Set up identity with Microsoft Azure Active Directory
The second in a seven-part series on the effectiveness and efficiencies of a feature-rich, cloud-connected Windows 10 environment for small businesses
Previously in Building and growing your business with Windows 10 and the cloud…
In the first blog post of this series, we described how Windows 10 and Microsoft cloud services can provide you with powerful, scalable IT services without the need to configure, deploy, and maintain costly on-premises equipment. Now we're ready for step 1 of the road map: a comprehensive cloud-based deployment for your small business.
The foundation of your organization's IT services: identity, single sign-on, and Microsoft Office 365
Your cloud-connected infrastructure starts with user identities stored in Azure Active Directory (Azure AD), so we'll focus on setting it up first. Azure AD is an integral part of Office 365, a suite of cloud-based productivity applications and services. Office 365 is built around cloud-based user authentication in Azure AD, giving users a single identity based on your corporate email domain and a single sign-on to the applications and services they need. Online storage, email, file sharing, and additional applications and services are also available once users are authenticated by the online domain-based credentials they entered when they signed in to their device. No on-premises servers are required, and you manage users and their accounts in the Office 365 admin center, your single point of access to manage all your services, including Microsoft Exchange Online email and calendaring, Skype for Business Online audio and video conferencing, SharePoint Online collaboration services, and your service-specific dashboards.
Users can use their company email address and password for Office 365 services by signing in to their device. You have the option of enabling them to use a device-specific PIN for enhanced security, and they can change their own passwords at any time without requiring your help.
Beyond this, your Office 365 subscription gives you a host of powerful Azure Active Directory features to help manage your IT services.
Don't buy a domain controller; use online directory services
Azure AD is your directory in the cloud—it provides you with the essentials of what could be a much more costly and complex on-premises domain-based Active Directory infrastructure. With Azure AD, you gain identity management, access control, and cloud-based storage for your company data.
When you sign up for Office 365, it includes a free subscription to Azure AD (also known as Azure Active Directory Free edition). If you need more features, you can add paid capabilities using the Azure Active Directory Basic and Premium editions. Azure AD paid editions offer enhancements to the free directory service that is bundled with Office 365, providing enterprise-class capabilities spanning self-service, enhanced monitoring, security reporting, Multi-Factor Authentication, and security-enhanced access for your mobile workforce.
Set up your corporate domain in Office 365
In the past, your first step may have been to deploy one or more domain controllers to begin configuring your corporate domain and associated directory services, but with Office 365, most of this work is already done for you—in the cloud.
When you're ready to use your domain (such as contoso.com) with your email (for example, email@example.com), just follow the steps in the Office 365 setup wizard to add your domain and get your essential services set up.
Start by using the wizard to verify that you own the domain name, and then go through the guided steps to add and configure services for users. Visit set up Office 365 for business for further information on the following steps:
- Visit the Office 365 admin center.
- Verify your company domain in Office 365.
- Add users to your online directory service.
- Assign Office 365 licenses to users.
- Configure policies for user authentication, device management, and domain services.
- Import, migrate, or set up email for your users.
- Verify that mail is flowing to your new Office 365 domain.
- Download Office 365 applications and set up Skype for Business Online.
up online storage using Microsoft OneDrive for Business.
- Add optional
SharePoint Online collaboration services.
Use self-service and Multi-Factor Authentication to reduce admin intervention
During installation and at any time thereafter, your users can change or reset their passwords on their own. This takes a common task off the admin's plate, and only requires that users have configured Multi-Factor Authentication details in the form of alternate personal information in their Office 365 account to confirm their identity.
With Multi-Factor Authentication, users can choose one of the following verification methods to confirm their identity and perform self-service tasks such as password resets:
- Office phone voice call
- Mobile phone text message or voice call
- Alternate email message
- Security question responses
Sign on is successful only after the required acknowledgment has been received. By setting up Multi-Factor Authentication, you can help secure not only user access, but also single sign-on to your business-critical Office 365 applications and services.
Configuration is straightforward. To set up Multi-Factor Authentication in Office 365, you:
- Select one or more users in the admin center.
- Enable the Multi-Factor Authentication option for those users.
- Manage user settings for contact methods, device and application passwords, and suspended device policies.
Multi-Factor Authentication is included with Office 365, but you can also purchase enterprise-level Azure Multi-Factor Authentication that includes extended functionality.
Simplify user and device onboarding with Windows 10 and Azure self-managed domain join
Just as large on-premises-based enterprises use domain join to get the best user experience, Azure AD join is optimized for organizations and users that primarily access cloud-based domain resources.
Windows 10 devices also support self-service domain join for your Azure-hosted domain, using single sign-on credentials in Azure AD, with no requirement for admin intervention.
As with Multi-Factor Authentication, you use the admin center to configure users for domain join. You can set the maximum number of devices and whether Multi-Factor Authentication is required to join a new device.
The most likely scenario is a user who receives a new Windows 10 device and joins it to Azure AD the first time they start it up. This enables you to distribute shrink-wrapped devices to users with no need to image or use the Sysprep tool ahead of time.
Users joining your Azure-hosted domain start their device and:
They enter their domain-based username.
- Azure AD looks for your matching organization.
- Their device is then registered in the organization's hosted domain in Azure AD.
- The device is optionally enrolled in mobile device management.
- From then on, signing in to the device using the organization username connects the device to your domain.
- Users enjoy single sign-on to Office 365, online storage, and any other applications and services you have configured for their use.
If you have set a standardized device configuration, or policies around restricted management and reconfiguration of the device, then these are also pushed at this time so that you can be sure your chosen configuration is maintained for the duration of device enrollment.
Your domain is set up and you have configured users and devices in your online directory service. In the next post, we will set up your email service, deploy Office 365 to users, and offer users easy configuration and a consistent Office 365 experience across all their devices.
Still can't wait? More about Windows 10, Office 365, Microsoft Enterprise Mobility Suite, and Microsoft Intune
Visit the following sites to learn more about the Windows 10 and Azure-based technologies and services that work together to provide a compelling solution for your cloud-connected devices and services.
© Microsoft Corporation 7/7/2016