What Is Azure Active Directory - A Complete Overview
Michael Buckbee
8 min read
Azure Active Directory (Azure AD) is Microsoft’s enterprise cloud-based identity and access
management (IAM) solution. Azure AD is the backbone of the Office 365 system, and it can
sync with on-premise Active Directory and provide authentication to other cloud-based
systems via OAuth.
During the 2020 pandemic, Microsoft Teams saw a drastic 70% increase in daily Teams users
in a single month. While it is unclear how many of those users are net new to Azure AD, we can
assume that the 2020 pandemic jump-started both adoption and implementation of Azure AD
to meet the demands of a remote workforce.
https://www.varonis.com/blog/azure-active-directory 1/14
8/1/24, 6:52 PM What is Azure Active Directory? A Complete Overview
It’s week eleventeen of the pandemic at the time of this writing, and it seems more likely that
enterprises won’t be returning to the way things were in the before times. Sysadmins dealing
with hybrid cloud environments should understand how Azure AD works and, most
importantly, how to keep our data safe in this cloud-first world without the luxury of a secure
perimeter.
Windows Active Directory (AD) is Microsoft’s predecessor to Azure AD. Microsoft released
Active Directory in Windows 2000 server, and it became a standard for enterprise identity
management.
Active Directory lives on-premise in servers called Domain Controllers (DC). Each DC contains
a catalog of users and computers that are authorized to access resources on the network.
Users authenticate to DCs via Kerberos or NTLM authentication.
AD security is one of our favorite topics because many attacks the Varonis Incident Response
team researches involve AD at some point in the cyber kill chain. It could be a simple brute
force attack to crack an old NTLM password or a privilege escalation attempt to take over an
administrator account. AD security has been the topic of many conference talks and we even
wrote a comprehensive guide to pen testing your AD environment to ensure its resilience to
common off-the-shelf attacks.
Any conversation about Azure AD has to mention AD classic, and we will explain why further
along in the blog.
Azure AD and Windows AD are both created by Microsoft, and they are both IAM systems, but
that’s pretty much where the comparisons stop. They are fundamentally different systems that
exist in an interconnected enterprise environment.
Azure AD:
- REST APIs: Azure AD uses Representational State Transfer (REST) APIs to support
communication with other web-based services.
- Network Organization: Each Azure AD instance is called a “tenant”, which is a flat structure
of users and groups.
- Entitlement Management: Admins organize users into groups, and then give groups access
to apps and resources.
- Servers: Azure AD uses Azure AD Domain Services to manage servers that live in the Azure
cloud virtual machine environment.

Windows AD:
- LDAP: Windows AD uses Lightweight Directory Access Protocol (LDAP) to pass data
between clients, servers, and DCs.
- Entitlement Management: Admins or data owners assign users to groups, and those
groups have access to resources on the network.
- Servers: Servers in Windows AD are managed and governed by GPOs or other on-premise
server management systems.
The answer to the question, “so which one do I use?” is probably both. If you are running an
established enterprise network, you most likely already have Windows AD, and you are adding
Azure AD to manage your cloud infrastructure.
If you are starting a brand new organization from scratch, Azure AD could meet all of your
needs, especially if you plan on using an entirely cloud-based infrastructure.
The other question you might ask is “which one is harder to configure than the other?” And I
would say that neither one is more or less configurable than the other, and neither one is
more or less secure than the other. Both systems require a qualified expert to manage and
protect your network for companies larger than 100 users or so. Smaller shops will find Azure
AD easier to manage overall.
Azure AD Connect will let you sync user accounts from your on-premise system to your Azure
tenant. It also provides password hash synchronization, pass-through authentication,
federation, and health monitoring.
Those features allow your users to have the same user id and password on-premise and in the
cloud and to ease the management of your hybrid environment. In short, you need Azure AD
Connect if you have a hybrid environment.
As a sysadmin or security pro, it’s important that your security solutions give you a unified
view of each user regardless of whether they’re accessing cloud or on-prem resources. The
Varonis Data Security Platform, for example, makes it easy to pinpoint a user and see their
activity in Azure AD and Windows AD. Even though there are two user repositories behind the
scenes, Varonis treats them as a single user with a comprehensive user behavior profile that
includes on-prem and cloud activity.
OK, so if you have made it this far, you might be considering implementing Azure AD for your
organization. Now you have real decisions to make.
1. Licensing: Azure AD licensing follows the same monthly subscription licensing as the Office
365 licenses. There are four license levels – Free, Office 365 Apps, Premium P1, and Premium
P2.
Office 365 Apps comes as part of your Office 365 subscription, and the Premium packages
are a separate item. You get the Free license as part of a subscription to Azure, Dynamics 365,
Intune, and Power Platform.
The Premium tier adds features like advanced password protection, self-service password
management for your users, advanced group access management, and conditional access.
The features lists for Azure AD and Microsoft 365 are separate, and you need to look at both
of them to understand everything available to you so you can build your implementation
strategy.
Ed. Note: Office 365 recently got renamed to Microsoft 365. At the time of this writing,
Microsoft’s documentation contains both names, but they are the same thing.
2. Choose your scenario: Hybrid Azure AD or Azure AD? If you already have Windows AD,
Hybrid might be your best option. If you are trying to build a cloud-only infrastructure, Azure
AD is the better choice.
For your Hybrid environment, you can go with Managed or Federated configurations. If you
are going to create users in Windows AD, you need to have Azure AD Connect to sync with
Azure AD.
Are you going to use the device management in Azure AD? If so, you need Windows 10 on all
those devices.
3. SSO: Are you going to enable Single Sign-on (SSO) with Azure AD? You will need to
configure your cloud apps and services to use the Azure SSO, and set up a hybrid cloud for
printing.
4. User Provisioning: How are you going to add your existing users to Azure? You can set up
self-enrollment where users run the process themselves, Windows Autopilot, or have an
admin enroll your users.
Those four steps will set you on the right path. You will have to do some more homework to
figure out all the answers, which will lead you to more questions that need different answers.
Azure AD is a new system that Microsoft designed from the ground up to support cloud
infrastructure. Azure AD uses REST APIs to pass data from one system to other cloud
applications and systems that support REST (which is most cloud applications).
Unlike Windows AD, Azure AD is a flat structure in a single tenant. Think of the tenant as a
circle that surrounds all your stuff. You can control the stuff inside the tenant, but once it
leaves that circle you lose some agency over what happens to your stuff.
At Varonis, our approach to data security aligns with zero-trust principles, so as we continue
we will weave in zero-trust when appropriate.
Users and groups are the basic building blocks for Azure AD. You can further organize users
into groups that will all behave similarly. For example, you may put your Product Management
team in one Azure AD group and grant permissions at the group level, so when users leave the
organization, you only need to deactivate one account, and the rest of the group stays the
same.
Users in Azure AD can come from both inside and outside of Azure AD. Let me restate that.
Your Azure AD can contain identities for users inside of your organization and users from
outside your organization that have a Microsoft account. See below:
What this means is that you can bring people outside of your organization inside your tenant
and grant them specific permissions just like they are part of your organization. When done
correctly, this provides an additional level of security to the organization’s data.
There are several methods to populate your users and groups in Azure AD.
Use Azure AD Connect to sync users from Windows AD to Azure AD. Most enterprises that
already have Windows AD use this method.
You can script the process to add new users with PowerShell.
Or you could program the process with the Azure AD Graph API.
No matter which option you start with, or use later on, there are a few key points to make
about adding users in Azure AD.
1. Establish your authentication method and password policies, and enforce multi-factor
authentication.
2. Only add users that you need to Azure AD. Leave service accounts or stale accounts in
Windows AD, or delete them.
3. Organize users into groups, and only give groups access to the applications and
resources they need to do their job.
4. Connect users to their devices (mobile phones, laptops, etc.), so you can establish
limits on how confidential data is downloaded or saved from approved and monitored
devices.
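The programmatic route above (scripting or calling a Graph API) combined with points 2 and 3 can be expressed as a small provisioning routine. The following is an added example, not code from the Varonis post or from Microsoft: it filters an on-premise export so that service accounts and stale accounts are left behind, then creates one security group per team, creates each user, and adds the user to the group through Microsoft Graph (the successor to the Azure AD Graph API the post names). The `svc-` naming prefix, the 90-day staleness threshold, the constructed account list and the injectable `send(method, url, body)` callable are all assumptions for this example; the endpoint paths and request bodies are the documented Microsoft Graph v1.0 ones for `/users`, `/groups` and `/groups/{id}/members/$ref`.

```python
"""Group-based user provisioning via Microsoft Graph (added example)."""
import secrets
import string
from datetime import datetime, timedelta

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed on-premise export; not real accounts. Service accounts and
# stale accounts are deliberately present so the filter has something to drop.
SOURCE_ACCOUNTS = [
    {"sam": "alice", "name": "Alice Example", "team": "Product Management", "lastLogon": "2020-05-28"},
    {"sam": "bob", "name": "Bob Example", "team": "Product Management", "lastLogon": "2020-05-30"},
    {"sam": "svc-backup", "name": "Backup Service", "team": "IT", "lastLogon": "2020-05-31"},
    {"sam": "carol", "name": "Carol Example", "team": "Finance", "lastLogon": "2019-01-15"},
]


def select_accounts(accounts, today, stale_after=timedelta(days=90), service_prefix="svc-"):
    """Keep only human accounts that signed in recently (assumed prefix and threshold)."""
    keep = []
    for a in accounts:
        if a["sam"].startswith(service_prefix):
            continue  # service accounts stay in Windows AD
        last = datetime.strptime(a["lastLogon"], "%Y-%m-%d")
        if today - last > stale_after:
            continue  # stale account: do not carry it into the tenant
        keep.append(a)
    return keep


def temp_password(length=16):
    """Random one-time password; the user is forced to change it at first sign-in."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def mail_nickname(text):
    """Graph requires an alias without spaces or punctuation."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def provision(accounts, domain, send, today):
    """Create a security group per team, create each user, add it to its group.

    `send(method, url, body)` performs the HTTP call and returns the decoded
    JSON body; inject one built on `requests` with a bearer token for real use.
    Returns the mapping team -> group object id.
    """
    groups = {}
    for a in select_accounts(accounts, today):
        team = a["team"]
        if team not in groups:
            g = send("POST", f"{GRAPH}/groups", {
                "displayName": team,
                "mailEnabled": False,
                "mailNickname": mail_nickname(team),
                "securityEnabled": True,
            })
            groups[team] = g["id"]
        u = send("POST", f"{GRAPH}/users", {
            "accountEnabled": True,
            "displayName": a["name"],
            "mailNickname": a["sam"],
            "userPrincipalName": f"{a['sam']}@{domain}",
            "passwordProfile": {"forceChangePasswordNextSignIn": True,
                                "password": temp_password()},
        })
        # Membership is granted to the group, never to the app directly,
        # so offboarding later means disabling one account only.
        send("POST", f"{GRAPH}/groups/{groups[team]}/members/$ref",
             {"@odata.id": f"{GRAPH}/directoryObjects/{u['id']}"})
    return groups


if __name__ == "__main__":
    # Dry run: print the calls instead of sending them.
    counter = {"n": 0}

    def dry_send(method, url, body):
        counter["n"] += 1
        print(method, url, {k: v for k, v in body.items() if k != "passwordProfile"})
        return {"id": f"dry-{counter['n']}"}

    print(provision(SOURCE_ACCOUNTS, "notarealdomain.com", dry_send, datetime(2020, 6, 1)))
```

Run stand-alone it prints the five Graph calls it would make (one group, two users, two membership references) and the group id map; `svc-backup` and the long-idle `carol` never reach the tenant.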
Custom Domains
Adding a custom domain to Azure AD will reduce the frustration that your users’ experience
as they migrate to the new system. The default Azure AD domain looks like this:
@notarealdomain.onmicrosoft.com
That’s a lot to type. If you configured Azure AD to use a domain that you own, your users
would thank you. It would look something like @notarealdomain.com instead. That’s much
easier to deal with.
I’d like to say that the transition to Azure AD was smooth and without issue, but alas. Any
significant transformation to a cloud-enabled infrastructure is bound to attract malicious
attackers that want to infiltrate the new frontier. And so they did.
The Varonis IR team investigates many brute force attacks against Azure AD. Attackers love to
use vast collections of usernames and passwords from data breach dumps to try to break into
Azure AD accounts—a method known as credential stuffing.
Azure AD is available from the internet, so it’s a relatively easy target. A good password policy
and multi-factor authentication, as well as behavioral monitoring of login activity and
geo-hopping, can thwart most brute force attacks. Most. You still need to monitor your data to
detect malicious activity inside your tenant in the event an attacker succeeds with a single
login attempt.
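The two behaviors the paragraph names, credential stuffing and geo-hopping, both leave a recognizable pattern in sign-in logs. The following is an added example written for this page, not Varonis or Microsoft code: it parses constructed sign-in records shaped like the Microsoft Graph `signIn` resource (`userPrincipalName`, `ipAddress`, `location.countryOrRegion`, `status.errorCode`, `createdDateTime`) and flags (a) source addresses whose failed sign-ins hit many distinct accounts inside a short window, the signature of a credential-stuffing run rather than one user mistyping a password, and (b) users with two successful sign-ins from different countries closer together than plausible travel allows. The users, addresses and timestamps are constructed; the window sizes and the five-account threshold are assumptions to tune for your tenant. Error code 0 is a successful sign-in and 50126 is Azure AD’s “invalid username or password”.

```python
"""Credential-stuffing and geo-hopping checks over Azure AD sign-in records."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (JSON lines): a benign user, one address failing against
# five accounts in four minutes, and one user "moving" US -> NL in 30 minutes.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"userPrincipalName": "alice@notarealdomain.com", "ipAddress": "198.51.100.10",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0},
     "createdDateTime": "2020-06-01T09:00:00Z"},
    *[{"userPrincipalName": f"{u}@notarealdomain.com", "ipAddress": "203.0.113.7",
       "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 50126},
       "createdDateTime": f"2020-06-01T10:0{i}:00Z"}
      for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])],
    {"userPrincipalName": "bob@notarealdomain.com", "ipAddress": "198.51.100.20",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0},
     "createdDateTime": "2020-06-01T12:00:00Z"},
    {"userPrincipalName": "bob@notarealdomain.com", "ipAddress": "203.0.113.7",
     "location": {"countryOrRegion": "NL"}, "status": {"errorCode": 0},
     "createdDateTime": "2020-06-01T12:30:00Z"},
    {"userPrincipalName": "alice@notarealdomain.com", "ipAddress": "198.51.100.10",
     "location": {"countryOrRegion": "US"}, "status": {"errorCode": 0},
     "createdDateTime": "2020-06-01T13:00:00Z"},
])


def parse_signins(text):
    """Parse JSON-lines sign-in records and sort them by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = json.loads(line)
        r["ts"] = datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(r)
    return sorted(records, key=lambda r: r["ts"])


def spray_sources(records, window=timedelta(minutes=15), min_users=5):
    """Source IPs whose failures touch >= min_users distinct accounts in one window.

    Returns {ip: sorted list of targeted accounts}. One user failing repeatedly
    is noise; one address cycling through many accounts is credential stuffing.
    """
    failures = defaultdict(list)  # ip -> [(ts, user)]
    for r in records:
        if r["status"]["errorCode"] != 0:
            failures[r["ipAddress"]].append((r["ts"], r["userPrincipalName"]))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each start
            users = {u for ts, u in events[i:] if ts - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


def geo_hops(records, max_gap=timedelta(hours=1)):
    """Successful sign-ins for one user from two countries within max_gap.

    Returns a list of (user, previous_country, new_country, minutes_between).
    """
    last_seen = {}  # user -> (ts, country) of the most recent successful sign-in
    hops = []
    for r in records:
        if r["status"]["errorCode"] != 0:
            continue
        user, country = r["userPrincipalName"], r["location"]["countryOrRegion"]
        prev = last_seen.get(user)
        if prev and prev[1] != country and r["ts"] - prev[0] <= max_gap:
            minutes = int((r["ts"] - prev[0]).total_seconds() // 60)
            hops.append((user, prev[1], country, minutes))
        last_seen[user] = (r["ts"], country)
    return hops


if __name__ == "__main__":
    recs = parse_signins(SAMPLE_LOG)
    print("credential stuffing sources:", spray_sources(recs))
    print("geo-hops:", geo_hops(recs))
```

Both checks key off fields that Azure AD already records for every sign-in, so the same logic runs unchanged over an export of the real sign-in log; in the sample, the address that sprayed five accounts is also the one behind bob’s impossible travel, which is the kind of correlation worth alerting on.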
Phishing is the other top attack we see against Azure AD users. Phishing can lead to credential
theft or malware infection, which can provide attackers with a foothold to access your tenant.
One of the better enhancements Azure AD provides is warnings when you open an email from
an outsider or untrusted source.
You can enable this setting, and other email protections in the Azure AD Management
Console. The Varonis IR team demonstrates how to use phishing to infiltrate and steal data in
this Live Cyber Security Lab.
This attack has to do with Azure AD Connect, which we described above as the way to
synchronize your Azure and on-prem AD. Azure AD Connect can be configured via a method
called Pass-Through Authentication. When this method is used, a server called the “Azure
Agent” is installed on-prem.
Should an attacker compromise an organization’s Azure agent server they can create a
backdoor that allows them to log in as any synchronized user. Varonis created a
proof-of-concept that manipulates the Azure authentication function to 1.) give us a ‘skeleton key’
password that will work for all users, and 2.) dump all real clear-text usernames and passwords
into a file.
You can read the details and see the Azure Skeleton Key attack POC in action here.
Restrict users’ ability to consent to applications – a consent prompt can be a phishing attack, and once
the user clicks the attacker has a foothold in your tenant
Block legacy protocols that have security issues, like SMTP, POP3, or MAPI
Enable Microsoft Cloud Access Security (MCAS) to provide monitoring inside your tenant,
and augment that monitoring with Azure Skeleton Key attack
Now that you have Varonis, classify all of your sensitive data and tag it with Microsoft Azure
Information Protection (AIP)
That’s not nearly a comprehensive list of tools to manage and secure Azure AD. Do check out
the webinar about Microsoft Teams and see some other ways to prevent data leaks and to