- In its basic form, it's a free service that provides the ability for Single Sign-On into cloud applications.
- Allows connection with
- consumers (Azure AD B2C)
- business partners (Azure AD B2B) without deploying complex infrastructure or federation.
- Provides the ability to integrate on-premises directories with Azure AD.
- Provide single sign-on to cloud applications such as Microsoft 365, Azure and other SaaS applications.
- Azure AD Connect provides the choice of:
- 1. Password Synchronization only , the ability to synchronize users and groups.
- 2. ADFS , to allow on-premises authentication, 3rd party MFA, etc.
- 3. Pass-through authentication , provides on-premises authentication without deploying ADFS.
- In all 3, you need Azure AD Connect to provide the synchronization engine.
- Additionally, the Microsoft Identity Manager (MIM) can be installed on-premises and used to configure the users, groups and attributes to be synchronized.
- Basic: SLA + self-service password reset for cloud users.
- Premium: MFA + other stuff.
- P2 only: Conditional risk policy, privileged identity management
- Provides managed domain services.
- Windows Server Active Directory compatible.
- LDAP, Kerberos, NTLM, Group Policy, and domain join capabilities are compatible.
- ❗ Not all features available in Windows Server AD are available in Azure AD Domain Services.
- Compatible with both Cloud only tenants and hybrid tenants using Azure AD Connect.
- No additional costs other than underlying Azure IaaS Virtual Machines.
- Managed by Azure.
- All user identities, credentials and groups, including group memberships, are created and managed in Azure AD.
- All the Azure AD objects are available within this domain
- Synchronized to an on-premises directory
- An additional stand-alone Domain is created by the managed service.
- The managed domain is a standalone domain and not an extension to the on-premises directory.
- Management
- Tenant identities are still created and managed within Azure AD
- On-premises identities are still created and managed on-premises.
- All objects from the on-premises domain and the Azure AD tenant are available to the managed service domain.
- Allows users to sign in to cloud services with their on-premises identities
- Azure AD Connect must be configured to allow password synchronization
- Allows resources in the cloud to connect to the managed domain can use Kerberos to authenticate.
- Azure AD Connect must be configured to allow password synchronization
- Managed by Azure
- So domain administrator does not need to
- manage this domain or any domain controllers.
- have has no domain or enterprise admin privileges.
- Available automatically, no need for AD replication.
- So domain administrator does not need to
- Enables users to sign in to both on-premises and cloud applications using the same credentials.
- Azure AD validates users' passwords against on-premises Active Directory.
- passwords are never stored in the cloud.
- No need to deploy ADFS infrastructure.
- No need for complicated certificates or trusts.
- 📝 Azure AD Connect installs Pass-through authentication agent on same server where it is.
- 💡 Install additional agents to make the service highly available.
- Free for all Azure AD tiers.
- Multi-forest environments are supported with some required routing changes.
- Users can be enabled to use self-service password management from the Azure AD directly.
- No additional ports or network configuration is required since the agent communicates outbound, so no perimeter network is required.
- Takes advantage of Azure AD Conditional Access policies, including Multi-Factor Authentication (MFA).