Azure Active Directory (Azure AD) is a cloud-based directory and identity management service that offers a more streamlined set of services than Windows Server Active Directory. Intended primarily for authenticating users to cloud-born apps (i.e., applications that have been developed to provide cloud services, such as Office 365) Azure AD offers a convenient and cost-effective way to get many of Windows Server AD’s most important features without having to invest in a complete AD cloud infrastructure.
Through identification Azure AD improves security ensuring only authorized users access your IT environment:
1. Cloud Credentials and Single Sign-On
Azure AD offers three types of identities, and it can be integrated with on-premises AD for a hybrid cloud/on-premises solution. Cloud identities are ideal for organizations that don’t have Windows Server Active Directory and that just need to give employees access to cloud services and apps. Azure AD’s cloud identities cannot be synchronized with Active Directory, so the Azure AD user names and passwords must be managed separately if Windows Server Active Directory is deployed.
Synchronized identities allow user accounts and passwords to be synchronized between Azure AD and Windows Server Active Directory using a tool called Azure AD Connect, which replaces DirSync and AD Sync. However, synchronized identities don’t provide a true single sign-on because users are required to reenter their credentials to access cloud services.
For true single sign-on capability, you’ll need to set up Windows Server Active Directory and connect it to Azure AD using Active Directory Federation Services (ADFS). Federated identities are compatible with multifactor authentication, and their password hashes are never synchronized to the cloud. ADFS allows users to be blocked instantly, and the log-on restrictions from Windows Server AD are also applied when accessing cloud services.
2. Secure Access to Cloud Apps
Windows 10 introduces the Windows Store for Business; in this store, organizations can buy bulk licenses for business apps and create a private store from which employees can install apps. Because the Windows Store for Business is a cloud-born app, its users are authenticated using Azure AD. In addition, Office 365 also uses Azure AD for user authentication (along with many other third-party cloud services).
Developers can also utilize Azure AD for their cloud apps, eliminating the need to implement a database of usernames and passwords. This not only reduces the cost of deploying apps but also allows organizations to leverage a proven security solution.
3. Microsoft Passport
Passwords have long been considered to be insecure, as they can easily be compromised using social engineering and can be replayed or exposed if a server is hacked. Instead of issuing user names and passwords, Microsoft Passport allows Windows 10 users to authenticate using a gesture.
The Windows 10 device needs to be enrolled with Azure AD; to unlock the device, the user needs to input a PIN or provide biometric authentication in the form of Windows Hello. A Windows 10 mobile device can be used as a second factor when logging into a PC, potentially making this implementation of two-factor authentication cheaper than other solutions. However, this feature is currently limited to Technology Adoption Program (TAP) participants.