
Table of Contents

Overview
    What is Azure Active Directory?
    Choose edition
    About Azure identity management
    Preview the Azure portal experience
Get started
    Get an Azure AD tenant
    Sign up for Azure AD Premium
    Associate Azure subscriptions
    Manage AD licensing
    Get Azure for your organization
    FAQs
    SaaS app tutorials
How to
    Manage users
        Add users
        Add users from other directories
        Delete users
        Manage user profiles
        Reset a password
        Manage user work information
        Share accounts
    Manage groups and members
        Manage groups
        Manage group members
        Manage group owners
        Manage group membership
        View all groups
        Enable dedicated groups
        Add group access to SaaS apps
        Manage group settings
        Create advanced rules
        Set up self-service groups
        Troubleshoot
    View access and usage reports
        Azure AD reporting
        Known networks
        Reporting guide
        Understand reports
    Manage passwords
        Update your own password
        Understand password management
        Understand policies and restrictions
        Reset passwords
        Set expiration policies
        Enable Password Management
    Manage devices
        Register your device
        Register a Windows 10 device
        Conditional access
        Azure AD Join
        Certificate-based Authentication
    Manage apps
        Overview
        Getting started
        Cloud App Discovery
        Give remote access to your apps
        Understand SSO for apps
        Integrate SaaS apps
        Manage enterprise apps
        Develop
        Manage access to apps
        Use SCIM provision users
        Document library
    Manage your directory
        Custom domain names
        Customize the sign-in page
        Administer your directory
        Multiple directories
        O365 directories
        Self-service signup
        Enterprise State Roaming
    Integrate partners with Azure AD B2B
    Integrate on-premises identities using Azure AD Connect
    Delegate access to resources
        Administrator roles
        Administrative units
        Resource access in Azure Role-Based Access Control
        Configure token lifetimes
    Secure your identities
        Azure AD Identity Protection
        Privileged Identity Management
    Deploy on Azure VMs
        Windows Server Active Directory on Azure VMs
        Replica domain controller in an Azure virtual network
        New forest on an Azure virtual network
    Deploy a hybrid identity solution
        Determine requirements
        Plan for data security
        Plan your identity lifecycle
        Next steps
        Tools comparison
    Deploy AD FS in Azure
        High availability
        Change signature hash algorithm
        Troubleshoot
Reference
    PowerShell cmdlets
    Java API Reference
    .NET API
    Service limits and restrictions
Related
    Multi-Factor Authentication
    Azure AD Connect
    Azure AD Connect Health
    Azure AD for developers
    Azure AD Privileged Identity Management
Resources
    Pricing
    MSDN forum
    Stack Overflow
    Videos
    Service updates
    Azure feedback forum

What is Azure Active Directory?

1/17/2017 • 5 min to read

Azure Active Directory (Azure AD) is Microsoft’s multi-tenant, cloud-based directory and identity management service.

For IT admins, Azure AD provides an affordable, easy-to-use solution to give employees and business partners single sign-on (SSO) access to thousands of cloud SaaS applications like Office365, Salesforce.com, DropBox, and Concur.

For application developers, Azure AD lets you focus on building your application by making it fast and simple to integrate with a world-class identity management solution used by millions of organizations around the world.

Azure AD also includes a full suite of identity management capabilities, including multi-factor authentication, device registration, self-service password management, self-service group management, privileged account management, role-based access control, application usage monitoring, rich auditing, and security monitoring and alerting. These capabilities can help secure cloud-based applications, streamline IT processes, cut costs, and help ensure that corporate compliance goals are met.

Additionally, with just four clicks, Azure AD can be integrated with an existing Windows Server Active Directory, giving organizations the ability to leverage their existing on-premises identity investments to manage access to cloud-based SaaS applications.

If you are an Office365, Azure or Dynamics CRM Online customer, you might not realize that you are already using Azure AD. Every Office365, Azure and Dynamics CRM tenant is actually already an Azure AD tenant. Whenever you want you can start using that tenant to manage access to thousands of other cloud applications Azure AD integrates with!


How reliable is Azure AD?

The multi-tenant, geo-distributed, high availability design of Azure AD means that you can rely on it for your most critical business needs. Running out of 28 data centers around the world with automated failover, you’ll have the comfort of knowing that Azure AD is highly reliable and that even if a data center goes down, copies of your directory data are live in at least two more regionally dispersed data centers and available for instant access.

For more details, see Service Level Agreements.

What are the benefits of Azure AD?

Your organization can use Azure AD to improve employee productivity, streamline IT processes, improve security and cut costs in many ways:

Quickly adopt cloud services, providing employees and partners with an easy single sign-on experience powered by Azure AD’s fully automated SaaS app access management and provisioning services capabilities.

Empower employees with access to world-class cloud apps and self-service capabilities from wherever they need to work on the devices they love to use.

Easily and securely manage employee and vendor access to your corporate social media accounts.

Improve application security with Azure AD multifactor authentication and conditional access.

Implement consistent, self-service application access management, empowering business owners to move quickly while cutting IT costs and overheads.

Monitor application usage and protect your business from advanced threats with security reporting and monitoring.

Secure mobile (remote) access to on-premises applications.

How does Azure AD compare to on-premises Active Directory Domain Services (AD DS)?

Both Azure Active Directory (Azure AD) and on-premises Active Directory (Active Directory Domain Services or AD DS) are systems that store directory data and manage communication between users and resources, including user logon processes, authentication, and directory searches.

AD DS is a server role on Windows Server, which means that it can be deployed on physical or virtual machines. It has a hierarchical structure based on X.500. It uses DNS for locating objects, can be interacted with using LDAP, and it primarily uses Kerberos for authentication. Active Directory enables organizational units (OUs) and Group Policy Objects (GPOs) in addition to joining machines to the domain, and trusts are created between domains.

Azure AD is a multi-customer public directory service, which means that within Azure AD you can create a tenant for your cloud servers and applications such as Office 365. Users and groups are created in a flat structure without OUs or GPOs. Authentication is performed through protocols such as SAML, WS-Federation, and OAuth. It's possible to query Azure AD, but instead of using LDAP you must use a REST API called AD Graph API. These all work over HTTP and HTTPS.

You can use Azure AD Connect to sync your on-premises identities with Azure AD.

| | Azure AD | On-premises AD DS |
|---|---|---|
| Authentication and authorization | SAML, WS-Federation, OAuth 2.0, OpenID Connect | SAML, WS-Federation, Interactive with supported credentials, NTLM, Kerberos, MD5, Basic |
| Object repository | Access via Azure AD Graph and Microsoft Graph | X.500 LDAP |
| Programmatic access | MS/Azure AD Graph REST APIs | LDAP |
| SSO to applications | OpenID Connect, SAML, WS-Fed | OpenID Connect, SAML |
| Access management | Resource-defined scope and role-based access control, Client-defined delegated and application permissions, Consent Framework (enforces proper user/admin consent, as defined/requested by resource/client). Via app role, can be applied individually or through groups; supports: Admin managed, Self-service application access, User consent | Via ACLs, can be applied individually or through groups; supports: Admin managed |
| Group management | Admin managed, Rule/dynamic managed, Self-service group management | Admin managed, External system (FIM, or other) required for Rule/dynamic managed |
| Supported credentials | Username + password, Smartcard | Username + password, Smartcard |

How can I get started?

If you are an IT admin:

Try it out! - you can sign up for a free 30 day trial today and deploy your first cloud solution in under 5 minutes using this link

Read “Getting started with Azure AD” for tips and tricks on getting an Azure AD tenant up and running fast

If you are a developer:

Check out our Developers Guide to Azure Active Directory

Start a trial – sign up for a free 30 day trial today and start integrating your apps with Azure AD

Where can I learn more?

We have a ton of great resources online to help you learn all about Azure AD. Here’s a list of great articles to get you started:

Getting started with Azure AD Reporting

Manage your passwords from anywhere

What is application access and single sign-on with Azure Active Directory?

Automate User Provisioning and Deprovisioning to SaaS Applications with Azure Active Directory

How to provide secure remote access to on-premises applications

Managing access to resources with Azure Active Directory groups

What is Microsoft Azure Active Directory licensing?

How can I discover unsanctioned cloud apps that are used within my organization

Azure Active Directory editions

1/17/2017 • 9 min to read

All Microsoft Online business services rely on Azure Active Directory (Azure AD) for sign-in and other identity needs. If you subscribe to any of Microsoft Online business services (for example, Office 365 or Microsoft Azure), you get Azure AD with access to all of the Free features, described below.

Azure Active Directory is a comprehensive, highly available identity and access management cloud solution that combines core directory services, advanced identity governance, and application access management. Azure Active Directory also offers a rich, standards-based platform that enables developers to deliver access control to their applications, based on centralized policy and rules. With the Azure Active Directory Free edition, you can manage users and groups, synchronize with on-premises directories, get single sign-on across Azure, Office 365, and thousands of popular SaaS applications like Salesforce, Workday, Concur, DocuSign, Google Apps, Box, ServiceNow, Dropbox, and more. To learn more about Azure Active Directory, read What is Azure AD?

To enhance your Azure Active Directory, you can add paid capabilities using the Azure Active Directory Basic, Premium P1, and Premium P2 editions. Azure Active Directory paid editions are built on top of your existing free directory, providing enterprise class capabilities spanning self-service, enhanced monitoring, security reporting, Multi-Factor Authentication (MFA), and secure access for your mobile workforce.

Office 365 subscriptions include additional Azure Active Directory features described in the comparison table below.

NOTE For the pricing options of these editions, see Azure Active Directory Pricing. Azure Active Directory Premium P1, Premium P2, and Azure Active Directory Basic are not currently supported in China. Please contact us at the Azure Active Directory Forum for more information.

Azure Active Directory Basic - Designed for task workers with cloud-first needs, this edition provides cloud centric application access and self-service identity management solutions. With the Basic edition of Azure Active Directory, you get productivity enhancing and cost reducing features like group-based access management, self-service password reset for cloud applications, and Azure Active Directory Application Proxy (to publish on-premises web applications using Azure Active Directory), all backed by an enterprise-level SLA of 99.9 percent uptime.

Azure Active Directory Premium P1 - Designed to empower organizations with more demanding identity and access management needs, Azure Active Directory Premium edition adds feature-rich enterprise-level identity management capabilities and enables hybrid users to seamlessly access on-premises and cloud capabilities. This edition includes everything you need for information worker and identity administrators in hybrid environments across application access, self-service identity and access management (IAM), identity protection and security in the cloud. It supports advanced administration and delegation resources like dynamic groups and self-service group management. It includes Microsoft Identity Manager (an on-premises identity and access management suite) and provides cloud write-back capabilities enabling solutions like self-service password reset for your on-premises users.

Azure Active Directory Premium P2 - Designed with advanced protection for all your users and administrators, this new offering includes all the capabilities in Azure AD Premium P1 as well as our new Identity Protection and Privileged Identity Management. Azure Active Directory Identity Protection leverages billions of signals to provide risk-based conditional access to your applications and critical company data. We also help you manage and protect privileged accounts with Azure Active Directory Privileged Identity Management so you can discover, restrict and monitor administrators and their access to resources and provide just-in-time access when needed.

To sign up and start using Active Directory Premium today, see Getting started with Azure Active Directory Premium.

NOTE A number of Azure Active Directory capabilities are available through "pay as you go" editions:

Active Directory B2C is the identity and access management solution for your consumer-facing applications. For more details, see Azure Active Directory B2C.

Azure Multi-Factor Authentication can be used through per user or per authentication providers. For more details, see What is Azure Multi-Factor Authentication?

Comparing generally available features

NOTE For a different view of this data, see the Azure Active Directory Capabilities.

Common Features

Directory Objects
User/Group Management (add/update/delete)/ User-based provisioning, Device registration
Single Sign-On (SSO)
Self-Service Password Change for cloud users
Connect (Sync engine that extends on-premises directories to Azure Active Directory)
Security / Usage Reports

Basic Features

Group-based access management / provisioning
Self-Service Password Reset for cloud users
Company Branding (Logon Pages/Access Panel customization)
Application Proxy
SLA 99.9%

Premium P1 Features

Self-Service Group and app Management/Self-Service application additions/Dynamic Groups
Self-Service Password Reset/Change/Unlock with on-premises write-back
Multi-Factor Authentication (Cloud and On-premises (MFA Server))
MIM CAL + MIM Server
Cloud App Discovery
Connect Health
Automatic password rollover for group accounts

Premium P2 Features

Identity Protection
Privileged Identity Management

Azure Active Directory Join – Windows 10 only related features

Join a device to Azure AD, Desktop SSO, Microsoft Passport for Azure AD, Administrator Bitlocker recovery
MDM auto-enrollment, Self-Service Bitlocker recovery, Additional local administrators to Windows 10 devices via Azure AD Join

Common Features

Directory Objects

Type: Common Features

The default usage quota is 150,000 objects. An object is an entry in the directory service, represented by its unique distinguished name. An example of an object is a user entry used for authentication purposes. If you need to exceed this default quota, please contact support. The 500K object limit does not apply for Office 365, Microsoft Intune or any other Microsoft paid online service that relies on Azure Active Directory for directory services.

Availability:

FREE EDITION: Up to 500,000 objects
BASIC EDITION: No object limit
PREMIUM (P1 AND P2) EDITIONS: No object limit
OFFICE 365 APPS ONLY: No object limit for Office 365 user accounts

User/Group Management (add/update/delete), User-based provisioning, Device registration

Type: Common Features

Availability:

FREE EDITION
BASIC EDITION
PREMIUM (P1 AND P2) EDITIONS
OFFICE 365 APPS ONLY

More details:

Administer your Azure AD directory
Azure Active Directory Device Registration overview

Single Sign-On (SSO)

Type: Common Features

Availability:

FREE EDITION: 10 apps per user (1)
BASIC EDITION: 10 apps per user (1)
PREMIUM (P1 AND P2) EDITIONS: No Limit (2)
OFFICE 365 APPS ONLY: 10 apps per user (1)

1. With Azure AD Free and Azure AD Basic, end-users are entitled to get single sign-on access for up to 10 applications.

More details:

Managing Applications with Azure Active Directory (AD)

Self-Service Password Change for cloud users

Type: Common Features

Availability:

FREE EDITION
BASIC EDITION
PREMIUM (P1 AND P2) EDITIONS
OFFICE 365 APPS ONLY

More details:

How to update your own password

Connect (Sync engine that extends on-premises directories to Azure Active Directory)

Type: Common Features

Availability:

FREE EDITION
BASIC EDITION
PREMIUM (P1 AND P2) EDITIONS
OFFICE 365 APPS ONLY

More details:

Integrating your on-premises identities with Azure Active Directory

Security/Usage Reports

Type: Common Features

Availability:

FREE EDITION: 3 Basic reports
BASIC EDITION: 3 Basic reports
PREMIUM (P1 AND P2) EDITIONS: Advanced reports
OFFICE 365 APPS ONLY: 3 Basic reports

More details:

View your access and usage reports

Premium and Basic Features

Group-based access management/provisioning

Type: Basic Features

Availability:

FREE EDITION
BASIC EDITION
PREMIUM (P1 AND P2) EDITIONS
OFFICE 365 APPS ONLY

Self-Service Password Reset for cloud users

Type: Basic Features

Availability:

FREE EDITION
BASIC EDITION
PREMIUM (P1 AND P2) EDITIONS
OFFICE 365 APPS ONLY

More details:

Azure AD Password Reset for Users and Admins

Company Branding (Logon Pages/Access Panel customization)

Type: Basic Features

Availability:

FREE EDITION
BASIC EDITION
PREMIUM (P1 AND P2) EDITIONS
OFFICE 365 APPS ONLY

More details:

Add company branding to your Sign In and Access Panel pages

Application Proxy

Type: Basic Features

Availability:

FREE EDITION
BASIC EDITION
PREMIUM (P1 AND P2) EDITIONS
OFFICE 365 APPS ONLY

More details:

How to provide secure remote access to on-premises applications

SLA 99.9%

Type: Basic Features

Availability:

FREE EDITION
BASIC EDITION
PREMIUM (P1 AND P2) EDITIONS
OFFICE 365 APPS ONLY

More details:

Service Level Agreements

Premium Features

Self-Service Group and app Management/Self-Service application additions/Dynamic Groups

Type: Premium Features

Availability:

FREE EDITION
BASIC EDITION
PREMIUM (P1 AND P2) EDITIONS
OFFICE 365 APPS ONLY

Self-Service Password Reset/Change/Unlock with on-premises write-back

Type: Premium Features

Availability:

FREE EDITION
BASIC EDITION
PREMIUM (P1 AND P2) EDITIONS
OFFICE 365 APPS ONLY

Multi-Factor Authentication (Cloud and On-premises (MFA Server))

Type: Premium Features

Availability:

FREE EDITION
BASIC EDITION
PREMIUM (P1 AND P2) EDITIONS
OFFICE 365 APPS ONLY: Limited to cloud only for Office 365 Apps

More details:

What is Azure Multi-Factor Authentication?

MIM CAL + MIM Server

Microsoft Identity Manager Server software rights are granted with Windows Server licenses (any edition). Because Microsoft Identity Manager runs on the Windows Server operating system, as long as the server is running a valid, licensed copy of Windows Server, then Microsoft Identity Manager can be installed and used on that server. No other separate license is required for Microsoft Identity Manager Server.

Type: Premium Features

Availability:

FREE EDITION
BASIC EDITION
PREMIUM (P1 AND P2) EDITIONS
OFFICE 365 APPS ONLY

Cloud App Discovery

Type: Premium Features

Availability:

FREE EDITION
BASIC EDITION
PREMIUM (P1 AND P2) EDITIONS
OFFICE 365 APPS ONLY

More details:

Finding unmanaged cloud applications with Cloud App Discovery

Azure AD Connect Health

Type: Premium Features

Availability:

FREE EDITION
BASIC EDITION
PREMIUM (P1 AND P2) EDITIONS
OFFICE 365 APPS ONLY

More details:

Monitor your on-premises identity infrastructure and

Automatic password rollover for group accounts

Type: Premium Features

Availability:

FREE EDITION
BASIC EDITION
PREMIUM (P1 AND P2) EDITIONS
OFFICE 365 APPS ONLY

Identity Protection

Type: Premium Features

Availability:

FREE EDITION
BASIC EDITION
PREMIUM P2 EDITION
OFFICE 365 APPS ONLY

Privileged Identity Management

Type: Premium Features

Availability:

FREE EDITION
BASIC EDITION
PREMIUM P2 EDITION
OFFICE 365 APPS ONLY

Azure Active Directory Join – Windows 10 only related features

Join a device to Azure AD, Desktop SSO, Microsoft Passport for Azure AD, Administrator Bitlocker recovery

Type: Azure Active Directory Join – Windows 10 only related features

Availability:

FREE EDITION
BASIC EDITION
PREMIUM (P1 AND P2) EDITIONS
OFFICE 365 APPS ONLY

MDM auto-enrollment, Self-Service Bitlocker recovery, Additional local administrators to Windows 10 devices via Azure AD Join

Type: Azure Active Directory Join – Windows 10 only related features

Availability:

FREE EDITION
BASIC EDITION
PREMIUM (P1 AND P2) EDITIONS
OFFICE 365 APPS ONLY

Enterprise State Roaming

Type: Azure Active Directory Join – Windows 10 only related features

Availability:

FREE EDITION
BASIC EDITION
PREMIUM (P1 AND P2) EDITIONS
OFFICE 365 APPS ONLY

More details:

Enterprise State Roaming

Azure AD preview features

In addition to the generally available features of the Free, Basic, and Premium (P1 and P2) editions, Azure AD also provides you with a collection of preview features. You can use the preview features to get an impression of what is coming in the near future and to determine whether these features can help improve your environment.

Available preview features:

B2B collaboration
Administrative Units
HR application Integration
Certificate-based authentication on iOS
Certificate-based authentication on Android

What's next

Getting started with Azure Active Directory Premium
Add company branding to your Sign In and Access Panel pages
View your access and usage reports

The fundamentals of Azure identity management

1/17/2017 • 13 min to read

Managing identity is just as important in the public cloud as it is on premises. To help with this, Azure supports several different cloud identity technologies. They include these:

You can run Windows Server Active Directory (commonly called just AD) in the cloud using virtual machines created with Azure Virtual machines. This approach makes sense when you're using Azure to extend your on- premises datacenter into the cloud.different cloud identity technologies. They include these: You can use Azure Active Directory to give your

You can use Azure Active Directory to give your users single sign-on to Software as a Service (SaaS) applications. Microsoft's Office 365 uses this technology, for example, and applications running on Azure or other cloud platforms can also use it.

Applications running in the cloud or on-premises can use Azure Active Directory Access Control to let users log in using identities from Facebook, Google, Microsoft, and other identity providers.

This article describes all three of these options.

Table of Contents

Running Windows Server Active Directory in virtual machines

Using Azure Active Directory

Using Azure Active Directory Access Control

Running Windows Server Active Directory in virtual machines

Running Windows Server AD in Azure virtual machines is much like running it on-premises. Figure 1 shows a typical example of how this looks.

Figure 1: Windows Server Active Directory can run in Azure virtual machines connected to an organization's on-premises datacenter using Azure Virtual Network.

In the example shown here, Windows Server AD is running in VMs created using Azure Virtual Machines, the platform's IaaS technology. These VMs and a few others are grouped into a virtual network connected to an on-premises datacenter using Azure Virtual Network. The virtual network carves out a group of cloud virtual machines that interact with the on-premises network via a virtual private network (VPN) connection. Doing this lets these Azure virtual machines look like just another subnet to the on-premises datacenter. As the figure shows, two of those VMs are running Windows Server AD domain controllers. The other virtual machines in the virtual network might be running applications, such as SharePoint, or being used in some other way, such as for development and testing. The on-premises datacenter is also running two Windows Server AD domain controllers.

There are several options for connecting the domain controllers in the cloud with those running on premises:

Make all of them part of a single Active Directory domain.

Create separate AD domains on-premises and in the cloud that are part of the same forest.

Create separate AD forests in the cloud and on-premises, then connect the forests using cross-forest trusts or Windows Server Active Directory Federation Services (AD FS), which can also run in virtual machines on Azure.

Whatever choice is made, an administrator should make sure that authentication requests from on-premises users go to cloud domain controllers only when necessary, since the link to the cloud is likely to be slower than on-premises networks. Another factor to consider in connecting cloud and on-premises domain controllers is the traffic generated by replication. Domain controllers in the cloud are typically in their own AD site, which allows an administrator to schedule how often replication is done. Azure charges for traffic sent out of an Azure datacenter, although not for bytes sent in, which might affect the administrator's replication choices. It's also worth pointing out that while Azure does provide its own Domain Name System (DNS) support, this service is missing features required by Active Directory (such as support for Dynamic DNS and SRV records). Because of this, running Windows Server AD on Azure requires setting up your own DNS servers in the cloud.

Running Windows Server AD in Azure VMs can make sense in several different situations. Here are some examples:

If you're using Azure Virtual Machines as an extension of your own datacenter, you might run applications in the cloud that need local domain controllers to handle things such as Windows Integrated Authentication requests or LDAP queries. SharePoint, for example, interacts frequently with Active Directory, and so while it's possible to run a SharePoint farm on Azure using an on-premises directory, setting up domain controllers in the cloud will significantly improve performance. (It's important to realize that this isn't necessarily required, however; plenty of applications can run successfully in the cloud using only on-premises domain controllers.)

Suppose a faraway branch office lacks the resources to run its own domain controllers. Today, its users must authenticate to domain controllers on the other side of the world - logins are slow. Running Active Directory on Azure in a closer Microsoft datacenter can speed this up without requiring more servers in the branch office.

An organization that uses Azure for disaster recovery might maintain a small set of active VMs in the cloud, including a domain controller. It can then be prepared to expand this site as needed to take over for failures elsewhere.

There are also other possibilities. For example, you're not required to connect Windows Server AD in the cloud to an on-premises datacenter. If you wanted to run a SharePoint farm that served a particular set of users, for instance, all of whom would log in solely with cloud-based identities, you might create a standalone forest on Azure. How you use this technology depends on what your goals are. (For more detailed guidance on using Windows Server AD with Azure, see here.)

Using Azure Active Directory

As SaaS applications become more and more common, they raise an obvious question: What kind of directory service should these cloud-based applications use? Microsoft's answer to that question is Azure Active Directory.

There are two main options for using this directory service in the cloud:

Individuals and organizations that use only SaaS applications can rely on Azure Active Directory as their sole directory service.

Organizations that run Windows Server Active Directory can connect their on-premises directory to Azure Active Directory, then use it to give their users single sign-on to SaaS applications.

Figure 2 illustrates the first of these two options, where Azure Active Directory is all that's required.

Figure 2: Azure Active Directory gives an organization's users single sign-on to SaaS applications, including Office 365.

As the figure shows, Azure AD is a multi-tenant service. This means that it can simultaneously support many different organizations, storing directory information about users at each of them. In this example, a user at organization A is trying to access a SaaS application. This application might be part of Office 365, such as SharePoint Online, or it might be something else - non-Microsoft applications can also use this technology. Because Azure AD supports the SAML 2.0 protocol, all that's required from an application is the ability to interact using this industry standard. (In fact, applications that use Azure AD can run in any datacenter, not just an Azure datacenter.)

The process begins when the user accesses a SaaS application (step 1). To use this application, the user must present a token issued by Azure AD.

This token contains information that identifies the user, and it's digitally signed by Azure AD. To get the token, the user authenticates himself to Azure AD by providing a username and password (step 2). Azure AD then returns the token he needs (step 3).

This token is then sent to the SaaS application (step 4), which validates the token's signature and uses its contents (step 5). Typically, the application will use the identity information the token contains to decide what information the user is allowed to access and perhaps in other ways.

If the application needs more information about the user than what's contained in the token, it can request this directly from Azure AD using the Azure AD Graph API (step 6). In the initial version of Azure AD, the directory schema is quite simple: It contains just users and groups and relationships among them. Applications can use this information to learn about connections between users. For example, suppose an application needs to know who this user's manager is to decide whether he's allowed access to some chunk of data. It can learn this by querying Azure AD through the Graph API.

The Graph API uses an ordinary RESTful protocol, which makes it straightforward to use from most clients, including mobile devices. The API also supports the extensions defined by OData, adding things such as a query language to let clients access data in more useful ways. (For more on OData, see Introducing OData.) Because the Graph API can be used to learn about relationships between users, it lets applications understand the social graph that's embedded in the Azure AD schema for a particular organization (which is why it's called the Graph API). And to authenticate itself to Azure AD for Graph API requests, an application uses OAuth 2.0.
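The token exchange in steps 3 through 5, carried through as an added example (not code from this article, from Azure AD, or from any SaaS application): the directory signs a set of claims with its private key, and the application verifies the signature with the directory's public key and then checks issuer, audience and expiry before using the claims. The claim layout, the issuer and audience URLs and the compact JSON token format are constructed for illustration; a real Azure AD token in this scenario is a SAML 2.0 assertion, but the checks the relying party has to perform are the same.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is a constructed stand-in for the identity information a directory
// puts in a token (Azure AD's real tokens here are SAML 2.0 assertions).
type Claims struct {
	Issuer   string `json:"iss"` // which directory signed the token
	Subject  string `json:"sub"` // the authenticated user
	Audience string `json:"aud"` // the application the token was minted for
	Expires  int64  `json:"exp"` // Unix time after which the token is invalid
}

// IssueToken is the directory side (step 3): sign the claims with the
// directory's private key. Layout: base64url(claims) "." base64url(signature).
func IssueToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	enc := base64.RawURLEncoding
	return enc.EncodeToString(payload) + "." + enc.EncodeToString(sig), nil
}

// ValidateToken is the SaaS application side (step 5): verify the signature
// with the directory's public key, then check the claims before using them.
func ValidateToken(pub *rsa.PublicKey, token, trustedIssuer, myAudience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	enc := base64.RawURLEncoding
	payload, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("bad payload encoding: %w", err)
	}
	sig, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, fmt.Errorf("bad signature encoding: %w", err)
	}
	// Signature first: nothing in the payload is trusted until this passes.
	digest := sha256.Sum256(payload)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, fmt.Errorf("bad claims: %w", err)
	}
	// A good signature only proves who signed. The application must still check
	// that the signer is the directory it trusts, that the token was minted for
	// this application (not replayed from another one), and that it is unexpired.
	if c.Issuer != trustedIssuer {
		return nil, fmt.Errorf("untrusted issuer %q", c.Issuer)
	}
	if c.Audience != myAudience {
		return nil, fmt.Errorf("token audience %q is not this application", c.Audience)
	}
	if !now.Before(time.Unix(c.Expires, 0)) {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

func main() {
	// Constructed values; the issuer and audience URLs are placeholders.
	dirKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tok, err := IssueToken(dirKey, Claims{Issuer: "https://directory.example/tenant-a",
		Subject: "alice@contoso.example", Audience: "https://saas-app.example",
		Expires: time.Now().Add(10 * time.Minute).Unix()})
	if err != nil {
		panic(err)
	}
	c, err := ValidateToken(&dirKey.PublicKey, tok, "https://directory.example/tenant-a",
		"https://saas-app.example", time.Now())
	fmt.Println(c, err)
}
```

The order inside ValidateToken is the point: the signature is verified before any claim is read, and a valid signature alone is not enough, because a token minted for one application could otherwise be replayed at another, or a stale token reused after it should have lapsed.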

If an organization doesn't use Windows Server Active Directory - it has no on-premises servers or domains - and relies solely on cloud applications that use Azure AD, using just this cloud directory would give the firm's users single sign-on to all of them. Yet while this scenario gets more common every day, most organizations still use on-premises domains created with Windows Server Active Directory. Azure AD has a useful role to play here as well, as Figure 3 shows.

Figure 3: An organization can federate Windows Server Active Directory with Azure Active Directory to give its users single sign-on to SaaS applications.

In this scenario, a user at organization B wishes to access a SaaS application. Before she does this, the organization's directory administrators must establish a federation relationship with Azure AD using AD FS, as the figure shows. Those admins must also configure data synchronization between the organization's on-premises Windows Server AD and Azure AD. This automatically copies user and group information from the on-premises directory to Azure AD. Notice what this allows: In effect, the organization is extending its on-premises directory into the cloud. Combining Windows Server AD and Azure AD in this way gives the organization a directory service that can be managed as a single entity, while still having a footprint both on-premises and in the cloud.

To use Azure AD, the user first logs in to her on-premises Active Directory domain as usual (step 1). When she tries to access the SaaS application (step 2), the federation process results in Azure AD issuing her a token for this application (step 3). (For more on how federation works, see Claims-Based Identity for Windows: Technologies and Scenarios.) As before, this token contains information that identifies the user, and it's digitally signed by Azure AD. This token is then sent to the SaaS application (step 4), which validates the token's signature and uses its contents (step 5). And as in the previous scenario, the SaaS application can use the Graph API to learn more about this user if necessary (step 6).

Today, Azure AD isn't a complete replacement for on-premises Windows Server AD. As already mentioned, the cloud directory has a much simpler schema, and it's also missing things such as group policy, the ability to store information about machines, and support for LDAP. (In fact, a Windows machine can't be configured to let users log in to it using nothing but Azure AD - this isn't a supported scenario.) Instead, the initial goals of Azure AD include letting enterprise users access applications in the cloud without maintaining a separate login and freeing on-premises directory administrators from manually synchronizing their on-premises directory with every SaaS application their organization uses. Over time, however, expect this cloud directory service to address a wider range of scenarios.

Using Azure Active Directory Access Control

Cloud-based identity technologies can be used to solve a variety of problems. Azure Active Directory can give an organization's users single sign-on to multiple SaaS applications, for example. But identity technologies in the cloud can also be used in other ways.

Suppose, for instance, that an application wishes to let its users log in using tokens issued by multiple identity providers (IdPs). Lots of different identity providers exist today, including Facebook, Google, Microsoft, and others, and applications frequently let users sign in using one of these identities. Why should an application bother to maintain its own list of users and passwords when it can instead rely on identities that already exist? Accepting existing identities makes life simpler both for users, who have one less username and password to remember, and for the people who create the application, who no longer need to maintain their own lists of usernames and passwords.

But while every identity provider issues some kind of token, those tokens aren't standard - each IdP has its own format. Furthermore, the information in those tokens also isn't standard. An application that wishes to accept tokens issued by, say, Facebook, Google, and Microsoft is faced with the challenge of writing unique code to handle each of these different formats.

But why do this? Why not instead create an intermediary that can generate a single token format with a common representation of identity information? This approach would make life simpler for the developers who create applications, since they now need to handle only one kind of token. Azure Active Directory Access Control does exactly this, providing an intermediary in the cloud for working with diverse tokens. Figure 4 shows how it works.

Figure 4: Azure Active Directory Access Control makes it easier for applications to accept identity tokens issued by different identity providers.

The process begins when a user attempts to access the application from a browser. The application redirects her to an IdP of her choice (and that the application also trusts). She authenticates herself to this IdP, such as by entering a username and password (step 1), and the IdP returns a token containing information about her (step 2).

As the figure shows, Access Control supports a range of different cloud-based IdPs, including accounts created by Google, Yahoo, Facebook, Microsoft (formerly known as Windows Live ID), and any OpenID provider. It also supports identities created using Azure Active Directory and, through federation with AD FS, Windows Server Active Directory. The goal is to cover the most commonly used identities today, whether they're issued by IdPs in the cloud or on-premises.

Once the user's browser has an IdP token from her chosen IdP, it sends this token to Access Control (step 3). Access Control validates the token, making sure that it really was issued by this IdP, then creates a new token according to the rules that have been defined for this application. Like Azure Active Directory, Access Control is a multi-tenant service, but the tenants are applications rather than customer organizations. Each application can get its own namespace, as the figure shows, and can define various rules about authorization and more.

These rules let each application's administrator define how tokens from various IdPs should be transformed into an Access Control token. For example, if different IdPs use different types for representing usernames, Access Control rules can transform all of these into a common username type. Access Control then sends this new token back to the browser (step 4), which submits it to the application (step 5). Once it has the Access Control token, the application verifies that this token really was issued by Access Control, then uses the information it contains (step 6).

While this process might seem a little complicated, it actually makes life significantly simpler for the creator of the application. Rather than handle diverse tokens containing different information, the application can accept identities issued by multiple identity providers while still receiving only a single token with familiar information. Also, rather than require each application to be configured to trust various IdPs, these trust relationships are instead maintained by Access Control - an application need only trust it.
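The rule-based transformation described above (a per-application namespace with its own list of trusted IdPs, rules that map each IdP's claim types onto a common type, and a single output token that carries only what the rules produced), as an added example that is not Access Control's own code or configuration format. The namespace name, the issuer identifiers and the claim type names are constructed placeholders; the input tokens are assumed to have already had their signatures checked against the issuing IdP, as step 3 describes.

```go
package main

import (
	"errors"
	"fmt"
)

// IdPToken is the token the browser relays from an identity provider in
// step 3, after its signature has been checked. Each IdP names its claim
// types differently; that mismatch is what the rules smooth over.
// (Constructed example; these are not Access Control's real types.)
type IdPToken struct {
	Issuer string            // identifier of the IdP that issued it
	Claims map[string]string // IdP-specific claim type -> value
}

// Rule maps one input claim from one issuer to an output claim type.
// Issuer "*" applies to every trusted issuer. An empty InputType means the
// rule adds a fixed claim (OutputValue) instead of copying one from the input.
type Rule struct {
	Issuer      string
	InputType   string
	OutputType  string
	OutputValue string
}

// ACToken is the single, common-format token the application receives (step 4).
type ACToken struct {
	Issuer string            // the Access Control namespace, not the original IdP
	Claims map[string]string // only claims that some rule produced
}

// Namespace is one application's tenant in Access Control: the IdPs it
// trusts and the rule group that rewrites their claims.
type Namespace struct {
	Name           string
	TrustedIssuers map[string]bool
	Rules          []Rule // applied in order; a later rule overrides an earlier one
}

// Transform rejects tokens from IdPs this namespace does not trust, then
// rewrites the IdP's claims into the application's common claim set.
func (ns *Namespace) Transform(in IdPToken) (*ACToken, error) {
	if !ns.TrustedIssuers[in.Issuer] {
		return nil, fmt.Errorf("issuer %q is not trusted by namespace %q", in.Issuer, ns.Name)
	}
	out := &ACToken{Issuer: ns.Name, Claims: map[string]string{}}
	for _, r := range ns.Rules {
		if r.Issuer != "*" && r.Issuer != in.Issuer {
			continue
		}
		if r.InputType == "" {
			out.Claims[r.OutputType] = r.OutputValue
			continue
		}
		if v, ok := in.Claims[r.InputType]; ok {
			out.Claims[r.OutputType] = v
		}
	}
	// Unmapped input claims never reach the application. If no rule yielded
	// the common username claim, fail closed instead of handing the
	// application an anonymous token.
	if out.Claims["name"] == "" {
		return nil, errors.New("rule group produced no name claim")
	}
	return out, nil
}

// ContosoNamespace is a constructed rule group for an application that accepts
// three IdPs whose username claims use three different type names.
func ContosoNamespace() *Namespace {
	return &Namespace{
		Name: "contoso-app",
		TrustedIssuers: map[string]bool{
			"google.example": true, "facebook.example": true, "corp-adfs.example": true,
		},
		Rules: []Rule{
			{Issuer: "google.example", InputType: "email", OutputType: "name"},
			{Issuer: "facebook.example", InputType: "http://facebook.example/claims/user_id", OutputType: "name"},
			{Issuer: "corp-adfs.example", InputType: "http://schemas.example/identity/upn", OutputType: "name"},
			{Issuer: "*", OutputType: "role", OutputValue: "visitor"},
			{Issuer: "corp-adfs.example", OutputType: "role", OutputValue: "employee"}, // overrides "visitor"
		},
	}
}

func main() {
	ns := ContosoNamespace()
	tok, err := ns.Transform(IdPToken{Issuer: "google.example",
		Claims: map[string]string{"email": "alice@gmail.example"}})
	fmt.Println(tok, err)
}
```

Two design choices carry the security weight here: the trust list is checked before any rule runs, so the application never sees a token from an IdP its administrator did not enrol, and the output is built only from rule results, so claims the IdP happens to include but no rule mentions are dropped rather than passed through.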

It's worth pointing out that nothing about Access Control is tied to Windows - it could just as well be used by a Linux application that accepted only Google and Facebook identities. And even though Access Control is part of the Azure Active Directory family, you can think of it as an entirely distinct service from what was described in the previous section. While both technologies work with identity, they address quite different problems (although Microsoft has said that it expects to integrate the two at some point).

Working with identity is important in nearly every application. The goal of Access Control is to make it easier for developers to create applications that accept identities from diverse identity providers. By putting this service in the cloud, Microsoft has made it available to any application running on any platform.

About the Author

David Chappell is Principal of Chappell & Associates www.davidchappell.com in San Francisco, California.

Preview of the Azure Active Directory management experience in the Azure portal

1/17/2017 • 1 min to read

The Azure Active Directory (Azure AD) management experience is in preview in the Azure portal. You can try it out by signing in to the Azure portal as a global administrator of your directory. Then, select Azure Active Directory in the services list if it is visible, or select More services to view the list of all services. You do not need an Azure subscription to use the Azure AD management experience in the Azure portal.

Learn about what you can do in the preview experience

The preview experience enables you to manage many directory resources such as users, groups, applications, and directory settings in the Azure portal. We are improving this experience to include all the capabilities that exist in the Azure AD management experience in the Azure classic portal. Until then, there are some directory management tasks that you must still complete in the classic portal.

Manage the same Azure AD tenants

The preview experience reads and writes to the same Azure Active Directory tenant as the classic portal and the Office 365 Admin center. Changes that are made in any of these portals are reflected in all the other portals.

Use the same authorization logic

The preview experience uses the same authorization logic as existing Active Directory clients. Users are authorized to make changes to directory resources based on their directory role, such as global administrator, user administrator, and password administrator. Having a role on Azure resources or an Azure subscription doesn't give users the authorization to manage directory resources. For more information about Azure AD management roles, see Assigning administrator roles in Azure Active Directory.

The preview experience is optimized for global administrators. If you use the preview experience while signed in as a user that is not a global administrator, you might have a degraded experience. For example, you might be able to select a button that lets you begin a task that you can't complete in the directory. We will be improving this experience soon.

Tell us what you think


Getting started with Azure Active Directory Premium

1/17/2017 • 4 min to read

To sign up for Active Directory Premium, you have several options:

Azure or Office 365 - As an Azure or Office 365 subscriber, you can buy Active Directory Premium online. For detailed steps, see How to Purchase Azure Active Directory Premium - Existing Customers or How to Purchase Azure Active Directory Premium - New Customers.

Enterprise Mobility + Security - Enterprise Mobility + Security (formerly Enterprise Mobility Suite) is a cost-effective way for organizations to use the following services together under one licensing plan: Active Directory Premium, Azure Rights Management, Microsoft Intune. For more information, see the Enterprise Mobility + Security web site. To get a free 30-day trial, click here.

This topic shows you how to get started with an Azure Active Directory Premium subscription you have purchased through the Volume Licensing program. If you are not yet familiar with the different editions of Azure Active Directory, see Azure Active Directory editions.

NOTE Azure Active Directory Premium and Basic editions are available for customers in China using the worldwide instance of Azure Active Directory. Azure Active Directory Premium and Basic editions are not currently supported in the Microsoft Azure service operated by 21Vianet in China. For more information, contact us at the Azure Active Directory Forum.

Step 1: Sign up for Active Directory Premium

Step 2: Activate your license plan

Is this your first license plan purchase through the Enterprise Volume Licensing program from Microsoft? In this case, you get a confirmation email when your purchase has been completed. You need this email to activate your first license plan.

On any subsequent purchase for this directory, the licenses are automatically activated in the same directory.

To activate your license plan, perform one of the following steps:

1. To start the activation, click either Sign In or Sign Up.

If you have an existing tenant, click Sign In to sign in with your existing administrator account. You need to sign in with the global administrator credentials from the directory where the licenses must be activated.

If you want to create a new Azure Active Directory tenant to use with your licensing plan, click Sign Up to open the Create Account Profile dialog.

When you are done, the following dialog shows up as confirmation for the activation of the license plan for your tenant.

Step 3: Activate your Azure Active Directory access

If you have used Microsoft Azure before, you can proceed to Step 4.

When the licenses are provisioned to your directory, a Welcome email is sent to you. The email confirms that you can start managing your Azure Active Directory Premium or Enterprise Mobility Suite licenses and features.

If you make an attempt to activate your access to Azure Active Directory prior to receiving the Welcome email, you get the following error message.

Please try again in a few minutes once you have received the email.

New administrators in your subscription can also activate their access to the Azure classic portal through this link.

To activate your Azure Active Directory access, perform the following steps:

1. In your Welcome email, click Sign In.

2. When you have signed in successfully, you need to complete a second-factor authentication in the form of a mobile verification.

The activation can take a few minutes. Once your access is active, the brown bar disappears and you are able to click Portal.

In this case, your Azure access is limited to Azure Active Directory. You may already have had access to Azure from prior usage; in addition, you can upgrade your Azure Active Directory access to full Azure access by activating additional Azure subscriptions. In these cases, the Azure classic portal has more capabilities.

Step 4: Assign license to user accounts

Before you can start using the plan you purchased, you need to manually assign licenses to user accounts within your organization so that they can use the rich features provided with Premium. Use the following steps to assign licenses to users so they can use Azure Active Directory Premium features.

To assign licenses to users, perform the following steps:

1. Sign into the Azure classic portal as the global administrator of the directory you wish to customize.

2. Click Active Directory, and then select the directory where you want to assign licenses.

3. Select the Licenses tab, select Active Directory Premium or Enterprise Mobility Suite, and then click Assign.

4. In the dialog box, select … the changes.

License restrictions

Some license plans are subsets or supersets of other license plans. Typically, a user cannot be assigned a license plan that has already been assigned to them. If it is your intention to assign a license plan that is a superset, you need to first remove the subset license plan.

License requirements

When you assign a license to a user, you can specify a primary usage location in the properties of their account. If a usage location is not specified, the tenant’s location is automatically assigned to the user.

The availability of services and features for a Microsoft cloud service varies by country or region. A service, such as Voice over Internet Protocol (VoIP), may be available in one country or region, and not available in another. Features within a service can be restricted for legal reasons in certain countries or regions. To see if a service or feature is available with or without restrictions, look for your country or region on the license restrictions site of a service.

What's next

Add company branding to your Sign In and Access Panel pages

View your access and usage reports

How Azure subscriptions are associated with Azure Active Directory

1/17/2017 • 9 min to read

This article covers information about signing in to Microsoft Azure and related issues, such as the relationship between an Azure subscription and Azure Active Directory (Azure AD).

Accounts that you can use to sign in

Let’s start with the accounts that you can use to sign in. There are two types: a Microsoft account (formerly known as Microsoft Live ID) and a work or school account, which is an account stored in Azure AD.

MICROSOFT ACCOUNT vs. AZURE AD ACCOUNT

Microsoft account: The consumer identity system run by Microsoft
Azure AD account: The business identity system run by Microsoft

Microsoft account: Authentication to services that are consumer-oriented, such as Hotmail and MSN
Azure AD account: Authentication to services that are business-oriented, such as Office 365

Microsoft account: Consumers create their own Microsoft accounts, such as when they sign up for email
Azure AD account: Companies and organizations create and manage their own work or school accounts

Microsoft account: Identities are created and stored in the Microsoft account system
Azure AD account: Identities are created by using Azure or another service such as Office 365, and they are stored in an Azure AD instance assigned to the organization

Although Azure originally allowed access only by Microsoft account users, it now allows access by users from both systems. This was done by having all the Azure properties trust Azure AD for authentication, having Azure AD authenticate organizational users, and by creating a federation relationship where Azure AD trusts the Microsoft account consumer identity system to authenticate consumer users. As a result, Azure AD is able to authenticate “guest” Microsoft accounts as well as “native” Azure AD accounts.

For example, here a user with a Microsoft account signs in to the Azure classic portal.

NOTE To sign in to the Azure classic portal, msmith@hotmail.com must have a subscription to Azure. The account must be either a Service administrator or a co-administrator of the subscription.

Because this Hotmail address is a consumer account, the sign-in is authenticated by the Microsoft account consumer identity system. The Azure AD identity system trusts the authentication done by the Microsoft account system and will issue a token to access Azure services.

How an Azure subscription is related to Azure AD

Every Azure subscription has a trust relationship with an Azure AD instance. This means that it trusts that directory to authenticate users, services, and devices. Multiple subscriptions can trust the same directory, but a subscription trusts only one directory. You can see which directory is trusted by your subscription under the Settings tab. You can edit the subscription settings to change which directory it trusts.

This trust relationship that a subscription has with a directory is unlike the relationship that a subscription has with all other resources in Azure (websites, databases, and so on), which are more like child resources of a subscription. If a subscription expires, then access to those other resources associated with the subscription also stops. But the directory remains in Azure, and you can associate another subscription with that directory and continue to manage the directory users.

Similarly, the Azure AD extension you see in your subscription doesn’t work like the other extensions in the Azure classic portal. Other extensions in the Azure classic portal are scoped to the Azure subscription. What you see in the Azure AD extension does not vary based on subscription – it shows only directories based on the signed-in user.

All users have a single home directory which authenticates them, but they can also be guests in other directories. In the Azure AD extension, you will see every directory your user account is a member of. Any directory that your account is not a member of will not appear. A directory can issue tokens for work or school accounts in Azure AD or for Microsoft account users (because Azure AD is federated with the Microsoft account system).

This diagram shows a subscription for Michael Smith after he signed up by using a work account for Contoso.


How to manage a subscription and a directory

The administrative roles for an Azure subscription manage resources tied to the Azure subscription. These roles and the best practices for managing your subscription are covered at Assigning administrator roles in Azure Active Directory.

By default, you are assigned the Service Administrator role when you sign up. If others need to sign in and access services using the same subscription, you can add them as co-administrators. The Service Administrator and co-administrators can be either Microsoft accounts or work or school accounts from the directory that the Azure subscription is associated with.

Azure AD has a different set of administrative roles to manage the directory and identity-related features. For example, the global administrator of a directory can add users and groups to the directory, or require multifactor authentication for users. A user who creates a directory is assigned to the global administrator role and they can assign administrator roles to other users.

As with subscription administrators, the Azure AD administrative roles can be either Microsoft accounts or work or school accounts. Azure AD administrative roles are also used by other services such as Office 365 and Microsoft Intune. For more information, see Assigning administrator roles.

But the important point here is that Azure subscription admins and Azure AD directory admins are two separate concepts. Azure subscription admins can manage resources in Azure and can view the Active Directory extension in the Azure classic portal (because the Azure classic portal is an Azure resource). Directory admins can manage properties in the directory.

A person can be in both roles but this isn’t required. A user can be assigned to the directory global administrator role but not be assigned as Service administrator or co-administrator of an Azure subscription. Without being an administrator of the subscription, this user cannot sign in to the Azure classic portal. But the user could perform directory administration tasks using other tools such as Azure AD PowerShell or Office 365 Admin Center.

Why can't I manage the directory with my current user account?

Sometimes a user may try to sign in to the Azure classic portal using a work or school account prior to signing up for an Azure subscription. In this case, the user will receive a message that there is no subscription for that account. The message will include a link to start a free trial subscription.

After signing up for the free trial, the user will see the directory for the organization in the Azure classic portal but be unable to manage it (that is, be unable to add users, or edit any existing user properties) because the user is not a directory global administrator. The subscription allows the user to use the Azure classic portal and see the Azure Active Directory extension, but the additional permissions of a global administrator are needed to manage the directory.

Using your work or school account to manage an Azure subscription that was created by using a Microsoft account

As a best practice, you should sign up for Azure as an organization and use a work or school account to manage resources in Azure. Work or school accounts are preferred because they can be centrally managed by the organization that issued them, they have more features than Microsoft accounts, and they are directly authenticated by Azure AD. The same account provides access to other Microsoft online services that are offered to businesses and organizations, such as Office 365 or Microsoft Intune. If you already have an account that you use with those other properties, you likely want to use that same account with Azure. You will also already have an Active Directory instance backing those properties that you will want your Azure subscription to trust.

Work or school accounts can also be managed in more ways than a Microsoft account. For example, an administrator can reset the password of a work or school account, or require multifactor authentication for it.

In some cases, you may want a user from your organization to be able to manage resources that are associated with an Azure subscription for a consumer Microsoft account. For more information about how to transition to have different accounts manage subscriptions or directories, see Manage the directory for your Office 365 subscription in Azure.

Signing in when you used your work email for your Microsoft account

If at some point in the past you created a consumer Microsoft account using your work email as a user identifier, you may see a page asking you to select from either the Microsoft Azure Account system or the Microsoft Account system.

You have user accounts with the same name, one in Azure AD and the other in the consumer Microsoft account system. You should pick the account that is associated with the Azure subscription you want to use. If you get an error saying a subscription does not exist for this user, you likely just chose the wrong option. Sign out and try again. For more information about errors that can prevent sign in, see Troubleshooting "We were unable to find any subscriptions associated with your account" errors.

Manage the directory for your Office 365 subscription in Azure

Let's say you signed up for Office 365 before you signed up for Azure. Now you want to manage the directory for the Office 365 subscription in the Azure classic portal. There are two ways to do this, depending on whether or not you have already signed up for Azure.

I do not have a subscription for Azure

In this case, just sign up for Azure using the same work or school account that you use to sign in to Office 365. Relevant information from the Office 365 account will be prepopulated in the Azure sign-up form. Your account will be assigned to the Service Administrator role of the subscription.

I do have a subscription for Azure using my Microsoft account

If you signed up for Office 365 using a work or school account and then signed up for Azure using a Microsoft account, then you have two directories: one for your work or school and a Default directory that was created when you signed up for Azure.

To manage both of the directories in the Azure classic portal, complete these steps.

NOTE These steps can only be completed while a user is signed in with a Microsoft account. If the user is signed in with a work or school account, the option Use existing directory is not available because a work or school account can be authenticated only by its home directory (that is, the directory where the work or school account is stored, and which is owned by the work or school).

1. Sign in to the Azure classic portal using your Microsoft account.

3. Click Use existing directory and check I am ready to be signed out now and click the check mark to complete the action.

4. Sign in to the Azure classic portal using an account that has global admin rights for the work or school directory.

5. When prompted Use the Contoso directory with Azure?, click Continue.

6. Click Sign out now.

7. Sign back in to the Azure classic portal using your Microsoft account. Both directories will appear in the Active Directory extension.

Next Steps

To learn more about how resource access is controlled in Microsoft Azure, see Understanding resource access in Azure.

For more information on how to assign roles in Azure AD, see Assigning administrator roles in Azure Active Directory.

Sign up for Azure as an organization

What is Microsoft Azure Active Directory licensing?

1/17/2017 • 10 min to read

Description

Azure Active Directory (Azure AD) is Microsoft's Identity as a Service (IDaaS) solution and platform. Azure AD is offered in a number of functional and technical versions ranging from Azure AD Free, which is available with any Microsoft service such as Office 365, Dynamics, Microsoft Intune and Azure (Azure AD does not generate any consumption charges in this mode), to Azure AD paid versions such as Enterprise Mobility Suite (EMS), Azure AD Premium and Basic, as well as Azure Multi-Factor Authentication (MFA). Like many Microsoft online services, most Azure AD paid versions are delivered through per-user entitlements, as they are in Office 365, Microsoft Intune, and Azure AD. In these cases, the service purchase is represented with one or more subscriptions, and each subscription includes a pre-purchased number of licenses in your tenant. Per-user entitlements are achieved through license assignment, creating a link between the user and the product, enabling the service components for the user, and consuming one of the prepaid licenses.

NOTE Azure AD administration portal is a part of the Azure classic portal. While using Azure AD does not require any Azure purchases, accessing this portal requires an active Azure subscription or an Azure trial subscription.

NOTE Azure pay-as-you-go subscriptions are different: while also represented in your directory, these subscriptions enable creation of Azure resources and map them to your payment method. In this case there are NO license counts associated with the subscription. Users are associated with the subscription, and given access to manage its resources, by granting them permissions to operate on Azure resources mapped to the subscription.

How does Azure AD licensing work?

License-based (Entitlement-based) Azure AD services work by activating a subscription in your Azure AD directory/service tenant. Once the subscription is active the service capabilities can be managed by directory/service administrators and used by licensed users.

When you purchase or activate Enterprise Mobility Suite, Azure AD Premium, or Azure AD Basic, your directory is updated with the subscription, including its validity period and prepaid licenses. Your subscription information, including status, next lifecycle event, and the number of assigned or available licenses, is available through the Azure classic portal under the Licenses tab for the specific directory. This is also the best place to manage your license assignments.

Each subscription consists of one or more service plans, each mapping to the included functional level of a service type; for example, Azure AD, Azure MFA, Microsoft Intune, Exchange Online, or SharePoint Online. Azure AD license management does NOT require service plan level management. This is different from Office 365, which relies on this advanced configuration mode to manage access to included services. Azure AD relies on in-service configuration to enable features and manage individual permissions.

In general, Azure AD subscription information is managed through the Azure classic portal, under the Licenses tab for the specific directory. Azure AD subscriptions, with the exception of Azure AD Premium, do NOT show up in the Office portal.

IMPORTANT Azure AD Premium and Basic, as well as Enterprise Mobility Suite subscriptions, are confined to their provisioned directory/tenant. Subscriptions cannot be split between directories or used to entitle users in other directories. Moving a subscription between directories is possible but requires submitting a support ticket or cancellation and re-purchase in the case of direct purchases.

When purchasing Azure AD or Enterprise Mobility Suite through Volume Licensing, subscription activation will happen automatically when the agreement includes other Microsoft Online services, e.g. Office 365.

Paid Azure AD features span the breadth of the directory. Examples include:

Group-based assignment to applications, which is enabled under the specific application you are managing.

Advanced and self-service group management capabilities are available under the directory configuration or within the specific group.

Premium security reports are on the Reporting tab.

Cloud application discovery shows up in the Azure portal under Identity.

Assigning licenses

While obtaining a subscription is all you need to configure paid capabilities, using your Azure AD paid features requires distributing licenses to the right individuals. In general, any user who should have access to or who is managed through an Azure AD paid feature must be assigned a license. A license assignment is a mapping between a user and a purchased service, such as Azure AD Premium, Basic, or Enterprise Mobility Suite.

Managing which users in your directory should have a license is simple. It can be accomplished by assigning a license to a group, which creates an assignment rule, through the Azure AD administration portal, or by assigning licenses directly to the right individuals through a portal, PowerShell, or APIs. When assigning licenses to a group, all group members will be assigned a license. If users are added to or removed from the group, the appropriate license will be assigned to or removed from them. Group assignment can utilize any group management available to you and is consistent with group-based assignment to applications. Using this approach, you can set up rules such that all users in your directory are automatically assigned, ensure that everyone with the appropriate job title has a license, or even delegate the decision to other managers in the organization.

With group-based license assignment, any user missing a usage location will inherit the directory location during assignment. This location can be changed by the administrator at any time. In cases where the automated assignment failed due to error, the user information under that license type will reflect that state.

Getting started with Azure AD licensing

Getting started with Azure AD is easy; you can always create your directory as a part of signing up to a free Azure trial. Learn more about signing up as an organization. The following can help you make sure that your directory is best aligned with other Microsoft services you may be consuming or are planning to consume, and your goals in obtaining the service.

Here are a couple of best practices:

If you are already using any of Microsoft's organizational services, you already have an Azure AD directory. In this case, you should continue to use the same directory for other services, so that core identity management, including provisioning and hybrid SSO, can be utilized across the services. Your users will have a single logon experience and will benefit from richer capabilities across the services. As a result, if you decide to buy an Azure AD paid service for your workforce, we recommend that you use the same directory to do this.

If you are planning to use Azure AD for a different set of users (partners, customers, and so on), or if you would like to evaluate Azure AD services and would like to do that in isolation from your production service, or if you are looking to set up a sandbox environment for your services, we recommend that you first create a new directory through the Azure classic portal. Learn more about creating a new Azure AD directory in the Azure classic portal. The new directory will be created with your account as an external user with global administrator permissions. When you sign in to the Azure classic portal with this account, you will be able to see this directory and access all directory administration tasks. We recommend that you create a local account with appropriate privileges to manage other Microsoft services (those not accessible through the Azure classic portal). Learn more about creating user accounts in Azure AD.

NOTE Azure AD supports “external users,” which are user accounts in an instance of Azure AD that were created using either a Microsoft Account (MSA) or an Azure AD identity from another directory. While we are busy extending this capability into all of Microsoft's organizational services, right now these accounts are not supported in some of the services' experiences; for example, the Office 365 administration portal does not currently support these users. As a result, external users with Microsoft accounts will not be able to access the Office 365 administration portal at all, while external users from other Azure AD directories will be ignored. In the latter case, only the user’s local account, the Azure AD or Office 365 directory where the user was originally created, would be accessible through these experiences.

As indicated, Azure AD has different paid versions. These versions have some minor differences in their purchase availability:

[Purchase availability table. Columns: MPN Use Rights, Direct Purchase, Product Trial, EA/VL, Open, CSP. Rows: Enterprise Mobility Suite and Azure AD Premium are each marked available through five of the six channels; Azure AD Basic is marked available through four. The per-cell marks did not survive extraction.]

Select one or more license trials

In all cases, you can activate an Azure AD Premium or Enterprise Mobility Suite trial subscription by selecting the specific trial you want on the Licenses tab in your directory. Either trial contains a 30-day subscription with 100 licenses.

Assign licenses

Once the subscription is active, you should assign a license to yourself and refresh the browser to ensure you are seeing all your features. The next step is to assign licenses to the users that will need to access or be included in paid Azure AD features. As we mentioned above in "Assigning licenses," the best way to do this is to identify the group representing the desired audience and assign it to the license; in this way, users who are added to or removed from the group over its lifecycle will be assigned to or removed from the license.

To assign a license to a group or individual users, select the license plan you would like to assign and click Assign on the command bar.

Once in the assignment dialog for the selected plan, you can select users and add them to the Assign column on the right. You can page through the user list or search for specific individuals using the looking glass on the top right of the user grid. To assign groups, select "Groups" from the Show menu and then click the check button on the right to refresh the assignments that are displayed.

You can now search or page through groups and add them to the Assign column in the same way. You can use these to assign a combination of users and groups in a single operation. To complete the assignment process, click the check button in the bottom right corner of the page.

When a group is assigned, its members inherit the licenses within 30 minutes, but usually within 1-2 minutes.

Assignment errors can occur during Azure AD license assignment, but are relatively rare. Potential assignment errors are limited to:

Assignment conflict - when a user was previously assigned a license that is incompatible with the current license. In this case, assigning the new license will require removing the previous one.

Exceeded available licenses - when the number of users in assigned groups exceeds the available licenses, the users' assignment status will reflect a failure to assign due to missing licenses.
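The direct-assignment path described above (portal, PowerShell, or APIs) and the two error conditions just listed, shown as an added example with the AzureAD PowerShell module; this is not code from the Azure documentation. The SKU part number 'AAD_PREMIUM', the default usage location 'US', and the user name are placeholders you would replace for your own directory.

```powershell
# Added example, not from the Azure documentation: directly assign one
# Azure AD license to one user, first checking the prepaid license count
# (the "Exceeded available licenses" condition) and the user's usage location.
#Requires -Modules AzureAD

function Grant-DirectLicense {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # Placeholder SKU; run Get-AzureADSubscribedSku to list the SKUs in your directory.
        [string] $SkuPartNumber = 'AAD_PREMIUM',
        # Assumed default; a user needs a usage location before a license can be assigned.
        [string] $DefaultUsageLocation = 'US'
    )

    # Resolve the subscription in this directory and its prepaid/consumed counts.
    $sku = Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
    if (-not $sku) {
        throw "No active subscription for '$SkuPartNumber' in this directory."
    }
    $available = $sku.PrepaidUnits.Enabled - $sku.ConsumedUnits
    if ($available -le 0) {
        throw "No available licenses for '$SkuPartNumber' " +
              "($($sku.ConsumedUnits) of $($sku.PrepaidUnits.Enabled) consumed)."
    }

    $user = Get-AzureADUser -ObjectId $UserPrincipalName

    # Unlike group-based assignment, direct assignment does not inherit the
    # directory location, so set one when it is missing.
    if ([string]::IsNullOrEmpty($user.UsageLocation)) {
        Set-AzureADUser -ObjectId $user.ObjectId -UsageLocation $DefaultUsageLocation
    }

    # Nothing to do if the user already holds this SKU (directly or via a group).
    if ($user.AssignedLicenses.SkuId -contains $sku.SkuId) {
        Write-Verbose "$UserPrincipalName already holds $SkuPartNumber."
        return
    }

    $license = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $license.SkuId = $sku.SkuId
    $licenses = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $licenses.AddLicenses = $license
    # An "assignment conflict" with an incompatible SKU is resolved by listing
    # that SKU's id in RemoveLicenses; here nothing is removed.
    $licenses.RemoveLicenses = @()

    try {
        Set-AzureADUserLicense -ObjectId $user.ObjectId -AssignedLicenses $licenses
    } catch {
        throw "Assignment of '$SkuPartNumber' to $UserPrincipalName failed: $($_.Exception.Message)"
    }
}

# Usage, after Connect-AzureAD with a directory administrator account:
# Grant-DirectLicense -UserPrincipalName 'alice@contoso.onmicrosoft.com' -Verbose
```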

View assigned licenses

A summary view of assigned licenses, including available, assigned, and next subscription lifecycle event, is displayed on the Licenses tab.

A detailed list of assigned users and groups, including assignment status and path (direct or inherited from one or more groups), is available when navigating into a license plan.

Removing licenses is just as easy as assigning them. Whether the license is assigned directly to a user or to a group, you can remove it by selecting the license type, selecting Remove, adding the user or group to the remove list, and confirming the action. Alternatively, you can open a license type, select the specific user or group, and tap Remove on the command bar. To end a user’s inheritance of a license from a group, simply remove the user from the group.

Extending trials

Trial extensions for customers are available as self-service through the Office 365 portal. A customer admin can navigate to the Office portal (access depends on permissions for the Office portal) and select your Azure AD Premium trial. Click the Extend trial link and follow the instructions. You will need to enter a credit card, but it will not be charged.

Customers can also request a trial extension by submitting a support request. A customer admin can navigate to the Office 365 portal support page (access depends on permissions for the Office support page). On this page select “Subscriptions and Trials” under Features and “Trial questions” under Symptom. Finally, enter information on the circumstances

Next steps

Now you might be ready to configure and use some Azure AD Premium features.

Self-service password reset

Self-service group management

Azure AD Connect health

Group assignment to applications

Azure Multi-Factor Authentication

Direct purchase of Azure

Sign up for Azure as an organization

1/17/2017 • 1 min to read

Until recently, you could only sign up for a new Microsoft Azure subscription using your Microsoft account (Windows Live ID). Azure now supports using either of the following two account methods to sign up:

Microsoft accounts (created by you for personal use) - Provide access to all consumer-oriented Microsoft products and cloud services, such as Outlook (Hotmail), Messenger, OneDrive, MSN, Xbox LIVE, or Office 365. Signing up for an Outlook.com mailbox automatically creates a Microsoft account. After a Microsoft account is created, it can be used to access consumer-related Microsoft cloud services or Azure. Learn more

Work or school accounts (issued by an admin for business/academic use) - Provide access to all small, medium, and enterprise business-level Microsoft cloud services, such as Azure, Microsoft Intune, or Office 365. When you sign up to one of these services as an organization, a cloud-based directory is automatically provisioned in Azure Active Directory to represent your organization. Learn more

After this directory has been created, an admin can then create users and assign licenses to them based on which cloud service subscriptions they need access to, such as Azure.

Want to sign up for Azure as an organization? Sign up now

Additional Resources

What is Azure AD?

Microsoft Azure blog

Use your on-premises identity infrastructure in the cloud

Azure Active Directory FAQ

1/20/2017 • 7 min to read

Azure Active Directory is a comprehensive Identity as a Service (IDaaS) solution that spans all aspects of identity, access management, and security.

For more details, see What is Azure Active Directory?.

Accessing Azure and Azure Active Directory

Q: Why do I get “No subscriptions found” when I try to access Azure AD in the Azure classic portal (https://manage.windowsazure.com)?

A: Accessing the Azure classic portal requires each user to have permissions on an Azure subscription. If you have a paid Office 365 or Azure AD subscription, navigate to http://aka.ms/accessAAD for a one-time activation step; otherwise you will need to activate a full Azure trial or a paid subscription.

For more details, see:

How Azure subscriptions are associated with Azure Active Directory

Manage the directory for your Office 365 subscription in Azure

Q: What’s the relationship between Azure AD, Office 365, and Azure?

A: Azure Active Directory provides you with common identity and access capabilities to all Microsoft online services. Whether you are using Office 365, Microsoft Azure, Intune or others, you are already using an Azure AD to enable sign-on and access management for all of these services.

In fact, all the users you have enabled for Microsoft Online services are defined as user accounts in one or more Azure AD instances. You can enable these accounts for free Azure AD capabilities such as cloud application access.

Additionally, Azure AD paid services (e.g.: Azure AD basic, Premium, EMS, etc.) complement other Online services such as Office 365 and Microsoft Azure with comprehensive enterprise scale management and security solutions.

Q: Why can I sign in to the Azure portal but not the classic portal?

A: The new Azure portal does not require a valid subscription, whereas the classic portal does require you to have a valid subscription. If you do not have a subscription, you will not be able to sign in to the classic portal.

Q: What are the differences between Subscription Administrator and Directory Administrator?

A: By default, you are assigned the Subscription Administrator role when you sign up for Azure. A Subscription Administrator can use either a Microsoft account or a work or school account from the directory that the Azure subscription is associated with. This role is authorized to manage services in the Azure portal. If others need to sign in and access services using the same subscription, you can add them as co-administrators. This role has the same access privileges as the Service Administrator, but can’t change the association of subscriptions to Azure directories. For additional information on Subscription Administrators, see here and here.

Azure AD has a different set of administrative roles to manage the directory and identity-related features. These administrators will have access to various features in the Azure portal or Azure classic portal and, depending on their role, will be able to create or edit users, assign administrative roles to others, reset user passwords, manage user licenses, and manage domains, among other things. For additional information on Azure AD Directory Administrators and their roles see here.

Getting started with Hybrid Azure AD

Q: How can I connect my on-premises directory to Azure AD?

A: You can connect your on-premises directory to Azure AD using Azure AD Connect.

Q: How do I set up SSO between my on-premises directory and my cloud applications?

A: You only need to set up SSO between your on-premises directory and Azure AD. As long as you access your cloud applications through Azure AD, the service automatically drives your users to correctly authenticate with their on-premises credentials.

Implementing SSO from on-premises can be easily achieved with federation solutions such as ADFS or by configuring password hash sync. You can easily deploy both options using the Azure AD Connect configuration wizard.

Q: Does Azure Active Directory provide a self-service portal for users in my organization?

A: Yes, Azure Active Directory provides you with the Azure AD Access Panel for user self-service and application access. If you are an Office 365 customer, you can find many of the same capabilities in the Office 365 portal.

For more information, see the Introduction to the Access Panel.

Q: Does Azure AD help me manage my on-premises infrastructure?

A: Yes, it does. The Azure AD Premium edition provides you with Connect Health. Azure AD Connect Health helps you monitor and gain insight into your on-premises identity infrastructure and the synchronization services.

Password management

Q: Can I use Azure AD password write-back without password sync? (AKA, I would like to use Azure AD SSPR with password write-back but I don’t want my passwords stored in the cloud?)

A: You do not need to synchronize your AD passwords to Azure AD in order to enable write-back. In a federated environment, Azure AD SSO relies on the on-premises directory to authenticate the user. This scenario does not require the on-premises password to be tracked in Azure AD.

Q: How long does it take for a password to be written back to AD on-premises?

A: Password write-back operates in real-time.

For more details, see Getting started with Password Management

Q: Can I use password write-back with passwords that are managed by an administrator?

A: Yes, if you have password write-back enabled, the password operations performed by an administrator are written back to your on-premises environment.

For more answers to password related questions, see Password Management Frequently Asked Questions.

Q: What can I do if I cannot remember my existing Office 365/Azure AD password while trying to change my password?

A: For this type of situation there are a couple of options. If your organization has enabled self-service password reset, then you can try this. This may or may not work depending on how self-service password reset has been configured. For more information, see How does the password reset portal work.

For Office 365 users, your administrator can reset the password using the steps outlined here.

For Azure AD accounts, administrators can reset passwords using one of the following:

Reset accounts in the Azure portal

Reset accounts in the classic portal

Using PowerShell

Application access

Q: Where can I find a list of applications that are pre-integrated with Azure AD and their capabilities?

A: Azure AD has over 2600 pre-integrated applications from Microsoft, application service providers, or partners. All pre-integrated applications support SSO. SSO enables you to use your organizational credentials to access your apps. Some of the applications also support automated provisioning and de-provisioning.

For a complete list of the pre-integrated applications, see the Active Directory Marketplace.

Q: What if the application I need is not in the Azure AD marketplace?

A: With Azure AD Premium, you can add and configure any application you want. Depending on your application’s capabilities and your preferences, you can configure SSO and automated provisioning.

For more details, see:

Using SCIM to enable automatic provisioning of users and groups from Azure Active Directory to applications
Configuring single sign-on to applications that are not in the Azure Active Directory application gallery

Q: How do users sign into applications using Azure Active Directory?

A: Azure Active directory provides several ways for users to view and access their applications such as:

The Azure AD access panel
The Office 365 application launcher
Direct sign-on to federated apps
Deep links to federated, password-based, or existing apps

For more information, see Deploying Azure AD integrated applications to users.

Q: What are the different ways Azure Active Directory enables authentication and single sign-on to applications?

A: Azure Active Directory supports many standardized protocols for authentication and authorization such as SAML 2.0, OpenID Connect, OAuth 2.0, and WS-Federation. Azure AD also supports password vaulting and automated sign-in capabilities for apps that only support forms-based authentication.

For more information, see:

How does single sign-on with Azure Active Directory work?
Authentication Scenarios for Azure AD
Active Directory Authentication Protocols

Q: Can I add applications I’m running on-premises?

A: Azure AD Application Proxy provides you with easy and secure access to on-premises web applications that you choose. You can access these applications in the same way you are accessing your SaaS apps in Azure Active Directory. There is no need for a VPN or changing your network infrastructure.

For more details, see How to provide secure remote access to on-premises applications.

Q: How do I require MFA for users accessing a particular application?

A: With Azure AD conditional access, you can assign a unique access policy for each application. In your policy, you can require MFA at all times, or when users are not connected to the local network.

For more details, see Securing access to Office 365 and other apps connected to Azure Active Directory.

Q: What is Automated User Provisioning for SaaS Apps?

A: Azure Active Directory allows you to automate the creation, maintenance, and removal of user identities in many popular cloud (SaaS) applications.
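To make the provisioning lifecycle above (and the SCIM link in the application-access section) concrete, here is an added example that is not part of the original documentation: a minimal, in-memory SCIM 2.0 /Users resource of the kind a SaaS app exposes so that a provisioning service can create, update, deactivate and delete accounts in it. The store class, the user ids it hands out and the sample payloads are constructed for illustration.

```python
# Constructed illustration, not Azure AD's or any vendor's code: a minimal
# in-memory SCIM 2.0 /Users resource of the kind a SaaS app exposes so that a
# provisioning service can create, update and deactivate users in it.
import json

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def _as_bool(value) -> bool:
    # Some provisioning clients send booleans as strings ("False"); normalise.
    return value.strip().lower() == "true" if isinstance(value, str) else bool(value)


class ScimUserStore:
    """Create / update / deactivate / delete lifecycle for provisioned users."""

    def __init__(self) -> None:
        self.users: dict = {}  # keyed by the app's own user id
        self._next_id = 1

    def create(self, body: str) -> dict:
        """POST /Users: create a user from a SCIM User JSON document."""
        user = json.loads(body)
        if SCIM_USER not in user.get("schemas", []) or not user.get("userName"):
            raise ValueError("malformed SCIM User resource")
        # A retried POST must not create a second account for the same userName.
        if any(u["userName"] == user["userName"] for u in self.users.values()):
            raise ValueError("user already exists")
        user["id"] = str(self._next_id)
        self._next_id += 1
        user["active"] = _as_bool(user.get("active", True))
        self.users[user["id"]] = user
        return user

    def patch(self, user_id: str, body: str) -> dict:
        """PATCH /Users/{id}: 'replace' ops, e.g. active=false on deprovisioning."""
        req = json.loads(body)
        if SCIM_PATCH not in req.get("schemas", []):
            raise ValueError("not a SCIM PatchOp request")
        user = self.users[user_id]  # KeyError maps to HTTP 404 in a real endpoint
        for op in req["Operations"]:
            if op.get("op", "").lower() != "replace":
                raise ValueError("only 'replace' is handled in this example")
            value = op["value"]
            user[op["path"]] = _as_bool(value) if op["path"] == "active" else value
        return user

    def delete(self, user_id: str) -> None:  # DELETE /Users/{id}: hard-remove
        del self.users[user_id]
```

Deactivation (active=false) rather than deletion is what keeps a leaver's data recoverable while still cutting off access, which is why the PATCH path coerces string booleans carefully.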

Q: Can I set up a secure LDAP connection with Azure Active Directory?

A: No. Azure AD does not support using the LDAP protocol.

List of Tutorials on How to Integrate SaaS Apps with Azure Active Directory

1/17/2017 • 2 min to read

To help you integrate all of your cloud (SaaS) applications with Azure Active Directory, we have developed a collection of tutorials that show you each of the necessary configuration steps.

List of Tutorials