Azure Active Directory (Azure AD) is a cloud-based access management and identity platform that provides a secure, single sign-on (SSO) experience across both on-premises and cloud applications. With enterprise-grade scaling and availability, Azure AD is designed to support your internal, business-critical solutions. Yet Azure AD also integrates with Office 365, Google Apps, Salesforce, Dropbox and thousands of other external cloud apps. Here we look at how your business can get started using Azure AD to achieve best-of-breed user and access management with SSO across the internal and external apps your team uses every day.
Azure AD comes in four editions: Free, Basic, Premium P1 and Premium P2.
Azure AD already serves as the foundation for the access management and identity feature set used by all of Microsoft's online business platforms, including Office 365, Azure and Dynamics CRM. The free version of Azure AD comes with the capacity to manage your users and groups, to synchronize with your active user directories on-premises, and to make use of SSO not only across Microsoft Online business services but across thousands of other cloud applications.
Azure AD Basic is a self-service, cloud-focused edition that includes an enterprise-grade 99.9% SLA as well as three features not found in the free version:
- Password reset on cloud apps (self-service)
- Group access management
- Azure AD Application Proxy for publishing on-premises web apps
Azure AD Premium P1 builds on the basic version to encompass a richer feature set that addresses the on-premises needs of hybrid users. A few highlights include the following:
- Dynamic groups (for automatically adding users to groups)
- Microsoft Identity Manager (for on-premises access and identity management)
- Cloud write-back functionality (enabling self-service, on-premises password reset and other solutions)
Azure AD Premium P2 adds two new services on top of Premium P1’s feature set:
Azure AD also offers two pay-as-you-go services for business users:
This identity and access management service addresses the needs of businesses with consumer-facing software.
This service addresses the needs of businesses that require the additional level of security provided by two-step verification.
Azure AD is currently offering a 30-day free trial of their premium service. To get started, you can use your Azure subscription, an Office 365 subscription, your Microsoft Volume Licensing plan, or your Enterprise Mobility + Security plan. If you’re an Office 365 or Azure subscriber, then the process for buying Azure AD depends on whether you’re an existing customer or a new customer.
If you are an existing Office 365 or Azure subscriber, then you can sign up for Azure AD Premium P1 by visiting the Office 365 sign-in page, then logging in with your global administrator account. Once you have arrived at the Office 365 main page, follow these steps to create your Azure AD account:
- Mouse-over Admin on the Office 365 main menu.
- Select Office 365 from the drop-down menu, which will take you to the Office 365 administration page.
- Click Purchase services in the left-hand sidebar, which will bring you to the commerce catalog.
- Scroll down to Azure Active Directory Premium, and click the add-to-cart icon. A window will appear giving you the option to buy more than one license. Adjust the number if necessary.
- Click Add to cart.
- Click Checkout, which will bring you to the payment summary page.
- Click Next, then enter your payment information.
- Click Place order, which will take you to the payment confirmation page.
- Click Continue, which will return you to the Office 365 administration page.
- Click Admin (as before).
- Select Azure AD from the drop-down list.
At this point, if you have never used Azure before, then you will need to pass through a brief phone-verification step before reaching the Azure AD administration portal.
If you do not already have an Azure or Office 365 subscription or free trial, then you are considered a new customer with respect to Azure AD. In this case, the quickest way to get started is to sign up for an Azure AD premium free trial. The three-step process requires that you first provide location, business and contact information; create a user ID; and pass a simple human verification test. With those three steps completed, you will arrive at the Office 365 administration page. Click Purchase services from the left-hand sidebar, then Buy now beside the Azure Active Directory Premium description at the top of the page. The rest of the process is the same as it is for existing customers, outlined above.
Creating directories, users, and groups
Creating a new directory
Creating a user directory from the Azure AD portal is the natural first step to take as you explore the functionality of Azure AD. To proceed, navigate to the Azure AD portal, then click on Add directory. A window will appear with three fields required to specify your directory:
- Domain (e.g., EXAMPLE.onmicrosoft.com)
- Country or region
There is also a checkbox to specify that the directory is B2C.
Once you have completed the fields and checked the box (if applicable), click Create. The system will take a few seconds to activate your directory’s domain. Once it’s ready, click on the link to your new directory.
Creating a new user
To add users to your new directory, click the Users link in the main menu of your directory’s page. Then click the Add user icon. There are three steps to adding a new user:
Your first step is to specify whether the new user you are creating corresponds to a user within your organization, a partner organization, or another Azure AD directory. You also have the option of creating a new user whose only relation to you is that they have an existing Microsoft account.
Once you have specified the type of user, and given them a username, click the arrow to continue.
The next step requires that you enter the new user’s first and last name, display name, and role. Each user role corresponds to a different set of permissions. Choices include the following:
- User Admin
- Billing Admin
- Password Admin
- Service Admin
- Global Admin
With the exception of Global Admin, the admin roles, such as Billing Admin and Password Admin, grant permissions for administering specific ranges of functionality. A Password Admin, for example, will have the ability to reset passwords, which is often helpful in the context of customer service.
Once you have specified a role and clicked the arrow to continue, the system will provide you with a temporary password for the corresponding user, which you will need to provide to them in a secure fashion.
Creating a new group
To create a group of users, click on the Groups link in the Azure AD main menu. Then click the Add group icon in the toolbar at the bottom of the page. A window will appear asking you to name the group, specify the group type, and provide a group description. Once you’ve filled in the details, click the arrow to continue. The system will take you to a page for your new group while it processes the change. This may take several minutes. Once processing is complete, you are ready to add members. If you have already created one or more new users for your directory, you can now add them as new members to your group. To proceed, click Add members. A window will appear with a list of your current users, which you can filter by user role. Click on the user you wish to add to your group, then click the checkmark icon to confirm the addition.
Leveraging Azure AD for a single sign-on experience
With your directories, users and groups in place, you can now begin to leverage Azure AD’s full range of solutions, most of which pave the way for a seamless, single sign-on experience. The end-goal of best-of-breed SSO promises to greatly streamline and accelerate your enterprise’s workflows by empowering your team to use a single set of credentials—not only across your internal on-premises and cloud apps but across the external business apps your team relies on every day.
At Applied Innovations we’ve been helping businesses get the most from the cloud for over 19 years. For more information on Azure AD and other innovative Azure services, contact us or visit Azure services for your business.