You must protect every digital device connected to your company’s enterprise network and each employee’s login credentials from hackers.
Whether it’s people using their own laptops at work on bring-your-own-designated-device (BYODD) day or reusing weak passwords like 111111 or abc123, potential entry points for bad actors are steadily increasing.
Windows Azure Active Directory is a sprawling identity and access management (IAM) solution — the Walmart of IAM software — with features and options to satisfy almost everyone.
We’ll take a look at its core features, pricing, and support options, so you can decide if it’s a good choice for protecting access to your company’s digital assets.
Who is Windows Azure Active Directory for?
Azure Active Directory is web-based, enterprise identity management software. Its single sign-on (SSO) and multifactor authentication (MFA) features help protect your network and prevent cyberattacks.
Azure Active Directory for workplace environments is designed for information technology (IT) administrators and application developers to secure users’ access.
Azure Active Directory is similar to but separate from Azure Active Directory Domain Services. Both provide identity management functionality, but the former is cloud-based, while the latter is for on-premises use.
You need at least 50 employees — but likely more! — to make Azure Active Directory cost-effective. Current users include Walmart, BP, and Amtrak.
Windows Azure Active Directory’s features
Whether your employees are on-site or away from the office, Azure Active Directory gives them seamless, secure access to their work-related website and application accounts. You can also automate workflows for user life cycle and provisioning and reduce IT department workloads with self-service password management.
We’ll start with a close look at its SSO and MFA functionality and related reporting features.
Single sign-on (SSO)
SSO technology allows users to sign in once to a portal website to access multiple, authorized third-party applications.
This streamlines the user experience because nobody wants to log in to the same company accounts such as MS Outlook, Slack, or Salesforce every day — or manage the umpteen different passwords for them.
Employees can access SSO apps via Windows Azure portals or enable the Windows My Apps portal with Azure Active Directory. Either way, users log in once to access company-wide Microsoft and third-party apps.
Azure Active Directory’s SSO generates multiple benefits:
- Reduces expenses: Users save time with one portal to access company-wide apps, request resource access, and manage their accounts. IT departments will see a significant drop in routine password-related help requests thanks to automated password management.
- Increases security: Admins can easily change application and resource settings and implement stringent password creation protocols.
- Provides robust analytics: Using SSO provides one entry point to audit user login activities, password strength, and suspicious activities.
Connect authentication-based apps hosted on-premises or in the cloud. Choose from over 3,200 preconfigured Microsoft and third-party apps in the Azure Marketplace, or use the Azure Active Directory App Proxy to build connections with your native apps.
Users can also install the My Apps mobile app on digital devices to access their SSO accounts on the go.
Multifactor authentication (MFA)
A username and password alone don’t distinguish between a user signing in and a hacker with compromised credentials. MFA provides another layer of protection with secondary authentication factors tied to information an attacker shouldn’t have. They are based on something you:
- Know: the answer to a personal security question
- Have: a one-time password (OTP) sent to another device or email account
- Are: biometrics such as facial recognition or a fingerprint scan
You can also deploy MFA when employees perform self-service password resets. These identification factors use the free Microsoft Authenticator app or verification codes, texts, or calls via your smartphone.
During account onboarding, users can register with one step for both self-service password reset and Azure Active Directory MFA, but admins choose the forms of secondary authentication used.
SSO and MFA are not features you switch on and then get to forget about. Instead, they’re part of your overall network security strategy.
Azure Active Directory has two report categories:
- Activity: audit log and sign-in reports
- Security: risky sign-in and users flagged for risk reports
All Azure Active Directory editions report users flagged for risk and risky sign-ins, but further data granularity depends on your specific plan.
Your IT admins or security operations center (SOC) can use this information to configure automated policy responses that scale with the assessed risk level. Azure Active Directory also lets you simulate risk events to test your access policies.
Windows Azure Active Directory’s ease of use
Two different groups will use Azure Active Directory at your business: the IT department and the rest of your employees. The former is concerned with its configuration and operations, while the latter is interested only in the end results when they log in each day.
IT administrators like Azure Active Directory because it has integrated Microsoft security throughout the deployment process, allows centralized administration of users at different locations, and notifies admins about problems with Active Directory database content.
IT techs appreciate it because it reduces help desk requests for new passwords, password resets, and related tasks.
Some IT admins mention the sheer number of features means Azure Active Directory takes more time to learn. It’s not that easy to navigate, and inconsistencies are common. And, because it’s a Microsoft product designed primarily for Windows environments, it doesn’t play well with other operating systems.
Users like moving between applications without multiple sign-ins and find the SSO portal and browser extension easy to use. Azure Active Directory is included with most Office 365 Enterprise plans, and those users need to manage only their Office 365 credentials, which they can do with self-service tools.
Windows Azure Active Directory’s pricing
Azure Active Directory plans include:
- Office 365: Included with most Office 365 enterprise plans — Provides company branding, including customization of login and logout pages and the access panel, service-level agreement (SLA), and device write-back.
- Premium P1: $6/month per user — Adds user access to on-premises and cloud resources, supports advanced administration including dynamic groups, self-service group management, Microsoft Identity Manager, and self-service password resets for on-premises users.
- Premium P2: $9/month per user — Adds Azure Active Directory Identity Protection to enhance risk-based conditional access to apps and company data and Privileged Identity Management (PIM) to further discover, restrict, and monitor administrators, their access to resources, and provide just-in-time access.
The Premium editions are available from multiple sources: your Microsoft representative, Microsoft’s Open Volume License Program, and its Cloud Solution Providers program. Azure and Office 365 subscribers can also purchase Azure Active Directory Premium P1 and P2 online.
Finding your total Azure Active Directory price requires careful research. Many IT admins have commented on the complex licensing options, which make it hard to calculate an accurate upfront cost.
Windows Azure Active Directory’s support
Azure Active Directory’s four support packages include:
- Basic: Provided free to all Azure customers, and includes billing and subscription management support, self-help resources, Azure Active Directory tutorial and portal how-to videos, technical documentation, community support, ability to submit multiple support tickets, and Azure health status and notifications.
- Developer: $29/month — Suitable for trial and nonproduction environments, and adds email support during business hours with an eight-hour response time and general architecture support guidance.
- Standard: $100/month — Suitable for production workload environments, and adds 24/7 support by email and phone with one- to eight-hour response times.
- Professional Direct: $1,000/month — Suitable for business-critical dependence environments, and adds 24/7 support by email and phone with one- to four-hour response times, a single view to manage active support tickets, webinars led by Azure engineers, and architecture support, service reviews, advisory consultation, and proactive guidance from ProDirect delivery managers.
Customer support is provided in English, Spanish, French, German, Italian, Portuguese, traditional Chinese, Japanese, and Korean. Quote-based system-wide enterprise support plans are also available.
Benefits of Windows Azure Active Directory
More benefits come from additional features that aid threat hunting, user experience, and endpoint security. We’ll take a close look at three you’ll use on a regular basis: password protection, browser extensions, and adaptive authentication.
Every password is inherently weak because enough time and computing power will uncover it. Even with MFA, however, you still want your employees to use strong passwords and avoid compromised ones.
Azure Active Directory Password Protection has multiple tools to do this, including a global banned password list and third-party compromised password lists.
Create a customized banned password list based on your company’s brand and product names, locations, and business-specific internal jargon and abbreviations. Block passwords based on baseline terms like your company name, so you aren’t required to block every possible variation such as adding a numeral at the end.
Password evaluation is another key security component. Azure Active Directory Password Protection uses multiple factors to assign a score to each password. If its score is too low, users must create a stronger one.
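To make the banned-list and scoring ideas concrete, here is an added example in Python; it is not Microsoft's code and not from the original article. It follows the approach Microsoft documents for Password Protection (lowercase the password, undo a few common character substitutions, count one point per banned term found and one point per remaining character, reject below five points), but the substitution table, the greedy longest-match scan and the sample banned terms are assumptions made for this illustration, and the fuzzy (one-edit) matching of the real service is omitted.

```python
# Assumed substitution table: the normalization undoes the usual "leetspeak" swaps
# so that P@ssw0rd is evaluated as "password".
SUBSTITUTIONS = {"0": "o", "1": "l", "$": "s", "@": "a"}

def normalize(password: str) -> str:
    """Lowercase and undo common character substitutions before matching."""
    return "".join(SUBSTITUTIONS.get(c, c) for c in password.lower())

def score_password(password: str, banned: list[str]) -> tuple[int, list[str]]:
    """Return (points, banned terms found).

    Scan left to right; each banned term found counts one point and is consumed
    whole, every other character counts one point. This is why a baseline term
    such as a company name also catches "Contoso1" or "Contoso2024" without
    listing every variation.
    """
    norm = normalize(password)
    terms = sorted({normalize(b) for b in banned if b}, key=len, reverse=True)
    i, points, hits = 0, 0, []
    while i < len(norm):
        for term in terms:                      # longest banned term first
            if norm.startswith(term, i):
                points += 1
                hits.append(term)
                i += len(term)
                break
        else:                                   # no banned term at this position
            points += 1
            i += 1
    return points, hits

def is_acceptable(password: str, banned: list[str], threshold: int = 5) -> bool:
    """Accept only passwords that keep at least `threshold` points after banned terms collapse."""
    points, _ = score_password(password, banned)
    return points >= threshold

if __name__ == "__main__":
    # Constructed custom banned list: company/brand name plus internal jargon.
    custom_banned = ["contoso", "blank", "password"]
    for candidate in ["ContosoBlank12", "Contoso1", "P@ssw0rd", "Summer2019!"]:
        pts, found = score_password(candidate, custom_banned)
        print(f"{candidate:16} points={pts} banned={found} accepted={is_acceptable(candidate, custom_banned)}")
```

The scoring makes the point of the custom list clear: a password that is mostly a banned term collapses to one or two points no matter how it is capitalised or what digit is appended, while unrelated characters still count in full.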
Nobody wants to go back to their My Apps portal multiple times during the day to access company app accounts. Azure Active Directory addresses this issue with the My Apps browser extension, which provides full portal functionality.
Browser extensions are available for Google Chrome, Mozilla Firefox, Microsoft Edge, and with limited support for Internet Explorer. Safari, Opera, Vivaldi, and Brave users are out of luck.
MFA provides an extra layer of security beyond passwords alone, but it’s intrusive: Nobody wants an extra hoop to jump through at every login.
Azure Active Directory Conditional Access adaptive authentication evaluates each login attempt to determine the appropriate level of security to apply or even block access based on multiple “signals”:
- Application requested
- Real-time risk
Azure Active Directory Conditional Access would, for example, allow me to log into my SSO portal at work on my company computer with only my password.
If I was on the road logging in from a different location, however, it might prompt me to use MFA. And if someone outside the U.S. tried to log in from an unknown device, it could block the attempt even if it used the correct login credentials.
Azure Active Directory Conditional Access helps IT admins balance two critical goals: Allow employees to be productive no matter where they are, and protect the company’s digital assets.
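The three scenarios above (password only on a company computer at the office, MFA when travelling, block for an unknown device outside the U.S.) amount to a small decision table over the sign-in signals. The following Python is an added example that models such a policy engine; it is not Azure Active Directory's own logic or API. The signal fields, the trusted-country set, the "sensitive apps" set and the sample sign-ins are all constructed for the illustration, and it goes slightly beyond the text by also acting on a real-time risk score, which the article lists as a signal.

```python
from dataclasses import dataclass
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"              # password alone is enough
    REQUIRE_MFA = "require_mfa"  # step up to a second factor
    BLOCK = "block"              # refuse even with correct credentials

@dataclass(frozen=True)
class SignIn:
    """Signals available at the moment of a sign-in attempt (constructed schema)."""
    user: str
    app: str
    country: str
    on_corp_network: bool
    device_registered: bool
    risk: str  # "none" | "low" | "medium" | "high"

# Assumed policy parameters.
TRUSTED_COUNTRIES = {"US"}
SENSITIVE_APPS = {"payroll"}

def evaluate(s: SignIn) -> Decision:
    """Evaluate rules from most to least restrictive so a block always wins."""
    # Unknown device from outside the trusted region: block regardless of credentials.
    if s.country not in TRUSTED_COUNTRIES and not s.device_registered:
        return Decision.BLOCK
    # High real-time risk is blocked even from a known device.
    if s.risk == "high":
        return Decision.BLOCK
    # Anything less than "office, on a registered device, low risk" gets a step-up.
    if s.risk in {"low", "medium"} or not s.on_corp_network or not s.device_registered:
        return Decision.REQUIRE_MFA
    # The requested application is itself a signal: sensitive apps always step up.
    if s.app in SENSITIVE_APPS:
        return Decision.REQUIRE_MFA
    return Decision.ALLOW

def evaluate_all(attempts: list[SignIn]) -> list[Decision]:
    return [evaluate(a) for a in attempts]

# Constructed sample sign-ins mirroring the scenarios in the text.
SAMPLE_ATTEMPTS = [
    SignIn("alice", "my-apps", "US", True, True, "none"),    # at the office, company PC
    SignIn("alice", "my-apps", "US", False, True, "none"),   # on the road, same laptop
    SignIn("alice", "my-apps", "BR", False, False, "none"),  # unknown device, outside US
    SignIn("alice", "payroll", "US", True, True, "none"),    # sensitive app from the office
    SignIn("alice", "my-apps", "US", True, True, "high"),    # company PC but risky session
]

if __name__ == "__main__":
    for attempt, decision in zip(SAMPLE_ATTEMPTS, evaluate_all(SAMPLE_ATTEMPTS)):
        print(f"{attempt.user}@{attempt.country} app={attempt.app:8} -> {decision.value}")
```

Ordering the rules from most to least restrictive is the important design choice: a sign-in that matches both a block condition and an allow condition must be blocked, and every path that is not explicitly allowed falls through to a step-up rather than to an allow.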
An embarrassment of riches
Most of the software reviews I write have a section detailing what a particular application lacks compared to its competitors. Windows Azure Active Directory has the opposite issue: It has virtually every feature you might want and tons of options for each one.
If your IT department has the expertise and infrastructure to navigate a Windows-centric environment, Azure Active Directory can do what you need.
View more information: https://www.fool.com/the-blueprint/windows-azure-active-directory-review/