Understanding Azure Active Directory - Features, Services, And Licensing

Active Directory (AD) is a Microsoft technology that manages and organizes users, computers, and other resources in a networked environment. This article will discuss the basic concepts of Active Directory and its different types. We will also explore the differences between Azure AD and on-premises AD and dive into multi-tenant Azure AD, Azure AD B2B, Azure AD B2C, Azure AD Graph API, and the different licensing options available for Azure AD.

Contents

  1. What is an Active Directory (AD)?
  2. Differences between Azure AD and on-premises AD
  3. Understanding Azure AD B2C and Azure AD B2B
  4. Multi-tenant Azure AD
  5. Features and Capabilities of Azure AD
  6. Licensing Options for Azure AD
  7. Azure AD Graph API

1. What is an Active Directory (AD)?

AD stands for Active Directory, a Microsoft technology used to manage and organize users, computers, and other resources in a networked environment. You can summarize AD under the following pointers:

  1. It provides a central directory service for network administrators to manage user and computer accounts, groups, and permissions. 
  2. With AD, users can log in once and gain access to network resources, such as files and printers, without having to provide credentials each time. 
  3. AD also provides features such as Group Policy, which enables administrators to control and manage the configuration settings of computers and users in an organization.

2. Differences between Azure AD and on-premises AD

Azure Active Directory (Azure AD) is a cloud-based identity and access management service provided by Microsoft as a part of the Azure cloud platform. It is a modern, cloud-based version of the traditional on-premises Active Directory (AD) used in many organizations.

Azure AD is a central repository for user accounts, passwords, and access permissions to cloud-based and on-premises resources. It provides authentication and authorization services to cloud-based applications and services, including Microsoft 365, Azure services, and third-party SaaS applications. Azure AD also enables single sign-on (SSO) for users, allowing them to access multiple applications with a single set of credentials.

Azure AD provides many of the same identity and access management capabilities as on-premises AD but with added features such as multi-factor authentication, conditional access policies, and integration with Microsoft's cloud-based security services.

On-premises AD is a server-based service that runs on physical or virtual servers within an organization's network. A key difference is that while on-premises AD requires significant IT infrastructure and management, Azure AD is a fully managed service that Microsoft provides, reducing the operational overhead for organizations.

As we understand the fundamental difference between cloud and on-prem AD. Now we move on to cloud Azure AD and dig deeper.

3. What are Azure AD B2C and Azure AD B2B

Azure AD B2C (Business to Customer) is a service within Azure AD that enables businesses to manage identity and access for their customers. It provides user registration, authentication, and self-service password reset features, allowing businesses to customize the user interface and user experience of their customer-facing applications.

Azure AD B2B (Business to Business) is a feature within Azure AD that allows businesses to share resources and collaborate with users outside their organization, such as partners or vendors. It enables businesses to provide access to their applications and resources to users from other organizations while maintaining control over their data and resources.

The main difference between Azure AD, Azure AD B2C, and Azure AD B2B is their focus and target audience. Azure AD is designed to manage identity and access for employees and partners within an organization. In contrast, Azure AD B2C is designed to manage identity and access for customers accessing business applications, and Azure AD B2B is designed to manage identity and access for external partners and vendors.

4. What is Multi-tenant Azure AD

Multi-tenant Azure AD is a type of Azure AD that allows organizations to manage multiple tenants or customers within a single directory. This can be useful for companies that provide services to multiple customers, such as software-as-a-service (SaaS) providers.

A real-world use case for multi-tenant Azure AD could be a healthcare software provider offering multiple healthcare organizations a patient management system. Each healthcare organization would be a separate tenant in the multi-tenant Azure AD, allowing the healthcare software provider to manage authentication and authorization for each tenant separately.

With multi-tenant Azure AD, each tenant can have their own set of users, groups, and applications and manage their directory data. The healthcare software provider can also set up custom branding for each tenant, so the login pages and other elements of the user experience can be customized to each tenant's brand.

5. Features and Capabilities of Azure AD

  • Azure AD provides user and group management, password management, and multi-factor authentication to help secure access to applications and data.
  • Azure AD enables single sign-on (SSO) for cloud and on-premises applications and integration with thousands of pre-integrated SaaS applications.
  • Azure AD supports conditional access policies, which enable you to enforce access controls based on various conditions such as user, device, location, and risk level.
  • Azure AD offers advanced threat protection, including risk-based conditional access policies, user risk detections, and sign-in risk detections.
  • Azure AD provides a range of reporting and monitoring capabilities to help administrators track user activity, monitor sign-ins, and detect suspicious activity.
  • Azure AD Connect enables synchronization of on-premises identities with Azure AD to support hybrid identity scenarios.

6. Licensing Options for Azure AD

The three main options are:

  • Free: Provides basic identity and access management features for up to 500,000 objects.
  • Basic: Includes SSO for cloud apps, self-service password reset, and group management. They are priced per user per month.
  • Premium: Includes all Basic features plus advanced identity protection and access management features such as conditional access and identity governance. They are priced per user per month.

7. Azure AD Graph API

Azure AD Graph API is a RESTful API that enables developers to access and manage Azure Active Directory resources such as users, groups, and applications. It allows developers to programmatically access and manage user accounts, groups, and other resources in Azure AD. The Graph API can be used to build applications integrating with Azure AD.

With the Azure AD Graph API, developers can perform various operations, such as creating and managing users and groups, managing device registrations, and retrieving user and group information. The Graph API also supports filtering, sorting, and paging operations, which can retrieve only the required data and reduce the amount of data transferred over the network.

A real-world use case for the Azure AD Graph API could be to build a custom application that integrates with Azure AD for user authentication and authorization. For example, a company could use the Graph API to build a custom web application that allows employees to view and manage their information in Azure AD, such as their contact information, group memberships, and application access rights. Another example could be to use the Graph API to build an automated process that creates new user accounts and assigns them to specific groups based on certain criteria, such as department or role.

Check out the simple example of a .NET Core console application that uses the Microsoft Graph API to list the current user's contact information, group memberships, and application access rights in Azure AD.

First, you must register your application with Azure AD and grant it the necessary permissions to access the Graph API. You can follow the instructions in the Microsoft documentation for more information on how to do this: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

Next, install the Microsoft Graph SDK for .NET by running the following command in the Package Manager Console in Visual Studio:

Install-Package Microsoft.Graph

Then, you can use the following code as a starting point for your application:

using System;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Identity.Client;
class Program {
    static async Task Main(string[] args) {
        // Replace these values with your own
        string clientId = "<your-client-id>";
        string tenantId = "<your-tenant-id>";
        string[] scopes = new string[] {
            "https://graph.microsoft.com/.default"
        };
        // Authenticate with Azure AD
        var app = PublicClientApplicationBuilder.Create(clientId).WithAuthority(AzureCloudInstance.AzurePublic, tenantId).Build();
        var result = await app.AcquireTokenInteractive(scopes).ExecuteAsync();
        // Create a GraphServiceClient to call the Graph API
        var graphClient = new GraphServiceClient(new DelegateAuthenticationProvider(async (requestMessage) => {
            requestMessage.Headers.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Bearer", result.AccessToken);
        }));
        // Get the current user's profile
        var me = await graphClient.Me.Request().GetAsync();
        Console.WriteLine($ "Name: {me.DisplayName}");
        Console.WriteLine($ "Email: {me.Mail}");
        // Get the current user's group memberships
        var groups = await graphClient.Me.MemberOf.Request().GetAsync();
        Console.WriteLine($ "Group memberships:");
        foreach(var group in groups.CurrentPage) {
            Console.WriteLine($ "- {group.DisplayName}");
        }
        // Get the current user's application roles
        var appRoles = await graphClient.Me.AppRoleAssignments.Request().GetAsync();
        Console.WriteLine($ "Application roles:");
        foreach(var appRole in appRoles.CurrentPage) {
            Console.WriteLine($ "- {appRole.AppRoleId}");
        }
    }
}

This code uses the Microsoft Identity Client (MSAL) to authenticate with Azure AD and acquire an access token for the Graph API. It then uses the Microsoft Graph SDK to call the Graph API and retrieve the current user's profile, group memberships, and application roles.

Note that this is just a simple example to get you started. In a real-world scenario, you would likely want to add more error handling and validation, and support for pagination and filtering large datasets.

See another example of how you could use the Microsoft Graph API to automate the creation of new user accounts in Azure AD and assign them to specific groups based on certain criteria using .NET Core.

using Microsoft.Graph;
using Microsoft.Graph.Auth;
using Microsoft.Identity.Client;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
namespace UserCreationAutomation {
    class Program {
        static async Task Main(string[] args) {
            // Set up the Graph API client
            IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder.Create("<YOUR_APP_CLIENT_ID>").WithTenantId("<YOUR_TENANT_ID>").WithClientSecret("<YOUR_APP_CLIENT_SECRET>").Build();
            ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);
            GraphServiceClient graphClient = new GraphServiceClient(authProvider);
            // Set up some basic parameters
            string department = "Sales";
            string role = "Manager";
            int pageSize = 50;
            // Get all users that match the specified criteria
            List < User > users = new List < User > ();
            var userRequest = graphClient.Users.Request().Filter($ "department eq '{department}' and extension_f59d5564e4f34a4c9b9ac334cd8f2a2f_Role eq '{role}'").Top(pageSize);
            do {
                var batch = await userRequest.GetAsync();
                users.AddRange(batch.CurrentPage);
                userRequest = batch.NextPageRequest;
            } while (userRequest != null);
            // Create new users and add them to a specified group
            string groupId = "<YOUR_GROUP_ID>";
            foreach(User user in users) {
                try {
                    var newUser = new User {
                        AccountEnabled = true,
                            DisplayName = user.DisplayName,
                            GivenName = user.GivenName,
                            Surname = user.Surname,
                            UserPrincipalName = $ "{user.GivenName}.{user.Surname}@<YOUR_DOMAIN>.onmicrosoft.com",
                            MailNickname = $ "{user.GivenName}.{user.Surname}",
                            PasswordProfile = new PasswordProfile {
                                Password = "Pa$$w0rd123",
                                    ForceChangePasswordNextSignIn = true
                            }
                    };
                    await graphClient.Users.Request().AddAsync(newUser);
                    var group = new DirectoryObject {
                        Id = groupId
                    };
                    var member = new DirectoryObject {
                        Id = newUser.Id
                    };
                    await graphClient.Groups[groupId].Members.References.Request().AddAsync(member);
                } catch (Exception ex) {
                    Console.WriteLine($ "Error creating user {user.DisplayName}: {ex.Message}");
                }
            }
        }
    }
}

In this example, we start by setting up the Graph API client using the app client ID, tenant ID, and client secret. We also specify some basic parameters for the script, such as the department and role criteria and the page size for pagination. Using the Filter method, we use the User object to retrieve all users that match the specified criteria. We retrieve users in batches of the specified page size using the Top method and the NextPageRequest property. Finally, we create new users using the AddAsync method and add them to the specified group using the Members.References.Request().AddAsync method. We also include error handling using a try-catch block.

Remember that this is just a basic example that I tried to show, and you should modify the code per your specific requirements.

Conclusion

Azure Active Directory (Azure AD) is a cloud-based identity and access management service that provides authentication and authorization services to cloud-based applications and services, including Microsoft 365, Azure services, and third-party SaaS applications. It is a modern, cloud-based version of the traditional on-premises Active Directory (AD) used in many organizations. Azure AD B2C and Azure AD B2B are two services within Azure AD that allow businesses to manage identity and access for their customers and external partners, respectively. Multi-tenant Azure AD is a type of Azure AD that will enable organizations to manage multiple tenants or customers within a single directory. Azure AD provides a wide range of features and capabilities for managing user identities and access to applications, including identity management, application access management, conditional access, identity protection, reporting and monitoring, and Azure AD Connect. The Azure AD Graph API is a RESTful API that enables developers to access and manage Azure Active Directory resources.


Similar Articles