What is Azure Active Directory (Azure AD)?
Azure Active Directory (Azure AD) is Microsoft’s cloud service for identity and access management (IAM). Azure AD underpins Office 365, is compatible with an on-premises Active Directory, and provides authentication to many cloud-based services via protocols such as SAML, OAuth 2.0, and WS-Security. It provides the ability to manage user identities and access rights, combining core directory services, access management, and identity protection into a single solution.
Azure AD lets users sign in to and access external resources such as Office 365 and thousands of other Software-as-a-Service (SaaS) applications, as well as internal resources such as applications on the company network and intranet. Azure AD exposes Representational State Transfer (REST) APIs for integration with other web-based applications. In Azure AD, an administrator can create groups, add accounts to them, and then assign resource access to the group. Mobile devices and Windows desktops can be joined to Azure AD and managed with Microsoft Intune.
Windows Active Directory vs Azure AD:
Windows Active Directory (AD), launched by Microsoft in 2000, is the predecessor of Azure Active Directory and has been the standard for enterprise identity management since its launch. Unlike Azure AD, Windows AD uses the Lightweight Directory Access Protocol (LDAP) to connect with other applications, and it does not manage mobile devices. Group Policy Objects (GPOs) are typically used to govern desktops and servers joined to Windows AD, and the Kerberos and NTLM protocols are used to validate user credentials.
How does Azure Active Directory or Azure AD work?
Azure Active Directory authentication (Azure AD authentication) through the miniOrange broker takes place in the following steps:
- The user navigates to the application and requests access.
- An authentication request is sent to the miniOrange Broker Service.
- The miniOrange broker identifies Azure Active Directory (AD) as the identity provider and forwards the authentication request to Azure AD.
- Azure Active Directory authenticates the user and generates a SAML token or LDAP authentication response, which is sent back to the broker.
- The miniOrange broker posts the SAML response to the service provider (application) via the user’s browser.
- The service provider (application) verifies the SAML response, and access is granted to the user.
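The last step, the service provider verifying the SAML response, is where most relying-party mistakes happen. The following is an added example (not miniOrange or Microsoft code) of the checks a service provider should make before trusting an assertion: status, InResponseTo, issuer, validity window, audience and SubjectConfirmation recipient. It assumes the XML signature over the Assertion has already been verified by an XML-DSig library (for example python-xmlsec), and the sample response, the application URLs and the tenant ID are constructed placeholders.

```python
"""Relying-party checks on a SAML 2.0 Response (added example, not vendor code).

Assumes the Assertion's XML signature was already verified by an XML-DSig
library; this code performs the remaining checks before the NameID is trusted.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


class SamlValidationError(Exception):
    pass


def _parse_time(value):
    # SAML timestamps are xs:dateTime in UTC, e.g. 2024-01-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_saml_response(xml_bytes, *, expected_issuer, expected_audience,
                           expected_in_response_to, acs_url, now,
                           clock_skew=timedelta(minutes=3)):
    """Return the asserted NameID, or raise SamlValidationError."""
    # Production code should parse with defusedxml to block entity-expansion
    # attacks; the stdlib parser is used here so the example runs offline.
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlValidationError("not a samlp:Response")
    # 1. InResponseTo must match the AuthnRequest ID we issued; this rejects
    #    unsolicited or replayed responses.
    if root.get("InResponseTo") != expected_in_response_to:
        raise SamlValidationError("InResponseTo mismatch")
    # 2. The IdP must report success.
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("IdP reported failure")
    # 3. Exactly one assertion, issued by the IdP we trust.
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one Assertion")
    assertion = assertions[0]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        raise SamlValidationError(f"untrusted issuer {issuer!r}")
    # 4. Validity window, allowing a small clock skew.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("missing Conditions")
    not_before = _parse_time(cond.get("NotBefore"))
    not_on_or_after = _parse_time(cond.get("NotOnOrAfter"))
    if now < not_before - clock_skew or now >= not_on_or_after + clock_skew:
        raise SamlValidationError("assertion outside validity window")
    # 5. The audience restriction must name this service provider.
    audiences = [a.text.strip() for a in
                 cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise SamlValidationError("audience mismatch")
    # 6. Bearer confirmation must target our ACS URL and our request ID.
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if (scd is None or scd.get("Recipient") != acs_url
            or scd.get("InResponseTo") != expected_in_response_to):
        raise SamlValidationError("SubjectConfirmationData mismatch")
    if now >= _parse_time(scd.get("NotOnOrAfter")) + clock_skew:
        raise SamlValidationError("subject confirmation expired")
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:
        raise SamlValidationError("missing NameID")
    return name_id


# Constructed sample response; tenant ID, URLs and user are placeholders.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    InResponseTo="_req42" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://app.example.com/saml/acs">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42"
            Recipient="https://app.example.com/saml/acs" NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://app.example.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)
ARGS = dict(expected_issuer="https://sts.windows.net/TENANT-ID-PLACEHOLDER/",
            expected_audience="https://app.example.com",
            expected_in_response_to="_req42",
            acs_url="https://app.example.com/saml/acs", now=NOW)


def demo():
    """Validate the constructed sample with matching parameters."""
    return validate_saml_response(SAMPLE_RESPONSE, **ARGS)


def demo_rejects(**overrides):
    """Return the rejection reason for a tampered parameter, or None if accepted."""
    kwargs = dict(ARGS, **overrides)
    try:
        validate_saml_response(SAMPLE_RESPONSE, **kwargs)
        return None
    except SamlValidationError as exc:
        return str(exc)


if __name__ == "__main__":
    print(demo())                                             # alice@example.com
    print(demo_rejects(expected_in_response_to="_req99"))     # InResponseTo mismatch
```

The order of the checks matters less than their completeness: an assertion that is correctly signed but addressed to a different audience, or replayed against a different ACS URL, must still be rejected, which is why audience, recipient and InResponseTo are checked independently of the signature.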
Azure Active Directory or Azure AD Authentication Components
- Service Provider- Service providers handle the communication between the user and an identity provider that maintains a user directory. In this case, Azure Active Directory (AD) is the identity provider and the application is the service provider.
- Service Provider- A service provider provides services to the end user. Service providers rely on identity providers to assert the identity of a user, and typically certain attributes about the user that are managed by the identity provider. Service providers may also maintain a local account for the user, with attributes that are unique to their service.
- Identity Provider- Here Azure Active Directory (Azure AD) is the identity provider. As the identity provider, Azure AD authenticates the user and issues an authentication token (information that verifies the authenticity of the user) to the service provider.
Limitations of Azure Active Directory Authentication or Azure AD Authentication
- Limited MFA methods: Azure Active Directory (Azure AD) authentication supports a limited set of Multi-Factor Authentication (MFA) methods.
- No Group Policy: Azure AD has a few policy tools, such as Conditional Access, but it is more focused on granting access.
- No support for NTLM or Kerberos: Azure AD authentication supports only modern authentication protocols such as OAuth, SAML and OpenID Connect.
- Limited OAuth support: Azure AD authentication does not support all OAuth grant types.
- No support for extending or customizing existing protocols with custom apps.
- Limited support for device-, location- and time-based access policies.
Azure Active Directory VS miniOrange IdP
| Features | Azure AD | miniOrange IdP |
| --- | --- | --- |
| Multi-Protocol support | Supports only a few modern authentication protocols (OAuth, SAML & OpenID Connect). | Fully supports all protocols for authentication. |
| Multi-Factor Authentication | Supports limited Multi-Factor Authentication methods. | Supports 15+ Multi-Factor Authentication methods. |
| Pricing Plans | A fixed annual subscription (no quote-based pricing plan). | A flexible monthly & quote-based pricing plan for organizations of all sizes. |
| Security | Doesn’t support. | Supports fraud prevention, social login, and cloud security. |
| Adaptive Authentication | Doesn’t support. | Supports Adaptive Multi-Factor Authentication. |