{"id":71345,"date":"2022-11-07T12:30:00","date_gmt":"2022-11-07T17:30:00","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=71345"},"modified":"2024-11-08T17:45:38","modified_gmt":"2024-11-08T22:45:38","slug":"azure-ad-best-practices","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices","title":{"rendered":"Azure AD Best Practices"},"content":{"rendered":"\n<p>Identity is the <a href=\"https:\/\/jumpcloud.com\/blog\/2022-fal-con-event-recap\">new perimeter<\/a>. Cyberattacks are becoming more advanced and cloud-focused. Identity providers (IdP) have responded by offering security controls that make it possible for small and medium-sized enterprises (SMEs) to be proactive and mitigate these threats. Many SMEs use Microsoft\u2019s Azure Active Directory (AAD), which has <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/security\/fundamentals\/identity-management-best-practices\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">prescribed best practices<\/a> to secure identities. Microsoft reserves several features for its most premium subscriptions levels. IT administrators must determine which <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/authentication\/concept-mfa-licensing#available-versions-of-azure-ad-multi-factor-authentication\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">subscription tiers<\/a>, or mixture of supplemental services from an open directory, are most appropriate for their unique security requirements.&nbsp;<\/p>\n\n\n\n<p>This article outlines the fundamentals of securing identities in AAD with emphasis on understanding what options are available and tailoring security controls to your organization. Provisioning and identity and access management (IAM) is the starting point, followed by centralizing the identity management lifecycle, adding appropriate controls, and auditing.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"heading1\">Identity and Access Control<\/h2>\n\n\n\n<p>There are three main paths for provisioning in AAD:&nbsp;<\/p>\n\n\n\n<ul>\n<li>HR-driven onboarding.<\/li>\n\n\n\n<li>Federating identity from AAD to cloud apps.<\/li>\n\n\n\n<li>Inter-directory such as between the <a href=\"https:\/\/jumpcloud.com\/blog\/ad-ds\">Active Directory Domain Services<\/a> (AD DS) server role to access resources from your on-prem Active Directory domains.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"283\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/1-1.png\" alt=\"Diagram depicting Azure AD provisioning\" class=\"wp-image-71349\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/1-1.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/1-1-300x166.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><figcaption class=\"wp-element-caption\">Image credit: Microsoft<\/figcaption><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Provision, Manage, and Deprovision Access&nbsp;<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"303\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/2-1.png\" alt=\"Get started with identity governance in Azure Active Directory\" class=\"wp-image-71350\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/2-1.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/2-1-300x178.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>Most Microsoft shops have Active Directory (AD). A sync tool called Azure AD Connect syncs users with AAD. Microsoft also accepts non-Microsoft identities for access control, but additional costs may be assessed. Some organizations may have deployed <a href=\"https:\/\/jumpcloud.com\/blog\/what-is-adfs\">Active Directory Federation Services<\/a> (AD FS) prior to the advent of AAD.&nbsp;<\/p>\n\n\n\n<p>There\u2019s a significant potential for disruptions to system availability when identities are migrated from AD FS to AAD without deliberate planning. Avoid impulsive decision-making when you\u2019re migrating users. Organizations that opt for a hybrid approach should harden Active Directory. This detailed guide to <a href=\"https:\/\/jumpcloud.com\/blog\/active-directory-faq\">Active Directory<\/a> offers recommendations about how AD should be managed and maintained for optimal security. Always limit administrative privileges in AD and avoid running day-to-day as a domain administrator.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"221\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/3-1.png\" alt=\"Configure Azure AD cloud sync\" class=\"wp-image-71351\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/3-1.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/3-1-300x129.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>Familiarize yourself with \u201cjoin, move, and leave\u201d planning processes and Microsoft\u2019s concepts for <a href=\"https:\/\/jumpcloud.com\/blog\/what-is-identity-governance-and-administration-iga\">identity governance<\/a>. Automation is possible, but it\u2019s designed for mid-size to large organizations. There\u2019s no default auditing to avoid over-provisioning users or for when individuals leave. Due diligence is necessary to avoid security and compliance issues.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"heading2\">Critically Important AAD Best Practices<\/h3>\n\n\n\n<p>Verify that you\u2019ve completed these steps before moving on.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Role-Based Access Control<\/h4>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"328\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/4-1.png\" alt=\"Role-based access control inside Azure Active Directory\" class=\"wp-image-71352\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/4-1.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/4-1-300x192.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>AAD has built-in and custom user roles, and role-based access control (RBAC) is standard across all subscription tiers. This permits IT to follow the concept of least privilege and helps to establish a <a href=\"https:\/\/jumpcloud.com\/use-cases\/zero-trust\">Zero Trust<\/a> security approach, but it relies heavily on manual input and maintenance. Dynamic membership rules are now possible using a <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/enterprise-users\/groups-dynamic-membership\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">rules-based approach<\/a> that&#8217;s separate from RBAC.<\/p>\n\n\n\n<p>Ensure that you:<\/p>\n\n\n\n<ul>\n<li>Minimize the number of privileged accounts.\n<ul>\n<li>Plan to manage, control, and monitor access.<\/li>\n\n\n\n<li>Limit global administrator accounts and make use of other roles such as billing administrator, global reader, helpdesk administrator, and license administrator.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Limit global administrators and never sync high privilege accounts from AD.<\/li>\n\n\n\n<li>Pay careful attention to external collaboration settings and consider restricting external users from being able to invite guests to shared files; third-party storage; as well as review and adjust global sharing settings for SharePoint Online and OneDrive. These changes impact end users, but make it easier to recognize the \u201cofficial\u201d channels.<\/li>\n<\/ul>\n\n\n\n<p>Using security groups for users assists with application security and lowers administrative overhead. Microsoft limits this capability to AAD Premium 1 (P1) and Premium 2 (P2) accounts. However, always try to avoid assigning resources directly to users and use identity protection. Please note that Microsoft has <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/hybrid\/concept-azure-ad-connect-sync-user-and-contacts\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">documented multiple limitations<\/a> to syncing AD groups with ADD groups.&nbsp; For example, AD primary group memberships will not sync over to AAD.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Multi-Factor Authentication<\/h4>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"196\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/5-3.png\" alt=\"Configuring multi-factor authentication in Azure Active Directory\" class=\"wp-image-71386\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/5-3.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/5-3-300x115.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p><a href=\"https:\/\/jumpcloud.com\/platform\/multi-factor-authentication-mfa\">Multi-factor authentication<\/a> (MFA) is vital for identity protection. AAD\u2019s free tier only permits the use of the Microsoft Authenticator application. Admins have the option of only protecting the Azure AD Global Administrator versus all accounts, but it\u2019s highly advisable to set up MFA for all users. Protect against MFA self-enrollment attacks by using a Temporary Access Pass (TAP) to secure the initial registration. Avoid mixing per-user MFA with Security Defaults and other settings.<\/p>\n\n\n\n<p>Your budget may impact what\u2019s possible. Microsoft assesses fees for all MFA verifications that happen with non-Microsoft identities and capabilities vary depending upon <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/authentication\/concept-mfa-licensing#available-versions-of-azure-ad-multi-factor-authentication\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">licensing levels<\/a>.&nbsp;<\/p>\n\n\n\n<p>Consider using additional context and \u201cnumber matching\u201d in Authenticator notifications to include the application name and geographic location in Push MFA prompts. This practice safeguards against \u201cMFA bombing,\u201d where attackers send repeated requests to exploit MFA fatigue. Attackers successfully hijacked Microsoft users\u2019 sign-in sessions to bypass <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/microsoft-phishing-bypassed-mfa-in-attacks-against-10-000-orgs\/\" target=\"_blank\" rel=\"noreferrer noopener\">MFA at 10,000 organizations<\/a> by using advanced phishing toolkits. Microsoft\u2019s mitigation is to use certificate-based authentication and Fast ID Online (FIDO) v2.0 MFA implementations.&nbsp;<\/p>\n\n\n\n<p>MFA through FIDO 2 devices and Windows Hello requires AAD P1 and P2. Additional hardware costs may apply. Some additional security controls include conditional access (CA).<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Conditional Access<\/h4>\n\n\n\n<p>Microsoft recommends that all accounts deploy CA, but it\u2019s also an extra cost and only available through P1, P2, or the E3 and E5 tiers for Microsoft 365 (M365) users. The standard M365 tier doesn\u2019t include it. The overall licensing scheme is changing and can be bewildering.&nbsp;<\/p>\n\n\n\n<p>There\u2019s more than one CA implementation:<\/p>\n\n\n\n<ul>\n<li>P1 enforces MFA in certain scenarios<\/li>\n\n\n\n<li>P2 is risk based, learning user behavior to minimize MFA prompts<\/li>\n<\/ul>\n\n\n\n<p>There are additional steps to consider for password management before we move on.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">Configure Password Management<\/h4>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"108\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/6.png\" alt=\"Self-service password reset in Azure Active Directory\" class=\"wp-image-71354\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/6.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/6-300x63.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>Microsoft has revised its password policy guidance to no longer expire passwords. It\u2019s important to understand that SMEs that are regulated or don\u2019t have MFA and CA configured shouldn\u2019t do that. You may also consider changing passwords if you suspect an ID has been hijacked. CrowdStrike found that <a href=\"https:\/\/jumpcloud.com\/blog\/2022-fal-con-event-recap\">71% of attacks are now malware-less<\/a> and targeting cloud IDs. 75% of cloud breaches are due to compromised identities. A Zero Trust posture isn\u2019t optional. Consider deploying <a href=\"https:\/\/www.crowdstrike.com\/cybersecurity-101\/what-is-xdr\/\" target=\"_blank\" rel=\"noreferrer noopener\">Extended Detection and Response<\/a> (XDR) from a vendor of your choosing or paying extra for Microsoft Identity Protection if you prefer the Microsoft stack.<\/p>\n\n\n\n<p>Other best practices are:<\/p>\n\n\n\n<ul>\n<li>Set up self-service password reset (SSPR) with two authentication methods. Note that using security questions might be risky, because attackers gather intelligence on employees that\u2019s \u201copen source\u201d from the web or obtain information from third-party breaches elsewhere. Microsoft charges extra for on-premises write-back.<\/li>\n\n\n\n<li>Use the same <a href=\"https:\/\/jumpcloud.com\/blog\/best-practices-password-management\">password policies<\/a> everywhere (on-prem and cloud-based). Microsoft maintains <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/authentication\/concept-password-ban-bad-on-premises\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">extensive documentation<\/a> on an agent-based approach to enforce AAD password protection on AD DS without exposing your domain controller to the web or forcing networking changes. Note that you have to be proficient in modifying AD settings.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Prepare for the Worst<\/h4>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"239\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/7.png\" alt=\"Creating an emergency access global admin account inside Azure Active Directory\" class=\"wp-image-71355\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/7.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/7-300x140.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>Create an <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/roles\/security-emergency-access\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">emergency access<\/a> Global Admin account for when it\u2019s necessary to \u201cbreak the glass\u201d during network outages and periods of system downtime. This account is excluded from CA and MFA. Always store these credentials appropriately and use a highly complex password.<\/p>\n\n\n\n<p>Following the steps outlined above provides a strong foundation with the appropriate entitlements, attributes, and processes to prepare AAD for application provisioning.<\/p>\n\n\n\n<div class=\"promotion-banner-small is-flex-direction-column has-items-aligned-flex-start has-items-aligned-center-tablet\">\n    <div class=\"promo-small-image is-hidden-mobile\">\n        <img decoding=\"async\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/03\/large-202303-EB-Resource-BreakingUpWithAD-290x175-SiteDisplay-aspect-ratio-160-110.png\" alt=\"JumpCloud\">\n    <\/div>\n    <div class=\"promo-small-content\">\n        <p class=\"is-type-body-tiny is-type-weight-bold is-important promo-small-title\">\n            Breaking Up with Active Directory        <\/p>\n        <p class=\"is-type-body-default is-important\">\n            Don\u2019t let your directory hold you back. Learn why it\u2019s time to break up with AD.        <\/p>\n    <\/div>\n    <div class=\"promo-small-cta\">\n        <a href=\"https:\/\/jumpcloud.com\/resources\/ebook-breaking-up-with-active-directory\" data-promo=\"Breaking Up with Active Directory\" class=\"button is-primary-green promo-small-banner-link\">Read Now<\/a>\n    <\/div>\n<\/div>\n\n\n\n\n<h2 class=\"wp-block-heading\" id=\"heading3\">Manage Connected Applications<\/h2>\n\n\n\n<p>Application provisioning is on a per user basis by default with group assignment to applications being reserved for P1, P2, or equivalent AAD subscribers. Ensure that applications don\u2019t provision high access through RBAC. There are multiple options, and automation is available for application provisioning. The initial provisioning cycle populates users, followed by programmatic incremental updates that handle updates made through Microsoft Graph or AD.<\/p>\n\n\n\n<p>Microsoft provides several options for attribute mapping from identities that originate from the \u201cthree paths\u201d mentioned above via <a href=\"https:\/\/jumpcloud.com\/blog\/scim-provisioning-defined\">SCIM<\/a> endpoints to cloud resources or the <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/app-provisioning\/on-premises-scim-provisioning\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Azure AD Provisioning agent<\/a>. The latter must run on the same server as your SCIM application. Microsoft also has options for one-way connections from AAD to LDAP or SQL database user stores, but those have several <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/app-provisioning\/on-premises-ldap-connector-configure\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">on-premise prerequisites<\/a>. Provisioning users into AD DS isn\u2019t supported.<\/p>\n\n\n\n<p>Siloed identities complicate existing identity practices and infrastructure as well as increase technical overhead and the attack surface area. Enable <a href=\"https:\/\/jumpcloud.com\/blog\/what-is-single-sign-on-sso\">single sign-on (SSO)<\/a> to centralize identity management either through AAD or a system or service that integrates with it.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Enable Single Sign-On<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"415\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/8.png\" alt=\"Registering an application and enable single sign-on in Azure AD\" class=\"wp-image-71356\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/8.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/8-300x243.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>SSO will improve security through modern authentication protocols, make life easier for your users, and reduce management overhead. Microsoft has imposed restrictions on the number of SSO applications per user on its free tier, but that policy may be changing. AAD provides pre-built integrations through the Azure AD application gallery in addition to <a href=\"https:\/\/jumpcloud.com\/blog\/what-is-saml\">SAML<\/a> and <a href=\"https:\/\/jumpcloud.com\/blog\/saml-oauth\">OAuth 2.0<\/a> SSO protocols for manual settings. Microsoft doesn\u2019t support the AAA protocol <a href=\"https:\/\/jumpcloud.com\/blog\/what-is-the-radius-protocol\">RADIUS<\/a>, which many network appliances use for access control, so its SSO doesn\u2019t access all of your resources. Consider using <a href=\"https:\/\/jumpcloud.com\/platform\/cloud-radius\" target=\"_blank\" rel=\"noreferrer noopener\">cloud RADIUS<\/a> or install and configure the <a href=\"https:\/\/jumpcloud.com\/blog\/microsoft-server-core-licensing-costs-more\">Microsoft NPS server role<\/a>.<\/p>\n\n\n\n<p>It\u2019s possible for all AAD tiers to access native Windows apps via Kerberos, NTLM, LDAP, RDP, and SSH authentication in a hybrid deployment. However, identity protection features such as CA are limited to P1 and P2 products including <a href=\"https:\/\/go.microsoft.com\/fwlink\/p\/?linkid=2126406\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Azure AD Application Proxy<\/a> or <a href=\"https:\/\/go.microsoft.com\/fwlink\/p\/?linkid=2123157\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">secure hybrid partnerships integrations<\/a>. These services will extend modern security to legacy apps.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"152\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/9.png\" alt=\"Azure AD Application Proxy requires AAD Premium or a Basic License\" class=\"wp-image-71357\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/9.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/9-300x89.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<h4 class=\"wp-block-heading\">Phishing Considerations<\/h4>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"400\" height=\"347\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/10.png\" alt=\"App registrations and admin portal access can be restricted in AAD\" class=\"wp-image-71358\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/10.png 400w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/10-300x260.png 300w\" sizes=\"(max-width: 400px) 100vw, 400px\" \/><\/figure>\n\n\n\n<p>Microsoft\u2019s default settings permit all users to access the AAD admin portal and register custom SSO applets. Attackers are wise to this workflow and exploit OAuth in phishing exploits, which may bypass MFA. The principle of least privilege mandates that users who don\u2019t need access shouldn\u2019t receive it. Strongly consider restricting user-driven application consent and setting <a href=\"https:\/\/learn.microsoft.com\/en-us\/azure\/active-directory\/develop\/v2-permissions-and-consent\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">permissions classifications<\/a> to \u201clow impact.\u201d This also applies to group owners. Compliance boundaries are murkier and should be carefully assessed outside of the Microsoft ecosystem.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"201\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/11.png\" alt=\"Configuring permissions in Azure Active Directory\" class=\"wp-image-71359\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/11.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/11-300x118.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>AAD can be complex and Microsoft has amassed <a href=\"https:\/\/azure.microsoft.com\/en-us\/partners\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Azure partners<\/a> for advanced specialization. Blocks of time with consultants should be a budgeting consideration for any AAD project. This writer, a former IT director, needed consultants even when projects appeared straightforward.<\/p>\n\n\n\n<p>AAD is capable of alerting you to suspicious OAuth authorization requests, but that requires an additional subscription to Microsoft Cloud App security, either standalone or through M365 E5. Other solutions such as <a href=\"https:\/\/www.crowdstrike.com\/resources\/videos\/how-to-detect-and-prevent-suspicious-activities-with-falcon-identity-protection\/\" target=\"_blank\" rel=\"noreferrer noopener\">CrowdStrike Falcon Identity Protection<\/a> have this capability. JumpCloud is a CrowdStrike partner and integrates with its solutions through the <a href=\"https:\/\/marketplace.crowdstrike.com\/partners\/jumpcloud\" target=\"_blank\" rel=\"noreferrer noopener\">CrowdStrike Store<\/a>.<\/p>\n\n\n\n<p>Now that you\u2019re familiar with configuring users, groups, and applications, let\u2019s review reporting.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"heading4\">Audit Your Security Regularly<\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"254\" height=\"290\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/12.png\" alt=\"Screenshot of reports available in Azure Active Directory\" class=\"wp-image-71360\"\/><\/figure>\n\n\n\n<p>You should always look for ways to improve in-house security and processes. If you can\u2019t stop it, you should at least monitor it. Regularly audit your entitlements, users, and review activity reports. Taking this extra step helps make security a process as opposed to relying solely on products and services.&nbsp;<\/p>\n\n\n\n<p>Ideally, you\u2019ll be monitoring all privilege changes, suspicious activity, and signs of known attacks. AAD will provide you with several reports:<\/p>\n\n\n\n<ul>\n<li>Basic security and usage reports are included among all subscription tiers<\/li>\n\n\n\n<li>Advanced reporting is restricted to P1 and P2<\/li>\n\n\n\n<li>SIEM reporting and Identity Protection require P2 (or equivalent) subscriptions<\/li>\n<\/ul>\n\n\n\n<p>Some security capabilities may be more accessible and easier to deploy via JumpCloud, which integrates with AD, AAD\/M365, <a href=\"https:\/\/support.jumpcloud.com\/s\/article\/g-suite-user-import-provisioning-and-sync1\" target=\"_blank\" rel=\"noreferrer noopener\">Google Workspace<\/a>, and <a href=\"https:\/\/jumpcloud.com\/blog\/azure-ad-okta\">Okta<\/a>, or can function as a standalone directory. JumpCloud is focused on managing identities, in all places, as your security perimeter.<\/p>\n\n\n\n<div class=\"promotion-banner-small is-flex-direction-column has-items-aligned-flex-start has-items-aligned-center-tablet\">\n    <div class=\"promo-small-image is-hidden-mobile\">\n        <img decoding=\"async\" src=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/03\/large-202303-EB-Resource-BreakingUpWithAD-290x175-SiteDisplay-aspect-ratio-160-110.png\" alt=\"JumpCloud\">\n    <\/div>\n    <div class=\"promo-small-content\">\n        <p class=\"is-type-body-tiny is-type-weight-bold is-important promo-small-title\">\n            Breaking Up with Active Directory        <\/p>\n        <p class=\"is-type-body-default is-important\">\n            Don\u2019t let your directory hold you back. Learn why it\u2019s time to break up with AD.        <\/p>\n    <\/div>\n    <div class=\"promo-small-cta\">\n        <a href=\"https:\/\/jumpcloud.com\/resources\/ebook-breaking-up-with-active-directory\" data-promo=\"Breaking Up with Active Directory\" class=\"button is-primary-green promo-small-banner-link\">Read Now<\/a>\n    <\/div>\n<\/div>\n\n\n\n\n<h2 class=\"wp-block-heading\" id=\"heading5\">How JumpCloud Improves Upon Azure AD Best Practices<\/h2>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"277\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/13.png\" alt=\"JumpCloud admin console\" class=\"wp-image-71361\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/13.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/13-300x162.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>JumpCloud is an open directory platform that manages identities, access control, and devices. Devices are a method of granting access to an identity or application, so device management is included by default. That makes it possible to assemble high visibility telemetry data for reporting.<\/p>\n\n\n\n<p>As previously noted, Microsoft requires its users to purchase additional subscriptions (<a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/microsoft-entra\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Entra<\/a>, M365 E3\/5, AAD P1\/2, and Intune for device management) to meet its recommendations for best practices. Standard AAD deployments fall short of Microsoft\u2019s guidance, but some of its premium offerings may sell SMEs more features than they require or even want to purchase.<\/p>\n\n\n\n<p>JumpCloud can help to fill in some of those gaps, and is easy to deploy, with deepening integrations for exporting AAD user groups. It\u2019s designed for SMEs, so IT teams may benefit from having more control over what they\u2019re buying (as opposed to not using what they pay for). The next section explores the specifics of how JumpCloud can improve AAD and help your organization to build the stack of its choosing out of best-of-breed apps and services.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">IAM and SSO<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"330\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/14.png\" alt=\"Configuring SSO applications in JumpCloud\" class=\"wp-image-71362\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/14.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/14-300x193.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>Identities flow into JumpCloud from other directories, <a href=\"https:\/\/jumpcloud.com\/blog\/how-jumpclouds-hris-integration-works\">HRIS systems<\/a>, or JumpCloud\u2019s <a href=\"https:\/\/jumpcloud.com\/platform\/ldap\">Cloud LDAP<\/a>. Attributes, such as where users are located, who their supervisor is, or what team they belong to, simplify provisioning user access to IT resources such as applications and networks.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"424\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/15.png\" alt=\"User groups in JumpCloud\" class=\"wp-image-71363\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/15.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/15-300x248.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>Group management is provided at no additional cost and leverages <a href=\"https:\/\/jumpcloud.com\/blog\/the-immediate-advantages-of-attribute-based-access-control\">attribute-based access control<\/a> (ABAC), enabling the system to continuously audit entitlements for Zero Trust access control. JumpCloud is introducing the ability to automate and apply membership suggestions to groups. RBAC is more of a manual process, which can lead to mistakes that over or under provision users. Group members can access resources through SSO protocols and more:<\/p>\n\n\n\n<ul>\n<li>SAML<\/li>\n\n\n\n<li>OAuth 2.0<\/li>\n\n\n\n<li>OIDC<\/li>\n\n\n\n<li>RADIUS<\/li>\n\n\n\n<li>LDAP<\/li>\n<\/ul>\n\n\n\n<p>JumpCloud provides <a href=\"https:\/\/jumpcloud.com\/blog\/feature-bulletin-radius-auth-azure-ad#:~:text=Delegated%20authentication%20removes%20the%20need,end%20user%20productivity%20and%20satisfaction.\">delegated authentication<\/a> that leverages AAD credentials and password policies for RADIUS. This capability extends Azure SSO to network resources such as Wi-Fi networks and VPNs while also reducing technical overhead and eliminating siloed identities. SSO applets launch from within the JumpCloud user console as a security control for phishing.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Environment-Wide MFA<\/h3>\n\n\n\n<p><a href=\"https:\/\/jumpcloud.com\/blog\/push-notification-mfa-using-jumpcloud-protect\">JumpCloud Protect<\/a>\u2122, an integrated authenticator app for MFA, is designed to be frictionless. It provides application-based <a href=\"https:\/\/jumpcloud.com\/blog\/push-notification-mfa\">Push MFA<\/a> and <a href=\"https:\/\/jumpcloud.com\/blog\/totp-mfa\">TOTP<\/a> in addition to WebAuthn and U2F keys. More options for <a href=\"https:\/\/jumpcloud.com\/blog\/what-is-biometric-authentication\">biometric authentication<\/a> and passwordless log-in experiences are being added to the platform.&nbsp;<\/p>\n\n\n\n<p>MFA can be configured for most SSO, LDAP, and RADIUS logins. It\u2019s also integrated with CA.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"320\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/16.png\" alt=\"RADIUS and MFA configuration in JumpCloud\" class=\"wp-image-71364\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/16.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/16-300x188.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Conditional Access<\/h3>\n\n\n\n<p>AAD identities can be protected by conditional access through JumpCloud as an add-on without purchasing P1 or P2 from Microsoft. Pre-built rules are available to enforce MFA for privileged user groups, restrict logins to specific locations, and to require device trust. Meaning, any identity + device that isn\u2019t managed by JumpCloud won\u2019t be able to access cloud apps. More granular conditions such as OS version and device encryption status are coming soon.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"177\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/17.png\" alt=\"Configuring conditional access policies\" class=\"wp-image-71365\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/17.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/17-300x104.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Password Management<\/h3>\n\n\n\n<p>A decentralized <a href=\"https:\/\/jumpcloud.com\/platform\/password-manager\" target=\"_blank\" rel=\"noreferrer noopener\">password manager and vault<\/a> is available as an add-on through browser plug-ins and mobile apps to help SMEs implement complex passphrases for users. This feature assists with provisioning and revoking user access to reduce the risk of data breaches. Centralized password management also increases visibility for compliance peace of mind.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"237\" height=\"512\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/18.png\" alt=\"JumpCloud password management categories\" class=\"wp-image-71366\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/18.png 237w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/18-139x300.png 139w\" sizes=\"(max-width: 237px) 100vw, 237px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Device Management<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"318\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/19.png\" alt=\"Mobile device management (MDM) in JumpCloud\" class=\"wp-image-71367\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/19.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/19-300x186.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>JumpCloud is cross-OS, supporting:<\/p>\n\n\n\n<ul>\n<li><strong>Android:<\/strong> Support for policies and application distribution is <a href=\"https:\/\/jumpcloud.com\/blog\/q4-2022-roadmap-webinar-recap\">coming<\/a> in late 2022 and beyond.<\/li>\n\n\n\n<li><strong>Apple products: <\/strong><a href=\"https:\/\/jumpcloud.com\/platform\/mdm\" target=\"_blank\" rel=\"noreferrer noopener\">Mobile Device Management<\/a> (MDM) is available for macOS and iOS devices, providing for application distribution, policies, and commands with the option for Zero Trust deployment. Policies are timely and in-touch with the needs of Mac admins, including addressing \u201cDay 0\u201d OS upgrade controls.&nbsp;<\/li>\n\n\n\n<li><strong>Linux: <\/strong>JumpCloud supports <a href=\"https:\/\/support.jumpcloud.com\/support\/s\/article\/jumpcloud-agent-compatibility-system-requirements-and-impacts1#linux\" target=\"_blank\" rel=\"noreferrer noopener\">multiple Linux distros<\/a> with multiple deployment options. It provides pre-built policies, including full disk encryption (FDE), and Sudo access for commands (with pre-built security commands through the Admin Console). IAM capabilities aren\u2019t restricted to certain browsers; Microsoft mandates Edge for Intune device enrollment. Intune is an additional subscription beyond standalone AAD.<strong>&nbsp;<\/strong><\/li>\n\n\n\n<li><strong>Windows: <\/strong>Anything an admin wishes to do is possible through security commands and a PowerShell module. Commands function through a queue. JumpCloud provides<strong> <\/strong>pre-built <a href=\"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices\">GPO-like policies<\/a> including fine-grained control over BitLocker, as well as a GUI for custom policies. There\u2019s also software distribution, and more, with Windows Out of Box Experience (OOBE) coming soon to streamline onboarding remote workers.<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"217\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/20.png\" alt=\"\" class=\"wp-image-71368\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/20.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/20-300x127.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Patch Management<\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"216\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/21.png\" alt=\"JumpCloud Patch Management release trains\" class=\"wp-image-71369\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/21.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/21-300x127.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<p>JumpCloud offers cross-OS patching as an add-on. Patching is an important activity to mitigate the risk of security breaches that leverage 0-Day attacks with a healthy device state. Centralizing <a href=\"https:\/\/jumpcloud.com\/blog\/what-is-patch-management\">patch management<\/a> helps to reduce costs versus purchasing a third-party patch management solution for Windows and all other operating systems. Browser patch management is arriving in Q4, 2022, and it will extend to reporting for management status.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"291\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/22.png\" alt=\"Google Chrome patch management in JumpCloud\" class=\"wp-image-71370\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/22.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/22-300x171.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Remote Assist<\/h3>\n\n\n\n<p>IT teams can extend opt-in remote support to users with <a href=\"https:\/\/jumpcloud.com\/support\/get-started-remote-assist\">Remote Assist<\/a>. It\u2019s free and works cross-OS. The only configuration that\u2019s required is to have JumpCloud agents running on a device that\u2019s bound to an identity from the open directory. It\u2019s possible to:<\/p>\n\n\n\n<ul>\n<li>Copy and paste between devices<\/li>\n\n\n\n<li>Work in multi-monitor systems<\/li>\n\n\n\n<li>Turn on audit logging<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"336\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/23.png\" alt=\"JumpCloud Remote Assist\" class=\"wp-image-71371\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/23.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/23-300x197.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Reporting<\/h3>\n\n\n\n<p>JumpCloud\u2019s emphasis on making identity the new perimeter is reflected in the telemetry that\u2019s available from built-in reporting tools including Device Insights and Directory Insights. There\u2019s a growing selection of pre-made reports, stored for analysis. SIEM integration is also possible.<\/p>\n\n\n\n<p>Some of those include:<\/p>\n\n\n\n<ul>\n<li>User to Devices<\/li>\n\n\n\n<li>User to RADIUS Server<\/li>\n\n\n\n<li>User to LDAP<\/li>\n\n\n\n<li>User to Directories<\/li>\n\n\n\n<li>User to SSO Applications<\/li>\n\n\n\n<li>OS Patch Management Policy<\/li>\n<\/ul>\n\n\n\n<p>Cloud Insights is an add-on to monitor Amazon Web Services (AWS) events and user actions. This makes compliance and data forensics easier for SMEs and helps to enforce least privilege in cloud infrastructure. Support for Google Cloud (GCP) will be introduced next for a multi-cloud strategy.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"512\" height=\"236\" src=\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2022\/11\/24.png\" alt=\"JumpCloud Cloud Insights makes compliance, monitoring, and compliance easier\" class=\"wp-image-71372\" srcset=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/24.png 512w, https:\/\/jumpcloud.com\/wp-content\/uploads\/2022\/11\/24-300x138.png 300w\" sizes=\"(max-width: 512px) 100vw, 512px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Avoid Vendor Lock-In and Do More with JumpCloud<\/h2>\n\n\n\n<p>JumpCloud is <a href=\"https:\/\/console.jumpcloud.com\/signup\" target=\"_blank\" rel=\"noreferrer noopener\">available to try<\/a> with its full functionality. AAD users benefit from more freedom of choice, simpler deployment workflows, access to more sources, and lower costs.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Learn best practices for using Azure Active Directory and how JumpCloud can help streamline those processes and save money.<\/p>\n","protected":false},"author":150,"featured_media":47142,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","inline_featured_image":false,"footnotes":""},"categories":[23],"tags":[],"collection":[2779,2775],"platform":[],"funnel_stage":[3016],"coauthors":[2535],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v22.9 (Yoast SEO v22.9) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Azure AD Best Practices - JumpCloud<\/title>\n<meta name=\"description\" content=\"Learn best practices for using Azure Active Directory and how JumpCloud can help streamline those processes and save money.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Azure AD Best Practices\" \/>\n<meta property=\"og:description\" content=\"Learn best practices for using Azure Active Directory and how JumpCloud can help streamline those processes and save money.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices\" \/>\n<meta property=\"og:site_name\" content=\"JumpCloud\" \/>\n<meta property=\"article:published_time\" content=\"2022-11-07T17:30:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-11-08T22:45:38+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2020\/08\/office-hours-recap-new-features.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"780\" \/>\n\t<meta property=\"og:image:height\" content=\"520\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"David Worthington\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"David Worthington\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"18 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices#article\",\"isPartOf\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices\"},\"author\":{\"name\":\"David Worthington\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/person\/185ca12034835ee50ee17b100abdfb2e\"},\"headline\":\"Azure AD Best Practices\",\"datePublished\":\"2022-11-07T17:30:00+00:00\",\"dateModified\":\"2024-11-08T22:45:38+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices\"},\"wordCount\":2885,\"publisher\":{\"@id\":\"https:\/\/jumpcloud.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2020\/08\/office-hours-recap-new-features.jpg\",\"articleSection\":[\"Best Practices\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices\",\"url\":\"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices\",\"name\":\"Azure AD Best Practices - JumpCloud\",\"isPartOf\":{\"@id\":\"https:\/\/jumpcloud.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices#primaryimage\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices#primaryimage\"},\"thumbnailUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2020\/08\/office-hours-recap-new-features.jpg\",\"datePublished\":\"2022-11-07T17:30:00+00:00\",\"dateModified\":\"2024-11-08T22:45:38+00:00\",\"description\":\"Learn best practices for using Azure Active Directory and how JumpCloud can help streamline those processes and save money.\",\"breadcrumb\":{\"@id\":\"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices#primaryimage\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2020\/08\/office-hours-recap-new-features.jpg\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2020\/08\/office-hours-recap-new-features.jpg\",\"width\":780,\"height\":520,\"caption\":\"typing on a laptop with another next to it\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/jumpcloud.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Azure AD Best Practices\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/jumpcloud.com\/#website\",\"url\":\"https:\/\/jumpcloud.com\/\",\"name\":\"JumpCloud\",\"description\":\"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.\",\"publisher\":{\"@id\":\"https:\/\/jumpcloud.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/jumpcloud.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/jumpcloud.com\/#organization\",\"name\":\"JumpCloud\",\"url\":\"https:\/\/jumpcloud.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"contentUrl\":\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png\",\"width\":598,\"height\":101,\"caption\":\"JumpCloud\"},\"image\":{\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/person\/185ca12034835ee50ee17b100abdfb2e\",\"name\":\"David Worthington\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/jumpcloud.com\/#\/schema\/person\/image\/d9acf1381c6e5b50c0f50d47b7b05411\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/a6dde901b469c9005c22973e42038d62?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/a6dde901b469c9005c22973e42038d62?s=96&d=mm&r=g\",\"caption\":\"David Worthington\"},\"description\":\"I'm the JumpCloud Champion for Product, Security. JumpCloud and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.\",\"sameAs\":[\"https:\/\/jumpcloud.com\/blog\",\"david.worthington@jumpcloud.com\"]}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Azure AD Best Practices - JumpCloud","description":"Learn best practices for using Azure Active Directory and how JumpCloud can help streamline those processes and save money.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices","og_locale":"en_US","og_type":"article","og_title":"Azure AD Best Practices","og_description":"Learn best practices for using Azure Active Directory and how JumpCloud can help streamline those processes and save money.","og_url":"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices","og_site_name":"JumpCloud","article_published_time":"2022-11-07T17:30:00+00:00","article_modified_time":"2024-11-08T22:45:38+00:00","og_image":[{"width":780,"height":520,"url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2020\/08\/office-hours-recap-new-features.jpg","type":"image\/jpeg"}],"author":"David Worthington","twitter_card":"summary_large_image","twitter_misc":{"Written by":"David Worthington","Est. reading time":"18 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices#article","isPartOf":{"@id":"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices"},"author":{"name":"David Worthington","@id":"https:\/\/jumpcloud.com\/#\/schema\/person\/185ca12034835ee50ee17b100abdfb2e"},"headline":"Azure AD Best Practices","datePublished":"2022-11-07T17:30:00+00:00","dateModified":"2024-11-08T22:45:38+00:00","mainEntityOfPage":{"@id":"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices"},"wordCount":2885,"publisher":{"@id":"https:\/\/jumpcloud.com\/#organization"},"image":{"@id":"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices#primaryimage"},"thumbnailUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2020\/08\/office-hours-recap-new-features.jpg","articleSection":["Best Practices"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices","url":"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices","name":"Azure AD Best Practices - JumpCloud","isPartOf":{"@id":"https:\/\/jumpcloud.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices#primaryimage"},"image":{"@id":"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices#primaryimage"},"thumbnailUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2020\/08\/office-hours-recap-new-features.jpg","datePublished":"2022-11-07T17:30:00+00:00","dateModified":"2024-11-08T22:45:38+00:00","description":"Learn best practices for using Azure Active Directory and how JumpCloud can help streamline those processes and save money.","breadcrumb":{"@id":"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices#primaryimage","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2020\/08\/office-hours-recap-new-features.jpg","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2020\/08\/office-hours-recap-new-features.jpg","width":780,"height":520,"caption":"typing on a laptop with another next to it"},{"@type":"BreadcrumbList","@id":"https:\/\/jumpcloud.com\/blog\/azure-ad-best-practices#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/jumpcloud.com\/"},{"@type":"ListItem","position":2,"name":"Azure AD Best Practices"}]},{"@type":"WebSite","@id":"https:\/\/jumpcloud.com\/#website","url":"https:\/\/jumpcloud.com\/","name":"JumpCloud","description":"Daily insights on directory services, IAM, LDAP, identity security, SSO, system management (Mac, Windows, Linux), networking, and the cloud.","publisher":{"@id":"https:\/\/jumpcloud.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/jumpcloud.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/jumpcloud.com\/#organization","name":"JumpCloud","url":"https:\/\/jumpcloud.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/","url":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","contentUrl":"https:\/\/jumpcloud.com\/wp-content\/uploads\/2021\/01\/jc-logo-brand-2021.png","width":598,"height":101,"caption":"JumpCloud"},"image":{"@id":"https:\/\/jumpcloud.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/jumpcloud.com\/#\/schema\/person\/185ca12034835ee50ee17b100abdfb2e","name":"David Worthington","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/jumpcloud.com\/#\/schema\/person\/image\/d9acf1381c6e5b50c0f50d47b7b05411","url":"https:\/\/secure.gravatar.com\/avatar\/a6dde901b469c9005c22973e42038d62?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/a6dde901b469c9005c22973e42038d62?s=96&d=mm&r=g","caption":"David Worthington"},"description":"I'm the JumpCloud Champion for Product, Security. JumpCloud and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.","sameAs":["https:\/\/jumpcloud.com\/blog","david.worthington@jumpcloud.com"]}]}},"_links":{"self":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts\/71345"}],"collection":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/users\/150"}],"replies":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/comments?post=71345"}],"version-history":[{"count":3,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts\/71345\/revisions"}],"predecessor-version":[{"id":117277,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/posts\/71345\/revisions\/117277"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/media\/47142"}],"wp:attachment":[{"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/media?parent=71345"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/categories?post=71345"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/tags?post=71345"},{"taxonomy":"collection","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/collection?post=71345"},{"taxonomy":"platform","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/platform?post=71345"},{"taxonomy":"funnel_stage","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/funnel_stage?post=71345"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/jumpcloud.com\/wp-json\/wp\/v2\/coauthors?post=71345"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}