This video presents a high-level overview of Azure Active Directory (AAD), including the advantages of using AAD. Plus, it discusses the differences between the three SKUs and touches on Windows 10 and AAD.
- [Narrator] Azure Active Directory is your identity management solution in the cloud, and in my opinion, one of the coolest things within Azure. I like to think of Azure Active Directory, or AAD, as a backbone of Microsoft's online services. You may not realize it, but you're probably already using Azure Active Directory. If you're using Office 365, you're using Azure Active Directory. If you're using Dynamics CRM, then you're definitely using Azure Active Directory, as well as if you're already using Azure, you have Azure Active Directory but you may not be leveraging it.
Azure Active Directory allows for single sign-on for cloud apps. There are over 2,600 SaaS applications already available to you, SaaS being Software as a Solution. These SaaS apps can include Facebook, LinkedIn, Twitter, Netflix, just to name a few. You can also use Azure Active Directory for single sign-on to your internal line of business applications, and with this comes reporting on our application usage.
Azure Active Directory also integrates with our on-premise server active directory. You can synchronize accounts between server active directory and Azure Active Directory. In this model, passwords are not synchronized. Therefore, users must maintain two passwords, one for on premise, and one for Azure Active Directory. You can enable password synchronization to provide that single sign-on option. You can also use single sign-on when you configure AD FS.
And this works because of a federation trust between Azure Active Directory and the on premise active directory. Keep in mind though, when you're using AD FS, the authentication does not happen in Azure Active Directory as it does for our other options but via the on premise active directory. And we can also use Azure Active Directory for identity management, including enforcing multifactor authentication. We can provide a self-service password reset for our users.
Did you know it can cost up to $40 to reset a password for a user? Think about the time and resources you'll save by having users reset their own passwords. You also have the option of allowing self-service group management. Devices can be registered within Azure Active Directory. Azure Active Directory also allows for role-based access control, or RBAC. I've already mentioned the application usage monitoring. There's auditing and alerting available to you as well, and security monitoring.
And finally, we can set up a privileged account management. So how does it work? As I've already said, Azure Active Directory is the backbone of Microsoft's online services. From our diagram here, we can see over to the far left we have our traditional on premise active directory. And we can add in a sync server. This we configure using Azure Active Directory connect. We'll talk more about that a little bit later. Now we can use single sign-on from our on premise users all the way through to our SaaS applications, including Microsoft Office.
Remote users can also go ahead and authenticate to Azure Active Directory. And we also have our device registration. Azure Active Directory comes in three SKUs. There's the Basic, Premium 1, and Premium 2 SKUs. We're going to look at these in a little bit more detail but first, let's go ahead and see what is common among all the SKUs. User and group management is provided in all SKUs. So is device registration and user-based provisioning.
And all SKUs include self-service password change for cloud users. Azure Active Directory Connect is available in all the SKUs, and you'll have some basic security and usage reporting across all SKUs. Next, let's take a look at the Basic SKU. We have company branding in the Basic SKU. We also have application proxy available to us through the Basic SKU. We'll talk a little bit about application proxies a little later in the course. And we have group-based access management and provisioning in the Basic SKU.
When we move into the Premium P1 SKU, we have that self-service password reset plus password write-back. We can write our passwords back to our on premise active directory. We have the self-service group management. We have self-service app management. We also have dynamic groups. We'll be spending some time on dynamic groups a little bit later, they're really cool. We also have multifactor authentication. Also included in our P1 is our MIM CAL. MIM is our Microsoft Identity Manager.
You can install MIM on any Windows server that has a valid server license when you opt for the P1 SKU. We also have cloud app discovery. A really cool tool, but something you may want to use with a little bit of caution. We'll talk about that a little bit more later in the course. We also have connect health, which allows us to monitor our on premise integration health. And finally, we can allow for automatic password rollover for group accounts. And finally, we have our P2 SKU, which includes everything we already covered, plus additional identity protection including we can discover compromised accounts.
When those accounts are discovered, Azure Active Directory can react and secure those compromised accounts and then provide extensive reporting for further analysis. The example I like to use here is you have someone who signs in from LA. 20 minutes later, they sign in from Tokyo. We know we don't have transporters as of yet. In this case, we could have a rule set up that indicates when this happens, the user will be prompted for a multifactor authentication again. We also have privileged identity management.
This provides time-bound privilege or just-in-time administration. We can have reporting activity on what our administrators are doing, as well as notification of access to privileged roles. And finally, Windows 10 and Azure Active Directory. This again is really cool stuff. Our company assets can be configured to join Azure Active Directory automatically. Or we can still use our familiar domain join. And finally, Windows 10 personal devices, or that BYOD movement, Bring Your Own Device.
We can allow our users to connect into Azure Active Directory, use our resources but we can still manage those corporate assets. And we can also revoke them as required. Windows 10 and Azure Active Directory is out of scope for this course, but I highly recommend if you are using Windows 10 and you'd like to leverage Azure Active Directory, there's a lot you can do with Windows 10 and Azure Active Directory. This provides a quick overview of Azure Active Directory. We'll be exploring and demonstrating the power of Azure Active Directory throughout this course.
- Azure AD
- Adding company branding
- Adding a custom domain
- AD Connect configuration
- AD Connect Health
- Administering users and groups
- Configuring SaaS applications
- Granting conditional access
- Revoking access
- Application proxy and discovery
- Integrating web and desktop applications
- Creating an Azure AD B2C directory
- Registering an application
- Creating a Microsoft identity