Welcome to part 1 of this month’s Azure Partner Community blog series.
- Register for the August 20 community call
- Sign up for the Azure Partner email newsletter
- Join the Azure Partners group on Yammer
by Nick Johnson, PMP
I hope your summer has been a productive and exciting one. If you joined us at WPC 2015 in Orlando, thank you. It was wonderful to meet so many partners and hear how you are transforming your businesses, as well as helping customers transform theirs. For a recap of announcements and resources from WPC, I encourage you to check out this blog post by Diane Golshan.
Enterprise Mobility Suite (EMS) was a major topic at WPC. In a mobile first, cloud first world, a customer’s ability to manage their user identities and a variety of devices, protect corporate documents, and more, is critical to their success in the cloud.
In this month’s Azure Partner Community blog series, we’ll look at a few components of the EMS. In upcoming posts prior to our August 20 community call, we’ll cover these topics:
- Managing Cloud Identities and Using Cloud App Discovery
- Management, Monitoring, and Reporting in EMS
- Tips for Effective Demo and Sales Scenarios on EMS
In future months, we’ll dive deeper into additional aspects of the EMS to help you sell more and implement faster.
Azure Active Directory and Windows Active Directory
Today, I’m going to cover both Azure Active Directory and Windows Active Directory. Questions I am asked about these services include: Are they the same or is there a difference? How do they work together? Do they both run on Azure? Do they need to be used together or can they function individually? What about Windows 10 integration with Azure AD?
Knowing the key differences and features and when to use them will help you design more effective solutions for your customers. There are times to use Azure AD and Windows AD separately or together.
We’ll start with this simple statement: Azure AD and Windows AD are not the same. It is a misconception that Azure AD is “just Windows AD in the cloud.” To understand this more, let’s look at each service.
Windows Active Directory
If you have worked with Windows Server for any length of time, you are probably familiar with Windows Active Directory. Windows AD is made up of five unique services. They are: Active Directory Domain Services (ADDS), Certificate Services (ADCS), Rights Management Services (ADRMS), Lightweight Directory Services (ADLDS), and Federation Services (ADFS).
The service most commonly associated with Active Directory is the Domain Service. ADDS enables things like users, groups, group policies, domains, domain joined machines, organizational units, trees, forests, domain trusts, DNS, Kerberos Authentication, replication, and more.
So, the question is, can a Windows AD run on Microsoft Azure? The answer is yes. To run a Windows AD on Azure, you’ll set it up in hosted virtual machines, and at least one of the machines will need to be a domain controller. The best practice is at least two DCs in an availability set for fault tolerance.
On the domain controller(s), you can install any of the five services I mentioned above. If you have a domain that already exists in an on-premises environment, you can use Azure Networking to connect your VMs in the cloud back to on-premises, and set them up as replication partners.
Why choose to run a domain controller on Azure? Here are a few reasons:
- You are running an application that leverages Kerberos authentication. A SharePoint farm would be a great example.
- You are running your entire data center on Azure and no longer have on premises infrastructure, but still require the features ADDS offers.
- You are using Azure as a backup site for your Active Directory. Having AD replicated to a VM on Azure keeps AD running real-time should the primary site ever go offline.
An important distinction to make is that running Windows AD on an Azure VM is not the same as running Azure AD. Azure AD is not needed to run Windows AD on Azure VMs. If you want to know more about setting up and running Windows AD on Azure VMs, check out the links in the additional resources below.
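The procedure above (a VM on a virtual network routed back to on-premises, promoted as a replica domain controller) as an added PowerShell example; it is not code from the original post. It assumes hypothetical names (domain corp.contoso.com, an AD site named Azure-Site already defined for the VNet subnet, data disk F:) and that the VM already sits in an availability set with a second DC. It is run elevated on the VM itself.

```powershell
# Added example (not from the original post): promote an Azure VM to a replica
# domain controller for an existing on-premises domain, then verify replication.
# All names below are assumptions for illustration.

$DomainName = 'corp.contoso.com'   # assumed domain name
$SiteName   = 'Azure-Site'         # assumed AD site covering the Azure subnet
$DataDrive  = 'F'                  # assumed drive letter of the attached data disk

# 1. Keep the AD database, logs and SYSVOL on a separate data disk, not the OS
#    disk. Microsoft's guidance for DCs on Azure VMs is to attach that disk with
#    host caching set to None so directory writes are not lost on a VM restart.
Get-Disk | Where-Object PartitionStyle -eq 'RAW' |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -UseMaximumSize -DriveLetter $DataDrive |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'ADDS' -Confirm:$false | Out-Null

# 2. Install the AD DS role and its management tools.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools | Out-Null

# 3. Credentials: a domain account permitted to add DCs, and the Directory
#    Services Restore Mode password that guards offline access to this DC's
#    copy of the database. Neither is stored in the script.
$DomainCred = Get-Credential -Message "Account allowed to add a DC to $DomainName"
$DsrmPass   = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

$Paths = @{
    DatabasePath = "${DataDrive}:\NTDS"
    LogPath      = "${DataDrive}:\NTDS"
    SysvolPath   = "${DataDrive}:\SYSVOL"
}

# 4. Preflight: reports blocking problems (DNS, credentials, connectivity to the
#    existing domain) without changing anything.
Test-ADDSDomainControllerInstallation -DomainName $DomainName -Credential $DomainCred `
    -SafeModeAdministratorPassword $DsrmPass -InstallDns -SiteName $SiteName @Paths

# 5. Promote the VM as an additional (replica) DC with DNS; it reboots when done.
Install-ADDSDomainController -DomainName $DomainName -Credential $DomainCred `
    -SafeModeAdministratorPassword $DsrmPass -InstallDns -SiteName $SiteName @Paths -Force

# After the reboot, run on the new DC: confirm it is actually replicating with
# its on-premises partners. A non-zero LastReplicationResult or an old
# LastReplicationSuccess means the "backup site" copy of AD is not current.
Import-Module ActiveDirectory
Get-ADReplicationPartnerMetadata -Target $env:COMPUTERNAME -Scope Server |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult |
    Format-Table -AutoSize
```

Once the DC is up, give it a static private IP and point the virtual network's DNS setting at it, so domain-joined VMs in Azure resolve the domain locally instead of over the cross-premises link; the replication check at the end is the one to repeat periodically if the Azure DC is meant to serve as the DR copy described above.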
Azure Active Directory
Now, let’s look at Azure AD. What is it, and how is it different from Windows AD?
Azure AD is an identity and access management cloud solution. It allows you to set up cloud users and groups, manage users and their passwords, and establish single sign-on relationships with thousands of SaaS based apps. It differs from Windows AD in that it does not currently act as a domain controller, establish forest trusts, manage group policies, enable Kerberos authentication, etc.
Azure AD comes in three editions: Free, Basic, and Premium. It is included in the Enterprise Mobility Suite, but it can also be purchased and consumed on its own.
For customers running completely in the cloud, Azure AD may be all that is needed to manage their IDs. When used as a part of the full EMS for device management and document protection, it can be a very nice solution.
However, the reality is that most customers already have a Windows AD. Before Azure AD, federating Windows AD users to cloud apps was a common scenario. With the growth of SaaS based apps, maintaining those federations can become burdensome.
Azure AD addresses this, and allows you to help customers:
- Create a single portal where users can log in and access all their cloud based applications with one set of credentials
- Give individual users or a group of users access to a new application with just a few clicks
- Have users self-manage passwords
- Give delegated access to manage groups of users
- Manage cloud application access from a central location
- Use multi-factor authentication when a user attempts to access an app from an outside device
Enabling Azure AD to simplify identity management and application management for users can bring great value to any solution. But, it can still create scenarios where users maintain a separate username and password for their cloud solutions and on-premises logins. The opportunity here is to connect them, creating a scenario where usernames and passwords are synchronized.
This solution is enabled through synchronization by using the Azure Active Directory Sync Tool. Note that this is not replication as used in stand-alone Windows AD environments.
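Because synchronization is a scheduled one-way export rather than AD replication, the state a customer sees in the cloud can silently lag on-premises (for example, an account disabled on-premises stays usable in the cloud until the next successful sync). The following added example, not code from the original post, checks both ends of that pipeline. It assumes Azure AD Connect (the current successor of the sync tool named above) on a server you can reach with PowerShell remoting, the Microsoft Graph PowerShell SDK for the cloud side, and a hypothetical server name AADCONNECT01.

```powershell
# Added example (not from the original post): report on the health of
# on-premises-to-cloud identity synchronization. Assumes Azure AD Connect on the
# named server and the Microsoft.Graph PowerShell modules; names are assumptions.

function Get-AadSyncHealth {
    param(
        [string]$SyncServer = 'AADCONNECT01',   # assumed sync server name
        [int]$StaleAfterHours = 3               # default cycle is every 30 minutes
    )

    # On-premises side: is the scheduler enabled and when does it next run?
    # A disabled scheduler means on-premises changes (including disables and
    # deletions) stop flowing to the cloud.
    $sched = Invoke-Command -ComputerName $SyncServer -ScriptBlock { Get-ADSyncScheduler }

    # Cloud side: tenant-level time of the last export, plus per-user sync flags.
    $org   = Get-MgOrganization | Select-Object -First 1
    $users = Get-MgUser -All -Property 'userPrincipalName,accountEnabled,onPremisesSyncEnabled,onPremisesLastSyncDateTime'

    $synced    = @($users | Where-Object { $_.OnPremisesSyncEnabled -eq $true })
    $cloudOnly = @($users | Where-Object { -not $_.OnPremisesSyncEnabled })

    # Cloud-only accounts are the ones the post describes: a second set of
    # credentials that on-premises joiner/leaver processes never touch.
    $cloudOnlyEnabled = @($cloudOnly | Where-Object AccountEnabled |
        Select-Object -ExpandProperty UserPrincipalName)

    $cutoff = (Get-Date).ToUniversalTime().AddHours(-$StaleAfterHours)
    $lastSync = $org.OnPremisesLastSyncDateTime
    $stale = (-not $lastSync) -or ($lastSync -lt $cutoff)

    [pscustomobject]@{
        SchedulerEnabled  = $sched.SyncCycleEnabled
        NextCycleUtc      = $sched.NextSyncCycleStartTimeInUTC
        TenantLastSyncUtc = $lastSync
        SyncStale         = $stale
        SyncedUsers       = $synced.Count
        CloudOnlyUsers    = $cloudOnly.Count
        CloudOnlyEnabled  = $cloudOnlyEnabled
    }
}

# Usage: sign in with read-only scopes, then run the report.
Connect-MgGraph -Scopes 'User.Read.All', 'Organization.Read.All' | Out-Null
Get-AadSyncHealth -SyncServer 'AADCONNECT01' | Format-List
```

A SyncStale of True with SchedulerEnabled False is the case to act on first, since every on-premises change is then stuck; the CloudOnlyEnabled list is worth reviewing against whatever the customer considers its system of record for identities.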
As you design solutions for your customers, consider combining Azure AD and Windows AD to provide an enterprise grade hybrid solution for almost every workload.
What about Windows 10?
You may have seen the announcements about Azure AD and the ability to join a Windows 10 device to Azure AD. Azure AD Join is optimized for users that primarily access cloud resources. Azure AD Join is also great if you want to manage devices from the cloud with an MDM instead of with Group Policy and SCCM.
These blog posts by the Azure product team explain Azure AD Join and some of the deployment scenarios:
- Azure AD Join on Windows 10 devices
- Azure Active Directory and Windows 10: Bringing the cloud to enterprise desktops!
- Azure AD on Windows 10 Personal Devices
- Managing Azure Active Directory joined devices with Microsoft Intune
- Azure AD, Microsoft Intune and Windows 10 – Using the cloud to modernize enterprise mobility!
Your next steps
For partners, helping customers manage identity in the cloud presents a great opportunity to drive new business. To help get you started, here are my recommendations:
- Use the resources in this month’s blog posts and community call to help your teams build their skill sets.
- Work with your customers to assess how they are managing cloud identity today. Conduct an assessment to find all the apps in play. If they are using SaaS apps of any kind, there is an opportunity to help them design a solution for identity management.
- If you have Office 365 customers, talk to them about EMS! Their Office 365 logins can be extended to other SaaS apps.
- If you have Windows AD customers, consider Azure Virtual Machines as a backup option for DR. Also consider synchronization solutions with Azure AD.
To help you learn more and equip your teams I’ve captured links to some of the most useful sites and videos on the topics discussed in this post.
- Install a replica Active Directory domain controller in an Azure virtual network (documentation)
- Understanding Active Directory (Microsoft Virtual Academy course)
- Integrating your on-premises identities with Azure Active Directory (documentation)
- Install a new Active Directory forest on an Azure virtual network (documentation)
- Guidelines for Deploying Windows Server Active Directory on Azure Virtual Machines (documentation)
- What is Azure Active Directory
- Identity Solutions: Leveraging Azure Active Directory / Active Directory Premium (Channel 9 video)
- Azure Active Directory Core Skills Jump Start (Microsoft Virtual Academy course)
- Getting Started with Microsoft Azure Active Directory (Microsoft Virtual Academy course)
- Scott Guthrie demos Windows Azure Active Directory in the Cloud (video)
Comments about this post, or questions about the topic? Let us know in the Azure Partners Yammer group.