In this blog post I would like to show you my favorite Azure Active Directory Premium features, with some use cases showing how you can use them in your environment.
In a mobile-first, cloud-first world, the Enterprise Mobility Suite (EMS) helps ensure that only authorized users are permitted to access corporate email and documents, using security features such as cloud-based authentication and authorization, multi-factor authentication, and advanced security reports that leverage Microsoft Azure machine learning capabilities.
Integrated identity is the control plane of modern enterprise mobility.
All Microsoft Online business services rely on Azure Active Directory (Azure AD) for sign-on and other identity needs. If you subscribe to any Microsoft Online business service (e.g. Office 365 or Microsoft Azure), you get Azure AD.
Below is a short comparison of the Azure AD editions:
- Free – The Free edition of Azure AD is part of every Azure subscription. There is nothing to license and nothing to install. With it, you can manage user accounts, synchronize with on-premises directories, and get single sign-on across Azure, Office 365, and thousands of popular SaaS applications.
- Basic – Azure AD Basic edition meets the application access and self-service identity management requirements of task workers with cloud-first needs. With the Basic edition of Azure AD, you get all the capabilities of the Free edition, plus group-based access management, self-service password reset for cloud applications, Azure AD Application Proxy, a customizable environment for launching enterprise and consumer cloud applications, and an enterprise-level SLA of 99.9 percent uptime.
In EMS workshops I always show the benefits of the Azure AD Premium edition: I describe scenarios where it makes sense to use and explain why you should upgrade to this edition.
To sign up and start using Active Directory Premium today, see Getting started with Azure Active Directory Premium.
If you are using the Free or Basic edition, you can enable a Premium trial free for one month. See the how-to here.
Azure AD Premium delivers robust identity and access management from the cloud, in sync with your existing on-premises deployments:
- Self-service group management: Azure Active Directory Premium simplifies day-to-day administration of groups by enabling users to create groups, request access to other groups, and delegate group ownership so that others can approve requests and maintain their group's memberships.
Scenario 1: in education, students can request access to the group for a new semester subject, where the course material and applications are made available. The request has to be approved by the professor.
Scenario 2: in education, students can create their own Azure AD groups for semester work.
- Advanced security reports and alerts: Monitor and protect access to your cloud applications by viewing detailed logs that show more advanced anomalies and reports on inconsistent access patterns. The advanced reports are machine learning-based and can help you gain new insights to improve access security and respond to potential threats.
Scenario: a customer's sister companies had reports of anomalous logins and turned to the reporting to identify potential cross-company issues. Integration with the security information and event management (SIEM) tool was key. “SIEM, forensics, and analysis tools – we have one of everything here”, said my customer.
- Multi-Factor Authentication: Multi-Factor Authentication is now included with Premium and helps you secure access to on-premises applications (VPN, RADIUS, etc.), Azure, Microsoft Online Services such as Office 365 and Dynamics CRM Online, and thousands of non-Microsoft cloud services pre-integrated with Azure Active Directory. Simply enable Multi-Factor Authentication for Azure Active Directory identities, and users will be prompted to set up additional verification the next time they sign in.
Scenario: a customer wants to require MFA for access to critical applications, except when the user is on the office network.
- Conditional Access: Azure AD evaluates the specific conditions you choose when a user authenticates, before allowing access to an application. Only once those conditions are met (for example, after a successful MFA challenge) is the user allowed access to the application.
Scenario 1: a customer wants stricter conditions for access to one SaaS application than for the others; for example, he wants to protect that one application with MFA.
Scenario 2: in a BYOD world, users coming from outside the corporate network need a higher level of assurance. This is needed to address PCI compliance for access to sensitive customer data.
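As an added example (not part of the original post), here is how the scenarios above, MFA for one critical application except from the office network, can be expressed as a single Conditional Access policy using the Microsoft Graph PowerShell SDK rather than the portal. The application ID, the office IP range (203.0.113.0/24 is a documentation range) and the display names are placeholders you must replace. The policy is created in report-only mode first, so the sign-in logs show who would have been challenged before anything is enforced.

```powershell
# Added example, not from the original post: Conditional Access policy that
# requires MFA for one SaaS application unless the sign-in comes from the
# corporate network. Requires the Microsoft.Graph.Identity.SignIns module.
Import-Module Microsoft.Graph.Identity.SignIns

# Delegated permissions needed to manage named locations and CA policies.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: appId of the critical application's service principal (assumption).
$criticalAppId = "00000000-0000-0000-0000-000000000000"

# 1. Define the office network as a trusted named location.
#    203.0.113.0/24 is a placeholder; use the office's real public egress ranges.
$officeLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate office network"
    isTrusted     = $true
    ipRanges      = @(
        @{
            "@odata.type" = "#microsoft.graph.iPv4CidrRange"
            cidrAddress   = "203.0.113.0/24"
        }
    )
}

# 2. Build the policy: all users, one application, every location except the
#    office, grant access only with MFA. Start in report-only mode.
$policy = @{
    displayName = "Require MFA for critical app outside corporate network"
    state       = "enabledForReportingButNotEnforced"   # switch to "enabled" after review
    conditions  = @{
        users = @{
            includeUsers = @("All")
            # Exclude at least one break-glass (emergency access) account
            # before enforcing, so a misconfiguration cannot lock admins out.
            excludeUsers = @()
        }
        applications = @{
            includeApplications = @($criticalAppId)
        }
        locations = @{
            includeLocations = @("All")
            excludeLocations = @($officeLocation.Id)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Host "Created policy $($created.Id) in state $($created.State)"
```

Review the "Report-only" results in the Azure AD sign-in logs for a few days, add a break-glass account to `excludeUsers`, and only then change `state` to `enabled`. Excluding the office location only by IP means anyone who can reach the office egress address (for example over VPN) is treated as trusted, so the named location should contain exactly the ranges you control.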
- Microsoft Identity Manager (MIM): Premium comes with the right to use MIM servers (and CALs) in your on-premises network to support any combination of hybrid identity solutions. This is a great option if you have a variety of on-premises directories and databases that you want to sync to Azure Active Directory. There is no limit on the number of MIM servers you can use; however, MIM CALs are granted based on the allocation of Azure Active Directory Premium user licenses.
- Enterprise SLA of 99.9%: Microsoft guarantees at least 99.9% availability of the Azure Active Directory Premium service.
- Password reset with write-back: passwords changed through self-service password reset are written back to the on-premises directory (through Azure AD Connect), so the user's new password works for on-premises logon as well.
Scenario: a customer wants to reduce Helpdesk cases for password resets. “Sorry, I was on holiday for 1 week and I forgot my password. Could you reset it please?” You already know these stories. 🙂
- Azure AD Connect Health: helps you monitor and gain insight into your on-premises identity infrastructure and the synchronization services. You can view alerts, performance monitoring, usage analytics and much more. Azure AD Connect Health gives you a single view of the health of your key identity components, all in one place.
Scenario: IT wants to know in real time what is going on with identity synchronization.
- Cloud App Discovery: find out how many SaaS apps are being used within your organization. Connect unmanaged apps with Azure AD to manage user access and enable user provisioning.
Scenario: IT wants to know which cloud-based applications are used in the environment. Once these are reported, IT can easily integrate them with Azure AD to bring the applications under management.
NEWS: gateway-based discovery is coming soon:
  - Windows and iOS
  - Devices configured through MDM/SCCM/Group Policy
  - Collects data only when within the corporate network
  - Provides information on application and location
- Azure AD Identity Protection with Privileged Identity Management (PIM): secure your organization by managing and restricting privileged access. Using Azure AD Privileged Identity Management you are able to:
  - Discover the Azure Active Directory privileged admin roles and their assignments
  - Revoke permanent privileged access and enforce on-demand, time-limited (just-in-time) admin access for Azure Active Directory privileged roles
  - Get reports on admin access history and changes in admin assignments
The PIM extension in the Azure portal provides a simple way for admins to activate their privileged role when they need it.
Scenario: your audit colleagues and the CSO will just love this feature. 🙂
Conclusion:
“People think about on-premises and big bang approach because of the cost of the deployment and the intricacies – now IT can begin to re-think how they approach projects to get to value in smaller chunks more rapidly.”
I can really recommend using these features, or at least starting a proof of concept with this Azure AD edition and testing some use cases. Once you have some reports and benefits to show your boss, I think he will be as excited as mine was. 🙂
Related links: