Connecting on-premises Active Directory to Azure AD can give your org these 5 great advantages (+ how to do it)

Azure AD is an identity platform built for the modern world. Of course, Azure AD doesn’t replace your on-prem Active Directory, but it does complement and extend its capabilities, solving many traditional on-prem identity problems such as these:

  • You need to simplify logon and identity to your primary business productivity platform. Get AAD.
  • You need to simplify logon and identity to your primary business SaaS-based apps. Get AAD.
  • You need to give access to internal apps without a VPN. Get AAD.
  • You need to stop your developers building random identity platforms and making your life hard. Get AAD.
  • You need MUCH better user activity insight, i.e. breach detection. Get AAD.


Office 365

What came first, the chicken or the egg? If you’re using Office 365 you’re using Azure AD: the two come interconnected out of the box (at least they would if there were a box). Azure AD stores all the identities for everyone in your Office 365 tenant. Even if you’re only using the Office 365 administration experience, you’ve already been onboarded to Azure AD. That makes it very easy to explore some of the adjacent possibilities that Azure AD provides you.

You can be up and running quickly with everything else on this page.

However, one thing you should absolutely be doing if you have Office 365 is integrating it with your on-prem AD through the use of Azure Active Directory Sync, or its predecessor DirSync. This gives you something that no other productivity platform can – integrated identity and sign-on with your Windows PCs.

Single Sign on to 2400+ UNLIMITED Public SaaS Apps!

One of the huge advantages of Azure AD is that it links you to a gallery of 2400+ SaaS applications for single sign-on (with big names like Salesforce, Dropbox, Box and Google Apps). That means that any of your users can access applications that you’ve configured for them with the EXACT SAME username and password that they use to sign in to the Windows PC they use every day. So they don’t need to manage* a username and password combo for each one of those apps.

*Managing a username and password for your users involves writing them down on a sticky note, under their keyboard or – worse – keeping them in a searchable text file on their home drive. Users suck at password management – don’t make them do it!

Connecting the SaaS-based apps your company uses to the people who use them through SaaS app management in Azure AD is the best of both worlds here. Simple for users, simple to administer. If the app you want to connect is in the gallery, you are basically a few clicks away from getting your users connected to it with their AD identity.

Even if the app that you want to connect to isn’t on the list, you still don’t have to do anything complicated to connect to it. It’s utterly amazing, but we can actually provide single sign-on to ANY app now by adding a custom application. It can even be your own publicly accessible site that is using an authentication directory that IS NOT AD. Heck, it could even be a row in a MySQL DB!

Take a look at the Edge Show that I recorded just a couple of weeks ago with Lead Program Manager Eran Dvir from our Identity team to learn a load more.

Safely Publish Your Internal Apps

Azure AD Application Proxy lets you take an internal HTTP- or HTTPS-based web app and publish it to groups of your users. The huge advantage here is that you don’t have to go and create a bunch of new inbound firewall rules: the on-prem connector makes only outbound connections to the service. The advantage to your users is that they get access to the apps without first having to VPN back into the company – they just go to the App Portal and click the app they want. They don’t get prompted for authentication again (as long as the app is using integrated auth), since they have already authenticated to use the application portal.

A single identity platform for your developers to work with

You’ve been there, I’ve been there. Your internal development team comes to you with “AwesomeSauce_V2_ExpenseSystem” and they say “all you need to do is deploy this front end web service and this blah..blah..blah…identity service and oh yeah, can you do a daily export and import of all the user accounts?”. You’ve been there, right? The implementation that turns into a run-the-business project? Comment below!

Azure AD lets you turn right around to them and say “NO!!!!” Azure AD provides REST-based APIs (which developers love) that your developers’ apps can use for authentication, but also to reach more information held in Azure AD. By the way, here is the Azure AD API documentation that you can give to them…and yes, it includes PHP and Java code samples! Heck, it even includes iOS code samples!

What does this really mean for an IT admin? Microsoft has made it easier to talk with your developers about integrating into Azure AD than with ANY other enterprise identity platform. That makes all aspects of IT service delivery around that application much easier. It will save you time and money, and make your users’ lives easier. Everyone wins.

Machine learning for security

Everyone has been “hacked”. Every network has been compromised.

If you don’t think you have been, you’re probably wrong, and certainly your base assumption about security is wrong. You need to assume a breach and have systems to help you identify, manage, control, isolate and report that breach. It has become imperative to know where and when your users have signed into “the system” so that you can tell your auditors what has happened. But how can you take this information and do something even more useful with it?

Azure AD provides you with reporting tools to do just that. It will show you where every login to Azure AD has occurred from, every time someone’s credentials were exercised. Azure AD will remember what devices a user accesses from and when they access, and will LEARN how your users behave.

Then, when something out of the ordinary happens, Azure AD will let you know!

You can see that someone in customer services has outsourced their own job to a virtual assistant in another country: Azure AD will let you know when someone did the impossible and travelled between two locations too quickly. Azure AD will let you know when someone has signed in from a device that might have been reported as having malware at some point. Azure AD can do all that by watching sign-on patterns, not by being invasive and breaching your users’ privacy.
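The “travelled too quickly” check described above, as an added example that is not Microsoft’s code or part of the original post: it runs a plain distance-over-time rule on a constructed sign-in log, where a real service would layer learned per-user baselines on top. User names, timestamps and coordinates are made up for illustration.

```python
# Added example: a minimal "impossible travel" rule over constructed sign-in records.
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner speed; anything faster is "impossible"

# Constructed sign-in log (not real data): user, UTC timestamp, latitude, longitude
SIGN_INS = [
    ("alice", "2015-06-01T08:00:00Z", 47.6062, -122.3321),  # Seattle
    ("alice", "2015-06-01T08:45:00Z", 47.6101, -122.2015),  # Bellevue, 45 min later
    ("alice", "2015-06-01T10:00:00Z", 51.5074, -0.1278),    # London, 75 min later
    ("bob",   "2015-06-01T09:00:00Z", 40.7128, -74.0060),   # New York
    ("bob",   "2015-06-01T19:00:00Z", 51.5074, -0.1278),    # London, 10 h later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(sign_ins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Compare each user's consecutive sign-ins and return a tuple
    (user, from_ts, to_ts, km, kmh) for every pair whose implied speed exceeds max_kmh."""
    alerts = []
    last = {}  # user -> (timestamp string, datetime, lat, lon) of previous sign-in
    # ISO-8601 UTC strings sort chronologically, so sorting by (user, timestamp) is enough
    for user, ts, lat, lon in sorted(sign_ins, key=lambda r: (r[0], r[1])):
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if user in last:
            p_ts, p_when, p_lat, p_lon = last[user]
            km = haversine_km(p_lat, p_lon, lat, lon)
            hours = (when - p_when).total_seconds() / 3600.0
            # Same-second sign-ins from clearly different places count as infinite speed
            kmh = km / hours if hours > 0 else (float("inf") if km > 1.0 else 0.0)
            if kmh > max_kmh:
                alerts.append((user, p_ts, ts, round(km), round(kmh)))
        last[user] = (ts, when, lat, lon)
    return alerts


if __name__ == "__main__":
    for user, from_ts, to_ts, km, kmh in impossible_travel(SIGN_INS):
        print(f"{user}: {from_ts} -> {to_ts} is {km} km, implying {kmh} km/h")
```

Only alice's Bellevue-to-London hop is flagged; bob's ten-hour New York-to-London gap is a plausible flight and passes.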

(+how to do it)

As I was writing I included some resources along the way, but it’s always good to finish with a few ways you can get yourself started:

Free Online Learning

Microsoft Virtual Academy has a great Identity and Access Management training course to get you up and running.


Here’s a great vLab to get you up and testing quickly without having to create your own on-prem AD Lab: Launch the Azure Active Directory Fundamentals Lab

To do everything that I’ve mentioned in this article, you will need Azure AD Premium.
