Azure AD Connect allows you to synchronize your on-premises Active Directory directories with Azure AD. This lets your users use a common identity with Office 365, Microsoft Intune, other SaaS applications, and on-premises applications, providing a single credential to be used across both environments and allowing for Single Sign-On (SSO).
Azure AD Connect also provides administrative benefits, providing for alerts and monitors, as well as password synchronization.
Using Azure AD Connect is the simplest way to extend your on-premises directories to Azure to provide SSO with SaaS applications such as Office 365.
There are a number of ways that you can extend your on-premises infrastructure into Azure. As such, you need to analyze what your business requirements are, what you are trying to achieve by extending your infrastructure into Microsoft Azure, and what the needs of the various elements are, such as users (internal and customers), applications, and your infrastructure.
Extend on-premises AD into Azure
Involves running a Domain Controller in Azure in a virtual machine using Azure IaaS
Would typically be done to support some applications in Azure, to fulfill a requirement to have Domain Controller availability in a remote part of the world, or perhaps to run a secondary site for recovery operations
Synchronize Active Directory Domain Services (AD DS) with Azure AD
Will put a copy of your credentials in Azure
Would typically be done when investing in Office 365, Microsoft Intune or Microsoft Dynamics, to allow users to log in to those cloud-based apps with their domain credentials.
Implement a federated Trust relationship with Azure AD
Credentials exist only in your on-premises AD; Azure AD trusts your on-premises credentials using claims.
Requires the installation of Active Directory Federation Services (AD FS)
Create a direct trust relationship with Azure AD and on-premises Active Directory using ADFS
Probably the most complex implementation, and we won’t look at it in detail in this course, but would retain all your credentials in your on-premises environment, giving you the greatest level of isolation.
Multi-Factor Authentication (MFA) is the ability to require additional authentication for on-premises or cloud services and applications. It requires the use of more than one verification system:
Something you know (typically a password)
Something you have (a trusted device, such as a phone or smartcard)
Something you are (biometrics)
In addition to the traditional user name and password, MFA requires one additional verification from the user looking to access the service or application, delivered through one of the following:
a phone call
a text message
an email message
Third-party OATH token
Azure Multi-Factor Authentication is available as a stand-alone service with per user and per authentication billing options, or bundled with Azure Active Directory Premium, Enterprise Mobility Suite or Enterprise Cloud Suite.
It is possible to have more than one directory. There is no parent-child relationship between directories, and each directory is fully independent of any other directories that you may manage in terms of resources, administration, and synchronization. There is also no parent-child relationship between the subscription and the directory. So if you cancel or allow your Azure subscription to expire, you can still access your directory data using Azure PowerShell, Azure CLI, the Azure Graph API, or other interfaces such as the Office 365 Admin Center. You can also associate another subscription with the directory.
For example, Michael Smith might have an Office 365 subscription for Contoso.com. He also has an Azure subscription that he signed up for by using his Microsoft account, email@example.com. In this case, he manages two directories.
In order for Michael Smith to manage both directories while he is signed in to Azure as firstname.lastname@example.org, he must add email@example.com as a global administrator in the Contoso directory.
There are several tasks and tools that you can use to manage users and groups in Azure AD. General tasks for users and/or groups include
managing group membership
resetting user passwords.
Tools that can be used to accomplish these tasks include
Bulk creation and editing using a .csv file
The new Azure Portal is currently in Preview mode; while it is not fully released, it already offers much of the functionality needed to manage users, groups, applications, and directory settings. Not all functionality is available in this portal yet, however. The Azure classic portal is still capable of completing all tasks in the meantime.
Every Azure AD comes with an initial domain name in the form «name.onmicrosoft.com», where the first label is taken from the name in the email address used to sign up for the subscription and «onmicrosoft.com» is a standard domain name that is always added when you sign up in Azure AD. For example, “contoso.onmicrosoft.com” was established when the directory was created, typically by the admin (firstname.lastname@example.org) who created the subscription and directory. This initial domain name for a directory can’t be changed or deleted.
A custom domain name is a domain name that is owned and used by that organization, such as “contoso.com,” for uses such as hosting its web site. This domain name is a familiar format for people and helps simplify the sign in process.
It is possible to use a custom domain name in Azure AD. Before a custom domain name can be used by Azure AD, the custom domain name must be added to your directory, in the Domain Names setting in the new portal, and verified.
Azure AD effectively comes in four different subscription models, starting with the free edition, which is available by default when you sign up for one of several services. We will call out some of the features available per edition below. A full list of features per edition along with licensing details is available in the URL included in the note at the end of the topic.
Azure Active Directory is a multi-tenant, cloud-based directory and identity management system.
It is a Platform as a Service (PaaS) Offering and facilitates a lot of different functionality, some of which are
Single-Sign-On across multiple applications in Software-as-a-Service (SaaS) offerings
Role-based access control (RBAC)
It is not the same platform as on-premises Active Directory Domain Services (AD DS). It does not have
Group Policy for managing users and computers
Organizational Units; it is a flat organizational structure
Forests or trusts; federation is used instead to allow authentication and authorization across organizational boundaries
It is possible to integrate AAD into your On-premises Active Directory and provide a hybrid infrastructure, thus leveraging some of the benefits of cloud based identities within your organization, such as facilitating single-sign-on with Office 365.
Azure Active Directory (Azure AD) supports several of the most widely used authentication and authorization protocols. However, as authentication takes place over the internet via browsers or applications, some on-premises Active Directory protocols, such as Kerberos authentication, are not applicable. Instead, Azure Active Directory can use a variety of authentication protocols such as OAuth 2.0, OpenID Connect, WS-Federation, or SAML 2.0.
When it comes to transferring very large amounts of data to or from the cloud you will want to consider using the Azure import and export service. The Azure Import/Export Service allows you to:
Import. Securely transfer large amounts of data to Azure blob storage by shipping hard disk drives to an Azure data center.
Export. Transfer data from Azure blob storage to hard disk drives and ship them to your on-premises site.
This service is suitable in situations where you want to transfer several TBs of data to or from Azure, but uploading or downloading over the network is not feasible due to limited bandwidth or high network costs. Scenarios where this would be useful include:
Migrating data to the cloud. Move large amounts of data to Azure quickly and cost effectively.
Content distribution. Quickly send data to your customer sites.
Backup. Take backups of your on-premises data to store in Azure blob storage.
Data recovery. Recover large amounts of data stored in blob storage and have it delivered to your on-premises location.