Empower users to create groups, request access to groups, and even delegate group ownership for others to approve/deny/maintain group membership.
- Advanced Security Reports and Alerts
Machine learning algorithms can identify irregular sign-in activity based on location, time of day, or both.
- Multi-Factor Authentication (MFA)
Not just for directory administrators. Enable for all or specific users to further protect access to critical applications.
- Forefront Identity Manager (FIM)
Grant rights to use a FIM server (and CALs) located on-premises. No limit on FIM Servers, but CALs are granted based on the allocation of an Azure AD Premium User License.
- Enterprise SLA of 99.99%
Users: sign in, use the Access Panel to launch apps and reset passwords.
Administrators: perform CRUD operations in the directory and provision user access to applications.
How do I get it?
Available through Microsoft’s Enterprise Volume Licensing Programs.
- Azure Active Directory Sync (“AAD Sync”)
New "One Sync" tool, eventually replacing DirSync. Available through the Microsoft Connect Program.
- Onboard Multi-Forest Server AD Deployments to Azure AD
- Advanced provisioning, mapping and filtering rules
- Map multiple on-premises Exchange organizations to a single tenant in Azure AD
Self-Service Password Reset with Writeback
- Write-back capability enables password resets (not changes) to be persisted back to on-premises Server AD
- Added to the Azure Active Directory “DirSync” Tool
- Available for Azure AD Premium Customers
- Directory Sync runs on 3 hour intervals.
- Password Sync runs on 2 minute intervals.
- Password Writeback after a Password Reset occurs instantly.
Run ADFS on Azure Virtual Machines
- Typical ADFS on-premises
- ADFS in Azure
Azure Internal Load Balancer
- Achieve High Availability for this workload without compromising on security!
- Workarounds such as ACLs on the public VIP are still a viable path
- Introduces “some” network latency for on-premises users having to go through the Federation Server Proxies.
- Requires potential maintenance of the ACLs in the event that services are added or modified.
Discover Available SaaS Applications Without Signing into the Azure Management Portal
Access Panel for iOS7
- Provides SSO to Apps integrated with your Azure Active Directory
- Supports iPad and iPhone devices
- Full parity with the web-based Application Access Panel
- Install “My Apps – Azure Active Directory” from the Apple App Store
Cloud App Discovery
Gain visibility into which cloud applications are being used within an organization.
- Assess Risk and Remediate
See usage graphs based on users, requests, volume of data exchanged.
- Identify top cloud applications being used in the organization.
- Proceed with application integration (if appropriate).
Source: TechNet, MSDN, and Azure Team Blog