If you’ve spent any time on Skylines Academy’s learning platform studying for the MS-100: Microsoft 365 Identity and Services examination. You’ve likely started to realize the importance that identity plays in your organization’s cloud journey. I mean it’s in the name, right? IDENTITY and Services… Needless to say, I thought that for this blog I would take a moment and go a little higher level with everyone here to help those learning understand exactly what Azure Active Directory (AAD) is and where it fits in this ecosystem.

Let’s keep it simple to start – AAD is just Microsoft’s answer to a cloud-based identity and access management service. It’s used to allow you access to cloud-based services like Azure, Microsoft 365 or other software as a service-based applications and services. Furthermore, it’s also used to access corporate internal resources on your intranet. Whether that means you’re provisioning users, guests, groups, or devices you can do this seamlessly in AAD.

Now you may ask yourself… “but I already have Active Directory already… do I need AAD?”  The short answer is: if you plan on evolving your environment to be more hybrid (meaning you manage both resources on-premises and in the cloud) you need to have an identity and access management solution for those cloud-hosted resources. Now AAD isn’t the only option on the market but it’s Microsoft’s option to fulfill this need. Now if you’re wondering what the comparison is between traditional Active Directory (AD) and AAD – Microsoft developed a good matrix that breaks it down. This is especially helpful if you know on-premises AD works and knows the concepts behind app, user, and device management. I highly recommend you check it out.

Architecture & Use

Let’s take a step back though… We often overlook the architectural challenges that a proper identity ecosystem brings into an organization so each user can login successfully or manage a resource on-premises or in the cloud. So, let’s take a moment and review the architecture of AAD. Similar to how we replicate a catalog in traditional on-premises domain controllers in AD, a similar tactic is conducted in AAD.  As you can see below, we have a primary replica that receives all the data write requests and then those requests are replicated to secondary replicas across multiple geographic regions. This means that AAD is not only scalable based on demand, but it’s also highly available and offers additional supported services like backup protection and health monitoring. I highly recommend you read on the architecture of AAD by reviewing the What is the Azure Active Directory Architecture? Article on the Microsoft Docs page.

So now that we have an idea on how scalable and highly available AAD is, let’s talk about is core use and features. Whether you’re an IT admin, developer, or user that subscribes to cloud services, there’s a LOT you can do with AAD. A complete list of features that work in AAD is too long for the blog but you’ll see that there are some terms that we don’t commonly use in traditional AD environments. For example, business to business (B2B) or business to customer (B2C) access and management. There’s commonality (i.e. external mail contacts or guest users in AD vs B2B in AAD) but it’s important to know that taxonomy and terminology used in AAD (especially if you’re studying for the exam!!!).

Licensing

I’m not a fan of licensing discussions (they’re boring) but it’s important to note that unlike traditional AD, Azure AD has different licensing options and each option (as the price increases) includes additional features and options that can be used to help admins and users both manage and utilize AAD with ease. For example, Privileged Identity Management (PIM) includes the ability to discover, restrict, and monitor admin behaviors and access to resources as well as provide just-in-time administration as needed. PIM is included with the AAD Premium P2 license. A summarized breakdown can be viewed below:

Azure AD Connect

And now that we have an idea on AAD we need to talk about the piece that critically ties AAD to on-premises AD seamlessly so that we can use the same set of identities and passwords to access resources and information (regardless of where they’re hosted). The solution that affords that capability is known as Azure AD Connect or AAD Connect.

Simply put – AAD Connect makes your environment hybrid. Often, I get asked. Do I need AAD Connect? Can’t I just manage my identity solely in Azure AD? Why would I need to manage AD and AAD? Why do my teeth hurt just thinking about all this???

1.       AAD doesn’t require AAD Connect – AAD Connect is only if you require AD to authenticate with apps and services that cannot authenticate using AAD.

2.       You could manage AAD identities without the use of AD or Azure AD Connect - This would require that all users, apps, and services have the ability to login through Azure AD (or your organization could accept that not all apps and services that cannot authenticate through AAD would require a separate means of access (i.e. different account/credentials). However, I wouldn’t personally recommend this as this complicates your architecture and can increase security concerns by leaving gaps in your environment that could remain unprotected or un-managed.

3.       AAD is the hybrid option – It’s a bridge that allows you to sign-on to your environment using the same credentials whether they be in Azure AD our AD on-premises. A few months ago, I wrote a separate blog about the different types of authentication options in AAD Connect (i.e. Passthrough Authentication (PTA), Password Hash Synchronization (PHS), or Federation. You can find that blog here: - Authentication in Microsoft 365.

4.    You need to consult your dentist…

Looking above (say at the 2nd bullet point, for example) – This is why when we talk identity and authentication options that concepts like Seamless Single Sign-On (Seamless SSO) or Multi-Factor Authentication (MFA) options are so critical to the continuity of identity services as well as the continued security of that identity ecosystem as your organization moves to the cloud.

Many organizations don’t have the luxury of consolidating their identity environment exclusively into Azure AD so Azure AD Connect has the ability to bridge the environments, provide you with the flexibility of different authentication options based on your business needs without sacrificing security or functionality in the process.

Installing Azure AD Connect

However, as much as I’d like to say AAD Connect is a check box in Azure AD or in your on-prem AD that you could just click or enable… it’s not. There are prerequisites that you have to ensure inside of Azure AD and in your on-premises AD that you need to ensure are done before you can install the Azure AD Connect server that acts as the foundation that is needed in order to bridge your AD and AAD environments together.

For example, you want to ensure that the AAD Connect Server is treated as a Tier 0 component as captured in the AD administrative tiering model. It goes without saying that when we’re talking building components like AAD Connect Server (or really any identity component for that matter) that we want to ensure we’re following Microsoft’s documented best practices as it pertains to managing and securing your identity ecosystem. Another example would be that the server housing AAD Connect must be on a domain joined member running Windows Server 2012 or later. Again, a complete list of installation prerequisites can be found here – Installation Prerequisites for Azure AD Connect.

The architecture of Azure AD connect requires the use of a SQL Server database to help store the critical identity data. If you decide to use the default option, a SQL Server 2012 Express LocalDB instance is installed. Think of this is as a lighter version of SQL Server Express that you can download for most DB connected apps and services. Now if you have a larger and more complex identity ecosystem where you have a DB sizing larger than 10GB (or approximately 100,000 objects in AD), AAD Connect does support full versions of SQL Server 2012 to SQL Server 2019. If you click the before mentioned prerequisites link, you’ll see additional information about the SQL Server uses and requirements as well.

Once you have the AAD Connect server installed, you’ll be ready to run the synchronization wizard so that the bridge between AD and AAD is not only built but traffic is flowing between them as well. However, that my friends, is for another blog…

If you want to immerse yourself in the material that is going to help you study and prepare for the exam, I highly recommend that you take a look at the MS-100 Certification Course: M365 Identity and Services through Skylines Academy. There you’ll get exposed to 18 different modules and topics covered on the exam (to include what we just went over here).

Please don’t hesitate to reach out to Skylines Academy should you have any questions about your study needs for your next M365 examination! Thank you for your time, stay healthy out there!!!