KuppingerCole Report
Executive View
By Richard Hill

Microsoft Azure Active Directory

From small businesses to large enterprises, organizations today require a solid foundation for their Identity and Access Management (IAM) services. These services are increasingly delivered as cloud services or IDaaS (Identity as a Service). Microsoft Azure Active Directory (Azure AD) provides Directory Services, Identity Federation, and Access Management from the cloud in a single integrated solution with extensive integration opportunities.

1 Introduction

The IDaaS market has evolved over the past few years and is still growing, both in size and in the number of vendors. However, under the umbrella term of IDaaS, we find a variety of offerings. IDaaS, in general, provides Identity & Access Management capabilities as a service, ranging from Single Sign-On to full Identity Provisioning for both on-premises and cloud solutions. These solutions also vary in their support for different groups of users - such as employees, business partners, and customers - their support for mobile users, and their integration capabilities back to on-premises environments.

In order to manage identities more effectively, organizations implement access controls and govern access rights. This provides a consistent approach to support the processes and workflows involved, irrespective of the service being used, while also being scalable to meet the challenges of digital transformation. It must also coexist and integrate with existing on-premises and cloud-based Identity and Access Management (IAM) processes and tools, since it is not practical to rip and replace these.

Identity as a Service (IDaaS) provides a solution to these challenges by delivering traditional IAM services as a cloud service. IDaaS solutions offer cloud-ready integrations to extend an organization’s IAM controls to meet the security requirements of their SaaS portfolio. From a business perspective, IDaaS enables organizations to manage and control access to a diverse range of cloud services in a consistent manner, securely and with lower costs.

From a user perspective, IDaaS makes it easier to get access to the data and applications that they need from whatever device they are using and wherever they happen to be. By providing single sign-on, they don’t need to remember multiple account credentials. Common policies and administration help to limit risks from excessive privileges or outdated access rights to applications.

IDaaS vendors originate from different backgrounds, and their abilities to support different IDaaS use cases can vary significantly. The capabilities served by most IDaaS vendors can broadly be grouped into three categories. Identity Administration – the capabilities required by organizations to administer the lifecycle of identities. Access Management – capabilities ranging from authentication, authorization, single sign-on, and identity federation for both on-premises and SaaS applications, delivered as a cloud service. Access Governance – capabilities for auditing and enforcing compliant access entitlements; these are the least mature and largely absent from the portfolio of most IDaaS vendors.

As well as replacing traditional on-premises deployments for workforce IAM, IDaaS is becoming an enabler of Consumer Identity and Access Management (CIAM) by offering the required availability and scalability. With IDaaS now dominating new IAM purchases for many use cases across industry verticals, traditional IAM vendors are gearing up to deliver more cohesive IDaaS capabilities as part of their security services.

IDaaS offers a springboard for most organizations to start using foundational IAM elements delivered from the cloud and move the rest of the IAM functions as they find it appropriate and at a pace that matches the organizational security maturity and cloud strategy. The IDaaS market, with its ease of adoption and cloud-native integrations, is slowly overtaking the on-premises IAM market.

2 Product Description

Microsoft Azure Active Directory is Microsoft’s offering for Cloud IAM. The Microsoft Azure platform, however, is not just a port of the on-premises Active Directory (AD) in Windows Server to the Cloud but a comprehensive Cloud IAM offering that goes well beyond the capabilities of a Directory Service and focuses on the new challenges of Cloud IAM. Among many of its capabilities, Azure Active Directory includes the ability to address not only traditional IAM (B2E) but also B2B and B2C use cases.

Identity and User Management

Microsoft Azure Active Directory (Azure AD) is much more than an on-premises AD ported to Azure and run as a cloud service. It was designed to meet the challenges of the hybrid environments seen today. It allows for the integration of on-premises identities with its cloud services and applications, including identity management across all categories of the Azure cloud, such as SaaS, PaaS, and IaaS. In the other direction, integration with legacy authentication-based and on-premises web-based applications is also provided. Azure AD offers many other identity integration options for on-premises environments, such as the federation and synchronization of identities as well as self-service password reset.

Depending on the edition of Azure AD, the level or depth of features varies. For instance, both user and group management are available at the lowest licensing level, as are user-based provisioning, device registration, and cloud user self-service password changes. At higher editions, examples of what is added include advanced group access management policies, group-based provisioning, self-service group and application management, self-service password reset, change, and unlock with the ability to write back to on-premises, and automatic password rollover for group accounts. Single Sign-On (SSO) and multi-factor authentication are available at the lowest (free) edition of Azure AD.

Authentication and Other Access Controls

Azure AD provides passwords as the one authentication method that cannot be disabled. For Azure AD Multi-Factor Authentication (MFA), Azure AD supports the Microsoft Authenticator application for use with Android, iOS, and Windows Phone. OATH hardware tokens are also supported, specifically OATH TOTP SHA-1 hardware tokens with 30 and 60 second time steps. For users of mobile phones, both code delivery by SMS and interactive phone call authentication are supported. In addition, Azure AD Multi-Factor capabilities can be enabled through security defaults for users assigned the Azure AD Global Administrator role, even at the Azure AD free level.

Azure AD offers a passwordless MFA option, which is currently in public preview and expected to be Generally Available (GA) in the fall of 2020. It does this by replacing the password with something you have, such as a phone or a security key, used together with a biometric or a PIN as the second authenticator. The Microsoft Authenticator application can be used for passwordless MFA. Windows Hello has supported passwordless MFA since 2015.

Microsoft also integrates with third-party FIDO2-compliant security keys, which combine with the OS and browser to form a strong authenticator. When users sign into a platform, such as a web-based application, a notification is sent to the user’s device. The user confirms by entering a PIN or with a touch or face biometric.

Azure AD Identity Protection allows organizations to use the same adaptive machine learning algorithms and heuristics that Microsoft itself uses to detect anomalies and suspicious activity. Azure AD Identity Protection uses behavior- and risk-based access controls to monitor and detect both user and sign-in risk levels, then reports and alerts on these activities, giving organizations a chance to take mitigation or remediation actions. Using risk-based Conditional Access policies, organizations can respond automatically once a given risk threshold has been reached. With this approach, policy actions can block or secure user accounts deemed risky, or require a step-up to multi-factor authentication or a password reset.

External Identities

Azure AD offers a single solution to manage identity for any user, including customers, partners, suppliers and distributors, contractors, and other external constituents. The simplified admin experience makes it easier to manage employees, customers, and partners alike, including switching between Azure AD and Azure AD B2C directories from within the Azure AD portal.

Built-in B2B collaboration capabilities enable collaboration scenarios between both organizations and individuals. These features allow partners to collaborate on documents, data, and applications at the enterprise level. Organization members can send email invitations that external partners can redeem to access the organization’s resources. Additionally, external users can ‘bring their own identity’ using an email one-time passcode (OTP) or social IDs including Google, Facebook, and Microsoft, via a self-service sign-up flow. Organizations can also create a customized authentication experience for Line-of-Business (LoB) apps with company branding, and customize and localize the user attributes collected during the sign-up process. Admins can keep B2B collaboration secure with Identity Protection, Conditional Access, and by conducting regular access reviews for external users.

For B2C scenarios that require high levels of customization and white-labeling, Azure AD provides a stand-alone service that gives IDaaS capabilities to an organization’s external-facing API, web, or mobile applications. Using Azure AD B2C’s orchestration engine, organizations can define custom policies that implement their own profile editing, user registration, or authentication flows. Combinations of orchestration steps and policy rules can be defined to allow for such things as federation with other identity providers, MFA challenges, or integration with external systems using REST API calls. The Azure AD B2C service also uses open standards such as OpenID Connect, OAuth 2, and SAML v2 to support the integration of other applications.

Licensing Options

Depending on the licensing model chosen, a customer will get some or all of the Azure AD features discussed above. Each licensing option builds on the capabilities offered in the lower offerings. Starting with the free edition, customers can expect basic directory management capabilities for users and groups. Also included at the free level are on-premises directory synchronization, cloud user self-service, and SSO across Azure products and SaaS applications, to name a few. The first paid tier, Premium P1, adds hybrid user access across cloud and on-premises resources.

All P1 features are included with Microsoft 365 Business and Office plans. Premium P1 also provides advanced administration capabilities as well as other features. At the Premium P2 level, more advanced features such as Identity Protection provide risk-based Conditional Access to applications and data, as well as core cloud-based identity governance with privileged identity management, access reviews, and entitlement management. For External Identities capabilities, Microsoft plans to announce later this year simplified pricing that enables customers to pay only for what they use, per monthly active user (MAU).

Azure AD with Microsoft Enterprise Mobility + Security Suite

Microsoft’s ‘Enterprise Mobility + Security’ (EMS) brings together several solutions in the IAM, information protection, threat analytics, UEM, and CASB space to provide a comprehensive approach to data protection. Azure AD Identity Protection services take user account management to a new level, employing a risk management approach that evaluates events on a user’s account to determine anomalies and potential compromise. Advanced threat analytics leverages the Azure AD functionality to protect corporate assets from anomalous activity. EMS E3 includes Azure AD Premium P1 features, while EMS E5 includes Azure AD Premium P2 capabilities. Azure AD integration with Microsoft’s EMS offering also provides flexible monthly active user (MAU) based billing for External Identities.

Azure AD with Microsoft Graph

A significant number of organizations have opted for Microsoft Office 365, which relies on Microsoft Azure Active Directory (Azure AD). Microsoft continues to extend the capabilities of Azure AD and to make those capabilities available through Microsoft Graph. Microsoft Graph provides a single API endpoint to access all Microsoft 365 services. Currently in public preview is an improved ability to query directory resources and relationships using count, filter, search, and sort capabilities. Beyond the identity and access capabilities that are already generally available, such as MFA configuration, password protection, and Conditional Access policies, upcoming additions include access to Azure AD B2C user flows, B2B collaboration settings policies, and device registration.

3 Strengths and Challenges

Built from the ground up to work in hybrid environments, Microsoft’s Azure AD meets the IAM requirements on several levels that address the corporate, partner, and customer use cases.

Azure AD provides a wide range of identity and user management options. Its hybrid environment support gives organizations the ability to move to the cloud while maintaining on-premises directories, with automatic user provisioning and deprovisioning and write-back capabilities for features such as self-service password reset, change, or unlock. The depth of capabilities depends on the Azure AD edition licensed, but even the lowest edition provides sufficient support.

Authentication options extend from passwords to MFA, behavior- and risk-based access controls, and passwordless authentication, depending on the Azure AD edition licensed. Azure AD Identity Protection allows for more advanced access control features using adaptive machine learning capabilities. Another, more innovative option is FIDO2-based passwordless MFA, which promises users a more frictionless and secure authentication option.

The Azure AD B2B collaboration feature set gives organizations the ability to collaborate seamlessly at different levels, whether data, documents, or applications. Using Azure AD B2B collaboration, all Azure AD capabilities at the premium licensing level are available, although UI customization capabilities are limited.

The Azure AD B2C standalone service facilitates both B2B and B2C commerce use cases by providing IDaaS functionality. Support for external-facing applications is provided through the use of social identities, local accounts, and the federation of government or corporate IDs. Azure AD B2C currently does not support first-party Microsoft applications or Office 365. The Azure AD B2C orchestration engine gives organizations great flexibility in customizing their customers’ experience and workflows.

Microsoft provides a variety of licensing options to fit a customer's needs depending on where they are on their IAM journey. The free introductory edition of Azure AD allows an organization to gain basic AD capabilities and then add features through the layered licensing model, with the exception of B2C capabilities, which require a “Pay-as-you-go” feature license.

Microsoft’s integration of Azure AD into EMS extends its cybersecurity offerings in a coherent way, with clear benefits for customers.

Microsoft Azure Active Directory is an obvious candidate for many organizations when selecting their solution for authentication and single sign-on to services, and as a central element within their future Identity Fabric, a logical architecture for delivering a consistent set of Identity Services across all types of applications and users.

Microsoft Azure Active Directory is a leading offering in the Cloud IAM market segment, with cutting-edge capabilities that make it a logical choice for cloud and hybrid deployments, extending on-premises Active Directory infrastructures to the Cloud.

Strengths

  • Comprehensive feature set that covers B2E, B2B, and B2C use cases
  • Capable of scaling to extremely high workloads
  • Flexible schema, overcoming limitations of traditional directory services
  • Resilient against cyber attacks
  • Wide range of pre-configured integrations to cloud services and SaaS apps
  • FIDO2 and app-based passwordless MFA options
  • Broad standards support
  • Integrated into Microsoft’s EMS offering

Challenges

  • Limited LDAP support out-of-the-box, which might be a challenge for backwards compatibility
  • Efficient administration often requires relatively complex Microsoft PowerShell scripting, while most other features are available via the web UI
  • Usage for External Identities, including the Azure AD B2C service, is charged per monthly active user (MAU), requiring customers to go outside the layered license offerings of P1 and P2

Copyright

©2020 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole’s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded back in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.