Azure Active Directory: Finding Harmony in an Ever-Changing world!
As an instructor, I deliver Microsoft courses to many delegates worldwide. However, at times I have to question, why on earth would someone learn a particular course. For me it was less than a year ago and the course was Windows Server 2016 Identity. I had 6 students in my class, and I have to tell you that it was one of the most difficult deliveries ever. Don’t get me wrong, the students were great, the course materials were spot on and I was teaching fine. So, what could have possibly made me feel that the course had been a failure?
As the course progressed, I realised that the material being taught was the exact same course I had delivered ten years earlier: Active Directory, domain controllers, global catalog servers and so on. The problem was that the world had moved on and this material had not. Now, although Active Directory is not dead, it's definitely being measured for its coffin. So, I decided to make the course more relevant for the students and we pretty much covered Azure Active Directory for the rest of the week.
So now you're probably wondering what on earth this story has to do with you. I mean, you already know Azure AD, or already work with it, so what more do you need? Well, like the first part of this story, time moves on and so does technology. Azure AD is changing. In its humble beginnings, it was comprised of nothing more than SQL Server and ADAM, or Active Directory Application Mode, which later became Active Directory Lightweight Directory Services (AD LDS). Although similar in architecture to Windows Server AD, it differed in a number of significant ways, primarily in that it could handle multiple tenants. The easiest way to picture this is to think of Windows File Explorer: imagine that the C drive is Azure and each of the folders represents one of your tenants. Add an extensible schema and a selection of next-generation authentication protocols to support identity federation, i.e. SAML (Security Assertion Markup Language) and OAuth 2.0.
That was then. Nowadays Azure AD handles millions of accounts and processes billions of signals every day. Early on in Office 365, it was all about connecting your on-premises infrastructure to the cloud. Of course, the two technologies are generally incompatible, so a connector was conceived to bridge the gap. DirSync, or Azure AD Connect as it's now known, synchronizes an on-premises directory to Azure AD. That means users, devices, groups and, if Exchange exists on site, mail-enabled contacts. The Azure AD Connect tool also provides the ability to simplify identity federation and provide single sign-on (SSO) to users and devices. More details on Azure AD Connect and how it works can be found here: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-roadmap
The next stage in your Office 365 transition might involve migrating mail from your current server to Exchange Online. Again, this has been well documented and is covered in detail in various Microsoft courses. You also have the option to go with a hybrid solution (on-premises servers essentially see the cloud as an extension of themselves). More details on Exchange migration and hybrid deployments can be found here: https://docs.microsoft.com/en-us/exchange/mailbox-migration/mailbox-migration
Next is securing your online infrastructure. I recently wrote a dedicated article on the plethora of security tools and features, which you can find here: https://www.andymalone.org/post/using-microsoft-365-security-essentials-to-enable-now So what's next for Microsoft 365? Well, if you've still got any physical servers left at all on premises, I'll bet they're running old applications. So, to finally say goodbye to these support nightmares you have some options. Firstly, you can simply upgrade. Most vendors no longer produce on-premises software with a perpetual licence. They tend to develop and host their applications online as part of a subscription service. This provides numerous benefits to subscribers, including free support, free upgrades and of course improved compatibility with other vendors, for example Microsoft, Salesforce, Google and so on. Microsoft 365 has some great features to help you migrate your apps into Azure.
To get started, visit the Azure Migration Center; this portal contains everything you need to get started: https://azure.microsoft.com/en-gb/migration/ One question I'm often asked is: what if I have an application on premises, can I provide access to my users remotely? The answer of course is yes! For this you simply install the Azure AD Application Proxy connector agent onto a server in your location. Once installed, you then map it to your on-site apps and publish them into Azure / Microsoft 365. Easy peasy. Details here: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy
So finally, what's next for Azure AD? Well, if Microsoft continues on its current journey, the need for on-premises servers will be no more. Just like the Application Proxy connector agent, I'll bet the next step is to produce a lighter-weight version of the Connect tool in agent form, with management from the web. With AD FS moving out of fashion and looking like that old pair of corduroys that you used to wear, WebAuthn is the new kid on the block in terms of authentication. So much so, in fact, that Microsoft's vision of passwordless authentication is now upon us and we can finally put those antiquated usernames and passwords to rest. For more details of passwordless authentication solutions and Microsoft Azure, check out this article: https://www.microsoft.com/en-us/security/technology/identity-access-management/passwordless. In terms of WebAuthn, I'll be posting a step-by-step guide soon.
I hope you found this short article useful, and as always please leave your comments below. You can also follow me on Twitter: @AndyMalone
Copyright 2019 Andy Malone