Key benefits of Azure Active Directory include:<\/strong><\/p>\n\n\n\n Single sign-on (SSO): <\/strong>Users can sign in once to Azure AD and then access multiple applications and services without the need for separate credentials. This improves user productivity and reduces password-related issues.<\/p>\n\n\n\n What is single sign-on? – Microsoft Entra | Microsoft Learn<\/a><\/p>\n\n\n\n Centralized identity management:<\/strong> Azure AD allows organizations to manage user identities, groups, and access policies in a centralized manner. It provides features for user provisioning, self-service password reset, and group-based access control.<\/p>\n\n\n\n Multi-factor authentication (MFA):<\/strong> Azure AD supports various MFA methods, such as SMS, phone call, or mobile app verification, to add an extra layer of security to user sign-ins.<\/p>\n\n\n\n Azure AD Multi-Factor Authentication overview – Microsoft Entra | Microsoft Learn<\/a><\/p>\n\n\n\n Application management:<\/strong> Azure AD enables organizations to securely manage access to their applications, whether they are hosted in the cloud or on-premises. It provides features like application registration, single sign-on integration, and user access reviews.<\/p>\n\n\n\n What is application management? – Microsoft Entra | Microsoft Learn<\/a><\/p>\n\n\n\n B2B and B2C scenarios: <\/strong>Azure AD supports business-to-business (B2B) collaboration scenarios, allowing organizations to grant access to external partners or customers. It also offers Azure AD B2C, which is designed for customer-facing applications that require identity management for external users.<\/p>\n\n\n\n Azure Active Directory has several editions, each designed to cater to specific organizational requirements. The editions include:<\/strong><\/p>\n\n\n\n Azure Active Directory | Microsoft Azure<\/a><\/p>\n\n\n\n Free Edition:<\/strong> This edition provides basic identity and access management capabilities for up to 50,000 directory objects (users, groups, and contacts). It includes features like user and group management, single sign-on for cloud applications, and self-service password reset.<\/p>\n\n\n\n Office 365 Apps Edition:<\/strong> This edition is designed for organizations using Office 365 applications. It includes all the features of the Free Edition and provides additional capabilities for Office 365 services.<\/p>\n\n\n\n Premium P1 Edition:<\/strong> This edition offers advanced identity protection, access management, and security features. It includes features like conditional access policies, self-service group management, advanced reporting, and Azure AD Identity Protection.<\/p>\n\n\n\n Premium P2 Edition:<\/strong> This is the most comprehensive edition, providing all the features of the Premium P1 Edition along with additional capabilities such as Azure AD Identity Governance, privileged identity management, and Microsoft Identity Manager.<\/p>\n\n\n\n Azure Active Directory serves as the underlying identity and access management service<\/strong> for various Microsoft cloud services, including Azure subscriptions, Office 365 (O365), Dynamics CRM Online, Enterprise Mobility + Security (EMS), and more. Azure AD acts as the directory service<\/strong> that manages user identities, authentication, and authorization for these cloud services.<\/p>\n\n\n\n Security Assertion Markup Language (SAML):<\/strong> AAD can act as a SAML identity provider (IdP), allowing users to authenticate to applications and services that support SAML-based authentication. SAML enables single sign-on (SSO) between different systems and simplifies user authentication by exchanging XML-based security assertions.<\/p>\n\n\n\n OAuth 2.0:<\/strong> AAD supports OAuth 2.0, an open standard for authorization. It enables applications to obtain access tokens from AAD to access protected resources on behalf of a user. OAuth 2.0 is commonly used for scenarios like granting permissions to third-party applications and enabling delegated access to APIs.<\/p>\n\n\n\n OpenID Connect:<\/strong> AAD is an OpenID Connect (OIDC) provider, which is an authentication layer built on top of OAuth 2.0. OIDC enables clients (such as web or mobile applications) to authenticate users and obtain identity information in the form of JSON Web Tokens (JWTs). It provides features like SSO, user authentication, and identity claims.<\/p>\n\n\n\n WS-Federation:<\/strong> AAD supports the WS-Federation protocol, which is a web services protocol used for exchanging security tokens between a security token service (STS) and a web service. WS-Federation enables SSO across different systems and federated authentication scenarios.<\/p>\n\n\n\n Kerberos and NTLM:<\/strong> AAD supports Kerberos and NTLM authentication protocols for scenarios where users need to authenticate using Windows domain credentials. This allows seamless integration with on-premises Active Directory environments and enables users to access cloud resources without the need for separate credentials.<\/p>\n\n\n\n Certificate-based authentication:<\/strong> AAD supports authentication using client certificates. Applications can use X.509 certificates to authenticate themselves to AAD, providing a secure means of authentication.<\/p>\n\n\n\n AAD provides the foundational identity and access management capabilities for Office 365. It manages user identities, enables authentication and SSO, allows administrators to control access and security settings, and integrates with other Azure services to enhance the overall productivity and security of Office 365 environments.<\/p>\n\n\n\n AAD has several built-in admin roles that provide different levels of access and control over the AAD resources and user accounts.<\/p>\n\n\n\n Azure AD built-in roles – Microsoft Entra | Microsoft Learn<\/a><\/p>\n\n\n\n Self-service Password Change\/Reset (SSPR) allows users to change or reset their passwords without contacting IT support.<\/p>\n\n\n\n Enable Azure Active Directory self-service password reset – Microsoft Entra | Microsoft Learn<\/a><\/p>\n\n\n\n The license requirement for sync users from on-premises Active Directory to Azure AD depends on the features you want to use. Azure AD Premium P1 or P2, or a Microsoft 365 license with Azure AD Premium, typically includes Azure AD Connect for synchronization.<\/p>\n\n\n\n Self-service group management in Azure Active Directory allows users to create and manage security groups without IT support. Basic group management is available to all users, while advanced features may require an Azure AD Premium license (P1 or P2) or a Microsoft 365 license with Azure AD Premium.<\/p>\n\n\n\n Set up self-service group management – Microsoft Entra | Microsoft Learn<\/a><\/p>\n\n\n\n Azure AD Connect is a Microsoft tool used to synchronize on-premises Active Directory (AD) identities and attributes with Azure Active Directory (AAD). It enables organizations to integrate their on-premises AD infrastructure with Azure AD, providing a unified identity and access management experience for both on-premises and cloud-based resources.<\/p>\n\n\n\n The main functions of Azure AD Connect include:<\/strong><\/p>\n\n\n\n Directory Synchronization:<\/strong> Azure AD Connect synchronizes user accounts, groups, and other directory objects from the on-premises AD to Azure AD. This ensures that user identities and attributes are consistent across both environments.<\/p>\n\n\n\n Password Hash Synchronization: <\/strong>This feature synchronizes user passwords from on-premises AD to Azure AD, allowing users to use the same password for authentication in both environments.<\/p>\n\n\n\n Federation Integration:<\/strong> Azure AD Connect supports federation scenarios, enabling organizations to establish trust relationships between their on-premises AD and Azure AD. This facilitates single sign-on (SSO) and seamless access to cloud-based applications.<\/p>\n\n\n\n Seamless Single Sign-On (SSO): <\/strong>Azure AD Connect enables SSO for users accessing Azure AD-integrated applications from domain-joined devices. This eliminates the need for users to enter their credentials multiple times.<\/p>\n\n\n\n Customization and Filtering: <\/strong>The tool provides customization options to filter objects and attributes during synchronization, allowing organizations to control which data is synchronized and which attributes are visible in Azure AD.<\/p>\n\n\n\n Microsoft Account:<\/strong> A Microsoft Account is a personal account provided by Microsoft that allows users to sign into a wide range of Microsoft services, such as Outlook.com, OneDrive, Xbox Live, and Microsoft Store. It is typically associated with a personal email address, such as Outlook.com, Hotmail.com, or Live.com.<\/p>\n\n\n\n Authentication request URL: login.microsoftonline.com<\/p>\n\n\n\n Work Account:<\/strong> A Work Account, also known as an Organizational Account, is an account provided by an organization or employer using Azure Active Directory . It allows users to access organizational resources, such as Microsoft 365, Azure services, and other work-related applications. Work Accounts are associated with the user’s work or school email address.<\/p>\n\n\n\n Authentication request URL: login.live.com<\/p>\n\n\n\n Email as Sign-In Account:<\/strong> Email as Sign-In Account refers to the option of using an email address as the username for signing into Microsoft services. This can apply to both Microsoft Accounts and Work Accounts, where the email address serves as the primary identifier for authentication.<\/p>\n\n\n\n An Azure AD tenant is not subordinate to an Azure subscription, but rather, an Azure subscription belongs to an Azure AD tenant. Users, groups, and applications authorized to access an Azure subscription must exist in the same Azure AD tenant. <\/p>\n\n\n\n The Global Administrator role in Azure AD does not grant access to Azure subscriptions by default. However, a Global Admin in an Azure AD tenant can grant themselves access to Azure subscriptions within that same tenant. <\/p>\n\n\n\n Users can create new Azure AD tenants, and when they do, they become external users in the new tenant’s Global Admin role. The new tenant has no direct relationship with any Azure subscriptions initially. <\/p>\n\n\n\n Referencing the blog post from Microsoft EEE: Demystifying the relationship of Azure AD and Azure Subscription. \u2013 TheIdentityGuy (wordpress.com)<\/a><\/p>\n\n\n\n Please note that transferring an Azure tenant requires assistance from Azure support, as it involves administrative actions that must be carefully managed to maintain data security and access control. <\/p>\n\n\n\n Here is the link to Microsoft’s documentation that provides step-by-step instructions for the tenant transfer process:<\/p>\n\n\n\n Transfer an Azure subscription to a different Azure AD directory | Microsoft Learn<\/a><\/p>\n\n\n\n A verified domain in the context of Azure Active Directory (Azure AD) is a domain that has been confirmed and associated with an organization or customer. When a domain is verified, it demonstrates that the customer has ownership and control over the domain.<\/p>\n\n\n\n To verify a domain, Microsoft employs a variety of methods to ensure that the domain belongs to the customer:<\/strong><\/p>\n\n\n\n Domain ownership verification: <\/strong>Microsoft may request the customer to add a specific DNS record or a TXT record to their domain’s DNS configuration. This record acts as proof of domain ownership. Microsoft’s systems can then verify the presence of this record to confirm that the customer has control over the domain.<\/p>\n\n\n\n Add and verify custom domain names – Microsoft Entra | Microsoft Learn<\/a><\/p>\n\n\n\n Other sort of verification methods may include, Email-based verification, File-based verification, Third-party domain provider verification (Require assistance from Azure support).<\/p>\n\n\n\n By employing these methods, Microsoft ensures that only authorized individuals or organizations can claim and verify domains within Azure AD. This verification process helps maintain security, prevents unauthorized domain usage, and establishes trust between Azure AD and the domain owners.<\/p>\n\n\n\n It’s recommended to refer to Microsoft’s official documentation or the Azure portal for the most up-to-date information on the available reports and their functionality.<\/p>\n\n\n\n What are Azure Active Directory reports? – Microsoft Entra | Microsoft Learn<\/a><\/p>\n\n\n\n Sign-ins:<\/strong> This report provides information about user sign-ins to Azure AD and associated details like sign-in time, location, client application used, and result (success, failure, or conditional access).<\/p>\n\n\n\n Audit logs:<\/strong> This report provides a comprehensive record of activities and events within Azure AD, including sign-ins, user management actions, application access, and more. It allows administrators to monitor and investigate activities in their directory.<\/p>\n\n\n\n Risky sign-ins:<\/strong> This report focuses on sign-ins that are flagged as risky based on Azure AD’s built-in risk detection mechanisms. It helps administrators identify potential security threats and take appropriate actions.<\/p>\n\n\n\n
\n\n\n\nQ2. What’s the relationship between Azure subscription, O365, Dynamics CRM Online, EMS or other Microsoft cloud services with Azure AD tenant?<\/h3>\n\n\n\n
\n\n\n\nQ3. What authentication protocols does AAD support?<\/h3>\n\n\n\n
\n\n\n\nQ4. What’s the relationship between O365 and AAD?<\/h3>\n\n\n\n
\n\n\n\nAAD Identity Management<\/strong><\/h2>\n\n\n\n
\n\n\n\nQ1. How many AAD admin roles does AAD has?<\/h3>\n\n\n\n
\n\n\n\nQ2. What’s Self-service Password Change\/Reset? What’s the license requirement for sync user and cloud user?<\/h3>\n\n\n\n
\n\n\n\nQ3. What’s Self-service group management? What’s the license requirement for this feature?<\/h3>\n\n\n\n
\n\n\n\nQ4. What does AAD Connect do?<\/h3>\n\n\n\n
\n\n\n\nAAD Domain and Tenant Management<\/strong><\/h2>\n\n\n\n
\n\n\n\nQ1. What’s Microsoft account, work account, email as sign in account? What’s the URL handing the authentication request?<\/h3>\n\n\n\n
\n\n\n\nQ2. What’s the relationship of Azure AD and Azure Subscription?<\/h3>\n\n\n\n
\n\n\n\nQ3. How to transfer Azure tenant for an Azure Subscription? <\/h3>\n\n\n\n
\n\n\n\nQ4. What’s verified domain? How does Microsoft know the domain belongs to this customer?<\/h3>\n\n\n\n
\n\n\n\nAAD Reporting<\/strong><\/h2>\n\n\n\n
\n\n\n\nQ1. How many AAD reports under Activity section do we have?<\/h3>\n\n\n\n
![\"\"](\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/06\/image-53.png\")
<\/figure>\n\n\n\n
\n\n\n\nQ2. What’s the retention of each AAD reports?<\/h3>\n\n\n\n
![\"\"](\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/06\/image-54.png\")
<\/figure>\n\n\n\n![\"\"](\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/06\/image-55.png\")
<\/figure>\n\n\n\n