To better understand the structure of Azure® Active Directory® (AAD or Azure AD), we will be exploring each tier of their services in a four-part series.
This is the second part of that series. Below we explore the full scope of features offered with Azure AD’s Basic/Office 365™ apps iteration. Each part will cover the benefits of that particular service, as well as the drawbacks that come with each tier. Click here to read our previous blog on Azure AD Free.
Azure Active Directory Basic/Office365 Apps
Azure AD’s second pricing tier was introduced in 2014 alongside its other services. It was meant to serve as an intermediary step for admins who wanted more out of AAD’s Free version, but weren’t ready to commit to Premium P1 or P2.
Initially referred to as Azure AD Basic, this version of AAD was recently renamed “Azure AD Office 365 apps.” It’s included with the purchase of a subscription to Office 365 E1, E3, E5, and F1.
AAD Office 365 apps is designed to work optimally as a substrate identity solution that’s been paired with a directory service, namely Active Directory. It is meant to provide legacy, on-prem identity management solutions with a bridge to securely connect existing user credentials to select web apps and the Azure infrastructure.
Benefits of Azure AD Office 365 Apps
By itself, AAD O365 apps offers the following features:
- Sync Office365 user accounts to an unlimited number of directory objects
- Leverage SSO for up to 10 pre-integrated SaaS applications per user
- Self-service password changes and resets (for cloud users only)
- Sync with Azure AD Connect
- Basic reporting on their substrate identity management solution
- Service level agreements (SLAs) for Azure infrastructure
- Multi-factor authentication (MFA) only for O365 apps
As with all other versions of Azure AD, O365 apps allows admins to sync their AAD instance with AD through Azure AD Connect. By doing so, admins can increase the value of AAD O365 apps by enabling important Microsoft features like network authentication via RADIUS (which requires an on-prem NPS server) or group policy objects (GPOs) to manage Windows® systems.
On its own, AAD O365 apps can be beneficial for admins looking to manage their Office365 users, but as an identity provider, admins may be searching for other solutions to increase the effectiveness of the substrate identity management tool.
Drawbacks of Azure AD Office 365 Apps
In organizations where users generally use 10 applications or more, AAD O365 apps can be less than ideal. Though AAD O365 apps offers an unlimited number of directory objects per user, this only applies to O365 user accounts, and doesn’t apply to user identities in Azure or Active Directory.
IT teams have to look beyond AAD O365 apps if they want to leverage RADIUS, manage users or groups, customize the provisioning or deprovisioning of users to pre-integrated SaaS apps, or enact GPOs for Windows devices. Additionally, AAD O365 apps doesn’t manage disparate systems (such as macOS® devices or Linux® servers hosted in AWS®), so organizations with heterogeneous environments may need to look beyond Microsoft for managing access to those.
Cloud Identity Management
IT teams looking to leverage Azure AD for identity management may find that it can be a costly choice, depending on what their needs are. Ultimately, AAD O365 apps ideally serves organizations that keep their applications limited to that of Office 365 and a handful of others.
For network authentication, group management, GPOs, and more, IT teams can choose to implement Azure AD in conjunction with AD, though that still leaves them generally limited to Windows-centric devices. As a result, organizations looking for a modern solution that manages all of their modern resources may find that AAD O365 apps is not the most practical choice, as it requires any number of add-ons to reach the level of functionality that some IT departments require.
Admins seeking a holistic solution for managing their IT infrastructure should consider JumpCloud® Directory-as-a-Service® (DaaS). Using preconfigured protocols like cloud-based LDAP, RADIUS, and SAML 2.0, admins can authenticate user credentials to nearly all their resources via True Single Sign-On™ (True SSO).
Also, JumpCloud employs functions such as multi-factor authentication and SSH keys to protect the resources users are connecting to. Identity management in the cloud can be made both simple and secure for admins and users alike.