Azure Active Directory is an identity management solution and the pivot point for most of Microsoft's cloud offerings. In this video, Sharon explains what Azure Active Directory is and how you can leverage it for single sign-on to thousands of cloud SaaS applications, use it for multifactor authentication, and integrate it with Windows Server Active Directory.
- [Instructor] Azure Active Directory is our Cloud control panel. It helps manage users, devices, and applications. It is the backbone of identity management in Azure. If you are already using Office 365 or CRM Online, you are already using Azure Active Directory, but you may not be aware of it. Azure Active Directory can integrate with your on-premises Server Active Directory or control access to thousands of SaaS services. We can also use Azure Active Directory for multi-factor authentication, and if you are using Windows 10, you can authenticate to Azure Active Directory from your Windows 10 device.
Traditionally, we used Server Active Directory to control our users and access, and this was fine because our users were also on premises and using the equipment we provided to them. We were in control. Then Cloud-based offerings started to appear, like Dropbox and Office 365, and our users started using those applications so they could work from other locations or avoid the constraints of IT. This is great for our users, but now IT has lost control over what our users were doing with our data and what they were doing with that data on whatever device.
Also in this scenario, IT and the users were having to manage different credentials for different services. Everything was isolated. Azure Active Directory solves these issues by providing single sign-on, or near single sign-on, capabilities to Office 365 and to our on-premises environment. We can also control access to SaaS applications and enable the user to become self-sufficient with self-service capabilities. Azure Active Directory enables IT to manage how users access corporate Cloud resources such as Office 365 or LinkedIn.
And depending on the Cloud application, IT can provide the account credentials or the user can use their own corporate credentials. Group access to a Cloud application can ease management of single users and allow for faster on-boarding, and if a user leaves, we can quickly and easily disable their access to those SaaS applications. Let's see this in action. So we have a new employee who's being on-boarded. Let's say he is part of the social media marketing team and he needs access to Twitter and Facebook.
He's also provisioned an Office 365 account for email. IT will add the new employee to the social media marketing group in Azure, which already has access to Facebook and Twitter. Now the user also has access to the company pages, but he never has the credentials, as IT has already configured this in the background. I've already mentioned that Office 365 uses Azure Active Directory for identity management. The new user is ready to sign in to Office 365 using the same username and password as his on-premises account.
Now let's say our new user wins the lottery and will be retiring. We don't want that user to still be able to access Office 365 or Twitter or Facebook. In Azure Active Directory, we can disable his access not only to Office 365 but also to Twitter and Facebook with a single click. When we configure applications in Azure Active Directory, those applications are provided to the user within a web portal; this is called the Access Panel. Because this is a web-based panel, users log into it, and from there they can click on the appropriate icon and it will take them to the appropriate SaaS application.
This eliminates users contacting the Help Desk and asking, "Can you provide me with the link to ABC SaaS application?" The Access Panel also allows the users to reset their own passwords, and it provides a list of all the groups users can join within the organization. According to Forrester Research, the average password reset is $70, and the Gartner Group states 20 to 50 percent of all Help Desk calls are for password resets. Allowing users to reset their own passwords reduces cost not only to the Help Desk, but also the time lost waiting for the Help Desk to reset their password.
Users become self-sufficient and can reset their own passwords at any time from anywhere without the assistance of IT, reducing frustration and downtime. Please note, self-service password reset is dependent on the Azure Active Directory SKU that you select. Azure Active Directory can be synchronized with Server Active Directory that is on-premises. To do so, we simply install the Azure Active Directory Connect tool. Once the tool is installed, we're able to synchronize our on-premises credentials to Microsoft Azure Active Directory, and in turn be able to access our SaaS applications.
I'm using the terms Azure Active Directory and Server Active Directory. When we hear Active Directory, we get really excited, thinking, "Oh, great, Azure Active Directory is going to push up group policy and we're going to be able to control access." Please be aware that there is a limitation with Azure Active Directory Connect. If you do not go for the SKU enabling password write-back, changes to your passwords in the Cloud-based services will not be synchronized to your on-premises environment. When your on-premises credentials are synced to Azure Active Directory, they will overwrite those changes that were made to the Cloud password.
In order to have the credentials sync all the way back to on-premises, you need to have Azure Active Directory Premium, which includes the write-back capability. If you are using Azure Active Directory Premium with the write-back capability, your password policies from your on-premises Server Active Directory will be authoritative.
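The on-boarding and off-boarding scenario described above, scripted with the Microsoft Graph PowerShell SDK, as an added example that is not part of the course. The user principal name and the group name are placeholders; it assumes the group is already assigned to the Facebook and Twitter enterprise applications, and that the Microsoft.Graph.Users, Microsoft.Graph.Users.Actions and Microsoft.Graph.Groups modules are installed.

```powershell
# Added example (not from the course): group-based on-boarding and off-boarding
# of a SaaS-entitled user with the Microsoft Graph PowerShell SDK.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All"

$upn       = "new.hire@contoso.example"   # placeholder user principal name
$groupName = "Social Media Marketing"     # placeholder group, assumed to exist

$user  = Get-MgUser  -Filter "userPrincipalName eq '$upn'"
$group = Get-MgGroup -Filter "displayName eq '$groupName'"
if (-not $user -or -not $group) { throw "User or group not found" }

# On-boarding: membership is the only thing IT touches. The SaaS credentials
# live in the enterprise app configuration, so the new hire never sees them.
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

# Off-boarding: disabling the account blocks new sign-ins; revoking sign-in
# sessions also invalidates refresh tokens already issued, so a SaaS app that
# holds a token cannot keep renewing access after the account is disabled.
function Disable-DepartingUser {
    param(
        [Parameter(Mandatory)][string]$UserId,
        [Parameter(Mandatory)][string]$GroupId
    )
    Update-MgUser -UserId $UserId -AccountEnabled:$false
    Revoke-MgUserSignInSession -UserId $UserId | Out-Null
    Remove-MgGroupMemberByRef -GroupId $GroupId -DirectoryObjectId $UserId
}

# Run the off-boarding step when the user leaves.
Disable-DepartingUser -UserId $user.Id -GroupId $group.Id
```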