The Azure Active Directory challenge?
Hello, my son James of Get Support IT Services has been doing a series of IT-related short videos in plain English, and these have been proving very popular. He challenged me to do a 1 minute video explaining what Azure Active Directory is, in plain English. I said I couldn’t do it in 1 minute, but I could do a basic technical explanation in under 7 minutes. This content is aimed at people with an IT background.
Watch the video or read the transcript, and please let me know how I do…
What is Azure Active Directory?
At its core, Azure AD is a cloud-based directory of users, groups and devices, and an authentication service that is used by Microsoft 365 (previously called Office 365). It authenticates users to the Microsoft 365 services: Exchange, SharePoint, OneDrive, Teams and so on.
But what do we mean by authentication? Authentication is verifying who a user is, and it is up to Azure AD to prove who a user is to all of the different services.
Once we know who the user is, each service can evaluate what the user is allowed to do. This is referred to as authorization, and authorization may rely on a user’s group and role memberships or licensing.
Although Azure AD is core to Microsoft 365, it can be used to authenticate users to third-party cloud applications and websites, applications hosted by partners and applications that your organization is hosting. Applications and websites may be hosted on-premises or in the cloud.
So what is special about Azure AD authentication? Azure AD uses federated authentication protocols such as SAML, OpenID Connect and OAuth 2.0. This allows you to securely authenticate to applications regardless of where they are located.
Traditionally, authentication and resources were tightly coupled. A webserver had its own accounts database. On-premises AD had its own directory, users, groups and resources. If you wanted to illustrate a security boundary, you would draw it around the webserver or the on-premises AD resources.
Now, through the use of federated protocols, we have a new paradigm: our security boundary is drawn around all the services that we allow the user to authenticate to. Authentication becomes our security boundary. Authentication becomes our most important security control.
You might be wondering how we specify which applications should use Azure AD.
If it’s Microsoft 365, it just happens once you have a license.
If it’s a third-party application, there is a wizard that lets you integrate over 3400 applications.
If it’s your own application, you can register it with Azure AD.
You might think that all of this relies on requiring all applications to use federated authentication protocols. However, Azure AD also provides Secure Hybrid Access where an authentication boundary can be implemented through a proxy device such as the Azure AD Application Proxy or an F5 Big-IP network appliance. The application behind this boundary can use non-federated protocols for authentication.
So now Azure AD authentication is our security boundary. It had better be solid!
The good news is that there is a myriad of technologies that Azure AD implements to hone the authentication security boundary. Authentication enhancements include multi-factor, passwordless, and FIDO2 authentication.
This is further augmented through conditional access, where we can define authentication requirements based on a user’s location, the device and application they are using and their evaluated risk profile. Microsoft uses artificial intelligence to continuously evaluate security risk based on leaked credentials, the location the user is signing in from and other security indicators. The evaluated risk profile influences authentication decisions.
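To make the conditional access logic above concrete, here is an added toy policy evaluator (not Microsoft's engine, and not code from the original post): each policy has assignment conditions (app, group, named location, sign-in risk) and grant controls, a sign-in is matched against every policy, and "block" wins over any required control. The named-location range, policy names, risk scale and control names are all constructed for the illustration.

```python
# Toy Conditional Access evaluator (constructed illustration, not Microsoft's engine).
from dataclasses import dataclass
import ipaddress
TRUSTED_NETS = ["10.0.0.0/8"]                    # constructed "named location"
RISK_LEVELS = ["none", "low", "medium", "high"]  # ordered, lowest first

@dataclass
class SignIn:
    groups: set
    app: str
    ip: str
    device_compliant: bool
    risk: str                 # one of RISK_LEVELS

@dataclass
class Policy:
    name: str
    apps: set                 # {"*"} = all cloud apps
    groups: set               # {"*"} = all users
    exclude_trusted: bool     # skip sign-ins coming from TRUSTED_NETS
    min_risk: str             # apply when sign-in risk >= this level
    controls: set             # {"block"} or grant controls to satisfy

def from_trusted_location(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in TRUSTED_NETS)

def applies(p: Policy, s: SignIn) -> bool:
    """Assignment conditions: app, group, location and sign-in risk."""
    if "*" not in p.apps and s.app not in p.apps:
        return False
    if "*" not in p.groups and not (p.groups & s.groups):
        return False
    if p.exclude_trusted and from_trusted_location(s.ip):
        return False
    return RISK_LEVELS.index(s.risk) >= RISK_LEVELS.index(p.min_risk)

def evaluate(s: SignIn, policies: list) -> dict:
    """Union the controls of every matching policy; 'block' always wins."""
    matched = [p for p in policies if applies(p, s)]
    controls = set().union(*(p.controls for p in matched))
    if s.device_compliant:
        controls.discard("compliant_device")   # already satisfied
    result = "block" if "block" in controls else "require" if controls else "allow"
    return {"result": result, "controls": controls, "matched": [p.name for p in matched]}
POLICIES = [
    Policy("MFA outside corporate network", {"*"}, {"*"}, True, "none", {"mfa"}),
    Policy("Compliant device for Exchange", {"Exchange Online"}, {"*"}, False, "none", {"compliant_device"}),
    Policy("Block high-risk sign-ins", {"*"}, {"*"}, False, "high", {"block"}),
]
```

A sign-in from the corporate range with no risk matches nothing and is allowed, while a low-risk sign-in to Exchange from an unknown address must satisfy both MFA and device compliance before a token is issued.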
I have talked about authentication. I haven’t discussed where the users are located or how they are managed. An Azure AD user could be a cloud-only, a hybrid or a guest user.
Cloud-only users exist just in your Azure AD. Hybrid users are synced from on-premises AD, and Azure AD provides all the synchronization mechanisms for this. Guest users can be invited from other Azure ADs or federated domains, and there is even the option to authenticate a guest user via a One Time Passcode.
All of the security features rely on proper user administration, and again this is where Azure AD excels: role-based access control allows different administrative roles to be defined, Privileged Identity Management allows an administrative role to be time-limited, and Governance allows user life-cycle management. And there are other security enhancements.
All of this is available in the Azure AD box: you start with a free Azure AD and purchase the appropriate licensing to unlock the additional services you require.
That’s my quick explanation of Azure AD and I even beat the challenge by a few seconds. If you enjoyed it please like, follow, share and send me a Tweet @john_craddock