Azure Active Directory is the new identity provider. On-premises environments, and the way they are provisioned, maintained and updated, will soon become the old way of working with computers.
Because nearly all new web applications support SAMLv2 or direct integration with Azure Active Directory, identity and access management for user credentials is changing.
Azure Active Directory exists in three different plans:
– Basic
– Premium P1
– Premium P2
Basic is the plan you get when activating Office 365. This plan allows you to manage users and set the branding images and logos for your tenant.
Premium P1 is the plan you need when looking for advanced group management. You can create dynamic groups of users and assign licenses to users automatically.
Premium P2 is the most advanced plan for Azure AD. With it you can define Privileged Identity Management and risky sign-in policies, and get security reports.
How Identity was planned before Azure
Identity is the main thing to think about in an IT infrastructure. Giving your employees a username and the ability to set their own password is the first thing you had to plan for your infrastructure.
In the old days, we used to think this way: users come to the main building and connect to the company network with their company computer. BAM! We need a username and a password. Job done!
HR was responsible for the "human-oriented stuff" and all administrative tasks, using its own ERP. HR asked IT for every single user entering or leaving the company.
How we need to plan identity today
Automation. Many ERPs can connect to Azure and bring plenty of useful data, so that user creation becomes an automatic task.
Times may be difficult for IT staff and HR that have no automation, because of what we call the Great Reshuffle (see "What is the Great Reshuffle and how is it affecting jobs?", World Economic Forum, weforum.org).
The first question when you think about identity is where you want your main identity to live. You can leave the identity task to Azure and federate with all the applications you need; you can use your own on-premises Active Directory infrastructure and federate to cloud services like Azure AD and other web applications; or you can trust both and let the data sync automatically.
Depending on your industry and your production requirements, you may need to keep working in every situation, including an internet failure. If so, you may need an identity server on-premises.
The mobility challenge
Nowadays, users connect from anywhere in the world, with their laptop or their mobile phone, using plenty of cloud applications with their work email. The IT crowd may not even know that users are using the same password as for Windows on every web platform they use for work. This leads to a new problem: weak passwords. Because plenty of password databases can be found on the darknet, hackers were using these databases to correlate a non-professional account with the work account of the same person. You may just have a look at this website and check whether your password was once stolen in a big data leak: https://haveibeenpwned.com/Passwords . The result, most of the time, is that people are using the same password everywhere. This is human.
Users at home are using weak hardware or old assets connected by wifi to a poorly secured network. The wifi password hasn't changed for the last 10 years. The printer is 10 years old and no longer receives security patches. The children's laptops never get updates.
When they travel, they usually go to secured access points with no computer interactions (isolated assets in the access point). But sometimes, they just connect to a free wifi with plenty of people using it without any security. I remember once connecting to an access point and having access to a PlayStation on the same network from the YouTube application. -_- What a mess!
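As an added example (not part of the original post), this Python script shows how the check the paragraph points to can be done without the password, or even its full hash, ever leaving the client: Have I Been Pwned's Pwned Passwords API accepts only the first five hex characters of the password's SHA-1 hash at its k-anonymity range endpoint (https://api.pwnedpasswords.com/range/) and returns every known suffix for that prefix with its breach count. The sample response body is constructed for offline use; `fetch_range` performs the real HTTPS call.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    sent to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Query the k-anonymity range endpoint for one 5-char prefix (network)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "password-reuse-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, range_body: str) -> int:
    """Return how many times the password appears in the breach corpus,
    given the range response for its prefix (0 if the suffix is absent)."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_body.splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def is_pwned(password: str) -> bool:
    """Live check: True if the password appears at least once in the corpus."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix)) > 0


# Constructed sample response for prefix 5BAA6 (the SHA-1 prefix of "password");
# a real response lists every known suffix, and the counts here are made up.
SAMPLE_RANGE_BODY = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""

if __name__ == "__main__":
    print(breach_count("password", SAMPLE_RANGE_BODY))  # 3861493 with the sample
```

Wiring `is_pwned` into a password-change flow rejects reused, already-leaked passwords at the moment a user picks them, which is the point at which the reuse problem described above can still be stopped.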
How to choose the right plan for every user
Depending on the user, you may choose different plans.
I would recommend choosing Azure Basic for a small business. This is because you don't need all the automation yet, and MFA is now supported by default.
Once your business is growing and you are hiring a lot of people and using a lot of web applications, I would recommend Azure AD P1, which is the minimum requirement for some cloud security services like Conditional Access and for starting to automate licensing and group management.
Azure AD P2 should be bought by default for every cloud admin. It allows you to use and configure Identity Protection. You will also be able to get reports about risky users and risky sign-ins and connect the logs to Azure Sentinel.
Curious?
Discover Microsoft Entra and start talking about decentralized identity!
Microsoft Entra – Secure Identities and Access | Microsoft Security