Azure Active Directory And Azure Accounts

In this post I’m going to take a closer look at Azure Active Directory and Azure accounts. Granting other accounts access to Azure subscriptions and controlling the permissions they have is not a great experience at the moment. When you add someone to your Azure subscription they get co-admin access, which doesn’t help much if you want to prevent accidents.

Luckily we now have Azure Role Based Access Control (RBAC) to grant fine-grained access to users. I started looking into RBAC and saw that you need Azure Active Directory, since the users you are assigning to roles must come from a directory, and Azure Resource Manager, since you will be assigning role permissions at resource level. There is a ton of very detailed information about Azure AD, but not in one place for a quick overview, so I am writing this one.
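As an added example (not from the original post), here is what the least-privilege alternative to co-admin access looks like in practice: a Reader role assignment scoped to a single resource group, granted to a directory user, using the current Az PowerShell module. The subscription name, resource group name and user principal name are placeholders; the cmdlets themselves (Connect-AzAccount, Get-AzSubscription, Get-AzADUser, New-AzRoleAssignment, Get-AzRoleAssignment) are the real Az module cmdlets.

```powershell
# Placeholder values - replace with your own subscription, resource group and user.
$subscriptionName = 'My Subscription'
$resourceGroup    = 'rg-example'
$userUpn          = 'consultant@mycompany.com'

Connect-AzAccount | Out-Null

# Each subscription trusts exactly one directory (tenant). Select the subscription
# and note its TenantId: the user you assign must exist in that directory.
$sub = Get-AzSubscription -SubscriptionName $subscriptionName
Set-AzContext -SubscriptionId $sub.Id | Out-Null
Write-Host "Subscription '$($sub.Name)' trusts directory $($sub.TenantId)"

# Resolve the directory user; fail early if they are not in the trusted tenant.
$user = Get-AzADUser -UserPrincipalName $userUpn
if (-not $user) {
    throw "User $userUpn not found in directory $($sub.TenantId); add them to the directory first."
}

# Grant read-only access at resource group scope instead of subscription-wide co-admin.
# Built-in 'Reader' allows viewing resources but no changes, so accidents are not possible.
$existing = Get-AzRoleAssignment -ObjectId $user.Id -ResourceGroupName $resourceGroup -RoleDefinitionName 'Reader'
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName 'Reader' -ResourceGroupName $resourceGroup | Out-Null
    Write-Host "Assigned Reader on $resourceGroup to $userUpn"
} else {
    Write-Host "$userUpn already has Reader on $resourceGroup"
}

# Verify: list everything this user can do in the resource group and its scope.
Get-AzRoleAssignment -ObjectId $user.Id -ResourceGroupName $resourceGroup |
    Select-Object DisplayName, RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

Reviewing the output of the final Get-AzRoleAssignment periodically is the quick way to confirm nobody has quietly been handed Owner or Contributor at a broader scope than intended; the Scope column shows whether an assignment came from the resource group itself or was inherited from the subscription.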

If you look at Azure AD you will see there are different editions, and I was wondering which one you need for which scenarios. You can get a very good and detailed comparison of the different editions here. I’m going to give a quick explanation for those who like it short and sweet.

All editions: You get sync with on-prem AD using Azure AD Connect, SSO for SaaS, web and custom apps, user management, self-service password change (not reset) and some basic reports.

Azure AD Free: This is the edition we all get by default when you sign up for Azure or Office 365. You are limited to 10 SSO applications per user, you only have the most basic reports, and the number of directory objects is limited to 500K.

Azure AD Basic: You get more reports, self-service password reset, company branding, SSO for on-prem applications using Application Proxy, and a 99.99% SLA.

Azure AD Premium: Enterprise features, more reports, password unlock and reset with on-prem write-back, Multi-Factor Authentication for on-prem and cloud via phone call, text message or smart app with optional verification code, Cloud App Discovery, and Microsoft Identity Manager licenses.

Some extra bits around Azure AD
Azure AD Connect makes it easier to manage users so you don’t have to create the same users on-prem and in Azure; it syncs the users in your on-prem AD to Azure AD.

Looks to me like you can’t use Azure AD instead of your local AD, it is not Active Directory as a service for on-prem. At the moment you can only add Windows 10 devices to Azure AD. Please let me know in the comments if I’m wrong.

When Azure started you could only log in with Microsoft Live accounts. With Azure AD you can log in to Azure using your Azure AD account, which saves the hassle of managing Microsoft accounts for everyone. That said, if you only have a few people accessing Azure you can manually create users in your Azure directory: from existing Microsoft Live accounts, from scratch as Azure AD users, from other Azure directories, or as external users, for instance when granting consultants access.

Your default Azure directory will have the onmicrosoft.com domain name. If you want to use your own, you can add a custom domain like mycompany.com; this way you can create Azure AD users using your existing email addresses, for example [email protected].

You can have both a Microsoft Live and an Azure AD account with the same username, but you will have to choose which one you are signing in with when you log in to the portal.


Each Azure subscription trusts one Azure directory, and you can change which one that is. Many subscriptions can trust the same Azure Active Directory; a subscription can expire but the directory will still remain.

Published by

Francois Delport

I am a cloud and DevOps consultant, technology fan and previously a professional C# developer with a keen interest in system design and architecture. Currently I am involved in projects using Azure, the Microsoft stack and DevOps. I am based in Melbourne, Australia. Email: [email protected]
