Microsoft Entra ID Reviews

I am an operational engineer and consultant that assists organizations with their Azure Active Directory implementation. I primarily deal with administrative functions in my day-to-day tasks. I am responsible for creating and configuring Azure AD users and groups, as well as assigning the dynamic membership required by the organization to their users. Another common task is that I set up guest user access for organizations that want to grant access to users on a temporary basis.

For customers that want to use a cloud-based deployment, I can assist them with that. In cases where the customer wants an on-premises deployment then we will provide them with help using AD Connect, which is used for synchronization between cloud-based and on-premises data.

This solution helps to improve security for our clients using a specific directory structure and by using a variety of options. There is a default directory, which is owned by Microsoft, and in there you can create custom directories for your use. 

There is a panel available for the administration of users, groups, and external identities. 

Options are included for uploading your on-premises applications to the cloud, and they can be registered with Azure. This means that you can also create your own applications.

Identity governance is available for paid users.

Using Azure Active Directory has benefitted several of my clients, with an example being a startup organization. Startups have three or four things that they need to do in order to begin work. First, they need a domain, and after that, they need a DNS record to be created for their domain. For instance, these services are provided by godaddy.com or similar vendors. Once these steps are complete, they connect to Azure AD with the help of the DNS record that was created. At this point, Azure AD performs the role of a Platform as a Service. Once Active Directory is connected and verified, you can create the users and groups, and begin managing your processes. 

These are the only steps that are required for a startup. For an enterprise that wants to migrate its on-premises data to the cloud, there are several additional steps. For instance, you need to create a virtual machine and install your server. Alternatively, if you already have a server, it can be connected with the help of AD Connect.

This is a good solution for end-users because the vendor provides good documentation and if the users experience errors or issues, they get a popup alert to explain the problem. Furthermore, it can provide a solution to resolve the issue.

The most valuable feature is Identity and Access Management. As an IT administrator, this feature allows me to manage access for users and groups.

This product is easy to use and easy to manage.

The application policies, licensing, and AD Connect options are valuable.

Multifactor authentication provides more security. Having a user ID and password is compulsory but after that, you can add different security features. For example, it can work with biometrics such as fingerprints, retinal scans, and facial recognition. There are many more options that may suit you better, as per your requirements.

When you log in to the Azure portal, there is an option available called Resource Groups. Here, you can add multiple things including printers and different servers. There are Windows servers available, as well as servers hosting many different flavors of Linux. Once a server is created, you can add in a database, for instance.

There are four levels of subscription and the security features are not available for free. At the free or basic level of service, Azure should provide identity protection features including single sign-on and multifactor authentication. These are the most important features for organizations and everybody should be able to utilize them for working remotely.

I have been working with Azure Active Directory for approximately three years.

Worldwide, Azure has many servers available and in fact, they are the largest cloud organization in the world. As long as you are paying for the service, you don't have to worry about availability. There is a Microsoft backend team available that can provide you with what you need.

The availability is the best in the cloud industry.

You don't need to create or manage your own infrastructure, as it is handled by the Azure team. Also, through the Azure portal, you can add databases.

This is a scalable product. You can scale it to any number of users and any number of servers, and there is no issue. As your organization grows day by day, you can increase your users, your databases, and compute services including RAM, CPU, and networking capabilities. This will ensure availability on the platform.

If you are part of a very large organization, with between 50,000 and one million users, then you might generate between 500 and 1,000 terabytes of data each day. You have two options for uploading this data to the cloud, including an online option and an offline option. In the online option, you use a gateway. The offline option includes Data Box, which is a device used to transfer your data. These hold 800 terabytes and above.

I have not used technical support from Microsoft myself. However, it is available and they can provide proper resolution to problems that people are having.

The support documentation that is supplied on the web page is very good. If anything changes then there is a section for notes in the documentation that explains it.

Using technical support is a more cost-effective solution than hiring somebody to maintain the product full-time.

The initial setup is not a complex process. It is simplest in a cloud-based deployment and it will not take much time. If your current server is on-premises then you only need two things. One is your enterprise domain users, which have full access permissions. The other is a global administrator on the cloud side. Both sides need to be integrated and this is done with the help of Azure AD connect. Once this is complete, you can have interaction between your on-premises data and cloud data.

It is helpful to have a basic level of understanding of the product prior to implementing it.

We provide support to our customers, depending on the error or issues that they are having.

There are four different levels of subscription including the free level, one that includes the Office 365 applications, the Premium 1 (P1) level, and the Premium 2 (P2) level. There are different options available for each of the different levels.

Everybody can get a one-month free trial.

This product is cheaper than Amazon AWS and Google GCP.

I do not use the other Active Directory solutions, although I do check on them from time to time. One thing I have noted is that the Google platform charges you on an hourly basis. In the case where you need a virtual machine for only one or two hours, this is a good option. However, if you forget to log out of your machine, then the cost will be large.

AWS provides you with a one-month free trial so that you can test using the resources.

At this time, Azure AD is the biggest cloud Platform as a Service that is available. They have 60+ cloud data centers available worldwide, which is more than any other organization. It is a service that I recommend.

My advice for anybody interested in this product is to utilize the free trial. Microsoft will not charge you anything for the first month. They will also give you a $200 credit so that you can use the services.

I would rate this solution an eight out of ten.

It has allowed us to use other SaaS products that will authenticate with Office 365 as well as other Microsoft products and non-Microsoft products, so we can have a single sign-on experience for our users. Rather than them needing to have multiple usernames and passwords, they just use whatever they have as their main username and password to log onto their machine.

It is SaaS based, but we sync up from our on-prem into Azure AD.

With COVID-19 at the moment, this solution is a good example of where we needed to move a lot of our traffic from our on-prem authentication into the cloud. Last year, before I joined the company, we had to setup our VPN differently. It was easy enough for us to do because our machines were already joined to Azure AD. We just split the traffic and stopped having to rely on our on-prem VPN for our Office 365 traffic. We were just good to go into the Internet because we had all the features setup, e.g., MFA and Conditional Access, which made life a lot easier.

It has made our security posture better. There are always improvements to be made, but we feel more secure because of the way that things have been setup and how everything integrates together.

• Single sign-on is the most useful at the onset. 
• The dashboards offered are very granular, in terms of usages. 
• We find the Conditional Access element and Multi-Factor Authentication side of things very useful. 

These features let us have secure, yet user-friendly interactions, rather than having to be embroiled in various types of signups for each application. These allow us to be a lot more granular as well as making sure our environment is more secure. Our accesses and users remain secure too.

Multi-Factor Authentication (MFA) and Conditional Access have helped us be more secure. There is one place where all these features are posted, making life a lot easier. If we were to try and buy these separately, then it would be a painful experience. Whereas, if it is in one product, then all these features talk to each other and it is available for us in one go. For example, when you buy a car, if you buy the steering wheel and engine separately, then you need to make it work altogether. Whereas, you just want to buy a car with everything included, making life a lot easier.

It has made the end user experience a lot better. They only have one password to get into their online applications and that makes the user experience much better.

The one area that we are working on at the moment is the business-to-consumer (B2C) element. It is not as rich as some of the other competitors out there. The B2C element of Azure AD is quite niche. Some of the features that they offer, e.g., customized emails, are not available with B2C. You are stuck with whatever email template they give you, and it is not the best user experience. For B2C, that is a bit of a negative thing.

In my previous role, there would have been a few things that I would have liked added, but they have already introduced them. Those are already in the roadmap. 

I have been using the product for many years. I have only been at Adecco for six months, but I had experience with it at my prior role as well. Overall, I have used it in excess of five years.

The stability is fantastic. It is a big step from using Active Directory on-premise to now moving to something that has been completely rethought in the cloud. It is very impressive and fits into the whole Microsoft ecosystem, making life easier.

We have had some downtime, but I think a lot of that has been unavoidable from Microsoft's side of things. Microsoft made some changes in some instances which caused certain features to be unavailable, like Azure AD became unavailable a few weeks ago. I love that they were very frank, open, and honest as to what happened. However, the bottom line is that we prefer downtime not to happen. 

We have had no problems with it. We are not exactly the biggest organization, i.e., 30,000 accounts. IT makes up probably 5,000 of those accounts, or less. If we were an organization of hundreds of thousands, then we might be questioning scalability. However, I have never known it not to be scalable. For medium- to large-organizations, it is fine. I think it is when you get into multiple companies with multiple complexities then it becomes a struggle. For us, it is more than scalable for our purposes.

We still have many applications that need to be onboarded to Azure AD. Because we are moving to the cloud, there is a lot more that we need onboarded into Azure AD, but it is working well so far.

The technical support is great. We have a dedicated resource who understands our environment. We have regular meetings with them once a week where we get to discuss the current status of various tickets as well as our questions. The support that we get is very good.

We have Premier Support. We also have Premier Mission Critical Support on Azure AD, which is where we have someone who is dedicated to our setup and knows how our environment's setup. Therefore, if we do have a major issue, then they would be brought in to help resolve those issues.

It was a given that we would use Microsoft. To use Microsoft 365, you need to use Azure AD, so that is what we did.

I have always used AD and Azure AD.

In my previous role, the initial setup was quite simple. It was a simple case of install and follow some wizards, then you pretty much had it setup and synced to your Azure AD from the on-prem. Minimum effort was required.

The deployment was about three weeks, which was mainly the change process and getting it through our internal changes. It was quite quick. 

We did it ourselves internally with some help from Microsoft. There were four people involved in the deployment: the service owner, a Microsoft product engineer, and two internal engineers.

We have the maintenance outsourced to a partner. However, we have had trouble with this partner because of their lack of delivery.

Ideally, I would like around five people to work with the partner and maintain the environment. At the moment, we have one person and are recruiting two others. For our scale, three to five people would be great as well as working with a partner to do the operations. That is the model that I am using.

It is one of those costs where you can't really quantify a return on investment. In the grand scheme of things, if we didn't have it, we would probably have a lot more breaches. It would be a lot harder to detect issues because we would have people using static usernames and passwords for various sites, making us open to a lot more attacks. The amount of security and benefit that we get out of it is not quantifiable but the return of investment from a qualitative point of view is much higher than not having it. 

It is the one platform that should be used for all authentication. Azure AD allows you to have one username and password to access all of your sites, which makes life a lot easier. Therefore, the return on investment is good because people have to use the one ID and password.

Be sure:

1. You know your userbase, e.g., how many users you have. 
2. You choose the right license and model that suit your business requirements.

In the future, I would maybe like better integration with competitive products. Obviously, Microsoft would be selective on that anyway. For example, working alongside Okta as a competitor, their product seems to be a bit richer in its offerings. From what I have seen, Okta has a bit more of an edge, which is something that might benefit Azure AD.

Be prepared to learn. It is a massive area. There are a lot of features offered by Azure AD. It works well within the Microsoft realm but also it can work very well with non-Microsoft realms, integrating with other parties. The fact it is Microsoft makes life so much easier, because everyone integrates with Microsoft. Just be prepared to absorb because it is a big beast. It is also a necessary evil that you need to have it. The advantages outweigh the disadvantages of having it.

The learning curve is both steep and wide. You can only focus on what you can focus on with the resources you have in your organization. It is such a big product and changing all the time. This means that you need dedicated people to be on it. There is a lot of keeping up with what Microsoft puts out there with Azure AD, which is great. This makes its feature-rich, but you need to be able to learn how it integrates into your business as well.

What Azure AD does for my current organization is sufficient, but we are probably not adopting most of what Azure AD has. We do not have it at a mature place at the moment, but we hope (over the next couple of years) to get it up to the latest and greatest.

It is an integral part of using Microsoft stuff, so we are not going to move away from it any time soon. If anything, we will ensure that everything is on Azure AD and authenticating users use Azure AD. That part will still take some time to do. Like most large organizations who have been around for a long time, we have legacy to deal with and some of that legacy does not support Azure AD. So, we are working towards that.

If you come from a company with legacy technology, then there will be a lot of business and technological changes for you to make.

The adoption of Azure AD B2C is progressing somewhat well. That is something that we just started in the last couple of months. We are having more of our products being onboarded into it. We will be moving other implementations of Azure AD into the one Azure AD implementation, and it has been great so far.

I would rate it as a nine out of 10. I would have given it a 10, but it is impossible for something to be perfect. The product does itself a disservice when there is an impact due to downtime, which we have had over the years. Because you rely on it so heavily, you can't afford for it to go down for a few minutes because then there will be user impact. 

We are using Azure Active Directory (AD) for:

• Application authentication, which is single sign-on. 
• Multi-factor authentication (MFA). 
• Conditional access for people coming in from non-trusted networks, which are interlinked. 
• Azure AD B2B. 

These are the four big items that we are using.

The flexibility around accessing company systems from anywhere at any time has proven to be very helpful. Organizations decided during the COVID-19 pandemic, on a very short notice, to announce that everyone should be working from home. The good part was that our company was already working under Azure Active Directory, and most of our applications were under Azure at that time. For us, it was a very seamless transition. There were no major impacts on the migration nor did we have to do any special setups or need to configure networks. So, it was a very seamless experience for our users, who used to come into our office, to access systems. They started working from home and there was no difference for them. We did not have to do anything special to support that transition from working from the office to working from home. It was seamless. There was no impact to the end users.

Bringing our many hundreds of applications onto Azure Active Directory single sign-on authentication has had a big impact on users' productivity, usage, and adoption of enterprise applications because they don't need to log in. It is the same credentials and token being used for days and months when people use our systems with hundreds of applications being integrated. From a user perspective, it is quite a seamless experience. They don't need to remember their username, passwords, and other credential information because you are maintaining a single sign-on token. So, it is a big productivity enhancement. Before, we were not using a single sign-on for anything. Now, almost 90 to 95 percent of applications are on Azure Active Directory single sign-on.

The single sign-on is an amazing product. Its integration with the back-end, like MFA and conditional access, is very helpful for enterprise class companies because of changing dynamics as well as how companies and workers interact. Traditionally, companies used to have their own premises, networks, network-level VPN and proxy settings, and networks to access company systems. Now, anyone can work from anywhere within our company. We are a global company who works across more than 60 countries, so it is not always possible to have secure networks. So, we need to secure our applications and data without having a network parameter-level security. 

Azure Active Directory provides us with identity-based authentication, which secures access at the user level and also integrates with conditional access policies and multi-factor authentication helping to increase the identity security for that person. So, the hacking and leaking of passwords is a secondary problem because you will not authenticate a person with one factor. There is a second factor of authentication available to increase the security premise for your company.

The analytics are very helpful. They give you very fine grain data around patterns of usage, such as, who is using it, sign-in attempts, or any failed logins. It also provides detailed analytics, like the amount of users who are using which applications. The application security features let you drill-down reports and generate reports based on the analytics produced via your Active Directory, which is very helpful. This can feed into security operation centers and other things.

One of the areas where Microsoft is very actively working on enhancing is the capabilities around the B2B and B2C areas.

Microsoft is actively pursuing and building new capabilities around identity governance.

There is a concept of cross-tenant trust relationships, which I believe Microsoft is actively pursuing. That is something which in the coming days and years to come by will be very key to the success of Azure Active Directory, because many organizations are going into mergers and acquisitions or spinning off new companies. They will still have to access the old tenant information because of multiple legal reasons, compliance reasons, and all those things. So, there should be some level of tenant-level trust functionality, where you can bring people from other tenants to access some part of your tenant application. So, that is an area which is growing. I believe Microsoft is actively pursuing this, and it will be an interesting piece.

I have been using it for three and a half years.

We have worked very closely with Microsoft over the past few years. We were one of the early adopters as an enterprise. We worked very closely with Microsoft to develop many products and features.

Looking at our journey over the last three and a half years, there were a few stability incidents, which is understandable from any technology platform provider perspective. However, it was overall a very good experience with a stable platform. There were two or three major incidents in the last three years.

There are about eight people who handle the day-to-day maintenance. These people focus on single sign-on, multi-factor authentication, and Azure B2B.

The scalability is amazing. Microsoft gets billions of logins every day. They are scaling it every day. They announced an increase in the availability that the SLA guarantees from 99.9 to 99.99 percent from April of this year. Overall, it is very stable and scalable. These are things that we don't need to worry about.

It is fully rolled out to everyone in our organization.

Overall, the technical support is very good. Overall, if you follow the customer support route and raise an incident ticket, then they are very prompt. They work very closely and collaboratively with us. We have a dedicated technical account manager (TAM). We have governance in place. We engage with them bi-weekly. So, we have a pretty good working structure with them.

Identity within Microsoft is a separate division, and we work very closely with them.

We didn't use another solution before Azure AD.

The initial setup was straightforward.

How you plan the tenant and set it up is quite key. There are major components that you need to be aware of: 

• Are you planning to implement multi-factor authentication at the tenant level? 
• What type of conditional access policies do you want to implement? 
• What type of access governance do you want to put in? 
• What type of role catalogue do you want to maintain? 
• What type of structure of the AD organization you want to maintain? 
• What type of device registrations do you want? 

There are some prerequisite checklists available from Microsoft. However, these are quite fundamental decisions. If you don't take the lead on them, these decisions will impact you, then you have to go back and fix them later on. So, plan ahead. 

Initial deployment took us a few months across our organization, but we decided to use most of the elements at a very early stage. So, our use case could be different than other companies. Some organizations that I know have chosen not to deploy multi-factor authentication nor do self-service password reset to deployment, then the user community is impacted with that. It can differ organization to organization based on the scale, number of users, locations, etc. So, there are many factors involved. 

We phased out our deployment over a couple of years, focusing on single sign-on and multi-factor authentication, then self-service password reset and other components. So, we did it as a phased deployment with a small team of four or five people.

I strongly recommend the Microsoft GTP Teams, which are with their R&D division. They have a go into production, dedicated team who work with customers from an end-to-end lifecycle perspective. So, they will help you to build the tenant from scratch, following the right standards and guidelines. For us, it was straightforward, but we started this journey in 2017/2018. It is quite a mature product now.

We work with most managed service providers, like Infosys, TCS, Wipro, etc. We have had good experiences with them. Initially, we worked with Infosys.

We are closing all data centers. Therefore, to build or enhance any existing capability in applications, it could have been very a costly effort for us. Rather than building an authentication platform, we are using a standard-based approach where we just need to plug and play. Instead of going in and reinventing the wheel for every application, we are using a standard out-of-the-box service offering from Azure Active Directory, where we just consume that service, then users have a seamless experience.

Having a single supplier saves you loads of headaches from:

• Multiple suppliers and multiple technologies
• Integrating everything.
• Doing upgrades.
• Maintenance.
• In-house deployment
• Having multiple components of those solutions to work together.
• Managing multiple vendors, supplier support teams, contracts, renewals, and licenses. 

If you are dealing with one supplier with an out-of-the-box solution, which provides you end-to-end capabilities, then it is naturally cheaper and less of a headache to manage and operate.

This solution was the natural choice. There is no vendor nor supplier providing this type of capability right now in the market, especially considering people in organizations are using Office 365. So, it is the natural choice to not to go with a third-party supplier, then try to integrate those third-party solutions and technologies into Microsoft. It is one box and the same Office 365 tenant in the same environment where you operate all your settings. Therefore, it is a very natural, out-of-the-box solution.

Look at the market. However, look at it from an end-to-end perspective, especially focused on your applications and how a solution will integrate with your overall security landscape. This is key. Azure Active Directory provides this capability, integrating with your Office 365 tenant, data security elements, classifications, identity protection, device registrations, and Windows operating system. Everything comes end-to-end integrated. While there is no harm evaluating different tools, Azure AD is an out-of-the-box solution from Microsoft, which is very helpful.

Every day we are increasing the number of users and onboarding new applications. Also, we are growing the B2B feature. We try to use any new feature or enhancement coming in from Microsoft, working very closely with them. It is an ongoing journey.

Dealing with a single supplier is easier rather than dealing with five suppliers. Historically, if you have to do anything like that, then you will end up dealing with at least 10 different vendors and 10 different technologies. It is always interesting and challenging to manage different roadmaps, strategies, upgrade parts, licensing, and contracts. The biggest lesson learnt is wherever you can go with native-cloud tools and technologies, then go for it.

I would rate this solution as 10 out of 10.

BDO is a network of firms and a firm is what we call a country. So, we are present in about 160 countries. I am involved in BDO Global, which is not really a firm in the sense that we don't deal directly with clients, but BDO Global hosts IT services for all those 160 countries. A couple of those solutions are a worldwide audit solution that our firms use for financial audits for customers. We have a globally running portal solution, which firms are using to collaborate with our customers directly. All these services are basically based on Azure AD for authentication and authorization. This has been a lifesaver for us, because BDO firms are legally independent, so, we don't have a single identity store worldwide, like other big companies potentially do. We created an IAM solution based on Azure AD that ties all 160 dispersed identity stores back into one. We use that to give access to our services that we run globally.

Azure AD doesn't really give you a version. You just need to take the version as-is because it is a service that Microsoft delivers as a SaaS service. So, we don't have a lot of influence over the version that we use.

Besides tying together all authentications for our 160 countries, it has also been instrumental in getting the collaboration going between our firm countries since normally they are quite isolated. Also, their IT firms are quite isolated. So, Azure AD has made sure that we can collaborate with each other in multiple different systems: the global portal, the Audit application, and Office 365. This allows us to collaborate closer together, even though we are still separated as different countries.

Because it is an identity store, it handles all our authentication. We also use it with a combination of conditional access, which is a way to limit people's authentication or authorization based on where they are, the compliance of their device, and on a whole bunch of other variables that we can set. So, it definitely has been influential as well on the security side. Because it is a SaaS, you have central management over that. You can see all the logins and get reports on who signs in from where. 

There is a lot of artificial intelligence in Azure AD that can monitor behavior of users. If users behave in a strange way, then the authentication can be blocked. For example, if you have a user logging in from China, but it looks like the same user is logging in from America just a few seconds apart. That is a seemingly risky behavior that Azure AD flags for you, then you can block that behavior or have the user provide you with a second factor of authentication. So, there are a lot of security features that come with Azure AD too.

In our scenario, we use a lot of the business-to-business (B2B) features in Azure AD, which allows us to tie multiple Azure AD instances together. That is what we heavily use because every firm or country has their own Azure AD instance. We tie those together by using the B2B functionality in Azure AD. So, that is the most valuable part for us right now.

It has been very instrumental towards a lot of services we run, especially on the single sign-on side. For example, we have 160 countries that all run their own IT but we still are able to provide users with a single sign-on experience towards global applications. So, they have a certain set of accounts that they get from their local IT department, then they use exactly the same account and credentials to sign into global services. For the user, it has been quite instrumental in that space. It is about efficiency, but also about users not having to remember multiple accounts and passwords since it is all single sign-on. Therefore, the single sign-on experience for us has been the most instrumental for the end user experience.

We are using a whole bunch of features:

• We are using privileged identity management, which is also an Azure AD feature. This allows us to give just-in-time, just enough access to privileged accounts. For example, normally you have a named account and you get a few roles based on that named account. If that is a very privileged role, that role always sits on your account all the time. When your account is compromised and the role is on the account, the people that compromise your account have that role. With privileged identity management, I can assign a role to a certain account for a specific amount of time and also for a specific amount of privileges, e.g., I can give somebody global administrator access, then revoke that after an hour automatically. So, when his/her account gets compromised, that role is not present anymore. 
• We use conditional access. 
• We use access reviews, which is basically a mechanism to access reviews on Azure AD groups automatically. So, the group owner gets a notification that they need to review their group member access, and they use that to do reviews. That is all audited and locked. For our ISO process, this is a very convenient mechanism to audit your group access.

We have a custom solution now running to tie all those Azure ADs together. We use the B2B functionality for that. Improvements are already on the roadmap for Azure AD in that area. I think they will make it easier to work together between two different tenants in Azure AD, because normally one tenant is a security boundary. For example, company one has a tenant and company two has a tenant, and then you can do B2B collaboration between those, but it is still quite limited. For our use case, it is enough currently. However, if we want to extend the collaboration even further, then we need an easier way to collaborate between two tenants, but I think that is already on the roadmap of Azure AD anyway.

I have been using it for about six years.

The stability has been very good because it is an underpinning service for many things that Microsoft does:

• The underpinning identity store for Office 365.
• The underpinning identities over Azure services. 

So, the stability has been very good. We haven't had major issues with Azure AD so far.

On the global side, we have around two to three FTEs aligned to this. On the firm side, in the countries, FTE's are aligned to managing identity as well. These FTE numbers differ per firm. In our case, there are about two to three FTEs who are aligned to this. That is normally probably not what you would need, but since we run some custom code around this to be able to do the B2B process, we need about two to three FTEs.

Scalability is not a problem. We don't have to control that because Microsoft does it as a SaaS. However, we have never seen any real performance issues on the authentication stuff. I think they handle that under the hood. Since it is such an important service for them, they keep the scalability quite well. We don't have any scaling concerns. We also can control the scale. It is basically taken care of because it is a SaaS.

It is fully deployed to about 80,000 people worldwide.

We have Microsoft Premier Support, which has been quite good. It is quick. We are mostly into the engineering group quite quickly, and that has been good. I think they also have non-paid support, which has somewhat lower response time SLAs, but we have Premier Support.

Before, we only used local Active Directories because we were not in the cloud. Currently, in BDO Global, we are 100 percent cloud. So, we use Azure AD only.

We haven't run any other solutions than Azure AD.

The initial setup is a relatively straightforward process because Microsoft gives you a lot of guidance on how to do it. They also have a tie-in with local Active Directory. So, if you are running a local Active Directory, you can easily integrate it with Azure AD. It is also one of the more powerful features of the solution because it is a SaaS solution, but you can still tie it in with your local identity store. That makes it quite powerful because many companies, before they go to the cloud, have a local identity store, e.g., Active Directory. Microsoft has a very easy process and some tooling to make it integrate with Azure AD, so your local identities, you can still be leading, but you can sync all those identities up to Azure AD quite easily and keep the identity storage up to date.

We are exclusively using Azure AD in BDO Global. In other BDO countries, most countries use local Active Directory in combination with Azure AD.

If you look at it from a BDO country perspective, you have everything up and running in about a week, if not quicker. In our global setup, that took a little bit longer, because we had to create a solution to synchronize multiple Azure ADs towards the global one. We did that via B2B, so our setup took a little bit longer as it also involved some custom development. If you only deploy Azure AD from a single company perspective, then it should be a relatively quick process.

Deployment is not that hard because it is a SaaS solution, so you don't have to deploy any infrastructure. All that is taken care of by the solution itself. It is a matter of configuring first-time use, then setting up a sync between your own identity store and Azure AD, which is quite an easy process. If you read through the documentation, then you can have that sync running in about a day.

We mostly did the implementation and the custom coding ourselves in combination with people from Microsoft.

The ROI has been quite good because we looked at competitors as well, Ping and Okta, but their license fees were quite high. Also, Azure AD can meet all our use cases. In the beginning, we only used the free version, so that was quite cheap to run. We had some custom code that we needed to develop, but that was due to our specific use case. Overall, the return on investment has been very positive. The solution is not very expensive to run. It is quite stable. For us, it brings a whole lot of capabilities to provide people with a single sign-on experience across the world.

Compared to other big vendors over the past six years, I think we are close to saving $5 million on FTEs and licensing, which is substantial.

MS has a free version of Azure AD as well. So, if you don't do a lot of advanced stuff, then you can use the free version, which is no cost at all because it is underpinning Office 365. 

Some of the services that I mentioned, like conditional access, privileged identity management, and access reviews, come with a certain premium license per user. We negotiated those license fees in what we call a GEA. This is a global Microsoft contract that we have. So, the pricing seems to be quite fair. If I compare it to its competitors, Azure AD is a lot cheaper.

Because Microsoft gives it to you as a SaaS, so there are no infrastructure costs whatsoever that you need to incur. If you use the free version, then it is free. If you use the advanced features (that we use), it is a license fee per user. 

Premier Support is an added cost, but they do it based on the amount of services that you consume. We don't have it specifically for Azure AD because we run a lot of Microsoft technologies. We have an overall Premier Support contract, which is an additional cost. 

We looked at many different vendors for identity because our identity store is quite complicated within BDO, because you don't have that single identity store across all the countries like you see in many other global companies. So, we had a strategy. We looked at other products that could potentially do the same. However, the features that Azure AD gave us the option to do this as we wanted to do it. The other tools that we looked at, Okta and PingFederate, were not able to do the same thing for us back in the day. This is especially because we have many different identity stores within the BDO countries that have to be under the control of those countries. BDO Global cannot and is not allowed to control those identities. We need to allow the countries to control those identities themselves, but we still need a way to tie those altogether on the global side. Azure AD was the only solution that could do that for us.

From a BDO Global perspective, we don't. The firms and countries own their identities and the management around them, and they also need full control on those identities. We as BDO Global are not even allowed to control those, but we do need to provide them with single sign-on experiences. So, Azure AD is the service that allow us to do that. 

Our primary use case was about that control, which is a very specific use case because countries need to control their own identity stores and we are not allowed to control that from a global perspective. Specifically, the control requirement and still being able to have that single sign-on experience led us to Azure AD. The other big vendors that we looked at couldn't do that.

This solution is a prerequisite with some of the bigger Microsoft services, so if you want to use Office 365, Dynamics, etc., then you need Azure AD. However, it is also quite good to use for other services as well because they are currently supporting tens of thousands of other applications that you can sign into with an Azure account. So, it is not only for Microsoft Office, and I think that is probably a misconception in many people's heads. You can use it for many other cloud services as well as a single sign-on solution. My biggest point would be that it can be used for Microsoft services, but people tend to forget that you can also use it for many other services. In that sense, it is just an identity store that you can use across many services, not only Microsoft.

It continues to be one of our primary fundamental services around authentication, so we will keep using it in the future. We are planning to reduce the amount of custom code that we need to tie all these things together. Microsoft has a few things on the roadmap coming up there. We hope that we can decrease the amount of custom code that we need to run around this. The custom code is mostly about synchronizing identities from 160 countries to us. Microsoft will bring some stuff out-of-the-box there so we can hopefully decrease the custom code. It is a fundamental solution for us for identity and single sign-on, so we definitely plan to keep using it.

The biggest thing we learned is that the security boundaries are shifting from what used to be networks, firewalls, and data centers that you owned yourself. The security boundary is more shifting to identity in these cases because people are using cloud services. They use a single identity, and in this case, Azure identity to sign into those cloud services. You are not always controlling where people are signing in from anymore because those services live in the cloud. Where you used to have servers running in your data center, you had far more control on the network, firewalls, and all that stuff to keep those services secure. You now have to rely much more on the identity because the services are running in the cloud. You don't always have control over the network, so people can sign in from every device.

The security boundary is really shifting towards identity. Azure AD gives you a lot of options to secure your identity in a proper way. We use multifactor authentication, the conditional access piece, and privileged identity management, which are all services that Azure AD provides and quite hard to implement on a traditional Active Directory. 

I would rate this solution as 10 out of 10. It is instrumental to everything that we do.

The solution grants users access to various apps built on the portal. 

There was a lot of logic and a lot of improvement overall in terms of improvement. On the user access side, it improves the company a lot, specifically in regard to security. It really does help with access and protection.

My experience so far has been amazing. I'm in the intermediate phase of understanding it. Loading users and creating groups and so forth is very easy. We can also run multifactor authentication.

The dashboard is very good. It's outstanding.

It offers very good support.

The virtual machines you can run through it are great.

We are provided with a single pane of glass for managing user access. It helps provide more insights and creates consistency in the user experience. It works perfectly. Only admins can control access. That makes it safe. If a user requests something, only the admin would be able to assign the permissions.

My assessment of Active Directory's admin center managing all of your identities and access tasks is that it is very effective. 

I do use the verified ID at this time to onboard employees. Onboarding new users is very easy. It's very quick and doesn't affect the users. It's simply sped up the process. It also helps with privacy and control of identity data for remote employees. It's good to have and it assists with security. 

Permission management is quite good. The visibility and control in the clouds are good - at least over Microsoft. 

The product has helped save time for our IT administrators and HR department. It's helped a lot of time. It might save around 70% of our time from an IT admin support perspective.

It's very good at not disrupting the user experience. 

I'm still new to the solution. I need to look at the solution more before commenting on what to enhance. 

I do not need any extra features from my side. 

Having more training would be quite helpful. 

Having a faster interface could be helpful.

I've used the solution for two years. 

The solution is stable. 

We use the solution across multiple locations. We have multiple systems and apps that we built that run through Azure. We have about five people actively using the solution. We only have about seven people in our organization. 

The solution can scale well. I'd rate scalability nine out of ten. 

I've never dealt with technical support. My colleagues have used it and I've heard from another user that the turnaround was almost immediate. My understanding is that it is quite good. 

Positive

We did not previously use a different solution. 

The initial setup was straightforward. It does not require any maintenance. 

I'm not sure if we've saved money specifically using the solution, yet, if that wasn't the case, I'm not sure why we would use it.

We have not evaluated other solutions. 

I'm a customer and end-user.

I don't use the conditional access feature. 

I'd personally recommend the solution to anyone. I'd rate the solution ten out of ten. 

Azure AD helps us manage application and hybrid identities.

I like Azure AD's conditional access policies. Microsoft Entra provides a single pane of glass for managing user access, improving the overall user experience. 

The workflow management for registering new applications and users could be improved.

I have used Azure AD for about eight years.

Azure AD is stable.

Azure AD is scalable. 

Azure AD is so stable and easy to administer that we don't need to contact support. 

Setting up Azure AD is straightforward. 

I rate Azure Active Directory a nine out of ten. You should use premium licenses or Azure directly whenever possible to take advantage of the new security features since E3. 

I am using Azure AD to assist a client with COCC level one and level two certifications. The primary use of the solution is its conditional access feature to enforce fine-tuned and adaptive access controls. The robustness of a zero-trust strategy to verify users has helped in implementing zero trust right now.

The client has to have a clone network storage and manage the services it provides to the handful of people he works for. The control and identify data do what it is supposed to do, as advertised, but the client is not utilizing those features.

The security and compliance features are very helpful. The online information on the site is well documented.

One thing I would like to see is when you're doing control measures if you could globally apply them instead of going through every user individually. I looked at this problem twenty years ago, and it has stayed the same. In twenty years, it's still the same one by one. The default is whether you get group permissions or role-based assignments, you still have to go in individually to everyone every time, which is cumbersome to me. My problem with Azure AD is that it's designed for medium to large systems, and we're not that large.

I rate it an eight out of ten.

I have been using the solution for less than a year, and the client that I'm consulting with has been using it for about four and a half, five years.

It is a stable solution.

Since we're starting with three people, it's probably not going to grow to more than ten people in the next five years. So the scalability is fine for my client's needs.

We have not contacted Azure's technical support.

The initial setup was straightforward. The client has got three people working for him.

For a small business buying individual licenses, it is an affordable solution.

We use the solution for single sign-on, provisioning, de-provisioning, conditional access, and identity governance.

The access governess feature improves our compliance.

Privilege Identity Management is the most valuable feature.

The licensing and support are expensive and have room for improvement.

I have been using the solution for five years.

I give the stability a nine out of ten.

I give the scalability a nine out of ten.

The support is really good.

Positive

The initial setup was straightforward. The time required for deployment will vary depending on the features that we plan to use. Typically, two to three weeks should be sufficient for deployment.

The implementation was completed in-house.

We have seen a return on investment.

I give the cost a three out of ten. The licensing is expensive.

We evaluated Google Cloud Identity.

I give the solution a nine out of ten.

Two to three engineers are required for the Maintenance. The majority of the maintenance is completed by Microsoft.

I recommend the solution to others.

We deployed the solution across multiple geographical areas.