Tuesday, June 30, 2015

Azure Active Directory editions

The Free edition of Azure Active Directory is part of every Azure subscription. There is nothing to license and nothing to install. With it, you can manage user accounts, synchronise with on-premises directories, and get single sign-on across Azure, Office 365, and thousands of popular SaaS applications such as Salesforce, Google Apps, ServiceNow and Dropbox.

Azure AD Premium is what you will need for self-service password reset in the cloud with write-back to on-premises AD.

The Microsoft Enterprise Mobility Suite (EMS) discount makes it the most cost-effective way to acquire the included cloud services:

  1. Microsoft Azure Active Directory Premium for hybrid identity management
  2. Microsoft Intune
  3. Microsoft Azure Rights Management for information protection

| Feature | Free edition | Basic edition | Premium edition |
|---|---|---|---|
| Directory as a service | Up to 500K objects | No object limit | No object limit |
| User and group management using UI or Windows PowerShell cmdlets | ✓ | ✓ | ✓ |
| Device registration | ✓ | ✓ | ✓ |
| Access Panel portal for SSO-based user access to SaaS and custom applications | ✓ (up to 10 apps per user) | ✓ (up to 10 apps per user) | ✓ (no app limit) |
| User-based application access management and provisioning | ✓ | ✓ | ✓ |
| Self-service password change for cloud users | ✓ | ✓ | ✓ |
| Azure AD Connect – for syncing between on-premises directories and Azure Active Directory | ✓ | ✓ | ✓ |
| Standard security reports | ✓ | ✓ | ✓ |
| High availability SLA uptime (99.9%) | | ✓ | ✓ |
| Group-based application access management and provisioning | | ✓ | ✓ |
| Customisation of logo and colours on the Sign In and Access Panel pages | | ✓ | ✓ |
| Self-service password reset for cloud users | | ✓ | ✓ |
| Application Proxy: secure remote access and SSO to on-premises web applications | | ✓ | ✓ |
| Advanced application usage reporting | | | ✓ |
| Self-service group management for cloud users | | | ✓ |
| Self-service password reset with on-premises write-back | | | ✓ |
| Microsoft Identity Manager (MIM) user licenses – for on-premises identity and access management | | | ✓ |
| Advanced anomaly security reports (machine learning-based) | | | ✓ |
| Cloud app discovery | | | ✓ |
| Multi-Factor Authentication service for cloud users | | | ✓ |
| Multi-Factor Authentication server for on-premises users | | | ✓ |

Multi-Factor Authentication is included with Premium and can secure access to on-premises applications (VPN, RADIUS, etc.), Azure, and Microsoft Online Services such as Office 365.

Microsoft Identity Manager (MIM) - Premium comes with the option to grant rights to use a MIM server (and CALs) in your on-premises network to support any combination of hybrid identity solutions. This is a great option if you have a variety of on-premises directories and databases that you want to sync directly to Azure Active Directory. There is no limit on the number of FIM servers you can use; however, MIM CALs are granted based on the allocation of an Azure.


Note, if you have SSPR on prem too?

Q: Can I synchronise data for security questions from on premises?
A: No, this is not possible today, but Microsoft are considering it.

Note2, locked out account?

Q: Do you unlock the local active directory accounts when users reset their passwords?

A: Yes, when a user resets his or her password and password writeback has been deployed with versions of AADSync 1.0.0485.0222 or later, then that user’s account will be automatically unlocked when that user resets his or her password.

Note3 & 4, worries about hackerz?

Q: Do you prevent users from attempting password reset many times in a short time period?

A: Yes. Users may only try 5 password reset attempts within an hour before being locked out for 24 hours. Users may only try to validate a phone number 5 times within an hour before being locked out for 24 hours. Users may only try a single authentication method 5 times within an hour before being locked out for 24 hours.

Q: For how long are the email and SMS one-time passcode valid?

A: The session lifetime for password reset is 105 minutes. This means that from the beginning of the password reset operation, the user has 105 minutes to reset his or her password. The email and SMS one-time passcode are invalid after this time period expires.
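The two answers above describe a throttling and expiry policy: five attempts per authentication method per hour, a 24-hour lockout once that is exceeded, and a 105-minute lifetime for the reset session and its emailed or texted one-time passcode. The following is an added illustration of that policy as a self-contained model, not Azure AD's implementation and not code from this blog. The class and function names (ResetThrottle, ResetSession, start_session), the sliding one-hour window, and the reading that the five attempts are permitted and the sixth triggers the lockout are all assumptions made for the example.

```python
import hmac
import secrets
from collections import defaultdict, deque
from dataclasses import dataclass

# Limits as quoted in the FAQ above (constructed example, not Azure AD's code).
MAX_ATTEMPTS_PER_WINDOW = 5          # attempts allowed per method per user
WINDOW_SECONDS = 60 * 60             # the one-hour counting window
LOCKOUT_SECONDS = 24 * 60 * 60       # lockout applied once the limit is exceeded
SESSION_LIFETIME_SECONDS = 105 * 60  # reset session (and OTP) lifetime


class ResetThrottle:
    """Per-(user, method) attempt counter with a sliding one-hour window.

    Assumption: the five attempts are permitted and the sixth attempt inside
    the window triggers the 24-hour lockout. Each authentication method
    (e.g. "sms", "email") is throttled independently, as the FAQ states.
    """

    def __init__(self):
        self._attempts = defaultdict(deque)  # (user, method) -> attempt timestamps
        self._locked_until = {}              # (user, method) -> unlock time

    def is_locked(self, user, method, now):
        until = self._locked_until.get((user, method))
        return until is not None and now < until

    def record_attempt(self, user, method, now):
        """Register an attempt; return True if it may proceed, False if refused."""
        key = (user, method)
        if self.is_locked(user, method, now):
            return False
        window = self._attempts[key]
        # Drop attempts that have aged out of the one-hour window.
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_ATTEMPTS_PER_WINDOW:
            # Limit exceeded: lock this method for 24 hours and refuse the attempt.
            self._locked_until[key] = now + LOCKOUT_SECONDS
            window.clear()
            return False
        window.append(now)
        return True


@dataclass(frozen=True)
class ResetSession:
    """A password reset session started at `started_at` (seconds since epoch)."""
    started_at: float
    otp: str

    def is_expired(self, now):
        return now - self.started_at > SESSION_LIFETIME_SECONDS

    def verify_otp(self, candidate, now):
        """The OTP is only valid while the session is alive; compare in constant time."""
        if self.is_expired(now):
            return False
        return hmac.compare_digest(candidate, self.otp)


def start_session(now):
    """Begin a reset session with a fresh 6-digit code (to be sent by email/SMS)."""
    code = f"{secrets.randbelow(10**6):06d}"
    return ResetSession(started_at=now, otp=code)


if __name__ == "__main__":
    # Constructed walk-through: five SMS attempts pass, the sixth is refused,
    # and the same user can still use the independent email method.
    throttle = ResetThrottle()
    results = [throttle.record_attempt("alice", "sms", 1000 + i) for i in range(6)]
    print("sms attempts allowed:", results)
    print("email still allowed:", throttle.record_attempt("alice", "email", 1010))
    session = start_session(now=0.0)
    print("otp valid at 100 min:", session.verify_otp(session.otp, 100 * 60))
    print("otp valid at 106 min:", session.verify_otp(session.otp, 106 * 60))
```

The clock is passed in explicitly so the policy can be unit-tested without waiting real hours, and the lockout is keyed per method rather than per user, matching the FAQ's statement that each authentication method is limited separately.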

Azure AD versions: https://msdn.microsoft.com/en-us/library/azure/dn532272.aspx

Azure AD Password writeback: https://msdn.microsoft.com/en-us/library/azure/dn903642.aspx

Setting up SSPR: https://msdn.microsoft.com/en-us/library/azure/dn683881.aspx
