Azure AD is a cloud-based identity and access management service that authenticates users and authorizes them (based on roles) to access Azure resources, third-party resources used by your company, and on-premises resources, all with the same username and password.
It is used by IT admins to control access to apps and resources according to their business requirements; by app developers, who get a standards-based way to add functionality such as SSO to the apps they build; by users, who can manage their own identities and perform maintenance actions such as self-service password reset; and by subscribers to online services such as Microsoft 365, Microsoft Office 365, Azure, and Microsoft Dynamics, who authenticate to their accounts through it.
Services provided by Azure AD:
<aside> 💡 Use Azure AD Connect to connect Azure AD with your on-premises AD: it synchronizes user identities, and subsequent changes, between the two identity systems.
</aside>
A service that provides managed domain services (tools for handling domain registrations, deleting unused or unneeded domains, and maintaining domain security), such as domain join (lets a computer connect to a domain, a network of computers that share a common directory), group policy (lets a network admin in charge of Microsoft AD apply specific configurations to users and computers), Lightweight Directory Access Protocol (LDAP, a means of accessing and modifying directory services over a network), and Kerberos/NTLM authentication (Kerberos is a ticket-based protocol that relies on a trusted third-party authentication service; NTLM is a challenge-response protocol used during workgroup and local authentication).
Authentication is the process of establishing the identity of a person, service or device, which must present some type of credential to prove who it is.
With single sign-on (SSO), users can access corporate resources simply by having authenticated with the credentials they supplied when logging into the computer they are using.
Users sign in once and use those credentials to access multiple resources and apps from different providers.
<aside> 💡 Access is tied to a single identity, which simplifies the security model: when users change roles or leave the organization, there is one identity for IT to update or disable, so managing users is easier.
</aside>