What is Azure AD?

Azure AD is a cloud-based, Microsoft-managed, multi-tenant directory and identity management service. Even if you do not integrate your on-premises AD with Azure AD, if you are using cloud applications such as Office 365, Dynamics CRM, or most applications from the Azure Marketplace, you are already using Azure AD in the backend.

There are three main ways in which we can handle identities in cloud-only or hybrid environments:

  • Windows AD only: It's still a great tool. If you would still like to manage organization identities using on-premises solutions only, it can be done using one of the following topologies:
    • Use a site-to-site VPN or Azure ExpressRoute to connect on-premises networks directly with Azure, and manage identities using the corporate AD setup.
    • Deploy additional domain controllers on Azure virtual servers, replicate on-premises AD changes to them periodically, and manage them as an AD site.
    • Deploy domain controllers on Azure virtual servers and use them as Flexible Single Master Operation (FSMO) role holders. Additional domain controllers are deployed in on-premises networks and replicate changes from the Azure servers via VPN or ExpressRoute.

However, this solution still requires additional investment to ensure connectivity, and it does not remove the operational cost of managing an on-premises AD environment.

Azure ExpressRoute is similar to a leased line, and you can have a private link between your on-premises network and Azure datacenters. More details can be found at https://azure.microsoft.com/en-gb/services/expressroute/.
  • Cloud only: If you do not have any workloads running on-premises except for the endpoints, you can use a Microsoft-managed Azure AD instance to manage identities for the organization. All user accounts and group memberships are created, deleted, and managed in Azure AD. As long as they are on the same Azure virtual network, workloads and applications can use the same directory for authentication and authorization. By using Microsoft-managed Azure AD:
    • Administrators do not need to deploy, patch, or manage domain controllers.
    • Administrators do not need to plan for AD upgrades. Version upgrades will be seamless to tenants.
    • Administrators do not need to face issues related to AD replications.

By default, Azure AD Domain Services is only available to the virtual network it belongs to. However, if required, virtual networks can be connected using Azure VNet-to-VNet connections. This is useful if a company uses Azure resources from different geographical locations or different subscriptions.

However, since it is a managed solution, tenants do not have Domain Admin or Enterprise Admin privileges on the domain. Also, users and groups are created in a flat structure without organizational units (OUs) or group policy objects (GPOs).

  • Hybrid setup: If workloads run both in Microsoft Azure and on-premises, and both need to be managed using the same identities, we can use Azure AD in a hybrid setup. When I explained Azure AD in a hybrid setup earlier, I mentioned that it allows us to extend our on-premises identity infrastructure to Azure, but it is not an extension of an on-premises Windows AD environment. Azure AD DS provides managed domain services such as domain join, Group Policy, LDAP, and Kerberos/NT LAN Manager (NTLM) authentication that are fully compatible with Windows Server Active Directory. It is not the same as deploying an additional domain controller in Azure.

In a hybrid setup, the Azure AD instance is responsible for managing identities for its connected workloads; on-premises identities, group memberships, and credentials are synced to the Azure AD instance using Azure AD Connect. The Azure AD instance will be managed (patching and upgrades) by Microsoft, and engineers only need to manage Azure AD Connect.
