Identify the various types of Active Directory objects and technologies as they relate to Microsoft Azure Active Directory.
- [Instructor] In this video, we will discuss Azure Active Directory or specifically, the terminology that we'll be using throughout this course. We need to get our terminology right because I will be referring to lots of different technologies and aspects of both Azure and Active Directory throughout this course, so I want to make sure we're all on the same page and we understand those terminologies. So, first, what is Microsoft Azure? Well, Microsoft Azure is Microsoft's cloud offering that is made up of redundant data centers throughout the world.
Those data centers are located throughout North America, Europe, and Asia, and those data centers host highly redundant servers that host all of the resources of Microsoft Azure. That includes Office 365, by the way. Microsoft Azure provides Software as a Service, Platform as a Service, Infrastructure as a Service, and many other X as a Service solutions for both small and large enterprises. These solutions provide the ability of a company to no longer have to host its own hardware solutions and be able to use Microsoft's platform and Microsoft's hardware infrastructure.
In this case and for this course, we will be talking a lot about the Directory-as-a-Service solution, where Microsoft Active Directory is provided as a solution on Microsoft Azure. Microsoft Azure is continuously updated and maintained, and this is a tremendous benefit for organizations: you have this infrastructure that is maintained by specialists, by a core team of individuals that are experts in maintaining that hardware and the software. As well, when Microsoft releases new software, a new patch, a new update, or a new solution, it is always updated and released first in Microsoft Azure.
As part of its cloud solution, it's able to have a redundant deployment and a safe deployment of patches and updates. Microsoft Azure provides solid SLAs, and this is probably the biggest value proposition for organizations to move to these cloud solutions: a service level agreement where Microsoft guarantees the availability of its infrastructure in Microsoft Azure. The SLA varies based on the services and the subscription that you purchase, but they are very high in ensuring that you maintain uptime of your solution.
Now, what is Azure Active Directory? Well, first of all, Azure Active Directory is a directory. A listing, a grouping of users, resources, that are listed together in this directory listing. Now, Azure Active Directory is specifically built on top of Microsoft Azure and has some differences from the Active Directory you may be familiar with, the one that comes with Windows Server and we'll be talking a lot about those differences throughout this course. Azure Active Directory is an identity and management solution, so it provides the ability to assign identities, user objects, and manage those identities as part of this directory listing using native Azure tools, management tools.
It's an authentication solution, so it provides an ability to provide access authentication to resources such as applications, for example. You can deploy your applications and then manage who is allowed to authenticate to those applications using your Active Directory authentication mechanism. Now, Azure Active Directory, of course, is built into Microsoft Azure, but it's really tied at the hip to Microsoft Azure, which means that whenever you're accessing any resources in Azure, likely you're using some form of Azure Active Directory.
If you have Office 365, you already have Azure Active Directory; you're just not necessarily exposed to it, and we will expose those, access, and extend Office 365 for Azure Active Directory today. Now, there are different flavors of Active Directory. Again, you may be familiar with Active Directory as it relates to Windows Server. This is what we call on-premises Active Directory, or the Active Directory Domain Services role, which is installed on a Windows Server.
In Azure Active Directory, we have two flavors. We have Azure Active Directory Basic and we also have Azure Active Directory Premium. Azure Active Directory Premium contains all of the functionality of Azure Active Directory Basic, plus additional enhanced functionalities which we'll look at in a few minutes. Azure AD Premium is a subscription-based solution that you need to purchase on top of Azure AD Basic. When it was first released, you needed to have an enterprise agreement in order to purchase Azure AD Premium.
That is no longer the case; you can now purchase the Premium solution on a per-user basis. So, what are the primary differences between the two? Well, Azure AD Basic provides most of the services required for Azure AD, such as authentication and identity management, as I've been discussing earlier in this video. It is included as part of Office 365, so when you deploy your Office 365 tenant, you have an Azure AD directory that is created for you automatically.
You don't need to create it and you don't necessarily configure it unless you start to use the Azure AD management tools, which we'll look at again in this video. Azure AD Premium provides enhanced functionalities, more enterprise-level functionalities, the kind of functionalities you would want to see for a larger organization, such as the self-service features. The ability for a user to reset his own password instead of having to call a help desk. The ability for a user to request access to an enterprise application without the application needing to be deployed to the user's desktop.
Branded log-on pages where you can create the logo of your enterprise, create a branded log-on page so that whenever a user goes to access any company resources from a web browser, they feel familiar in the environment and see that they are in their corporate environment, they're accessing secured resources. A cloud application integration is definitely one of the enhanced features of Azure AD Premium which gives you access to any cloud application, whether it's an application that your organization has built or an application that is a standard cloud application such as Google Apps or Dropbox.
Those cloud applications could be fully integrated with Azure AD, and what that means is that you could actually use your user accounts and your authentication mechanism of Azure AD to access those cloud applications. There are different mechanisms, as well, to synchronize and provide access to your on-premises infrastructure to Azure AD. Many organizations are moving from Active Directory that is on-premises to Azure AD, if that's the solution of choice, and in that case, they may want, and likely would want, to synchronize their directory listings from on-premises Active Directory to Azure Active Directory.
In order to do that, there are different tools that are available. Now, the primary tool that we typically talk about in Azure is Azure AD Sync, or it used to be known as DirSync. It's now included in a tool, or a wizard-based tool, in Azure called Azure AD Connect. Azure AD Connect is a fully integrated wizard which allows you to deploy this Azure AD synchronization solution as well as other functionalities for integrating with your Active Directory.
As well, organizations that have a more complex solution with multiple Active Directory forests may want to use Active Directory Federation Services. This is something that requires a much more complex on-premises deployment with additional servers and configuration; however, it provides a more integrated solution of on-premises and Azure AD. Most organizations will look at number two, Azure AD Connect. That will be the wizard that will provide you the most simple integration of your on-premises solution with your Azure AD.
It will provide the ability of users to have single sign-on, and I'll discuss single sign-on in a couple minutes. One of the benefits of Azure AD is multifactor authentication. Multifactor authentication is one of these highly-secure solutions that are now available in Azure AD that is becoming a requirement by most organizations to secure access to their resources. Now, what is multifactor authentication? I want to make sure that that terminology is clear.
Essentially, it is forcing a user to authenticate using multiple methods. We all know about passwords; all your user accounts have passwords, of course, but imagine a world where a password is not enough. You also have to authenticate using a PIN, both a password and the PIN. Now, the PIN gets automatically generated by a text message that is sent to your mobile device. There are different mechanisms for multifactor authentication, and depending on the platform, the tool that you use, the secondary method of authentication differs.
When we talk about Azure AD, typically we're talking about a PIN that is going to be sent to a user via an email, via a text message, or even over a voice call. Those multifactor authentication solutions are then going to be added on to the user's requirement of a password. So, now we have two methods for the user to authenticate, and they need to use both in order to access the resources, so it provides a more secure solution. Another term that I brought up earlier: single sign-on.
Now, single sign-on is a solution where we want to provide a user an experience where authentication to an application is integrated and easy. Single sign-on means I only need to sign on once, I only need to log on once, and then my log-on is going to be used to access multiple resources. Now, single sign-on requires a certain type of integration between the mechanism that's going to authenticate me and the mechanism that's going to authorize my access to a resource, and Azure AD will provide that.
I mentioned earlier Azure AD Connect, it will provide this single sign-on experience for users that have an account on-premises and then integrate with Azure AD. Single sign-on is one of the benefits of integrating Azure AD with your on-premises infrastructure and with other resources such as cloud applications. Single sign-on is one of the biggest requests that most users have, but that can sometimes be a headache for administrators to implement. So, we'll look at how we implement single sign-on for both applications and coexistence between on-premises and Azure AD as part of this course.
Now, let's see how all of this works and how all of this integrates between Azure AD, on-premises Active Directory, and all of the management tools that we use to manage and implement an Azure AD solution as part of a subscription to Microsoft Azure.
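The password-plus-PIN flow the instructor describes above, as an added Python model that is not part of the course and not Azure AD's own code: a correct password alone is not enough, and the PIN is random, delivered out of band (a stand-in outbox replaces the SMS, e-mail or voice channel), time-limited and single-use. It goes slightly beyond the transcript by also rejecting expired and replayed PINs. The user name, salt, PIN length and five-minute lifetime are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 300   # assumed policy: a delivered PIN is valid for five minutes
PIN_DIGITS = 6          # assumed PIN length

# Constructed sample user store: one user with a salted SHA-256 password hash.
# (A production store would use a slow, per-user-salted KDF; kept short here.)
_SALT = b"constructed-demo-salt"
USERS = {"alice@example.com": hashlib.sha256(_SALT + b"correct horse battery").hexdigest()}

# Pending second factors: user -> (pin, issued_at). An entry is removed on first use.
_pending = {}
# Stand-in for the out-of-band delivery channel (text message, e-mail, voice call).
_outbox = []


def verify_password(user, password):
    """First factor: compare the salted hash in constant time."""
    expected = USERS.get(user)
    if expected is None:
        return False
    actual = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(expected, actual)


def issue_pin(user, now=None):
    """Second factor: generate a random one-time PIN and send it out of band."""
    now = time.time() if now is None else now
    pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
    _pending[user] = (pin, now)
    _outbox.append((user, pin))   # the real channel would be SMS / e-mail / voice
    return pin


def verify_pin(user, pin, now=None):
    """Accept a PIN only once and only within its lifetime."""
    now = time.time() if now is None else now
    entry = _pending.pop(user, None)   # pop: a wrong guess also burns the PIN
    if entry is None:
        return False
    expected, issued_at = entry
    if now - issued_at > PIN_TTL_SECONDS:
        return False
    return hmac.compare_digest(expected.encode(), pin.encode())


def authenticate(user, password, pin, now=None):
    """Both factors must succeed; the PIN is only checked after the password."""
    return verify_password(user, password) and verify_pin(user, pin, now)
```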
David shows how to implement and manage user and group accounts, join client computers, and implement single sign-on and multi-factor authentication. (Industry standard protocols such as SAML 2.0, WS-Federation, and OpenID Connect make sign-on possible on a variety of platforms.) To wrap up the course, David reviews the more advanced features in Azure AD and Azure AD Connect, including syncing on-premises Active Directory and Azure AD, and troubleshooting an Azure AD deployment.
- Directory as a service (DaaS)
- Using Azure AD management tools
- Creating an Azure Active Directory
- Managing users and groups
- Enabling Active Directory self-service
- Implementing Azure AD authentication
- Running Active Directory reports