A few weeks ago we wrote about the 4 types of Microsoft Active Directory, Azure Active Directory being one of those four. In this article, we'll explore the 3 licenses that you need to know about within Azure AD exclusively. The three Azure Active Directory licenses are: Office 365 edition, P1, and P2.
You may not even know you're using Azure AD; it runs in the background of Office 365 and Microsoft 365. It is the technology that manages the identities of all of your users, a.k.a. the thing that checks whether the credentials you entered are correct or incorrect after you click 'log in' to access an account or an app.
Azure Active Directory (AAD)
Azure AD is an identity management tool hosted on Microsoft Azure. It has quite different capabilities and features compared to Windows Server Active Directory (AD). Its primary function at the moment is to manage users and the myriad of devices (Windows, Apple and Linux PCs, tablets and smartphones, etc.) that users are employing in their work and social lives, particularly for remote users.
Azure AD is blurring the distinction between "on-premises" and "remote" workers. It is the authentication and authorization mechanism not only for Azure, Office 365 and Intune, but it can also tie in many other third-party authentication systems.
Think of Azure Active Directory as cloud only, which means if you have legacy software you will need to go with Hybrid Azure AD (HAAD).
Features: Azure AD P1 vs P2
Azure AD P2 has all the same features as Azure AD P1, plus the 6 additional features below, which cover the topics of Azure Identity Protection and Azure Identity Governance.
Vulnerabilities and Risky Accounts
- Providing custom recommendations to improve overall security posture by highlighting vulnerabilities
- Calculating sign-in risk levels
- Calculating user risk levels
Here is the full list of vulnerabilities Azure can detect.
Risk Events Investigation
- Sending notifications for risk detections
- Investigating risk detections using relevant and contextual information
- Providing basic workflows to track investigations
- Providing easy access to remediation actions such as password reset
Here is a full list of the risk event types Azure can detect, it's really impressive.
Risk-based Conditional Access Policies
- Policy to mitigate risky sign-ins by blocking sign-ins or requiring multi-factor authentication challenges
- Policy to block or secure risky user accounts
- Policy to require users to register for multi-factor authentication
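The sign-in risk and user risk policies above, written out as Conditional Access policies with the Microsoft Graph PowerShell SDK (an added example, not BEMO's or Microsoft's code; "BreakGlass-Admins" is a placeholder group name for your emergency-access accounts, and both policies are created in report-only mode so you can inspect their effect before enforcing them):

```powershell
# Added example: two risk-based Conditional Access policies via Microsoft Graph PowerShell.
# Requires the Microsoft.Graph.Identity.SignIns module and an Azure AD P2 license
# (Identity Protection supplies the risk levels the policies act on).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Group.Read.All"

# Placeholder group: always exclude your break-glass accounts from risk policies
$breakGlass = Get-MgGroup -Filter "displayName eq 'BreakGlass-Admins'"

# Policy 1: medium or high sign-in risk -> require an MFA challenge
$signInRiskPolicy = @{
    displayName   = "Require MFA for medium and high sign-in risk"
    state         = "enabledForReportingButNotEnforced"   # report-only first; set to "enabled" after review
    conditions    = @{
        users            = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications     = @{ includeApplications = @("All") }
        signInRiskLevels = @("medium", "high")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: high user risk -> require MFA AND a secure password change
$userRiskPolicy = @{
    displayName   = "Require password change for high user risk"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeGroups = @($breakGlass.Id) }
        applications   = @{ includeApplications = @("All") }
        userRiskLevels = @("high")
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "passwordChange") }
}

foreach ($policy in @($signInRiskPolicy, $userRiskPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    "{0} -> {1} ({2})" -f $created.DisplayName, $created.Id, $created.State
}
```

Review the sign-in logs under "Report-only" for a week or two before switching `state` to `enabled`; the break-glass exclusion is what keeps a mis-scoped policy from locking every administrator out.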
Privileged Identity Management (PIM)
PIM helps you manage the who, what, when, where, and why for resources in Azure. Here are some of the key features of PIM:
- Provide just-in-time privileged access to Azure AD and Azure resources
- Assign time-bound access to resources using start and end dates
- Require approval to activate privileged roles
- Enforce multi-factor authentication to activate any role
- Use justification to understand why users activate
- Get notifications when privileged roles are activated
- Conduct access reviews to ensure users still need roles
- Download audit history for internal or external audit
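The just-in-time, time-bound and justification bullets above, as an added example (not BEMO's or Microsoft's code): a user activates the "Security Reader" role through PIM for four hours, then the script lists who currently holds that role. It assumes the role's PIM settings already require MFA or approval, which the service enforces on the request; the ticket number in the justification is a placeholder.

```powershell
# Added example: PIM self-activation of an eligible role with Microsoft Graph PowerShell.
# Requires the Microsoft.Graph.Identity.Governance module and an Azure AD P2 license.
Connect-MgGraph -Scopes "RoleAssignmentSchedule.ReadWrite.Directory", "RoleManagement.Read.Directory", "User.Read"

$me   = Get-MgUser -UserId (Get-MgContext).Account
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Reader'"

$request = @{
    action           = "selfActivate"
    principalId      = $me.Id
    roleDefinitionId = $role.Id
    directoryScopeId = "/"                                   # tenant-wide scope
    justification    = "Ticket INC-0000: review risky sign-in report"   # placeholder ticket id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{ type = "afterDuration"; duration = "PT4H" }   # time-bound: ends after 4 hours
    }
}

# If the role requires approval, Status comes back as PendingApproval rather than Provisioned
$result = New-MgRoleManagementDirectoryRoleAssignmentScheduleRequest -BodyParameter $request
"Activation request {0}: {1}" -f $result.Id, $result.Status

# Audit view: active instances of this role right now (feeds the access-review/audit bullets)
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -Filter "roleDefinitionId eq '$($role.Id)'" |
    Select-Object PrincipalId, AssignmentType, StartDateTime, EndDateTime
```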
Azure Active Directory (Azure AD) access reviews enable organizations to efficiently manage group memberships, access to enterprise applications, and role assignments. Users' access can be reviewed on a regular basis to make sure only the right people have continued access. You can learn more by reading the full Azure Access Reviews technical document.
Entitlement management, the second governance tool, helps you manage access to groups, applications, and SharePoint Online sites for internal users and also users outside your organization. You can learn more by reading the full Azure Entitlement technical document.
Azure AD Pricing
- Azure AD P1 is bundled with Microsoft 365 Business and Microsoft 365 E3 for $20 per user/month and $32 per user/month, respectively
- Azure AD P2 is bundled with Microsoft 365 E5 for $57.50 per user/month
You can buy Azure AD P1 for $6.00 per user/month and P2 for $9.00 per user/month as stand-alone products, or you can buy them bundled with Microsoft 365.
Other Azure AD Uses
Azure AD can be used with Windows 10 licenses. It offers unique features like the ability to join a device to Azure AD, Windows Hello for Azure AD, and Administrator BitLocker recovery.
Azure AD P1 and P2 also have Mobile Device Management (MDM) self-enrollment, Azure AD join, and Enterprise State Roaming.
Multi-factor Authentication (MFA) with Microsoft Authenticator
OK, so your company uses MFA. And even if your company doesn't, you probably do on some of your personal home accounts like your banking app. Don't you hate receiving that MFA text message or email and having to type in that four- to six-digit code? Well, say no more: with Microsoft Authenticator, all you have to do is click 'accept'. It's just another way Microsoft improves the user experience of cybersecurity!
Go Password-less with Microsoft Hello
Windows Hello allows employees to log in using their laptop's built-in camera instead of a password. Enabling this feature increases security while simultaneously improving the user experience. We've been using Windows Hello for a while now at BEMO, and now typing out a password feels ancient. Your IT team will thank you and your employees will feel like they work for a company on the cutting edge! You know what else is cool? Windows Dynamic Lock, which you can also configure by typing 'Sign-in options' into your PC's search bar. Essentially, you pair your smartphone to your computer via Bluetooth, and when your phone is out of range of your computer, your PC will automatically lock itself.