Microsoft Entra ID Reviews

We used Azure AD for a role-based customer access mechanism. We implemented a single tenant, single sign-on for users of the application. We gave them a sign-on feature with OpenID Connect.

Previously we had to manually create the authentication server, but when we used Azure AD, we got the server directly from Azure. I didn't have to design the server.

We were also able to filter on the domain for the client I was working for.

In addition, we used Azure AD's Conditional Access feature to enforce fine-tuned and adaptive access controls. That was pretty useful because we didn't have to do much because we had attributes like authorized tags. And we configured scope, meaning who can access what, in the manifest. It was not very complicated.

And Azure ID has definitely helped save us time. Earlier, we had to depend on the infrastructure team, a different team, to manage the Active Directory permissions. But now, most of the time, the developers have access in the portal. It is saving us about 40 percent of our time.

The most valuable features of Azure ID are the single sign-on and OpenID Connect authentication.

Also, it was very nice that the documentation, the articles and help, on how to implement what we were trying to do, were available freely on the site, making it easy to develop. We did two or three sprints because things worked. Most of the time was spent on development and testing. But the deployment was easy.

Maybe I don't have enough experience, but when you fix the rules and permissions, working directly on the manifest, you really need to have in-depth knowledge. If there were a graphical user interface to update the manifest, that would be good. For example, if I want to grant access to HR versus an admin, I have to specifically write that in the manifest file to create the various roles. That means I'm coding in the manifest file. A graphical user interface would really help.

I have been using Azure AD for two-plus years.

The stability is 95 percent. We don't have any issues with it.

Of course it's scalable and that's why we choose the platform. We only have two regions in the load balancer. We have not gone beyond that, so we have not faced an issue.

We deployed it in multiple locations for our customer.

We haven't contacted Microsoft support.

I have played a small role in deploying Azure AD, but I have not been involved in the migration process. Overall, the deployment is easy. It took us 20 to 25 days, including fixing issues. That was normal, nothing unusual.

Regarding maintenance, the team I'm on does application maintenance. For Azure, we have a cloud admin who looks at the Azure portal for things like billing, access management, and admin work.

Some people use SAML technology for single sign-on. Although I haven't used it, it seems a bit complex. I started working directly with Azure AD OpenID Connect to a single tenant, or Azure AD B2B or B2C, and it was very smooth. It was not much of a challenge. Most of the complex things are taken care of by the Azure AD login. Usually, you don't need to do a deep dive into what is happening internally. 

Microsoft is like a "hovercraft", as opposed to scuba diving. With Microsoft, you can use the "hovercraft". Without touching the river you can cross it.

I have not explored many other competitive products, like GCP or AWS. I am a supporter of Microsoft products.

With Verified ID, things were secure. In recent news, there has been some hacking due to some developer using an email ID as opposed to OpenID, but our team did not use email IDs. Even if we were using email IDs for single sign-on, the user still needed to sign up with a password, so it was not possible to impersonate someone else.

The user experience, the interface, is very smooth. We have never had any problems with the single sign-on.

When applications are hosted on Azure, you should use the advantages of Azure AD.

Microsoft Entra ID is used to control access to our environment.

Microsoft Entra ID has been most beneficial in the realm of IT management, although not significantly impactful on user experience. Microsoft Entra ID is not solely for user management or enhancing user experience. Rather, it greatly aids in constructing operational processes for IT management, as its capabilities extend far beyond user and access management. In terms of refining user experience, it certainly contributes to areas like authentication, particularly in diverse authentication methods and device-based authentication. 

The best thing about Microsoft Entra ID is the ease of setup.

If we're highly experienced or dealing with intricate scenarios, Microsoft Entra ID might not be the most suitable solution. In my opinion, it resolves the majority of cases, but it lacks comprehensive management tools for access control. I don't consider it the premier tool for user or identity management. While it covers many aspects, we'll need supplementary tools to effectively manage access rules. This deficiency is quite significant. To make it viable for a large organization, substantial additional development is necessary.

Microsoft Entra ID provides a way to manage user access, but it's not an effective tool for access management due to its excessive complexity. This is primarily because the process needs to be performed manually. Therefore, it lacks a user-friendly interface where we could define all access rules and scenarios comprehensively.

Zero trust is not easy to set up, especially for large organizations. While it could be implemented for smaller organizations, the extensive manual configuration required makes it impractical for larger enterprises.

Microsoft Entra ID's impact on access and identity management is relatively limited.

The single interface for managing permissions, permission rules, or conditional access policies needs to be significantly more user-friendly. While it remains functional for IT departments, it is not particularly user-friendly for end users. There is considerable room for improvement in this regard.

Microsoft Entra ID offers various features, but its setup and utilization are quite complex due to the lack of a user-friendly interface for end users. Unless we allocate a significant budget and a substantial workforce to configure it for end users, making it usable remains a challenge. Moreover, even with these investments, the cost of using Microsoft Entra ID would become prohibitively high. Thus, it's evident that the platform lacks the necessary functionality to provide a satisfactory end-user experience. 

I have been using Microsoft Entra ID for eight years.

The solution is stable. I have not encountered any stability issues.

Microsoft Entra ID is scalable.

I have had a positive experience with technical support. Additionally, if we opt for premium support or possess varying levels of support agreements with Microsoft, we can access excellent support.

Positive

The deployment is quite straightforward. It's truly uncomplicated from an IT perspective to utilize Microsoft Entra ID. It's not overly intricate in that aspect. However, when we delve into end-user scenarios, and the management and configuration of conditional access policies, permission management, and other similar aspects, it does introduce a certain level of complexity, naturally.

Microsoft Entra ID service can be quite costly due to its hidden expenses linked to usage. This cost ambiguity arises from our inability to accurately project expenses prior to implementation, contingent upon the specific features employed. The expense is particularly notable if we intend to utilize it for comprehensive identity management. Nevertheless, alternative budget-friendly identity management solutions are limited within the current market landscape.

There are no additional costs for maintenance because most of the parts are cloud-based and managed by Microsoft. This means we can't manage it ourselves. However, if we had a private cloud with Microsoft Entra ID, for instance, then we could manage our entire cloud ourselves. This would allow us to have good control of the costs. But there are many small components in Microsoft Entra ID. So, when we are planning to build something with Microsoft Entra ID, we might struggle to understand the total cost for the users. It's difficult to comprehend all the necessary pieces we need to purchase to construct a scenario. Only after we have designed this solution, we will be able to see the complete cost. Unfortunately, there are numerous hidden costs in Microsoft Entra ID that I am not particularly fond of.

If we consider the top three or four management tools, they offer numerous out-of-the-box features for connecting to HR sources. Furthermore, we have a straightforward method for establishing access policies based on our HR data. In my opinion, competitors hold an advantage over Microsoft Entra ID.

I would rate Microsoft Entra ID eight out of ten.

We can achieve a great deal with conditional access policies; however, using the interface itself is quite cumbersome and not very user-friendly. Consequently, there are very few tools currently available that offer a well-designed user interface for managing access policies. This is consistently a highly intricate scenario.

Based on my experience, Okta functions primarily as a solution for managing customer access or customer identity, rather than being the conventional method for handling business or corporate identities. It's more focused on robustly managing customer identities. However, in my previous procurement roles, it has never been selected as the primary option. This could be due to my limited exposure to customer identity management. Thus, I find it challenging to draw a direct comparison. On the other hand, Microsoft Azure Active Directory can certainly serve as a customer identity management solution and is comparable in this aspect. However, the comparison doesn't hold true for user identity management.

The maintenance is controlled by Microsoft because the solution is on their cloud.

Organizations should refrain from exclusively using Microsoft Entra ID for all identity and access management scenarios. This is because relying solely on Microsoft Entra ID necessitates creating additional components ourselves to address aspects that cannot be readily addressed using the default Microsoft Entra ID setup. We are required to construct these components and establish phases for end users, as Microsoft Entra ID does not encompass all these functionalities. A more effective approach could involve integrating Microsoft Entra ID with another product, such as SailPoint. This combined utilization would likely result in a robust identity management solution. It's important to recognize that Microsoft Entra ID alone cannot adequately address all our scenarios.

We use it because we have to onboard our user laptops to our Windows domain. Azure AD provides us with the Windows domain capability.

As an organization, we are going for ISO 27001 compliance. The only way to achieve much of that was to have Azure AD in place. Once Azure was in place, many things, like bringing all our laptops into the domain, and ensuring centralized policy deployment, were taken care of and that is where Azure AD has come in handy.

We use BitLocker for policy enforcement. And now, because of the Microsoft 365 Business Premium package, we get Intune as a part of it. That's very useful for us for setting policies and managing the systems. The biggest strength of Azure AD is Intune. As a user, I rarely go into Azure AD. I would rather go to Intune and work from there.

I've been using Azure Active Directory for the last few years. Since 2020, I've been using it extensively because, where I'm working, we're totally on Azure AD.

There is nothing to be worried about when it comes to stability. It's a cloud product.

We are not worried about scalability because it's a cloud system. It will run and they will scale it. They already have packages wherein you can scale it depending on how many users you have in your system.

Our usage of Azure AD will continue, going forward, as an organization. We are not going to pull back on it. It's only a question of what more we can extract out of it as we go along.

Technical support varies. The problem is that Microsoft has contracted out support to multiple organizations around the world. When you raise a ticket, you may or may not get support from someone in your country or region. That's "Part I". 

"Part II" is that when you get to a support agent, they go by the playbook. While they do a lot of R&D for us when we give them the problem in detail, and they actually find things out and come back to us, they're not willing to go beyond the established guidelines to try to troubleshoot. They will only do so if it becomes a pain-in-the-neck issue and multiple users are reporting that problem. For example I found an issue with Defender and I raised a ticket with the Defender team. That has now been pushed to some sort of a feature update, so things like that do happen.

Positive

The initial setup is straightforward. There is nothing very complicated about it.

The very basic setup of AD might take between 10 minutes and half an hour. Then, if you sit down and focus on the task, it takes about a couple of days to have all your nodes in place.

In our company, there is another person who is my immediate junior and who reports to me. We are the ones who deploy, use, and maintain the system.

We are using the version that comes with Microsoft 365 Business Premium.

Microsoft has a very weird way of licensing the product. With the standard on-prem edition, we can do a lot of regular, day-to-day maintenance, including creating policies and the like. We can't do that in Azure Active Directory. The Azure system is very basic in nature compared to what the server provides us.

There are add-on components and services, such as identity services, that we have to add to our Azure subscription. Only then can I actually say it's on par with the on-prem server edition.

Why should I pay for a component? It should be included in my subscription. I understand there may be an added fee, but don't remove an essential component. I am a career IT guy. When I start comparing my on-prem server against this cloud edition, I see that there are components missing. The money issue is secondary. Give me a solution that matches the Azure standard edition. They should ensure that whatever I have on my domain controller are the facilities that run here in Azure AD. For example, on the domain controller, if you are my user, I can let you create a 14-character or a 20-character password. I can't do that on Azure AD. To do that, I must get the Directory Services module, which costs me another $100 a month. Let that cost be added to the bill and let me create my configurations as and how I want. Why do they want to restrict me? It's a detrimental business practice.

Still, I say go for it. Don't worry about the pricing. Licensing, at the basic level, is sensible. But you should actively talk to your reseller about the needs of your organization. Costs will vary as you dig deeper into understanding what product or service you need. Independent of your geographic location, talk to a local Microsoft partner and understand the cost. Don't simply go online and order things. I would stress that to anybody in the world, whatever the size of their organization.

The pricing module is pretty straightforward for many of the products. They have a price for up to 300 users for many of the licensed products. Up to 300 users is not considered an enterprise business.

You may have knowledge about the product, but when you talk to somebody else you get a slightly different perspective. Exercise that principle. Talk to one or two vendors, but talk. Spend time on the call. Understand what you want. One person might give you an idea of how you can deploy with your existing products, while another guy might say those products have these weaknesses and these strengths.

From the organizational perspective, it's not the native Azure AD components that provide value to the customer, it's more the other components. If you're a Microsoft 365 Business Premium customer, you get Microsoft 365 Defender. Along with that package, you get something called Secure Score for your organization. The beauty of Secure Score is that it gives you something of a benchmark. It says X percentage of organizations have this particular level of security score and it tells you how you can upgrade your security. It may tell you to enable something or disable a feature. After about a day's time, during which the change percolates across the organization, your security posture goes up a notch. That's a very useful tool for any organization, whatever the size.

The end-user experience is better because we don't have to have so many components on board, compared to other solutions, to do something. For example, even though Defender is a limited version in some critical aspects, it still does its job pretty well. One major benefit of having it is that we can control the policies of Defender from the Intune portal or the Microsoft 365 Defender system because it's backed by Azure AD. Azure AD plays a kind of backend role. 

It doesn't play much of a front-end role wherein I can create a policy. If I have to create a GPO, I must get the Directory Services component. Without that, I cannot create a GPO the way I would with the ordinary service. That's a critical difference. And with Microsoft, as usual, until you go digging around, you'll never know about this. I raised support queries with Microsoft and followed up with the tech support, after which I was informed that until I have Directory Services I can't do anything. This kind of clarity is not provided to the customer. Microsoft's website is really weak when it comes to providing specific details.

I would tell any organization that doesn't have Azure Active Directory today not to spend money on setting up a server and a data center and infrastructure. Simply upgrade your Office subscription, because it eventually happens. The world is divided into two major parts: Microsoft users and Google users, and there may be some percentage that doesn't use either product. If you're using these products and looking at ISO compliance, simply upgrade to Microsoft 365 Business Premium. You'll get Azure AD and then you can go about the rest of your work.

Overall, I rate Azure AD at seven out of 10. There is a huge difference in the capabilities between the on-prem server and the Azure version.

I am a systems manager. I use Azure Active Directory every day for my support job.

Our authentication tools to single sign-on portals are hosted in different cloud products, like Amazon or GCP. So, we create an enterprise application and Azure Active Directory to give our users for authentication access to various public URLs.

Before Azure Active Directory, it took effort to provide cloud access to on-premises users. With Azure Active Directory and AD Connect, we are able to sync on-prem users to the cloud with minimal effort. We don't have to manage keeping multiple entities for the same user.

The multi-factor authentication (MFA) is one of the best aspects of the product. 

The security features are great. They will report in advance to you in the case of suspicious activity. 

The GUI is pretty enhanced. You can configure applications or do whatever they need to do. 

Azure Active Directory currently supports Linux machines. However, the problem is that you get either full or minimal access. It would be very nice if we could have some granular authorization modules in Azure Active Directory, then we could join it to the Linux machine and get elevated access as required. Right now, it is either full or nothing. I would like that to be improved. 

We have the ability to join Windows VMs to Azure. It would be nice if we could have some user logs, statistics, and monitoring with Azure Active Directory.

When we subscribe to MFA, the users get MFA tokens. However, it is not a straightforward process to embed any of the OTP providers. It would be good if Microsoft started embedding other third-party OTP solutions. That would be a huge enhancement.

I have been using Active Directory for two years.

This product is used every second of every day.

The solution offers nice stability and performance. 

In my organization, there might be as many as 60,000 people who utilize the solution. 

The scalability is awesome. You don't even need to think about scalability because Microsoft manages it.

We use it on a daily basis.

The support could be better. Lately, they sort of dropped off a bit in terms of quality. Recently, Microsoft support has not been doing such a good job. Previously, they used to do a good job.

In the past, AD Connect was not syncing. It threw errors in the beginning. So, I had to call up technical support to solve the problem. At the time, we were satisfied with their assistance.

I am also using AWS.

Azure Active Directory is not an Active Directory product. It is just the application proxy. You need to have an on-prem solution. Azure Active Directory would just be a proxy that uses the on-prem data and hosts the application. It is not a full-scale Active Directory solution. However, it has a lot of enhancements. The traditional on-prem Active Directory hosts the users and computers as well as some additional group objects. 

On the other hand, AWS Active Directory has all the capabilities of the traditional Active Directory with limited access for the administrator. All domain administration and sensitive credentials will be managed by AWS. So, you don't need to worry about application delays or syncing issues.  

The initial setup is simple.

It is pretty easy to set up the product. You subscribe in Azure Active Directory. By default, it will have an extension where you need to register. If you need a custom domain name, then you need to register with your public DNS providers to create the DNS public entry. You will then have to prove that you own the domain name. Once it has been proven, then your Active Directory pretty much works. 

If you need to sync up your on-prem users with the Azure Active Directory, then you need to have an AD Connect server installed at the VM-level domain. It should be credentialed so AD Connect can use credentials to read your on-premises and sync it to the cloud. Once this has been done, you are good to go. As an enhancement, for whatever user you are syncing, you can mandate them by adding them to a group or rolling out an MFA policy.

Since it is pretty straightforward, you just need one person to deploy it.

I implemented it in an hour.

Some maintenance is required. However, it is not on Azure Active Directory's part. Rather, it is for AD Connect. Often, we see that the connection is getting lost or something is not happening. Sometimes, port 443 might not be open from your on-prem Azure Active Directory. In that case, if you haven't implemented it in the beginning, then you need to do this. For a high availability solution, if you find that the machine is having additional issues, then you might need a higher AD Connect device. I would probably also deploy it with a different availability.

The solution has three types of tiers:

1. E1 has very basic features. 
2. You get limited stuff in E2 and cannot have Office 360 associated with it. 
3. E3 is on the costly side and has all the features.
   

If you need to have an Exchange subscription or email functionality, then you need to pay more for that.

We are using both the on-premises version and the SaaS version.

I would advise potential new users to learn a bit about the product before jumping in. If you are new, you need to do background research about Azure Active Directory. You also need to understand its purpose and how you want to leverage it. When you have a draft architecture in place, then you can go ahead and implement this solution. If it needs to be reimplemented, it is just a matter of five minutes.

I would rate the solution as nine out of 10.

We provide single sign-on, app syncing, and API seamless access to more than 2,000 users with the syncs into Azure. We provide access to email, SharePoint Online, Skype, and other services on the cloud to half of those users. We have services in the cloud, such as app registration and documents for SharePoint Online.

The single sign-on is the most valuable aspect of the solution. It allows for storing passwords in secure vaults. For developers, we use a vault for SSH. Mainly, we have replication from all services on-prem to the cloud.

With a single sign-on, in the case something happens on-premises, users can still use a single sign-on to a PC to access the cloud.

We can deploy policies, which improves our security posture. It's mainly very similar to on-premises, however, some new features can be used on the cloud as well, such as labs and password rotation. Some features have improved, which has been great.

The solution improves the way our organization functions. I can deploy a policy that will search for unused accounts, for example, and delete or just move them to a different organization unit that handles unused accounts. We can change unsecured passwords. We can detect intrusion and inform a security group on how to disable that account immediately. We can also perform security checks on services.

We can easily migrate services and improve the quality and improvement of bandwidth of the service. It's easy to scale.

There are some searches, such as a global search, which have powerful query capabilities if you configure it in a certain way.

It's easy to use. The portal experience provides a dashboard of what's happening. With the dashboard, you can see what's happening with the service faster. Of course, I’m talking about the cloud. On-prem you don't have that dashboard.

Active Directory has affected our end-user experience. It has improved it as we have centralized management now and we have centralized administration, and things can be automated easily. You can have most tasks automated. It's good.

The security needs to be improved. For example, in terms of changing from one version to the latest, meaning going from 2008 to 2012, or 2016 to 2019, you need to get rid of all the operating systems and they need to ensure the security is upgraded and improved.

They need to bring BitLocker into the VMs and the servers.

LAPS could also be improved. LAPS are used to rotate passwords on a server. That can be improved upon to increase security levels.

Protocols SSL 2.0 and SSL 3.0 need to be removed and they should change my TLS 1.2 for every application.

I've been using Azure for about 13 years. However, I've used Active Directory for 25 years. It's been a long time.

We have found some servers do not have enough CPU or memory which meant there was not enough stability. I scaled up the service to ESX, to a virtual host, and I installed multiple DCs, virtualized. As the solution has physical machines, CPU and memory were not enough. However, the scaling provided much more stability.

The scalability is good now, and I find it to be more stable and faster since scaling up to ESX.

We tend to increase usage every month. We have five countries with multiple forests. Currently, we have 200 users or so on the solution.

The technical support is not so bad, however, it's lacking in faster response times sometimes.

We did not previously use a different product.

The initial setup was complex. It has several forests connected to multiple domains in several countries, and it's going through multiple data centers. Typically, we have a solution for the VPN. It's different in every country sometimes. On top of that, centralized services are not so easy to manage in different forests.

The initial deployment was set initially for six months, and then we’ve been doing improvements for the last six months as well. It’s been a year in total.

Our initial implementation strategy was to sync a forest with multiple domains.

We have ten to 15 people who are capable to handle maintenance on the product. These include a cloud architect to Active Directory architect engineers, help desk engineers to deploy and manage solutions, and engineers to manage the servers.

We did not use an integrator, reseller, or consultant for the deployment. We handled it in-house. That is my understanding.

We have seen a bit of an ROI.

The solution is not the cheapest in the market. It could be improved and possibly lowered slightly.

We moved right into Active Directory, however, as a cloud architect, I am familiar with other solutions. I advised the client to go right to Active Directory based on my past experience. Due to the complexity of services they offered, I knew integration would be easy.

We are a Microsoft partner.

We use several versions of the product, including 2016 and 2019. For one customer, they're running 2008, which is the old version, and I just upgraded them to 2012. The domain controller is 2012 R2 and has the latest patches.

I'd advise new users to do an original design with an architect, and think about scaling up while considering services you will be adding in the future. It's important to plan the security tightly and do a neat design and consider services such as BitLocker and other resources that will be needed.

I'd rate the solution at an eight out of ten.

We're using Azure AD as a centralized identity management tool, to keep all identities in one place. For example, if we have an application that needs authentication, we use Azure AD. It is not only for user authentication and authorization.

We also use Azure AD as a synchronization tool from on-premises instances to the cloud, and we are using Azure ID Join to join machines directly to the cloud. We use it for access policies, as well as the registration of services.

With MFA, if there has been a password leak and someone tries to access the system, Azure AD will send a notification to the real user's cell phone and ask, "Are you trying to login? Please approve or decline this login." If the user declines the login, he can send a report to IT and the IT guys can automatically block the account, change the password, and review everything else. That helps us prevent unauthorized access to the system, and that's just through the use of MFA.

Through access policies, if my account was stolen and the guy got his hands on the MFA information for some reason, if the real user is in one country and the thief is in another country, the account will be blocked by our geolocation policy, even when the password is right and the MFA has been approved. We can lock it down using geolocation.

If we're talking about applications, one of the most valuable features is the administration of enterprise applications. It helps us to keep them working. We don't always need to authenticate a user to make an application work, but we do need some kind of authorization. We use service principal names for that. Managed identities for applications are very useful because we can control, using roles, what each resource can do. We can use a single identity and specify what an application can do with different resources. For example, we can use the same managed identity to say, "Hey, you can read this storage account." We can control access, across resources, using a single managed identity.

When it comes to users who have a single account, the most valuable feature is the authorization across applications. In addition, access policies help us to keep things safe. If we have a suspicious login or sign-on, we can block the account and keep the environment safe. It's also important, regarding users, to have a centralized place to put everything.

The user functionality enables us to provide different levels of access, across many applications, for each user. We can customize the access level and set a security level in connection with that access. For instance, we can require MFA. That is a feature that helps enhance our security posture a lot. And through access policies we can say, "If you just logged in here in Brazil, and you try to log in from Europe five or 10 minutes later, your login will be blocked."

One thing that bothers me about Azure AD is that I can't specify login hours. I have to use an on-premises instance of Active Directory if I want to specify the hours during which a user can log in. For example, if I want to restrict login to only be possible during working hours, to prevent overtime payments or to prevent lawsuits, I can't do this using only Azure AD.

I have been using Azure AD for the last five or six years. I have been using the on-premises solution, Active Directory, since 2005 or 2006.

We have never faced an outage situation with Azure AD. The stability is great, very reliable.

The scalability is okay for us. While there are limitations on the number of users, it's a very huge limitation. We have not hit that limitation so far. No matter how many users or groups or SPNs (service principal names) we have, it works fast. The response takes two to three seconds if we use the API.

Currently, we have more than 5,000 users. We are at 100 percent adoption. All our users from on-premises are synced to the cloud and they are fully using the features available.

The technical support is not going in the right direction. Sometimes the first-level support agents don't have the proper knowledge. Some of them take a lot of time to discover simple things because of that lack of knowledge. Sometimes a guy takes three or four days to give up and to ask for help from a higher level of support. The technical support can be improved in that area.

Neutral

Before Azure AD, we either used Active Directory for on-premises or a Linux solution, but it was almost a miracle finding Linux solutions for identities. In our location, the majority of enterprises and companies are using Active Directory. The free Linux solution is basic. You can choose a user, a password, and a level of access, but it does not go as deep as Active Directory.

The initial setup of Azure AD is very straightforward. There is even a wizard for it, making it very simple. The wizard guided us and pointed us to articles in the Microsoft Knowledge Base, in case we had any doubts about what was going on. It was a matter of "next, next, and finish."

Deployment took less than 60 minutes. It was very fast.

There are almost always issues when it comes to synching on-premises instances because they almost never follow best practices. When migrating to the cloud, there is a tool that Microsoft provides to run in your environment that tells you, "Hey, you need to fix this and this about these users, before you initiate the migration." It's complicated because on-premises solutions are like that. But if you want to have identities in Azure AD, you must have a proper set of User Principal Names, because these will be the anchor for the synchronization. If my on-premises instance has a bad UPN, it will not be able to properly sync to the cloud. But once we finished fixing the irregularities in the on-premises accounts, the migration was easy. We just installed the synchronization server and it did the job.

We have seen ROI using Azure Active Directory in the fact that we don't need to have four or five local servers. We can have just one local server and the heavy jobs can be run over the cloud. There is some money saved on that.

The pricing for companies and businesses is okay, it's fair. 

But if you are trying to teach someone about Azure AD, there is no licensing option for that. There is a trial for one month to learn about it, but there is a need for some kind of individual licensing. For instance, I personally have an Azure tenant with Azure AD and I use this tenant to study things. It's a place where I can make a mess. But sometimes I want to do things that are blocked behind the licensing. If I were to buy that license it would be very expensive for me as an individual. It would be nice to have a "learning" license, one that is cheaper for a single person.

Plan what you want. Think about whether you want native authentication and authorization in Azure AD. And if you want to have servers on-prem, you have to plan the kind of synchronization you want. Do you want passwords synced to the cloud or not? Instead of going headlong into using Azure AD and running into issues, the kind that require a change in access which could be problematic, plan before doing the deployment.

We use Azure Active Directory for quite a few things. We use it for security group management of authorized principals who need access to get SSH-signed certificates for user logins. We use it for automated jot-based (JSON Web Token) self sign-on for our lowest, least privileged credentials on certain products. We also use AAD for B2B coordination of SSO when we're bringing users onto our platform, where they have Active Directory on their side. We use the OIDC-based SSO flows through AAD to merge project-level AADs back to our corporate AAD for internal single sign-on flows.

• There is tech support to help with any OIDC-based setups between organizations.
• It has good support for SAML 2.0 and OIDC-based setups for our remote identity providers.

The solution has come a long way. Now, with the Azure AD B2C offering integrated as well, we've got a full IAM-type solution for our customer-facing identity management. In addition, when it comes to user journeys we now can hook in custom flows for different credential checking and authorizations for specific conditional access. 

I don't think the documentation is where it needs to be yet, for user journeys and that type of flow. There is still trial and error that I would like to see cleaned up.

Also, they do have support for SAML 2.0 and it's very easy to set up linkages to other Active Directory customers. But if somebody is using an IdP or an identity solution other than Active Directory, that's where you have to start jumping through some hoops. So far, our largest customers are all using Active Directory, but I don't think the solution is quite as third-party-centric as Okta or Auth0. Those solutions have a lot of support for all kinds of IdPs you want to link up to.

Finally, a couple of months ago I was on a team that was looking at low-cost MFA for SSO, where we would control the MFA on our side, instead of having the remote database handle it. In those kinds of flows, there aren't as many off-the-shelf options as I would like. There were cost implications, if I recall, to turn on 2FA. Also, the linkages that they had set up off-the-shelf—obviously they had the Authenticator app—meant that if you wanted to do something with Duo Mobile or any of the other popular 2FA providers, it seems it might have taken us more time than we wanted to put into it.

I have been using Azure Active Directory for a couple of years now.

The stability is great.

The scalability is also great.

We have an enterprise agreement with Microsoft, so we aren't typical folks. Through that agreement, we get a dedicated technical account manager and that person is able to escalate tickets when necessary. I have found Microsoft to be very responsive when needed, although we haven't really needed them that often.

We use Azure a lot, and therefore, AAD was an obvious choice and we thought, "Why not use it?"

They've done a good job on OIDC. That was a pretty simple, seamless setup. We've done that with multiple remote IdPs now, and I don't recall too many issues there.

There is much less cost investment going into it now. We didn't have to do a volume buy to get onto the platform. When it comes to ROI, there is low friction and a high, immediate return on investment.

It's relatively inexpensive in comparison with third-party solutions. It's highly available and supported by Microsoft Azure in our enterprise agreements. With the addition of their B2C tenants, it's hard to beat from a cost perspective now.

They changed their pricing for B2B access. You used to need shared licenses so that, if you were paying for a Premium AAD on your side, that would allow you to have five shared external mapped users. They've blown that all up and it's now dirt cheap. It works out to pennies per user per month, instead of dollars. A P1 user license in their system was $6 per user per month, which is cost-prohibitive for a lot of B2B SSO flows, but now it's down in the pennies range.

We have integrated our internal applications and cloud applications with Azure AD. We also have a few external applications for which we need to implement a self-service portal and handle requests such as password reset.

We have external applications such as Cloudspace, and we have integrated Azure AD with Cloudspace. We mainly use a single sign-on. Our main target is to go through all single sign-on applications and integrate them with Azure AD. We also need to audit everything in Office 365. Our mail system is Office 365, and we also do some auditing.

We are also implementing Intune. We have deployed some basic policies for mobile devices, and we are working on improving those policies. We need to configure conditional access and improve policies for the applications and devices. We are doing some testing, and it is in progress.

In terms of deployment, we have a hybrid deployment of Azure AD. We have the 2019 version of AD on-prem.

We are able to do complete onboarding through AD. The users have access through the AD login, which is synced with Azure AD. We have a hybrid environment, and every cloud application is accessed through AD. We have defined AD policies related to password expiration, limitations, etc. It has provided smoother accessibility.

Previously, when we had on-premise AD, to reset their own passwords, users had to use a VPN or bring their laptop to the office. With self-service, users can easily change their passwords. This reduces the workload for IT support. If their password gets locked, they can unlock it themself by using Azure AD. Previously, it was also difficult to integrate with external applications, but with Azure AD, integration with external applications is easier. 

Azure AD makes it easier to see and monitor everything in terms of access. We can see sign-in logs or audit logs, and we can also integrate devices by using Intune. So, we can manage BYOD devices inside the organization.

We are using Conditional Access, MFA, and AIP. We have integrated it with Intune, and we already have DLPs.

Application integration is easy. MFA and password self-service have reduced most of the supportive work of IT. We use multi-factor authentication. Every access from a user is through multi-factor authentication. There is no legacy authentication. We have blocked legacy authentication methods. For people who use the MDM on mobile, we push our application through Intune. In a hybrid environment, users can work from anywhere. With Intune, we can push policies and secure the data. 

The audit logs are very good for seeing everything.

We started using it at the end of last year.

It is stable. I haven't faced any issues. There could be some issues related to syncing because of on-prem, but overall, it is quite stable.

I don't have much experience with scalability. I only use tier one or Premium P1, and I want to move to Premium P2 that has more security levels and more advantages.

In my previous companies, there were a thousand users. In my current company, we have less than 500 users. It is working fine, and there are no issues.

We plan to expand our usage. If it is possible, we plan to upgrade our subscription to Premium P2. We have introduced it to one or two companies who were looking for such a solution. We have already introduced the Azure AD hybrid platform for companies that had only an on-prem setup.

Sometimes, there are issues, but they are usually because of user mistakes. We are able to fix such issues. We are able to find the issue and do troubleshooting. We are able to find information about what is wrong and how to fix it. 

Their support is okay. They are able to resolve the issue, but sometimes, there is a delay because the ticket goes to the wrong person or the wrong time zone. I would rate them an eight or a nine out of 10.

We have only been using Microsoft solutions.

It is easy to deploy and not complex, but it also depends on your requirements. We have tenants and subscriptions, and we connect AD to Azure AD through Azure AD Connect, and they are periodically synced.

The connectivity took a day or two. It doesn't take long. Sometimes, there could be issues with on-prem because of not having a standardized setup or because of parameter duplication, but after we resolve the issues, it doesn't take long. For its setup, only one person is generally required.

It was implemented by me, and I also had one guy's support. 

Our infrastructure team takes care of the maintenance part. They are taking care of monitoring. If there is an alert or something happens, they take care of it. It doesn't require much maintenance. One person can manage it.

We have been able to achieve our target and requirements for security. After the move to Azure AD, the security level is high. The users have to change passwords and do MFA a few times if something goes wrong, and if they can't, the device is going to block them. Sometimes, users are not happy, but at the organizational level, it is good. It is costly, but the improvement is good in terms of performance and security.

It is a packaged license. We have a Premium P1 subscription of Office 365, and it came with that.

Two or three years ago, we were looking at some open-source solutions.

I would rate Azure Active Directory a nine out of 10.