One of the main factors driving Office 365 adoption is that the platform helps reduce complexity. After all, it's a lot easier to set up an Office 365 subscription than it is to deploy and maintain your own in-house, multi-tier SharePoint farm.
Of course, Office 365 has been adopted by plenty of organizations that already have Active Directory environments. For those organizations, Microsoft has provided two main options: subscribers can set up directory synchronization, which copies on-premises Active Directory accounts into the Office 365 cloud, or they can deploy Active Directory Federation Services, which provides single sign-on (SSO) but is considerably more complex to set up. In practice the second option is layered on top of the first, since federated users still have to exist in the cloud directory before they can be signed in.
More recently, Microsoft has given customers direct access to the directory that sits behind Office 365: Microsoft Azure AD. Microsoft makes Azure AD free to Office 365 subscribers, although the company still charges a fee for Azure AD Premium. The only real caveat to the free Azure AD offering is that it is available only to those who hold a paid Office 365 subscription; those working from a free trial or a complimentary subscription are not eligible.
It is worth noting that Azure AD differs in several ways from the Active Directory Domain Services that run on-premises. For starters, Azure AD is primarily an authentication and identity service for cloud applications. A traditional Active Directory environment provides authentication as well as a number of features that have no Azure AD equivalent; Group Policy objects are one example. Similarly, Active Directory Domain Services lets a domain be segmented into organizational units, whereas Azure AD has no OUs at all.
Another key difference between Active Directory Domain Services and Microsoft Azure AD lies in how each directory is accessed. Active Directory Domain Services can be accessed through purpose-built consoles, such as the Active Directory Users and Computers console, or programmatically through the Lightweight Directory Access Protocol. Azure AD, by contrast, is accessed through a REST API or through a web-based console, which you can see in Figure A; it exposes no LDAP, Kerberos or NTLM endpoint, so scripts and tools built around LDAP binds will not work against it. Both directories can be managed from PowerShell: on-premises Active Directory through the ActiveDirectory module, and Azure AD through the Azure Active Directory Module for Windows PowerShell (the MSOnline module).
As you can see in the figure above, Azure AD is currently linked to Office 365. This link was established automatically, with no administrator intervention beyond that of simply claiming the free Azure AD account.
The console in Figure A is laid out to list applications beyond Office 365, because Azure AD supports SSO for cloud applications in general. Administrators can either set up SSO for apps that exist within the application gallery or define their own custom apps.
The Microsoft Azure AD console can be used to create users and groups, synchronize directories and provide SSO capabilities for cloud apps. Even so, Microsoft recommends that its Office 365 subscribers continue to create accounts within the Office 365 admin center, rather than within the Azure AD console.
When administrators create accounts in Azure AD, they are doing just that -- creating accounts. When administrators create accounts in Office 365, however, they are doing more than just creating accounts: The account creation process is also tied to Office 365 licensing, and to the creation of directory objects related to Office 365 (such as an Exchange mailbox).
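The difference described above is easy to see from PowerShell, which also illustrates the module-based access mentioned earlier. The following is an added example, not code from the original article or from Microsoft's documentation. It assumes the Azure Active Directory Module for Windows PowerShell (MSOnline) is installed and that you sign in with a tenant administrator account; the contoso.onmicrosoft.com user principal names and the ENTERPRISEPACK (Office 365 E3) SKU filter are constructed placeholders to replace with your own.

```powershell
# Added example: an unlicensed Azure AD account versus an account created the
# way the Office 365 admin center creates it (with a licence attached).
# Assumes: MSOnline module installed, tenant admin credentials available.
# All UPNs and the SKU name below are constructed placeholders.

Import-Module MSOnline
Connect-MsolService          # prompts for tenant admin credentials

# 1. A bare Azure AD account. It can authenticate, but holds no Office 365
#    licence, so no Exchange mailbox or SharePoint access is provisioned for it.
#    New-MsolUser generates a random initial password and returns it on the
#    pipeline in clear text, so capture the output rather than letting it scroll
#    past in a shared console.
$svc = New-MsolUser -UserPrincipalName 'svc-reporting@contoso.onmicrosoft.com' `
                    -DisplayName 'Reporting Service' `
                    -UsageLocation 'US'

# 2. What the Office 365 admin center does on your behalf: create the account
#    AND assign a licence. UsageLocation must be set before a licence can be
#    assigned, and the licence assignment is what triggers mailbox creation.
$sku = (Get-MsolAccountSku |
        Where-Object { $_.AccountSkuId -like '*:ENTERPRISEPACK' }).AccountSkuId   # assumed SKU

$user = New-MsolUser -UserPrincipalName 'jsmith@contoso.onmicrosoft.com' `
                     -DisplayName 'Jane Smith' `
                     -FirstName 'Jane' -LastName 'Smith' `
                     -UsageLocation 'US' `
                     -LicenseAssignment $sku

# 3. Verify: IsLicensed is what separates the two kinds of account.
Get-MsolUser -UserPrincipalName 'svc-reporting@contoso.onmicrosoft.com' |
    Select-Object UserPrincipalName, IsLicensed

Get-MsolUser -UserPrincipalName 'jsmith@contoso.onmicrosoft.com' |
    Select-Object UserPrincipalName, IsLicensed, @{n='Licenses'; e={ $_.Licenses.AccountSkuId }}
```

Both accounts must change the generated password at first sign-in by default. If a licensed user is later removed from the licence rather than deleted, the account keeps authenticating while its mailbox is scheduled for removal, so licence state is worth auditing alongside account state.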
This raises the question of how the Azure AD console should be used. From an administrative standpoint, it is useful for configuring authentication to software as a service (SaaS) applications, for reporting and for creating groups. From a user perspective, it is useful as a portal for self-service password resets.
Although Microsoft does not require Office 365 subscribers to use Azure AD directly, it should be considered essential for organizations that have an on-premises Active Directory environment or that use SaaS applications other than Office 365, because it is the one place where identities for all of those environments can be managed together.