it_user1653036 - PeerSpot reviewer
Consultant at Upwork Freelancer
Real User
Sep 29, 2021
Eliminates the need for VPNs and enables conditional access based on a user's location
Pros and Cons
  • "Conditional Access, Geofencing, and Azure Multi-Factor Authentication are the major security features to secure resources."
  • "To summarize, the big advantages of this platform are the reliability, cost-effectiveness, and security."
  • "We have a lot of freedom in using the Group Policy Objects and, although Group Policy Objects are part of Azure Active Directory, there are still a lot of things that can be improved, such as providing local admin rights to a user. There are various, easy ways that I can do that in the on-premises version, but in the cloud version, it is a bit difficult. You have to create a bunch of policies to make it work."

What is our primary use case?

The use cases depend on my clients' specifications. If they have the on-premises Active Directory and it is a hybrid environment, then objects are synchronized with the cloud in Azure Active Directory. Services that are on-premises or in the cloud are synchronized with each other, to create a centralized management solution. 

If we're talking about Azure Active Directory only, the cloud-based, centralized management solution, we don't need to use a VPN to access the resources; everything is cloud. We just need to be connected with Azure Active Directory and we can use the resources anywhere in the world and resource security will be intact.

I use both the cloud and on-premises versions.

How has it helped my organization?

Everybody is moving from on-premises to Azure Active Directory because it's cost-effective. They don't need to spend a lot of money on the on-premises resources, such as an on-premises server and maintenance. Now, given that Microsoft has started Windows 365, which is a PC in the cloud, you don't need to have a PC. You can work on an Android tablet from anywhere in the world, using cloud technology.

In terms of the user experience, because the solution is in a cloud environment, people are not bound to work in a specific network. In the old-school way, if you worked from home and you had on-premises Active Directory, you needed to use a VPN. VPNs can be highly unstable because they depend on your home network. If your home network is not good, you won't get the same bandwidth as you would get when using the resources inside the office network. With Active Directory in the cloud, you can use your own network to access the resources. It's faster, reliable, and it's cheaper compared to Active Directory on-premises.

What is most valuable?

Conditional Access, Geofencing, and Azure Multi-Factor Authentication are the major security features to secure resources.

For example, if I don't want users using the company resources outside of India, I will add managed countries within Conditional Access. Only the people from the managed country will be able to access things. If an employee goes out of India and tries to access the resources that have been restricted, they will not be able to open the portal to access the resources.

What needs improvement?

We have a lot of freedom in using the Group Policy Objects and, although Group Policy Objects are part of Azure Active Directory, there are still a lot of things that can be improved, such as providing local admin rights to a user. There are various, easy ways that I can do that in the on-premises version, but in the cloud version, it is a bit difficult. You have to create a bunch of policies to make it work.


For how long have I used the solution?

I have been using Azure Active Directory for six years.

How are customer service and support?

Microsoft works with suppliers and vendors. Certain vendors are very good at providing support and certain vendors are not very good at providing support. It depends on the time zone in which we are opening a ticket and which vendor the ticket is going to.

How was the initial setup?

It's pretty straightforward in general, although it depends on what kind of requirements a client has.

If I'm deploying with Microsoft Autopilot, it usually takes at least 40 to 50 minutes to deploy one machine. If I'm deploying 1,000 machines in one go, you can multiply that 40 minutes for each of those 1,000 machines. Everything is configured in the cloud, in Azure Active Directory. You just need to purchase the machine, configure things, and ship the machine to the user. When they turn it on they will be able to work on it. Everything will be installed in the backend. If it's not on Autopilot, it's just in a matter of a few clicks to connect the machine to Azure Active Directory.

The deployment plan also depends on the client. If the client is not providing machines to their employees, they want the machine to be BYOD, we will work on the existing computer. In that case, we just set up the policies and ask the user to connect to Azure Active Directory. But if a client is concerned about complete security, and they want the machine to be used in a certain way, and they are providing the machine, then I prefer that it should be Autopilot. It becomes an enterprise-managed machine, and we have more control over it.

What was our ROI?

Clients only invest their money when they know that they are getting a really helpful platform. They want to see that I, as a consultant, am confident in the product I'm asking them to use. I have to be very confident that I am providing them a solution that will definitely work for them.

What other advice do I have?

People have a tendency to keep their information in-house, but the cost of keeping information on-premises in SharePoint servers is very expensive. There is a good chance that, if something happens, they will lose the database. There is no backup. And to keep a backup, you have to pay more for a cloud backup solution to keep your data on another server. You are compromising with your data in a two-sided scenario, where one is on-premises and the other is on a data server as a backup. If you go for the cloud version of Active Directory, everything is secure and everything is in the Microsoft data center, which is reliable and secure. They have disaster management and recovery. That's a win-win situation.

My work is generally on device management, which is on Intune, Endpoint Manager, and Cloud App Security. These all work hand-in-hand. Azure Active Directory is just an assembler of management resources, but Intune makes the device secure. The policies create restrictions. These things work together. If you need Active Directory, you will definitely need Intune.

The largest deployment I worked on with one of my clients was about 2,500 computers. As far as managing them goes, it varies, between 200 to 300 computers at one time in one environment. If I'm working on providing a day-to-day solution, it is different because the queries are different. People usually have problems related to smaller queries, like their printer is not connecting, or they are not able to access SharePoint, or they do not have permissions for a given file. But as far as deployment and designing the architecture of Azure Active Directory goes, I work with midsize companies.

To summarize, the big advantages of this platform are the reliability, cost-effectiveness, and security. These are the features that make it one of the best solutions in the IT industry. Azure AD is the future. Everyone is adopting the cloud environment. I, myself, use Azure Active Directory for my own devices and resources. I encourage other people to accept the future. It gives you more security than the on-premises Active Directory. To me, it is the best solution.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
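The geofencing the reviewer describes (a country-based named location plus a Conditional Access policy that blocks sign-ins from everywhere else) can be expressed as Microsoft Graph request bodies. The following is an added example, not code from the review or from Microsoft: it builds those bodies, adds a second grant policy of the kind the reviewer mentions (MFA or an Intune-compliant device), and runs constructed sign-in records through a simplified offline model of the policy decision. The location id, user names and the evaluator itself are assumptions for illustration; the real service evaluates policies on its own side, and the Graph endpoints named in the docstrings are the real ones.

```python
"""
Added example, not code from the review or from Microsoft. It builds the Microsoft
Graph request bodies for a country-based named location and two Conditional Access
policies (a geofence that blocks sign-ins from outside one country, and a grant policy
requiring MFA or a compliant device), then runs constructed sign-in records through a
simplified, offline model of how the policies are evaluated. Location ids and users
are made up; the real service evaluates policies itself.
"""
from dataclasses import dataclass
from typing import Optional


def country_named_location(display_name: str, countries: list[str]) -> dict:
    """Request body for POST /identity/conditionalAccess/namedLocations."""
    return {
        "@odata.type": "#microsoft.graph.countryNamedLocation",
        "displayName": display_name,
        "countriesAndRegions": [c.upper() for c in countries],
        # A sign-in whose country cannot be resolved does NOT count as inside this location.
        "includeUnknownCountriesAndRegions": False,
    }


def block_outside_location_policy(name: str, allowed_location_id: str,
                                  break_glass: Optional[list[str]] = None,
                                  state: str = "enabled") -> dict:
    """Request body for POST /identity/conditionalAccess/policies.

    Scope: all users, all apps, every location except the allowed one; control: block.
    break_glass lists emergency-access accounts excluded so a mis-scoped policy
    cannot lock every administrator out.
    """
    return {
        "displayName": name,
        "state": state,  # "enabled", "disabled" or "enabledForReportingButNotEnforced"
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass or [])},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [allowed_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def require_mfa_or_compliant_device_policy(name: str, state: str = "enabled") -> dict:
    """Grant policy: access is allowed only with MFA or a compliant (Intune-managed) device."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": []},
            "applications": {"includeApplications": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa", "compliantDevice"]},
    }


@dataclass
class SignIn:
    """Constructed sign-in record (only the fields a policy decision needs)."""
    user: str
    country: Optional[str]          # ISO 3166-1 alpha-2, None if the service could not resolve it
    mfa_satisfied: bool = False
    device_compliant: bool = False


def in_named_location(location: dict, country: Optional[str]) -> bool:
    if country is None:
        return location["includeUnknownCountriesAndRegions"]
    return country.upper() in location["countriesAndRegions"]


def evaluate(policy: dict, named_locations: dict[str, dict], signin: SignIn) -> str:
    """Simplified decision for one sign-in under one policy: 'allow', 'block' or 'report-only'.

    'block' covers both an explicit block control and unsatisfied grant controls
    (the real service would challenge for MFA rather than fail silently).
    """
    if policy["state"] == "disabled":
        return "allow"
    conds = policy["conditions"]
    users = conds["users"]
    if signin.user in users.get("excludeUsers", []):
        return "allow"
    if "All" not in users["includeUsers"] and signin.user not in users["includeUsers"]:
        return "allow"
    loc = conds.get("locations")
    if loc:
        included = "All" in loc["includeLocations"] or any(
            in_named_location(named_locations[i], signin.country) for i in loc["includeLocations"])
        excluded = any(in_named_location(named_locations[i], signin.country)
                       for i in loc.get("excludeLocations", []))
        if not included or excluded:
            return "allow"          # the policy does not apply to this sign-in
    grant = policy["grantControls"]
    controls = grant["builtInControls"]
    if "block" in controls:
        satisfied = False
    else:
        met = {"mfa": signin.mfa_satisfied, "compliantDevice": signin.device_compliant}
        results = [met.get(c, False) for c in controls]
        satisfied = any(results) if grant["operator"] == "OR" else all(results)
    if satisfied:
        return "allow"
    return "report-only" if policy["state"] == "enabledForReportingButNotEnforced" else "block"


if __name__ == "__main__":
    india = country_named_location("India only", ["in"])
    locations = {"loc-india-0001": india}   # constructed id; Graph returns the real id on POST
    geofence = block_outside_location_policy("Block sign-ins outside India", "loc-india-0001",
                                             break_glass=["breakglass@example.com"])
    for s in (SignIn("alice@example.com", "IN"), SignIn("alice@example.com", "US"),
              SignIn("alice@example.com", None), SignIn("breakglass@example.com", "US")):
        print(s.user, s.country, "->", evaluate(geofence, locations, s))
```

Two details worth noticing when reading the output: a sign-in whose country cannot be resolved is blocked, because the named location was created with `includeUnknownCountriesAndRegions` false, and the break-glass account is never evaluated against the geofence. Rolling a new policy out with the state `enabledForReportingButNotEnforced` first shows what would have been blocked without locking anyone out.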
it_user1475160 - PeerSpot reviewer
Sr Engineer IT at Hical Technologies Pvt Ltd
Real User
Sep 15, 2021
Enables us to see and analyze user activity and gives us a single point of control
Pros and Cons
  • "It also has features that help improve security posture. The most important of these features include multifactor authentication, which is very useful for connecting to the organization, especially from outside the boundaries of the organization. That is very helpful when it comes to user security."
  • "Overall it has helped place our security posture in a good position."
  • "Everything should be in one package. There are so many different packages. They need to provide guidance because there are so many features and we don't know how to implement them in our organization."

What is our primary use case?

We use Azure AD for user access and control.

Our deployment is a hybrid of on-premises and cloud.

How has it helped my organization?

We can see user activity and analyze user interaction between the websites and log files. It gives us a single point of control. Overall it has helped place our security posture in a good position.

In addition, using Microsoft Endpoint Manager, new laptops can easily connect to the MDM solution, making for a very good user experience, particularly for new systems. Users just log in with their email ID and multifactor authentication. Once they are logged in, they connect automatically to the back end and that helps make the user experience for configuration very good.

What is most valuable?

Among the valuable features are MDM and Microsoft Endpoint Manager. They are very useful. Intune is built-in. And deploying to MDM has features that are very advanced. It reduces the administration work. And security-wise, it has very advanced technology.

It also has features that help improve security posture. The most important of these features include multifactor authentication, which is very useful for connecting to the organization, especially from outside the boundaries of the organization. That is very helpful when it comes to user security. And in the COVID situation, MDM is very helpful for us due to work-from-home. It enables us to very easily connect to our domain and align new systems with the end-users. That is very helpful for us.

What needs improvement?

There are some difficulties in the hybrid version, things to do with firewall security, inside the organization. They need to work on that more.

In addition, everything should be in one package. There are so many different packages. They need to provide guidance because there are so many features and we don't know how to implement them in our organization.

I'm also expecting a Windows 365 virtual desktop. I would be interested in that feature.

For how long have I used the solution?

I have been using Azure Active Directory for four years.

What do I think about the stability of the solution?

It's 100 percent stable.

What do I think about the scalability of the solution?

The scalability is unlimited.

How are customer service and technical support?

I would rate Microsoft's support at nine out of 10. It's not a 10 because in some cases they don't answer a call because they are engaged with other calls.

Which solution did I use previously and why did I switch?

We tried ManageEngine but it was not useful for us. It was not up to the requirements of our organization. Azure AD is a very flexible solution. It is used in most organizations.

How was the initial setup?

It is very easy to configure if you are configuring a completely new cloud deployment. But with the on-premises deployment, there are some difficulties due to security issues, like credentials required.

It doesn't take more time to install AD Connect on-premises. The installation itself takes one hour and, within one to two days, we can take all the data over to it. But we then need to monitor it for at least two days to make sure everything is fine.

We have almost 400 users in our AD and we have six people involved in maintaining and administering it, including me in my role as senior IT engineer. I take care of Active Directory monitoring, as well as installation and configuration. We also handle patches and upgrades. One person takes care of the billing part.

What about the implementation team?

We set it up with the help of a consultant from KPMG and our experience with him was good.

What was our ROI?

With COVID going on, part of our ROI from using the solution is that we can view the access of all the employees who are working from home. In these circumstances, that has been a notable return on our investment. 

What's my experience with pricing, setup cost, and licensing?

The pricing, in the context of the COVID situation, is very high because the overseas aerospace industry, to which we supply products, has been hugely impacted. There are no projects coming in. 

The pricing should also be less for smaller organizations.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1627392 - PeerSpot reviewer
Senior DevOps engineer at a tech vendor with 51-200 employees
Real User
Jul 26, 2021
Provides secure access to resources and a comprehensive audit trace of logins
Pros and Cons
  • "Azure Active Directory provides access to resources in a very secure manner. We can detect which user is logging in to access resources on the cloud. It gives us a comprehensive audit trace in terms of from where a user signed in and whether a sign-in is a risky sign-in or a normal sign-in. So, there is a lot of security around the access to resources, which helps us in realizing that a particular sign-in is not a normal sign-in. If a sign-in is not normal, Azure Active Directory automatically blocks it for us and sends us an email, and unless we allow that user, he or she won't be able to log in. So, the User Identity Protection feature is the most liked feature for me in Azure Active Directory."
  • "I would definitely recommend this solution; I have been using it extensively, and it works really well."
  • "Generally, everything works pretty well, but sometimes, Azure Active Directory has outages on the Microsoft side of things. These outages really have a very big impact on the users, applications, and everything else because they are closely tied to the Azure AD ecosystem. So, whenever there is an outage, it is really difficult because all things start failing. This happens very rarely, but when it happens, there is a big impact."

What is our primary use case?

Our use case for Azure AD is principally to do the role-based access management for our resources. So, we essentially use it for authentication operations for our primary groups and users to secure access to resources.

How has it helped my organization?

It has helped in improving our security posture. It is modeled around that. It is an AD, which means it is a directory of users, objects, and resources, and there is a lot of security in terms of the access model and in terms of who is accessing those resources.

In terms of user experience, it is pretty seamless for any user to use Azure Active Directory. The way its security model works is that once you sign in to Azure Active Directory, you get access to a lot of applications and systems that have Single Sign-on enabled. So, Azure Active Directory works seamlessly as an identity provider for many applications such as Slack, GitHub, etc. That's one of the best parts of it. If it is used properly, only by using the Azure Active Directory sign-in, a person can access different resources, which really improves the user experience.

What is most valuable?

We've benefited from all the security or AD features of this solution. Azure Active Directory is the only directory we've been using, and we make use of pretty much all the features, including the user identity protection features such as MFA. The way it allows us to audit who is logging in and do our work in a secure manner is one of the best features of it.

Azure Active Directory provides access to resources in a very secure manner. We can detect which user is logging in to access resources on the cloud. It gives us a comprehensive audit trace in terms of from where a user signed in and whether a sign-in is a risky sign-in or a normal sign-in. So, there is a lot of security around the access to resources, which helps us in realizing that a particular sign-in is not a normal sign-in. If a sign-in is not normal, Azure Active Directory automatically blocks it for us and sends us an email, and unless we allow that user, he or she won't be able to log in. So, the User Identity Protection feature is the most liked feature for me in Azure Active Directory.

What needs improvement?

Generally, everything works pretty well, but sometimes, Azure Active Directory has outages on the Microsoft side of things. These outages really have a very big impact on the users, applications, and everything else because they are closely tied to the Azure AD ecosystem. So, whenever there is an outage, it is really difficult because all things start failing. This happens very rarely, but when it happens, there is a big impact.

For how long have I used the solution?

I've been working as a DevOps engineer for the last four years, and I have been using Azure Active Directory during this time. I got to know it really well over the last two years in my current job and as a part of my Azure Security certification, where I get to know how to secure everything in the cloud by using Azure Active Directory.

What do I think about the stability of the solution?

It is available most of the time. Only once in the last six months, we faced an issue. So, it is very reliable.

What do I think about the scalability of the solution?

It is managed by Microsoft, so it is not something that is in our hands. We don't manage the infrastructure side and the scalability side.

My present organization is a startup with around a hundred people. There are 5 to 10 people who primarily work in the CloudOps and DevOps space, and we work with Azure Active Directory at some point in time. All people who have resources in Azure, such as the cloud administrators and people from the CloudOps team and the DevOps team, work with Azure AD.

In terms of resources, there are around 100 to 150 resources that we manage within it.

How are customer service and technical support?

Microsoft has extensive documentation on its website about how to set up things in Azure AD. There are also video tutorials. So, typically, we don't need to engage technical support to do anything.

Only when there is an outage or something like that, we had to engage someone from Microsoft. For example, when there was an outage, we didn't know what was happening. There were some strange behaviors in certain applications, and that's when we involved Microsoft's technical support. 

They are very reliable, and they are very fast to respond. The response time also depends on the support plan that an organization has with Microsoft. 

Which solution did I use previously and why did I switch?

I haven't used any other Identity Provider solution.

What was our ROI?

Our organization has definitely seen a return on its investment from using Azure Active Directory. It ties really well with the Azure ecosystem, which is why it makes sense to use Azure Active Directory to access resources.

What's my experience with pricing, setup cost, and licensing?

Azure Active Directory has a very extensive licensing model. Most of the features are available in the free and basic version, and then there are premium P1 and P2 editions. The licensing model is based on how many users you have per month. In Australia, for a P1 license, the cost is 8 dollars.

With P1 and P2 licenses, you get a lot of goodies around the security side of things. For example, User Identity Protection is available only in P2. These are extra features that allow you to have a pretty good security posture, but most of the required things are available in the free and basic version.

What other advice do I have?

I would definitely recommend this solution. I have been using it extensively, and it works really well. It is one of the best Identity Provider solutions out there. You have all the guidance from Microsoft to set things up, and if there is an issue, their technical support is highly available. 

It has been around for a while now, and most organizations leverage Active Directory as their on-premises identity provider. This is just Azure managing your Active Directory for you. It is pretty popular and rock-solid.

I haven't used any other Identity Provider solution, which makes it hard for me to compare it with others. Based on my experience and the things that I have done and learned over time, I would rate Azure Active Directory a nine out of 10. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Computer engineering student at an educational organization with 501-1,000 employees
Real User
Jun 24, 2021
Good functionality for role and access definition, with helpful support material available online
Pros and Cons
  • "As an end-user, the access to shared resources that I get from using this product is very helpful."
  • "Azure Active Directory works well to access the resources that the school has set up for the students."
  • "The most challenging aspect I found was the creation of organizational units and specific domains. They have a tool called Bastion, which is expensive and a little bit confusing."

What is our primary use case?

I'm a computer engineering student in Portugal, and we used it during one of our classes for practically the whole semester. We used both the on-premise solution and the Azure, online one.

While we were learning, we used it primarily for user access management and also to define rules for the organization. For example, we created organizational units and defined domains for enterprise-level organizations. I was able to specify access to, for example, certain folders, including shared folders and shared resources.

We were using it in conjunction with SQL Server 2019.

How has it helped my organization?

Azure Active Directory works well to access the resources that the school has set up for the students. We can share between our groups, and we can set up shared assignments or shared project folders very quickly and easily.

We have access to shared storage space, which is great. It is managed through Azure Active Directory and appears to me as a Microsoft OneDrive account.

As an end-user, the access to shared resources that I get from using this product is very helpful. I also use it for my email, which is a domain that is part of the organization. 

What is most valuable?

The most valuable feature is the ability to define certain roles for the users and to give access to shared resources.

The options for user access management on the cloud are similar to those with the on-premises deployment. You can work directly on the cloud but control it from your on-premises server if you want, or you can make all of the changes directly on Azure.

One of the security features that Azure Active Directory provides is that it warns users about the usage of weak passwords. When we created user accounts and their passwords, it warned us about weak passwords and gave us the option to define password creation rules. We tested the feature and tried using invalid passwords, and it blocked access to the organizational units accordingly. We did not work with the more advanced security features within the scope of the course.

It has some good monitoring options that you can use to see how well it is working. In my class, we were able to see which users were accessing the solution, and what went wrong with the tests that we were doing.

What needs improvement?

The most challenging aspect I found was the creation of organizational units and specific domains. They have a tool called Bastion, which is expensive and a little bit confusing. I had to cancel the subscription because it was using my credits too quickly. For the students, it was not a very cheap way to learn it.

It would be helpful if they provided more credits for students who are performing test cases because we had to be really careful when we were using it. Making it cheaper for students would be great.

For how long have I used the solution?

I have been using Azure Active Directory for one school semester.

What do I think about the stability of the solution?

Because we weren't using it on a large scale, it is difficult to estimate how good the stability is. That said, it worked fine for the small number of users that we had. Although it was not a good test, I think that it worked fine. It does have some good monitoring options, so we could watch the performance.

What do I think about the scalability of the solution?

I do not have large-scale experience with this product, as I was using it for practice during my degree program. I don't know at this point whether I will be using it in the future.

In my class, there were half a dozen or fewer users.

In order for the solution to be scalable, it requires some upfront work. You have to properly define the users, profiles, and roles that you want to have at your organization. We were already given some advice on that from our teachers, including which roles we should create and so forth. Once you have that done, I think it's pretty straightforward. You just have to add them through the interface that the solution has, and it's not very difficult to do.

How are customer service and technical support?

I did not have to contact Microsoft technical support.

Our teachers explained what it was that they wanted us to implement and we were left to figure out how to accomplish the tasks on our own. When problems arose, I used Google to search for answers online. I also watched YouTube videos that included explanations and step-by-step tutorials.

Which solution did I use previously and why did I switch?

Another solution that we learned about was the Apache Web Server. You can do the same things that you do with Azure, but it's more complex. You have to know a little bit more about Linux and you have to do it more manually.

In Azure Active Directory, there are already some default options available. That worked for us. It's easier for someone who doesn't want to have the headaches of understanding some of the more minor details.

How was the initial setup?

For the initial setup, we mainly followed the tutorials that Microsoft has online. Initially, it was a little bit confusing because we discovered that there are many different versions of this same software. There are distinctions between an on-premise way of doing things versus a hybrid approach versus something that is on the cloud exclusively. There are limitations that each one of them has, as well as other differences that include mobile versus desktop solutions.

For a newbie like me, it was a little bit challenging to understand what the best approach would be. In this case, we were oriented by the teachers to implement the hybrid approach. When we were configuring Azure Active Directory for this, and also for the organizational units, we used the Bastion service. It is the one that creates the domains.

The deployment took perhaps half a day to complete the configuration, step by step. We had to make corrections between configurations, where we had made errors, which was part of the learning process. Overall, when you really know what it is that you have to do, it's pretty straightforward and quick to complete. Otherwise, it will take you a little bit longer.

From the documents that Microsoft has available, we understood that there are several ways to deploy this solution. There is an on-premises version, a cloud-based SaaS, and a hybrid option. 

We were using virtual machines with a license that was connected to our educational package. We have a product key, install it locally on the virtual machine, and that's how we worked with it. At that point, it was connected to the cloud.

Our Azure accounts are related to our college email address, and they are also administered by Active Directory.

What about the implementation team?

We deployed it ourselves. With our small group and for the length of time that we used it, we did not perform any maintenance and I don't know how it is normally done on a day-to-day basis. Based on what I have learned, I think that one or two people are sufficient for maintenance if they know the product from head to toe.

What was our ROI?

Based on my experience, it would be difficult to estimate how long it would take to earn your investment back.

What's my experience with pricing, setup cost, and licensing?

As this was being used in an academic setting, we were using the educational package. Azure has an educational package available for students with a variety of licenses and different software available. One of the applications included with this is the Azure SQL Server.

Each of the student accounts had an opening balance of $100 USD in credits. We used that to implement the solution and the code doesn't change if you are a student or a normal organization. Some of the things that we wanted to do were blocked by the organization, so we had to use our personal accounts. When we used our credits in this way, it was not specifically for students but for anybody who uses the service.

These credits are used on a pay-per-use basis and the price depends on the features that you use. The most expensive one that was relevant to our use case was Bastion, which allowed us to create and configure virtual subnets. Our use case required us to use it to connect our on-premises Windows Server with the cloud AD.

What other advice do I have?

My advice for anybody who is implementing Azure AD is to study the basics. Get to learn how this access management solution works. We used Microsoft Learn and YouTube videos to assist us with doing so.

In summary, this is a complete solution for any company, but it requires some time and practice.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Founder, CEO at a computer software company with 11-50 employees
Real User
Jun 17, 2021
With multi-factor authentication, we've seen a marked decrease in the number of threats we've seen come through
Pros and Cons
  • "Being able to use Azure AD means that you can use some of the Azure AD security features like Advanced Password Protection. As well as querying your normal password requirements like lengths and complexity, Azure AD has a feature in which you can put specific words. It can be words to do with your company, words to do with your company location, or words that a lot of your employees would otherwise use. You can disallow them. It's very good at making more obvious passwords, ones they're not allowed to use anymore. That's a good feature."
  • "It has improved our security posture a lot, with features like conditional access, single sign-on, and multi-factor authentication making access easier for users while significantly strengthening protection of our applications and data."
  • "The conditional access rules are a little limiting. There's greater scope for the variety of rules and conditions you could put in that rules around a more factual authentication for other users. If you have an Azure AD setup, you can then connect to other people's Azure AD, but you don't have a huge amount of control in terms of what you can do. Greater control over guest users and guest access would be better. It's pretty good as it is but that could be improved."

What is our primary use case?

We use it for all of our internal colleagues. Every single user is synced from our internal on-prem directory to Azure AD. Every single user has a presence in Azure AD and that account or identity is then used for at least 10 to 15 different applications. They directly query what groups they're a member of within Azure AD. We use Azure AD for at least 15 different applications.

How has it helped my organization?

It has improved our security posture. Not only with the password feature but there were also things like conditional access, applications within Azure that you can use for better access. You can put conditional access rules in front of those applications, which means that either the device that they're accessing it with has to have a certain up-to-date version of antivirus, it has to have all of its Windows updates, or they have to use multi-factor authentication. All of those nice-to-have features help our security posture a lot.

When users are in Active Directory they can use single sign-on, which means once they've signed on to their machine, they then don't have to sign on again when they access things like their email. They can just go to those URLs. Because those applications are attached to our Azure AD and to our Azure tenant, they can just go to the applications. Those applications know who they are because they have a single sign-on enabled. So that has helped them so they don't have to turn on passwords when they have to access all these different applications.

What is most valuable?

Being able to integrate with third-party solutions is the most valuable feature. These are solutions that produced software as a service and we haven't then had to bring that service to our own data or in our own directory. We can use our Azure identity to connect to their solution. Being able to connect to third-party applications in these identities is the best thing we've found.

Being able to use Azure AD means that you can use some of the Azure AD security features like Advanced Password Protection. As well as querying your normal password requirements like lengths and complexity, Azure AD has a feature in which you can put specific words. It can be words to do with your company, words to do with your company location, or words that a lot of your employees would otherwise use. You can disallow them. It's very good at making more obvious passwords, ones they're not allowed to use anymore. That's a good feature.

It has something called Dynamic Groups so that when a user joins the company and they get added to specific groups, Azure AD will add them dynamically to other groups that will give them access to some of the base applications.

We have certain sets of software that they have to be able to access. Instead of somebody who deals with new users having to add them into 20 different application groups, you need access to this, this, and this. The Dynamic Group update feature from Azure AD means that you can just put them in one group and say that they have a role, and it will automatically then add them to about six or seven other groups, giving them default access to other things as well, instead of having to do that. It means there's a lot less manual work when you get new employees.

What needs improvement?

The conditional access rules are a little limiting. There's greater scope for the variety of rules and conditions you could put in that rules around a more factual authentication for other users. If you have an Azure AD setup, you can then connect to other people's Azure AD, but you don't have a huge amount of control in terms of what you can do. Greater control over guest users and guest access would be better. It's pretty good as it is but that could be improved.

For how long have I used the solution?

I have been using Active Directory in my current role for around six months and in a previous role for three years. I recently moved companies about three months ago. Before that, I was working for another company. I was there for about five years and for at least half that time I was using Azure AD. 

We use the latest version. Azure AD doesn't really have version numbers, it's an evolving platform. In my current role, we're on the latest version of it. 

What do I think about the stability of the solution?

Stability is pretty good. In the lifetime of me using it, there have been outages of certain features within Azure. We use multi-factor authentication. There have been times when that authentication feature has gone down and people couldn't access things that required that when they log on. That has happened maybe twice in the last 15 or so years. So it's pretty good. The uptime is pretty good, but it's not 100%.

What do I think about the scalability of the solution?

The company I used to previously work for had 90,000 users that were synced. That was nothing. There was room for loads more. I think they have a limit of a million or something objects within Azure AD. That's something you can ask to have increased if that's a requirement. Scalability is pretty unlimited. There is no issue there at all.

In the company I used to work for there were 90,000 people connected to Azure AD. As soon as they logged on, they were using Azure AD. In the current company, it's nearer 5,000 or 6,000, but all of those accounts have access to Azure AD. 

There are various roles including administrators who will have the ability to change any settings like sync settings and any settings on an individual user. Then we'll have a second line, which will be able to change some of the settings within a user's group and be able to reset their password or add them to different applications. There is a first-line service desk level set of users who will only have the ability to reset passwords, but if there's anything more complicated than that they'll pass it on. There are about three different levels of access that we currently have. There is level three and two access for not too difficult issues and then level one for password resets.

In the last place I worked, there were eight of us who took care of Azure AD which was for 90,000 people in Azure. There were people actively looking at the syncing engine, which does the sync between the two domains and there were four of us who managed that. We were called identity technical experts. So of a company of 90,000, we needed four of us, but that was only so that when people went on holiday, other people could still do the work. 

It's extensively used in that everybody has an account in Azure AD. I'm guessing we don't use all the features that are available. We still have our own mailboxes on-premise rather than in Azure. I would think that would be something in the future that they would look to move some or all of our mailboxes into Azure. But we all have a presence in Azure, so we are using a lot of the features, but I believe there are still a lot more we could use. 

How are customer service and technical support?

Their support was excellent for the deployment. They were really good. It depends a little bit on who you get at the other end and the nature of your question, but with the Azure AD stuff, we got through to experts who were able to give us the right answer straight away. They were very good at that point.

Which solution did I use previously and why did I switch?

We didn't use any other cloud solution. That was the first one that we used in the cloud. There's an on-premise Active Directory which is an additional Microsoft Active Directory. And the whole point of Azure AD is that it does connect to that. We haven't used any other directory service apart from those. The on-prem version of Active Directory I've used for 20 years. I haven't used any other active directory service. I'm sure there are others, but these are the main ones.

It's a level of responsibility, which is being passed over to Microsoft, that we no longer have to deal with. Certainly, the companies I've worked with were very happy for those bits of the technology being looked after by someone else. And so we were just in charge of the data that's in there rather than all the other, not-so-interesting things like backup and such.

It's moving the responsibility of the not very exciting bits over to Microsoft and their very good SLA. You can just concentrate on the bits that you're interested in.

How was the initial setup?

The initial setup was pretty straightforward. The only complex thing is syncing your on-premise active directory into Azure AD. It's not overly complicated and they also give you very good support. It's not very difficult to set up.

The deployment took a couple of months in the end because we just wanted to do it at a pace that we were comfortable with. We did some initial tests on users. We synced them into Azure AD, made sure they could access what we thought they could access, and made sure they could still do the same job that they could do before. Then we synced across another set of test users, then a bigger test, and then eventually synced everybody else. We did it over the course of a month. Technically you could do it in less than a week, but we just wanted to be cautious and make sure that it worked as we expected.

In terms of the implementation strategy, we have two different Azure Active Directory setups. We have one in our development area, so we did the development area one first. We made sure we worked out how to do the syncing correctly, making sure we could see all the attributes that were on the on-prem AD that were then turning up in Azure AD. And then once we did a development one and that worked as we expected, we then did the production one. We did it in a step-by-step approach. We did a small set of test users, a larger set of test users, and then the entire company. It was a phased approach.

What about the implementation team?

We did the deployment ourselves. We spoke directly to Microsoft when we had a couple of queries because we had an enterprise agreement with them so we can raise a number of support tickets. There were a couple of questions we had about certain features, but the actual setup and deployment of it we did ourselves.

What was our ROI?

We've certainly seen returns on investment in terms of some of the security features around Azure. We've seen threats that have been detected much earlier. Previously, threat detection and that sort of thing was more of a response rather than doing anything preemptive. Something would happen and we'd then fix it. Whereas now in Azure AD, we've seen recommendations and those sort of things coming through from Microsoft saying, "You've got these accounts, these have all got weak passwords. We recommend getting these changed for end-users before they get hacked." We saw a marked decrease in the number of attacks and breaches against our credentials when we introduced multi-factor authentication for the entire company.

Had anybody, for whatever reason, passed on or shared their username or password, those could then be used to get into our services. Now with multi-factor authentication, we've seen a marked decrease in the number of threats we've seen come through. So there are some marked benefits of the security features.

SSPR, self-service password reset, has also realized ROI for us. In the past, 60 to 70% of the calls coming into our help desk guys were for password resets. A large chunk, 50 to 60% of those, are gone because people can just go to the URL we've shared with them and reset their password themselves without having to phone us, which means that our service desk guys can deal with real issues rather than just somebody to put on their password. So we saw a large decrease in password resets. We're still trying to get rid of even more of those, trying to make their job even easier, but we've seen a large reduction in the number of password request changes to our service desk.

What's my experience with pricing, setup cost, and licensing?

There are various levels of licenses. There are things called E3 and E5 licenses. E5 licenses come with more features but aren't required for some of the kinds of users who are just using email and Office. They only need an E3 license.

Pricing depends on the size of your organization and the deal you get with Microsoft. If you're in the public sector rather than the private sector, you get a good deal. Academic sectors get very good deals. The vast majority of our users use E5. But we're a Microsoft partner who resells their product so we get favorable rates because of that.

They have various pricing levels and the higher level you buy, the more features you get within Azure. The basic one is perfectly good for most customers. The more advanced and greater security features come with the higher pricing. And so customers who require that like military, banking, government or something are willing to pay that. The private sector generally pays more than the public sector. I know some colleagues who work in the academic sector get extremely good deals because Microsoft is very keen to have academic institutions on board. If you're working in academia or you work in the public sector, you will get a much better deal than you would in the private sector, but that's just business.

An E5 or E3 license is on a per-user basis. So the number of users you sync into Azure AD is the number of licenses you need to report that is going to be consumed by the end-users. It's a per-user per-year license.

The only other cost you get with Microsoft over and above the license cost of using Azure is the cost of using their operating system and software. So if you use Windows, then you can pay for your Windows licenses again through Azure. And if you use Office, meaning Excel, Word, and all that other stuff, you can pay an extra bit and they'll get a 365 license for the entire suite of offices.

If you're buying an E5 Office plus Windows, then you'll get a greater discount than if you were buying those separately. Microsoft will charge you for what you actually use. So if you've got a user who isn't using Office, or isn't using Windows for whatever reason, but they are consuming services within Azure, then you just give them an Azure license. Microsoft will split up and you buy a license based on what you actually use.

Which other solutions did I evaluate?

There are a couple of other options. There's obviously Amazon AWS and there's now Google GCP. I'm not sure either of those particular cloud providers had a particularly enterprise-level directory service. At the point when we migrated our users to Azure, I believe Azure was the only one that was an enterprise standard. Whilst the other ones have options, they weren't really suitable for the size of enterprise that we were running. 

What other advice do I have?

My advice would be to talk to Microsoft or a partner of Microsoft who will deploy it for you. You can do it yourself, it is absolutely possible but seek advice. Because the more users you sync into Azure, the more you have to pay for their licenses and not everybody has to be using Azure. Sync only accounts you need to, but in all cases, I would seek advice from a Microsoft partner or Microsoft themselves. They'll be able to talk through what you actually need, what you require, and then the best way to implement that. Whether that's syncing your entire user base or whether that's syncing a small subset of them because they're the only ones that are going to consume the services required.

I have learned two main lessons from using Azure AD. First, the introduction of multi-factor authentication. It was such a marked difference in the number of security incidents we had. There was such a reduction. If you have Azure AD, switch on multi-factor authentication, not just for the admin accounts and the highly privileged accounts that can access all the bits, but switch it on for everybody. It is a pain initially, while people get themselves set up. But once it's done the number of incidents you have relating to people losing their credentials is markedly reduced. It's a massive win.

I would rate it a nine out of ten. There are some things they can improve on, but those improvements are pretty small beans compared to what they've done.

Which deployment model are you using for this solution?

Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer.
PeerSpot user
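The Dynamic Groups and Conditional Access behaviour the reviewer describes above (one role group that fans out access automatically, and an access rule that demands MFA or a compliant device), as an added example that is not code from the review, from PeerSpot or from Microsoft. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph.Groups, Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Reports modules); the group name, the department value, the policy name and the break-glass account ID are assumed placeholders, and the policy is created in report-only mode so its decisions can be read back from the sign-in logs before it is enforced.

```powershell
# Added example, not code from the review. Requires the Microsoft Graph PowerShell SDK
# and an account holding the Groups Administrator and Conditional Access Administrator roles.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess", "AuditLog.Read.All"

# 1. A dynamic security group. Membership is evaluated from user attributes, so a
#    new hire whose department is "Finance" (assumed attribute value) joins the
#    group automatically instead of being added by hand to each application group.
$rule = '(user.department -eq "Finance") -and (user.accountEnabled -eq true)'
$group = New-MgGroup -DisplayName "sg-finance-dynamic" `
    -MailNickname "sg-finance-dynamic" -MailEnabled:$false -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# 2. A Conditional Access policy scoped to that group: every cloud app, granted only
#    if the sign-in satisfies MFA OR comes from a compliant (Intune-managed) device.
#    Break-glass accounts are excluded so a mistaken policy cannot lock admins out.
function New-CaPolicyBody {
    param(
        [string]$Name,
        [string]$GroupId,
        [string[]]$ExcludedUserIds   # break-glass account object IDs (placeholders)
    )
    return @{
        displayName = $Name
        # Report-only: decisions are logged, not enforced, until they have been reviewed.
        state       = "enabledForReportingButNotEnforced"
        conditions  = @{
            users = @{
                includeGroups = @($GroupId)
                excludeUsers  = $ExcludedUserIds
            }
            applications = @{ includeApplications = @("All") }
        }
        grantControls = @{
            operator        = "OR"
            builtInControls = @("mfa", "compliantDevice")
        }
    }
}

$body = New-CaPolicyBody -Name "CA-Finance-MFA-or-Compliant" -GroupId $group.Id `
    -ExcludedUserIds @("<break-glass-account-object-id>")
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter $body

# 3. Read back what the policy would have done before changing its state to "enabled".
Get-MgAuditLogSignIn -Top 50 |
    Where-Object { $_.AppliedConditionalAccessPolicies.Id -contains $policy.Id } |
    Select-Object UserPrincipalName, CreatedDateTime,
        @{ n = "Result"; e = { ($_.AppliedConditionalAccessPolicies |
            Where-Object Id -eq $policy.Id).Result } }
```

Keeping the policy body in a function makes it easy to build a second, stricter body (for example `builtInControls = @("mfa")` with `operator = "AND"` alongside `"compliantDevice"`) for the highly privileged accounts the reviewer mentions, while the excluded break-glass accounts stay outside every policy.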
it_user1590186 - PeerSpot reviewer
Identity Engineer at a pharma/biotech company with 10,001+ employees
Real User
Jun 17, 2021
Robust identity platform, reasonably priced, and has responsive support
Pros and Cons
  • "The most valuable features of this solution are security, the conditional access feature, and multifactor authentication."
  • "Azure Active Directory is a good platform for us; we rely heavily on providing our users a good system and interface that we seldom have issues with."
  • "The management interface has some areas that need improvement."

What is our primary use case?

I use this solution as an identity platform for Microsoft Applications including Office 365. We have found that users have third-party applications for authentication using an integrated identity infrastructure.

What is most valuable?

The most valuable features of this solution are security, the conditional access feature, and multifactor authentication.

The conditional access policies allow us to restrict logins based on security parameters. It helps us to reduce attacks for a more secure environment.

Multifactor authentication is for a more secure way of authenticating our users.

All our on-premises identities are synchronized to Azure Active Directory. We have an advanced license that enables conditional access based on logins, and suspicious behaviors. 

Active Directory is able to determine if a particular user is signing in from a trusted IP or if there are two different sign-ins from two different locations. It will flag this latter incident as a potential compromise of a user's account. 

In terms of security, it provides us with the features to alert us if there are any fraudulent attempts from a user identity perspective.

It provides access to our Azure infrastructure and allows us to assign roles and specific aspects to different subscriptions. It has several built-in roles that you can assign to individual users based on their job scope. It allows for granular provisioning.

With onboarding applications, you are able to register applications in Azure Active Directory, which allows you to use it as a portal for access as well.

Azure Active Directory enhances the user experience because they do not have various IDs for different applications. They are using one single on-premises ID to synchronize and they are able to access various different applications that are presented to them.

If you have a new application, you will export the application within Azure AD and we add access to those who need that application and you are able to use the corporate ID and password to access it.

Azure Active Directory is a good platform for us. We rely heavily on providing our users a good system and interface that we seldom have issues with.

What needs improvement?

The management interface has some areas that need improvement. It doesn't give you an overview similar to a dashboard view for Azure Active Directory. The view can be complicated. There are many different tabs and you have to drill down into each individual area to find additional information.

There are too many features available, more than we can use.

For how long have I used the solution?

I have been using Azure Active Directory for three years.

What do I think about the stability of the solution?

It's quite stable. There are no issues with the stability.

The identity platform is quite robust.

What do I think about the scalability of the solution?

It is very scalable. We have deployed it globally for approximately 10,000 users and experienced not many issues. In fact, we have not encountered any issues so far.

How are customer service and technical support?

Generally, we don't have issues that require technical support. We have multiple domains within the Azure AD and we had an issue where SharePoint users were not able to access the domain.

We had a prompt response and were able to identify what the issue was. We were given specific tasks which led to resolving the issue.

I would rate the technical support a nine out of ten.

Which solution did I use previously and why did I switch?

Previously, we did not use another solution. Primarily it was an on-premises Active Directory that we synchronized to the cloud.

How was the initial setup?

The initial setup was completed by a separate team.

We have five global administrators who are primarily responsible for providing access and assigning roles for all the various different groups and teams that have different subscriptions, and they will manage their subscriptions based on the roles that they are assigned.

In terms of deployment, Active Directory ensures that there is ExpressRoute connectivity from an on-premises data center to Azure and ensures that there are sufficient redundancies in Azure Active Directory Connect Servers and Domain Controllers. 

What was our ROI?

We have seen a return on our investment. I would say that it is one of the key components of our identity solution.

What's my experience with pricing, setup cost, and licensing?

The pricing is very flexible. There are a few tiers of licensing, and it is a part of an enterprise contract.

It is bundled with other services and the pricing is quite reasonable.

Which other solutions did I evaluate?

We did not evaluate other solutions.

What other advice do I have?

I would strongly recommend implementing Azure Active Directory.

For new organizations, it would be best to start implementing directly on the cloud, and for our existing organizations who have on-premises solutions, it would be seamless to synchronize the on-premises user with the cloud and use that. 

I would rate Azure Active Directory a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
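The "two sign-ins from two different locations" signal the reviewer describes above, as an added example that is not code from the review, from PeerSpot or from Microsoft. The check itself runs offline over constructed sample sign-in records; the `Get-Mg*` calls at the end show how a defender would feed it real data and compare it with Identity Protection's own verdicts, and require the Microsoft Graph PowerShell SDK (Microsoft.Graph.Reports and Microsoft.Graph.Identity.SignIns modules). The user names, countries and timestamps are constructed.

```powershell
# Added example, not code from the review. The Get-Mg* calls require the Microsoft
# Graph PowerShell SDK; the sample sign-ins below are constructed so the check runs offline.

# Flag accounts with successful sign-ins from more than one country inside a time window.
# Input objects follow the shape of Get-MgAuditLogSignIn output:
# UserPrincipalName, CreatedDateTime, Location.CountryOrRegion, Status.ErrorCode (0 = success).
function Find-MultiCountrySignIns {
    param(
        [object[]]$SignIns,
        [int]$WindowHours = 2
    )
    $SignIns |
        Where-Object { $_.Status.ErrorCode -eq 0 -and $_.Location.CountryOrRegion } |
        Group-Object UserPrincipalName |
        ForEach-Object {
            $events = $_.Group | Sort-Object CreatedDateTime
            for ($i = 1; $i -lt $events.Count; $i++) {
                $prev = $events[$i - 1]; $cur = $events[$i]
                $gap = ([datetime]$cur.CreatedDateTime - [datetime]$prev.CreatedDateTime).TotalHours
                if ($gap -le $WindowHours -and
                    $cur.Location.CountryOrRegion -ne $prev.Location.CountryOrRegion) {
                    [pscustomobject]@{
                        User     = $_.Name
                        From     = $prev.Location.CountryOrRegion
                        To       = $cur.Location.CountryOrRegion
                        HoursGap = [math]::Round($gap, 2)
                        At       = $cur.CreatedDateTime
                    }
                }
            }
        }
}

# Constructed sample records (not real sign-ins).
$sample = @(
    [pscustomobject]@{ UserPrincipalName = "alice@contoso.example"; CreatedDateTime = "2021-06-17T08:00:00Z"
                       Location = @{ CountryOrRegion = "GB" }; Status = @{ ErrorCode = 0 } },
    [pscustomobject]@{ UserPrincipalName = "alice@contoso.example"; CreatedDateTime = "2021-06-17T09:10:00Z"
                       Location = @{ CountryOrRegion = "BR" }; Status = @{ ErrorCode = 0 } },
    [pscustomobject]@{ UserPrincipalName = "bob@contoso.example";   CreatedDateTime = "2021-06-17T08:30:00Z"
                       Location = @{ CountryOrRegion = "GB" }; Status = @{ ErrorCode = 0 } },
    [pscustomobject]@{ UserPrincipalName = "bob@contoso.example";   CreatedDateTime = "2021-06-17T08:45:00Z"
                       Location = @{ CountryOrRegion = "US" }; Status = @{ ErrorCode = 50126 } }  # failed sign-in, ignored
)
Find-MultiCountrySignIns -SignIns $sample -WindowHours 2   # reports alice only: GB -> BR, 1.17 h apart

# Against a live tenant: the last day of sign-ins, plus the risk engine's own detections.
Connect-MgGraph -Scopes "AuditLog.Read.All", "IdentityRiskEvent.Read.All", "IdentityRiskyUser.Read.All"
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$live = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
Find-MultiCountrySignIns -SignIns $live -WindowHours 2

# Identity Protection detections for the same period (e.g. unlikelyTravel, leakedCredentials).
Get-MgRiskDetection -Filter "detectedDateTime ge $since" |
    Select-Object UserPrincipalName, RiskEventType, RiskLevel, DetectedDateTime

# Users the engine still holds at risk need remediation (password reset or block) before access is restored.
Get-MgRiskyUser -Filter "riskState eq 'atRisk'" |
    Select-Object UserPrincipalName, RiskLevel, RiskLastUpdatedDateTime
```

The local check deliberately ignores failed sign-ins (bob's second record) so that password-spray noise from abroad does not masquerade as account travel; what it surfaces is a successful session from a second country shortly after the first, which is the case that warrants a password reset and a review of the session's MFA result.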
Global Head of Identity and Access Management at Adecco
Real User
Apr 22, 2021
End users have one password to get into their online applications, which makes for a better user experience
Pros and Cons
  • "It is one of those costs where you can't really quantify a return on investment. In the grand scheme of things, if we didn't have it, we would probably have a lot more breaches. It would be a lot harder to detect issues because we would have people using static usernames and passwords for various sites, making us open to a lot more attacks. The amount of security and benefit that we get out of it is not quantifiable but the return of investment from a qualitative point of view is much higher than not having it."
  • "The amount of security and benefit that we get out of it is not quantifiable but the return of investment from a qualitative point of view is much higher than not having it."
  • "Some of the features that they offer, e.g., customized emails, are not available with B2C. You are stuck with whatever email template they give you, and it is not the best user experience. For B2C, that is a bit of a negative thing."

What is our primary use case?

It has allowed us to use other SaaS products that will authenticate with Office 365 as well as other Microsoft products and non-Microsoft products, so we can have a single sign-on experience for our users. Rather than them needing to have multiple usernames and passwords, they just use whatever they have as their main username and password to log onto their machine.

It is SaaS based, but we sync up from our on-prem into Azure AD.

How has it helped my organization?

With COVID-19 at the moment, this solution is a good example of where we needed to move a lot of our traffic from our on-prem authentication into the cloud. Last year, before I joined the company, we had to set up our VPN differently. It was easy enough for us to do because our machines were already joined to Azure AD. We just split the traffic and stopped having to rely on our on-prem VPN for our Office 365 traffic. We were just good to go into the Internet because we had all the features set up, e.g., MFA and Conditional Access, which made life a lot easier.

It has made our security posture better. There are always improvements to be made, but we feel more secure because of the way that things have been set up and how everything integrates together.

What is most valuable?

  • Single sign-on is the most useful at the onset. 
  • The dashboards offered are very granular, in terms of usages. 
  • We find the Conditional Access element and Multi-Factor Authentication side of things very useful. 

These features let us have secure, yet user-friendly interactions, rather than having to be embroiled in various types of signups for each application. These allow us to be a lot more granular as well as making sure our environment is more secure. Our accesses and users remain secure too.

Multi-Factor Authentication (MFA) and Conditional Access have helped us be more secure. There is one place where all these features are posted, making life a lot easier. If we were to try and buy these separately, then it would be a painful experience. Whereas, if it is in one product, then all these features talk to each other and it is available for us in one go. For example, when you buy a car, if you buy the steering wheel and engine separately, then you need to make it work altogether. Whereas, you just want to buy a car with everything included, making life a lot easier.

It has made the end user experience a lot better. They only have one password to get into their online applications and that makes the user experience much better.

What needs improvement?

The one area that we are working on at the moment is the business-to-consumer (B2C) element. It is not as rich as some of the other competitors out there. The B2C element of Azure AD is quite niche. Some of the features that they offer, e.g., customized emails, are not available with B2C. You are stuck with whatever email template they give you, and it is not the best user experience. For B2C, that is a bit of a negative thing.

In my previous role, there would have been a few things that I would have liked added, but they have already introduced them. Those are already in the roadmap. 

For how long have I used the solution?

I have been using the product for many years. I have only been at Adecco for six months, but I had experience with it at my prior role as well. Overall, I have used it in excess of five years.

What do I think about the stability of the solution?

The stability is fantastic. It is a big step from using Active Directory on-premise to now moving to something that has been completely rethought in the cloud. It is very impressive and fits into the whole Microsoft ecosystem, making life easier.

We have had some downtime, but I think a lot of that has been unavoidable from Microsoft's side of things. Microsoft made some changes in some instances which caused certain features to be unavailable, like Azure AD became unavailable a few weeks ago. I love that they were very frank, open, and honest as to what happened. However, the bottom line is that we prefer downtime not to happen. 

What do I think about the scalability of the solution?

We have had no problems with it. We are not exactly the biggest organization, i.e., 30,000 accounts. IT makes up probably 5,000 of those accounts, or less. If we were an organization of hundreds of thousands, then we might be questioning scalability. However, I have never known it not to be scalable. For medium to large organizations, it is fine. I think it is when you get into multiple companies with multiple complexities then it becomes a struggle. For us, it is more than scalable for our purposes.

We still have many applications that need to be onboarded to Azure AD. Because we are moving to the cloud, there is a lot more that we need onboarded into Azure AD, but it is working well so far.

How are customer service and technical support?

The technical support is great. We have a dedicated resource who understands our environment. We have regular meetings with them once a week where we get to discuss the current status of various tickets as well as our questions. The support that we get is very good.

We have Premier Support. We also have Premier Mission Critical Support on Azure AD, which is where we have someone who is dedicated to our setup and knows how our environment is set up. Therefore, if we do have a major issue, then they would be brought in to help resolve those issues.

Which solution did I use previously and why did I switch?

It was a given that we would use Microsoft. To use Microsoft 365, you need to use Azure AD, so that is what we did.

I have always used AD and Azure AD.

How was the initial setup?

In my previous role, the initial setup was quite simple. It was a simple case of install and follow some wizards, then you pretty much had it set up and synced to your Azure AD from the on-prem. Minimum effort was required.

The deployment was about three weeks, which was mainly the change process and getting it through our internal changes. It was quite quick. 

What about the implementation team?

We did it ourselves internally with some help from Microsoft. There were four people involved in the deployment: the service owner, a Microsoft product engineer, and two internal engineers.

We have the maintenance outsourced to a partner. However, we have had trouble with this partner because of their lack of delivery.

Ideally, I would like around five people to work with the partner and maintain the environment. At the moment, we have one person and are recruiting two others. For our scale, three to five people would be great as well as working with a partner to do the operations. That is the model that I am using.

What was our ROI?

It is one of those costs where you can't really quantify a return on investment. In the grand scheme of things, if we didn't have it, we would probably have a lot more breaches. It would be a lot harder to detect issues because we would have people using static usernames and passwords for various sites, making us open to a lot more attacks. The amount of security and benefit that we get out of it is not quantifiable but the return of investment from a qualitative point of view is much higher than not having it. 

It is the one platform that should be used for all authentication. Azure AD allows you to have one username and password to access all of your sites, which makes life a lot easier. Therefore, the return on investment is good because people have to use the one ID and password.

What's my experience with pricing, setup cost, and licensing?

Be sure:

  1. You know your userbase, e.g., how many users you have. 
  2. You choose the right license and model that suit your business requirements.

Which other solutions did I evaluate?

In the future, I would maybe like better integration with competitive products. Obviously, Microsoft would be selective on that anyway. For example, working alongside Okta as a competitor, their product seems to be a bit richer in its offerings. From what I have seen, Okta has a bit more of an edge, which is something that might benefit Azure AD.

What other advice do I have?

Be prepared to learn. It is a massive area. There are a lot of features offered by Azure AD. It works well within the Microsoft realm but also it can work very well with non-Microsoft realms, integrating with other parties. The fact it is Microsoft makes life so much easier, because everyone integrates with Microsoft. Just be prepared to absorb because it is a big beast. It is also a necessary evil that you need to have it. The advantages outweigh the disadvantages of having it.

The learning curve is both steep and wide. You can only focus on what you can focus on with the resources you have in your organization. It is such a big product and changing all the time. This means that you need dedicated people to be on it. There is a lot of keeping up with what Microsoft puts out there with Azure AD, which is great. This makes it feature-rich, but you need to be able to learn how it integrates into your business as well.

What Azure AD does for my current organization is sufficient, but we are probably not adopting most of what Azure AD has. We do not have it at a mature place at the moment, but we hope (over the next couple of years) to get it up to the latest and greatest.

It is an integral part of using Microsoft stuff, so we are not going to move away from it any time soon. If anything, we will ensure that everything is on Azure AD and authenticating users use Azure AD. That part will still take some time to do. Like most large organizations who have been around for a long time, we have legacy to deal with and some of that legacy does not support Azure AD. So, we are working towards that.

If you come from a company with legacy technology, then there will be a lot of business and technological changes for you to make.

The adoption of Azure AD B2C is progressing somewhat well. That is something that we just started in the last couple of months. We are having more of our products being onboarded into it. We will be moving other implementations of Azure AD into the one Azure AD implementation, and it has been great so far.

I would rate it as a nine out of 10. I would have given it a 10, but it is impossible for something to be perfect. The product does itself a disservice when there is an impact due to downtime, which we have had over the years. Because you rely on it so heavily, you can't afford for it to go down for a few minutes because then there will be user impact. 

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
it_user1550688 - PeerSpot reviewer
Principal Service Engineer at an energy/utilities company with 10,001+ employees
Real User
Apr 13, 2021
Flexibility around accessing company systems from anywhere at any time has proven to be helpful
Pros and Cons
  • "Azure Active Directory provides us with identity-based authentication, which secures access at the user level and also integrates with conditional access policies and multi-factor authentication helping to increase the identity security for that person. So, the hacking and leaking of passwords is a secondary problem because you will not authenticate a person with one factor. There is a second factor of authentication available to increase the security premise for your company."
  • "Bringing our many hundreds of applications onto Azure Active Directory single sign-on authentication has had a big impact on users' productivity, usage, and adoption of enterprise applications because they don't need to log in."
  • "There is a concept of cross-tenant trust relationships, which I believe Microsoft is actively pursuing. That is something which in the coming days and years to come by will be very key to the success of Azure Active Directory, because many organizations are going into mergers and acquisitions or spinning off new companies. They will still have to access the old tenant information because of multiple legal reasons, compliance reasons, and all those things. So, there should be some level of tenant-level trust functionality, where you can bring people from other tenants to access some part of your tenant application. So, that is an area which is growing. I believe Microsoft is actively pursuing this, and it will be an interesting piece."
  • "There is a concept of cross-tenant trust relationships, which I believe Microsoft is actively pursuing."

What is our primary use case?

We are using Azure Active Directory (AD) for:

  • Application authentication, which is single sign-on. 
  • Multi-factor authentication (MFA). 
  • Conditional access for people coming in from non-trusted networks, which are interlinked. 
  • Azure AD B2B. 

These are the four big items that we are using.

How has it helped my organization?

The flexibility around accessing company systems from anywhere at any time has proven to be very helpful. Organizations decided during the COVID-19 pandemic, on very short notice, to announce that everyone should be working from home. The good part was that our company was already working under Azure Active Directory, and most of our applications were under Azure at that time. For us, it was a very seamless transition. There were no major impacts on the migration nor did we have to do any special setups or need to configure networks. So, it was a very seamless experience for our users, who used to come into our office, to access systems. They started working from home and there was no difference for them. We did not have to do anything special to support that transition from working from the office to working from home. It was seamless. There was no impact to the end users.

Bringing our many hundreds of applications onto Azure Active Directory single sign-on authentication has had a big impact on users' productivity, usage, and adoption of enterprise applications because they don't need to log in. It is the same credentials and token being used for days and months when people use our systems with hundreds of applications being integrated. From a user perspective, it is quite a seamless experience. They don't need to remember their username, passwords, and other credential information because you are maintaining a single sign-on token. So, it is a big productivity enhancement. Before, we were not using a single sign-on for anything. Now, almost 90 to 95 percent of applications are on Azure Active Directory single sign-on.

What is most valuable?

The single sign-on is an amazing product. Its integration with the back-end, like MFA and conditional access, is very helpful for enterprise class companies because of changing dynamics as well as how companies and workers interact. Traditionally, companies used to have their own premises, networks, network-level VPN and proxy settings, and networks to access company systems. Now, anyone can work from anywhere within our company. We are a global company who works across more than 60 countries, so it is not always possible to have secure networks. So, we need to secure our applications and data without having network perimeter-level security.

Azure Active Directory provides us with identity-based authentication, which secures access at the user level and also integrates with conditional access policies and multi-factor authentication helping to increase the identity security for that person. So, the hacking and leaking of passwords is a secondary problem because you will not authenticate a person with one factor. There is a second factor of authentication available to increase the security premise for your company.

The analytics are very helpful. They give you very fine-grained data around patterns of usage, such as who is using it, sign-in attempts, or any failed logins. It also provides detailed analytics, like the number of users who are using which applications. The application security features let you drill down into reports and generate reports based on the analytics produced via your Active Directory, which is very helpful. This can feed into security operation centers and other things.

What needs improvement?

One of the areas where Microsoft is very actively working on enhancing is the capabilities around the B2B and B2C areas.

Microsoft is actively pursuing and building new capabilities around identity governance.

There is a concept of cross-tenant trust relationships, which I believe Microsoft is actively pursuing. That is something which in the days and years to come will be very key to the success of Azure Active Directory, because many organizations are going into mergers and acquisitions or spinning off new companies. They will still have to access the old tenant information because of multiple legal reasons, compliance reasons, and all those things. So, there should be some level of tenant-level trust functionality, where you can bring people from other tenants to access some part of your tenant application. So, that is an area which is growing. I believe Microsoft is actively pursuing this, and it will be an interesting piece.

For how long have I used the solution?

I have been using it for three and a half years.

We have worked very closely with Microsoft over the past few years. We were one of the early adopters as an enterprise. We worked very closely with Microsoft to develop many products and features.

What do I think about the stability of the solution?

Looking at our journey over the last three and a half years, there were a few stability incidents, which is understandable from any technology platform provider perspective. However, it was overall a very good experience with a stable platform. There were two or three major incidents in the last three years.

There are about eight people who handle the day-to-day maintenance. These people focus on single sign-on, multi-factor authentication, and Azure B2B.

What do I think about the scalability of the solution?

The scalability is amazing. Microsoft gets billions of logins every day. They are scaling it every day. They announced an increase in the availability that the SLA guarantees from 99.9 to 99.99 percent from April of this year. Overall, it is very stable and scalable. These are things that we don't need to worry about.

It is fully rolled out to everyone in our organization.

How are customer service and technical support?

Overall, the technical support is very good. Overall, if you follow the customer support route and raise an incident ticket, then they are very prompt. They work very closely and collaboratively with us. We have a dedicated technical account manager (TAM). We have governance in place. We engage with them bi-weekly. So, we have a pretty good working structure with them.

Identity within Microsoft is a separate division, and we work very closely with them.

Which solution did I use previously and why did I switch?

We didn't use another solution before Azure AD.

How was the initial setup?

The initial setup was straightforward.

How you plan the tenant and set it up is quite key. There are major components that you need to be aware of: 

  • Are you planning to implement multi-factor authentication at the tenant level? 
  • What type of conditional access policies do you want to implement? 
  • What type of access governance do you want to put in? 
  • What type of role catalogue do you want to maintain? 
  • What type of structure of the AD organization do you want to maintain? 
  • What type of device registrations do you want? 

There are some prerequisite checklists available from Microsoft. However, these are quite fundamental decisions. If you don't take the lead on them, these decisions will impact you, then you have to go back and fix them later on. So, plan ahead. 

Initial deployment took us a few months across our organization, but we decided to use most of the elements at a very early stage. So, our use case could be different than other companies. Some organizations that I know have chosen not to deploy multi-factor authentication nor do self-service password reset to deployment, then the user community is impacted with that. It can differ organization to organization based on the scale, number of users, locations, etc. So, there are many factors involved. 

We phased out our deployment over a couple of years, focusing on single sign-on and multi-factor authentication, then self-service password reset and other components. So, we did it as a phased deployment with a small team of four or five people.

What about the implementation team?

I strongly recommend the Microsoft GTP Teams, which are with their R&D division. They have a go into production, dedicated team who work with customers from an end-to-end lifecycle perspective. So, they will help you to build the tenant from scratch, following the right standards and guidelines. For us, it was straightforward, but we started this journey in 2017/2018. It is quite a mature product now.

We work with most managed service providers, like Infosys, TCS, Wipro, etc. We have had good experiences with them. Initially, we worked with Infosys.

What was our ROI?

We are closing all data centers. Therefore, to build or enhance any existing capability in applications, it could have been a very costly effort for us. Rather than building an authentication platform, we are using a standard-based approach where we just need to plug and play. Instead of going in and reinventing the wheel for every application, we are using a standard out-of-the-box service offering from Azure Active Directory, where we just consume that service, then users have a seamless experience.

Having a single supplier saves you loads of headaches from:

  • Multiple suppliers and multiple technologies.
  • Integrating everything.
  • Doing upgrades.
  • Maintenance.
  • In-house deployment.
  • Having multiple components of those solutions work together.
  • Managing multiple vendors, supplier support teams, contracts, renewals, and licenses.

If you are dealing with one supplier with an out-of-the-box solution, which provides you end-to-end capabilities, then it is naturally cheaper and less of a headache to manage and operate.

Which other solutions did I evaluate?

This solution was the natural choice. There is no vendor nor supplier providing this type of capability right now in the market, especially considering people in organizations are using Office 365. So, it is the natural choice not to go with a third-party supplier, then try to integrate those third-party solutions and technologies into Microsoft. It is one box and the same Office 365 tenant in the same environment where you operate all your settings. Therefore, it is a very natural, out-of-the-box solution.

What other advice do I have?

Look at the market. However, look at it from an end-to-end perspective, especially focused on your applications and how a solution will integrate with your overall security landscape. This is key. Azure Active Directory provides this capability, integrating with your Office 365 tenant, data security elements, classifications, identity protection, device registrations, and Windows operating system. Everything comes end-to-end integrated. While there is no harm evaluating different tools, Azure AD is an out-of-the-box solution from Microsoft, which is very helpful.

Every day we are increasing the number of users and onboarding new applications. Also, we are growing the B2B feature. We try to use any new feature or enhancement coming in from Microsoft, working very closely with them. It is an ongoing journey.

Dealing with a single supplier is easier rather than dealing with five suppliers. Historically, if you have to do anything like that, then you will end up dealing with at least 10 different vendors and 10 different technologies. It is always interesting and challenging to manage different roadmaps, strategies, upgrade parts, licensing, and contracts. The biggest lesson learnt is wherever you can go with native-cloud tools and technologies, then go for it.

I would rate this solution as 10 out of 10.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
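The review above says the sign-in analytics (who signed in, failed logins, which applications) are what gets fed to a security operations center. As an added example, not code from the reviewer's organization or from Microsoft, the following script shows two checks a SOC would run over that feed: a password spray (one source address failing against many different accounts inside a short window, which a per-account lockout never notices) and successful sign-ins that completed with a single factor where no Conditional Access policy applied, which is the list of applications the MFA/CA rollout has not reached yet. The records are constructed here to follow the field names of the Azure AD sign-in log (userPrincipalName, ipAddress, status.errorCode, conditionalAccessStatus, authenticationRequirement); the account names, addresses, application names and the thresholds are assumptions.

```python
"""Triage of Azure AD sign-in log records for a SOC feed.

Added example, not code from the review or from Microsoft. Records are
constructed in the shape of the Azure AD sign-in log; values are invented.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

INVALID_CREDENTIALS = 50126  # AADSTS50126: invalid username or password


def _rec(ts, user, ip, app, code, ca_status, requirement):
    """Build one constructed sign-in record as a JSON line."""
    return json.dumps({"createdDateTime": ts, "userPrincipalName": user, "ipAddress": ip,
                       "appDisplayName": app, "status": {"errorCode": code},
                       "conditionalAccessStatus": ca_status,
                       "authenticationRequirement": requirement})


# Constructed sample, one JSON object per line (not real telemetry).
SAMPLE_SIGNINS = "\n".join(
    [_rec("2021-04-13T08:00:01Z", "alice@contoso.example", "203.0.113.7", "Office 365",
          0, "success", "multiFactorAuthentication"),
     _rec("2021-04-13T08:00:05Z", "bob@contoso.example", "198.51.100.9", "Legacy HR Portal",
          0, "notApplied", "singleFactorAuthentication"),
     _rec("2021-04-13T08:02:40Z", "carol@contoso.example", "203.0.113.8", "Office 365",
          0, "success", "multiFactorAuthentication"),
     _rec("2021-04-13T08:03:15Z", "alice@contoso.example", "203.0.113.7", "Office 365",
          INVALID_CREDENTIALS, "notApplied", "singleFactorAuthentication")]
    # one source trying six different accounts within a minute: a password spray
    + [_rec(f"2021-04-13T08:10:{10 * k:02d}Z", f"user{k}@contoso.example", "198.51.100.23",
            "Office 365", INVALID_CREDENTIALS, "notApplied", "singleFactorAuthentication")
       for k in range(6)]
)


def parse_signins(text):
    """Parse JSON-lines sign-in records and attach a parsed UTC timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ") \
            .replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def find_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {ip: {...}} for sources whose bad-password failures hit at least
    min_users distinct accounts inside any window-long interval."""
    failures = defaultdict(list)
    for e in events:
        if e["status"].get("errorCode") == INVALID_CREDENTIALS:
            failures[e["ipAddress"]].append((e["ts"], e["userPrincipalName"].lower()))
    hits = {}
    for ip, attempts in failures.items():
        attempts.sort()
        best = None
        for i, (start, _) in enumerate(attempts):
            in_window = [(t, u) for t, u in attempts[i:] if t - start <= window]
            users = {u for _, u in in_window}
            if len(users) >= min_users and (best is None or len(users) > best["distinct_users"]):
                best = {"distinct_users": len(users), "first": start,
                        "last": max(t for t, _ in in_window)}
        if best:
            hits[ip] = best
    return hits


def find_single_factor_gaps(events):
    """Successful sign-ins that needed only one factor with no CA policy applied:
    the applications the MFA / Conditional Access rollout has not covered."""
    return [{"user": e["userPrincipalName"], "app": e["appDisplayName"],
             "ip": e["ipAddress"], "time": e["createdDateTime"]}
            for e in events
            if e["status"].get("errorCode") == 0
            and e.get("authenticationRequirement") == "singleFactorAuthentication"
            and e.get("conditionalAccessStatus") == "notApplied"]


def triage(text):
    """Run both checks over a JSON-lines export and return a summary dict."""
    events = parse_signins(text)
    return {"events": len(events),
            "password_spray": find_password_spray(events),
            "single_factor_gaps": find_single_factor_gaps(events)}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SIGNINS), default=str, indent=2))
```

On the constructed data the spray from 198.51.100.23 is reported with six distinct accounts, and the only single-factor gap is the legacy HR portal that bob reached without a policy being applied; the lone failed attempt from alice's own address is below the threshold and stays out of the spray list.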
IT Security Consultant at Onevinn AB
Consultant
Apr 9, 2021
The passwordless feature means users don't need a password anymore and makes it easier for them to be more secure
Pros and Cons
  • "Using [Azure AD's] passwordless technology, you're not even using a password anymore. You're basically just creating a logon request without actually sending or typing or storing the password. This is awesome for any user, regardless of whether you're a factory worker or a CFO. It's secure and super-simple."
  • "Using Azure AD has improved our security posture overall, more than anything I've ever worked with."
  • "The Azure AD Application Proxy, which helps you publish applications in a secure way, has room for improvement. We are moving from another solution into the Application Proxy and it's quite detailed. Depending on the role you're signing in as, you can end up at different websites, which wasn't an issue with our old solution."
  • "The Azure AD Application Proxy, which helps you publish applications in a secure way, has room for improvement."

What is our primary use case?

I use it for managing identities, access, and security in a centralized way. I help other people use this product.

How has it helped my organization?

Using Azure AD has improved our security posture overall, more than anything I've ever worked with.

It enables end-users to be more secure without it actually affecting their work. Usually, security solutions make it harder for them, so many start using other solutions instead, solutions that are not managed or monitored by the organization. But when we use Azure AD's Conditional Access, for example, as long as they behave, users don't even notice it.

The passwordless feature means they don't even need to have a password anymore. It's easier for users to be more secure. You can invite anyone to collaborate in a secure way. 

What is most valuable?

Passwordless sign-in, which is one of the new features where you no longer need to have a password, is one of the great features. Passwords have always been hard for end-users, but not so hard to bypass for bad guys. It often doesn't matter how complex or long your password is. If a bad guy can trick you into giving it to him or can sniff your keyboard or your network, or access it through malware, your password doesn't matter anyway. So all the complexity, length of the password, and having to regularly change it is hard for users, but it doesn't stop hackers. And that's what makes passwordless so valuable.

Multi-factor authentication is good as it allows you to answer a notification or even an SMS or a phone call, but that has become more insecure now because the bad guys are learning new ways to bypass these methods. But using passwordless technology, you're not even using a password anymore. You're basically just signing a logon request without actually sending, typing or storing the password. This is awesome for any user, regardless of whether you're a factory worker or a CFO. It's secure and super-simple.

It also stops phishing, which is amazing. If someone tricks a user into going into the "Macrosoft" store or some other site that looks like the real site, they can trick the user into signing in there and then they can steal the password. But if the user is using passwordless, the passwordless solution would say, "Sorry, I don't have a relationship here. I can't sign in." In that way, it can stop phishing, which is one of the most common attack vectors right now.

Another feature that has improved our security posture is Conditional Access where we can not only say "yes" or "no" to a sign-in, but we can also have conditions. We can say, "Sure, you can sign in, but you need to be part of the right group. You need to come from a managed client. You can't come in with a risky sign-in. You need to come in from a certain platform or a certain network." You can have a really complex set of rules and if those rules are not fulfilled you will not be able to sign in, or we can require MFA or even control the session. That is also a really good security feature.

The B2B feature is another good one where, if I want to give someone access to my apps or data, instead of creating an account and a password and giving that info to the user, I can invite that user so he or she can use their own existing account. That way, I don't need to manage password resets and the like. The B2B feature enables collaborating with anyone, anytime, anywhere.

What needs improvement?

The Azure AD Application Proxy, which helps you publish applications in a secure way, is really good, but has room for improvement. We are moving from another solution into the Application Proxy and the other one has features that the App Proxy doesn't have. An example is where the role you're signing in as will send you to different URLs, a feature that App Proxy doesn't have (yet).

With Azure AD, if you look in detail at any of the features, you will see 20 good things but it can be missing one thing. All over the place there are small features that could be improved, but these improvements are coming out all the time. It's not like, "Oh, it's been a year since new features came out." Features are coming out all the time and I've even contacted Microsoft and requested some changes and they've been implemented as well.

For how long have I used the solution?

I have been using Azure Active Directory for close to eight years now.

What do I think about the stability of the solution?

The stability or availability is incredible. It's super-good. However, just the other week, there was an outage for a few hours, so it's not 100 percent. But in Microsoft's defense, that hasn't happened for a long time.

What I also usually point out to people is that if you host your own solution and things break in the middle of the night, who's going to look at it? With this solution, you know that in the first millisecond that something breaks, 10 people or 100 people are looking at it. You get constant feedback about what's going on and you usually get a full report afterwards about what actually happened and how they will prevent them in the future. They are really good at managing these outages.

I don't know what the uptime is, but it's still 99.999 or something like that. It's super-trustworthy, but it's not 100 percent. What is? Still, it's likely much better than a private on-premises solution could ever be.

What do I think about the scalability of the solution?

In terms of scalability there are no limits. I have customers with 10 people and others with up to 300,000, and everything in between. There is no difference. I haven't had to think about memory or disk space or CPU in a long time because everything just works. It's super-scalable.

We have 100 customers and all of them use Azure AD. They are spread all over the world. In Sweden, where I'm from, we have government municipalities, we have private corporations, hospitals, manufacturing. Everybody needs this. It doesn't matter which market or which area you work in. I don't see a target audience for this. It's everyone.

How are customer service and technical support?

Their tech support is pretty good, depending on who you end up talking to. If you open a support request, you can be asked quite basic questions at first: "Have you tried turning it on and off again?" Sometimes we need to go through five people to get the correct people, the people who know the problem area really well. We usually dig really deep into the area and learn a lot first. We need someone who is an expert in this product and who knows exactly how that area of the product works. Sometimes it takes a while to get to the correct person, but once you get there, they're usually super-knowledgeable, super-friendly and quick to reply. It can be tricky to find the right person. But I suppose that is the same in any company.

Over the years, we have built up a contact network so we can usually contact the right people right away, as we are a Microsoft partner. But because this review is for everyone, I would suggest that you keep asking until you end up at the right people.

Overall, Microsoft is really attentive. Previously, you could say, "Can you show me the roadmap for the next three years?" and they would say "Sure." They don't really do that anymore because they say, "It now depends on what you want." We can help influence Microsoft how to prioritize. They have daily and weekly meetings where they discuss "What do people want now? How should we prioritize?" It's a totally new Microsoft compared with a few years ago. If I see something missing, they usually come up with it pretty quickly.

Which solution did I use previously and why did I switch?

I see people moving from other solutions into Azure AD because they're not satisfied with the other solutions. 

How was the initial setup?

The initial setup is a straightforward process, for such a complex technology. Although there are a lot of moving parts involved in actually setting it up, it is quite easy.

I've set this up for many and, in general, it takes less than a day to get things up and running. Then, of course, there's tons of optional configuration to improve and secure things, but just getting it up and running takes less than a day.

The implementation strategy used to be helping them get to the cloud, by doing things like making sure that they clean up the accounts in the on-premises solution and setting up the synchronization rules. But nowadays, most of my customers are people who have Azure AD in place already. So now I'm trying to enable and configure and improve security configuration. For example, you don't have to set up the passwordless feature and you don't have to do multi-factor authentication. They are optional. So my task now is more one of improving their configuration and turning on security features. A lot of it is secure by default, but some features require you to configure and set them up.

What's my experience with pricing, setup cost, and licensing?

With the licensing there are so many features involved, and different features for different licensing levels. Those levels include the free version, as well as Premium P1, Premium P2. My approach with my clients is usually, "What kind of licenses do you have? Okay, let's improve this, because you have it already. You're paying for it already. Why not use it?" 

The next step is, "These features are included in the licensing you don't have. Do you think it's worth it?" I talk to them, I explain them, and I demonstrate them. They will usually say, "Yeah, we need that one."

Which other solutions did I evaluate?

I don't know other solutions really deeply. I know of them, but I'm a specialist who is focused on this one. But I realize, when I talked to other specialists in other areas, that they are solving the same problem, so they usually have similar solutions.

What Microsoft is winning on is that people used to say, "Buy the best product, the best in class or best in breed for each area." But that has changed now. "Buy the best ecosystem" is the better approach. If I have Azure AD as my identity and access solution, and if I also use Microsoft Defender for Endpoint and the Defender for Office 365, and other Microsoft solutions, I can then go to one portal, one place, and see how my apps are doing, how my users are doing, how my devices are doing, and how my data is doing. You get this super-integrated ecosystem where everything talks to each other. That is the strength.

In my opinion Azure AD is a fantastic standalone product, but you have so much more benefit from using it together with other Microsoft solutions.

The user usually doesn't care if we use Microsoft or any other vendor's solution to protect his identity, his computer, or his data. They just want to do their jobs. But as admin, I see the advantage of using the same provider. I can actually create a query saying, "Show me all users who logged in to Azure AD from a device with this operating system, accessing this application, and who have a risk on their device, where a document is classified as sensitive." I can do all of that in one query for identity, applications, devices, and data. That's the strength, having that insight into everything. And when it comes to security and Azure AD, Microsoft has 3,000 full-time security researchers, and they spend over a billion dollars each year on security research alone.

What's amazing is that the CIA, the FBI, and these big companies or organizations are using Azure AD, and they have really high requirements for audits and protection. As a "regular" organization, you can get the same level of security without having to ask for it. You get to ride on the coattails of that amazing security without spending $1 billion yourself.

If another Microsoft customer is hit by something bad, Microsoft is going to stop it for the rest of its customers. If you're the first to get hit by new bad malware, that may be tough, but all of the other customers are instantly protected because different customers share threat intelligence, in a way. You get the benefit of all the security discoveries that Microsoft makes, instantly.

What other advice do I have?

Talk to someone who knows a lot about it. Sure, you can look at everything on the docs.microsoft.com page, but it can be hard to understand what each feature is and the value it gives you. Talk to someone who knows both licensing and technology, to understand what's there and what you should pay for and what you should not pay for.

There are also a lot of good videos out there, like sessions from Microsoft Ignite. You also have the Microsoft Mechanics video series on YouTube with a lot of videos. So if you like to learn through video, there's a lot available for you. You can also go to docs.microsoft.com and search for Azure AD. You will get a starting page where you can learn the identity and access basics or also how you integrate apps. There is a link collection with everything and anything you would like to know. Or you can call me.

We are security advisors. We help people, we train people, we implement it for them, we document it, we teach them, and we talk at seminars. We sell our knowledge. We don't sell solutions. There are 25 people in our company and five to 10 people are working with Azure AD. It's not that we need five for our daily operations, it's just that's how many of us are working with it. In general, a company might need one to five people working on it. If I need to set up a feature for five people or 500,000 people I do the same steps. The thing that is different in bigger companies is that you need to communicate, you need to educate, you need to write Knowledge Base articles, you need to inform the service desk. All of those things are just to prepare users. But that has nothing to do with Azure AD. The technology is super-simple. It's more that the process around it is different in different companies.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner.
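The reviewer above describes the passwordless login refusing a look-alike site with "Sorry, I don't have a relationship here." For Azure AD's FIDO2 security key sign-in, which uses WebAuthn, that refusal comes from two checks in the WebAuthn flow: the browser releases a credential only when the requested RP ID equals, or is a registrable suffix of, the host of the origin asking for it, and the relying party then verifies both the rpIdHash in the authenticator data and the origin echoed in clientDataJSON. The following script, added here as an example and not code from the reviewer, Onevinn or Microsoft, models both checks end to end with a simulated authenticator, browser and relying party, and runs a legitimate sign-in next to three attempts a phishing site could make. The domain names, class names and the HMAC used in place of the credential's public-key signature are assumptions made for illustration only.

```python
"""Why FIDO2/WebAuthn passwordless sign-in resists phishing.

Added example, not from the review or from Microsoft. Domain names are
illustrative; HMAC stands in for the credential's private-key signature.
"""
import hashlib
import hmac
import json
import secrets


class WebAuthnError(Exception):
    pass


def sha256(data):
    return hashlib.sha256(data).digest()


def host_of(origin):
    """Host part of an origin such as https://login.example:443 (lower-cased)."""
    return origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0].lower()


def rp_id_valid_for_origin(rp_id, origin):
    """WebAuthn scoping rule: the RP ID must equal the origin's host or be a
    registrable suffix of it. https://login.example.phish.test therefore
    cannot ask for a credential scoped to login.example."""
    host = host_of(origin)
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """A security key: every credential is bound to the RP ID it was made for."""

    def __init__(self):
        self._creds = {}  # credential_id -> (rp_id, key)

    def make_credential(self, rp_id):
        cid, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[cid] = (rp_id, key)
        return cid, key  # key is handed out only because HMAC stands in for a public key

    def get_assertion(self, rp_id, client_data_hash, cid):
        if cid not in self._creds or self._creds[cid][0] != rp_id:
            raise WebAuthnError("no credential for this RP ID")  # "no relationship here"
        _, key = self._creds[cid]
        # authenticatorData = rpIdHash (32) | flags (UP set) | signature counter
        auth_data = sha256(rp_id.encode()) + b"\x01" + (1).to_bytes(4, "big")
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


class Browser:
    def __init__(self, authenticator):
        self.auth = authenticator

    def get(self, origin, rp_id, challenge, cid):
        """navigator.credentials.get(): the browser, not the web page, fills in origin."""
        if not rp_id_valid_for_origin(rp_id, origin):
            raise WebAuthnError("RP ID is not valid for origin " + origin)
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}, sort_keys=True).encode()
        auth_data, sig = self.auth.get_assertion(rp_id, sha256(client_data), cid)
        return {"clientDataJSON": client_data, "authenticatorData": auth_data, "signature": sig}


class RelyingParty:
    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.keys = {}  # credential_id -> verification key

    def register(self, authenticator):
        cid, key = authenticator.make_credential(self.rp_id)
        self.keys[cid] = key
        return cid

    def new_challenge(self):
        return secrets.token_urlsafe(32)

    def verify(self, cid, expected_challenge, assertion):
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
            return False
        if cd.get("origin") != self.origin:  # origin binding, checked server-side
            return False
        ad = assertion["authenticatorData"]
        if ad[:32] != sha256(self.rp_id.encode()):  # rpIdHash binding
            return False
        key = self.keys.get(cid)
        if key is None:
            return False
        expected = hmac.new(key, ad + sha256(assertion["clientDataJSON"]), hashlib.sha256).digest()
        return hmac.compare_digest(expected, assertion["signature"])


def demo():
    """Legitimate sign-in plus three phishing-style attempts; returns the outcomes."""
    rp = RelyingParty("login.example", "https://login.example")
    browser = Browser(Authenticator())
    cid = rp.register(browser.auth)
    phish = "https://login-example.phish.test"
    results = {}
    ch = rp.new_challenge()
    results["legit"] = rp.verify(cid, ch, browser.get(rp.origin, rp.rp_id, ch, cid))
    ch = rp.new_challenge()  # relayed in real time by the phishing site
    for label, rp_id in (("phish_real_rpid", rp.rp_id), ("phish_own_rpid", host_of(phish))):
        try:
            browser.get(phish, rp_id, ch, cid)
            results[label] = "assertion released"
        except WebAuthnError as err:
            results[label] = str(err)
    # A sibling host under the RP ID passes the browser check but not the RP's origin check.
    results["subdomain_origin"] = rp.verify(cid, ch, browser.get("https://sso.login.example",
                                                                 rp.rp_id, ch, cid))
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The legitimate sign-in verifies; the phishing host cannot obtain an assertion either for the real RP ID (the browser refuses it) or for its own RP ID (the key holds no credential for it), and an assertion produced for a sibling host under the same RP ID still fails at the relying party's origin check. A password typed into the look-alike page has no equivalent of any of these checks.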
it_user1548177 - PeerSpot reviewer
Product Manager/Architect at a retailer with 5,001-10,000 employees
Real User
Apr 8, 2021
We can see all facets of the business, providing us more visibility
Pros and Cons
  • "It enhanced our end user experience quite a bit. Instead of the days of having to contact the service desk with challenges for choosing their password, users can go in and do it themselves locally, regardless of where they are in the world. This has certainly made it a better experience accessing their applications. Previously, a lot of times, they had to remember multiple usernames and passwords for different systems. This solution brings it all together, using a single sign-on experience."
  • "It definitely has improved our security posture, certainly from providing that second factor of authentication, and it enhanced our end user experience quite a bit by giving them self-service password reset and a single sign-on experience instead of having to remember multiple usernames and passwords for different systems."
  • "The thing that is a bit annoying is the inability to nest groups. Because we run an Azure hybrid model, we have nested groups on-premise which does not translate well. So, we have written some scripts to kind of work around that. This is a feature request that we have put in previously to be able to use a group that is nested in Active Directory on-premise and have it handled the same way in Azure."

What is our primary use case?

We run in a hybrid model. We have our Active Directory on-premise directory services that we provide. We basically went to Azure so we could provide additional capabilities, like single sign-on and multi-factor authentication.

We are running in a hybrid environment. It is not completely cloud-native. We sync our on-premise directory to the cloud.

How has it helped my organization?

It definitely has improved our security posture, certainly from providing that second factor of authentication. It provides more visibility. We can see all facets of the business, e.g., when people are logging into our resources. This solution makes it highly visible to us.

It enhanced our end user experience quite a bit. Instead of the days of having to contact the service desk with challenges for choosing their password, users can go in and do it themselves locally, regardless of where they are in the world. This has certainly made it a better experience accessing their applications. Previously, a lot of times, they had to remember multiple usernames and passwords for different systems. This solution brings it all together, using a single sign-on experience. 

Is this specific to Azure? No. We have had other IdPs that gave us that same experience, but we have more apps that are integrated into Azure today from single sign-on than we had previously. Having that one handy "my apps" page for folks to go to as their one source for being able to gain access to all their apps is a much better experience from my point of view.

What is most valuable?

  • Azure Application Proxy
  • Single sign-on capabilities for SAML
  • OAuth integrated applications
  • The multi-factor authentication piece was desirable.
  • Defender for Identity, as of recently.
  • Some of the services, like the Microsoft MCAS solution.

These features offer additional layers of security, which is kind of what we were looking for. 

Some of the self-service password utilities certainly helped, given the scenario of the world today with COVID-19 and lockdowns. We certainly benefited from being able to have our users change their password remotely and then, when they connect to the VPN, sync them back up with the domain. So, that was very beneficial for us as well.

What needs improvement?

The thing that is a bit annoying is the inability to nest groups. Because we run an Azure hybrid model, we have nested groups on-premise which does not translate well. So, we have written some scripts to kind of work around that. This is a feature request that we have put in previously to be able to use a group that is nested in Active Directory on-premise and have it handled the same way in Azure. That is something that is actively being worked on. 

One of the other things that we felt could be improved upon is from an Application Proxy perspective. We have applications native to SSH, and we want to be able to do app proxy to TCP/IP. It sounds like that is actively on the roadmap now, which was amazing. It makes us very excited that it is coming, because we do have use cases with that as well.

For how long have I used the solution?

I have been using it for a few years now.

What do I think about the stability of the solution?

The stability has been pretty rock solid. For the first time, we have seen some instability over the last month. I know there were some issues with Microsoft in terms of one of their stacks. That was something that they addressed pretty quickly though. We were apprised of the issues by our technical account manager, so we were in the know. We weren't left in the dark when something happened, and it was remediated pretty quickly.

We have about five to six folks whose main role is to manage identity, and that is my team at the company. However, we also have administrators all over the globe, handling service desk tickets, e.g., resetting passwords. There are about 30 or 40 people, if you include that level of things. However, from a global admin perspective, we probably have a total of eight people.

What do I think about the scalability of the solution?

It is certainly scalable, whether you are connecting to a local on-premise directory services organization, or if you are using B2B and B2C. This is part of the vision: at some point, leverage some of the B2B features that are available to us in Azure, which we don't do today. This is certainly something that we are looking at internally as a potential for moving forward.

We are managing 7,000 to 8,000 users within Azure AD.

There is room for growth.

How are customer service and technical support?

We are part of the DPP program. So, we talk to the identity folks at Microsoft on a weekly basis, who are amazing. It has been such a great experience with those folks.

The technical support that we get through the GTP program is amazing. Microsoft Premier Support is pretty good as well. We have called them, but typically we don't have the type of issues that we are calling all the time for. We have a pretty savvy team, and just being plugged into the GTP team has helped us understand new features which are coming out, whether we are part of an active preview or attending an evening where they are doing a webinar to introduce new features to us. The cool thing about that is you do have that line of sight if you need to ask questions or get technical answers. Between our technical account manager and our GTP partner, we do relatively well without having to open too many cases.

Which solution did I use previously and why did I switch?

We had a different identity provider at one point in time. At the time that we were looking at identity providers, Microsoft really wasn't there from a technical perspective. They are there now, far surpassing some of the things that we have done in the past. So, it was a no-brainer for us. We are very much a Microsoft organization. Primarily, it is the operating system of choice, not only for endpoint service, but it was a pretty good deal to move over and leverage some of the licensing and whatnot for our end users.

From an IdP perspective, we had Okta for quite some time. We had some limitations with Okta that we were looking at Azure to handle. I got pulled in kind of mid-project. I am not really sure when the decision was made, or how it was made, but certainly cost was a factor. We were already licensed for a lot of what was needed to go with Azure, where we were paying Okta separate licensing fees. So, we saved money by switching from Okta to Azure.

How was the initial setup?

The initial setup would have been complex if it had not been for being part of the GTP program. We have gotten a lot of value out of that program in terms of cross-training our team members, catching up on any new features that come out as well as any of the gotchas that the Microsoft team has seen. So, those have benefited us quite a bit.

The deployment probably took six to eight months. Standing up Azure and syncing your directory services, like creating a connector, takes minutes. We could stand that up in a day. What took time was taking all of the applications that we have throughout the environment, migrating them across, and doing integrations with single sign-on. You need to have conversations with different application owners as well as potentially pulling in some vendors to do some of the configuration. There may be some apps which are not as straightforward as others, but we thought that the experience was pretty straightforward (to a point) where we can handle a lot of the work ourselves.

What about the implementation team?

When we needed Microsoft, we were able to reach out, talk to them, and get the assistance that we needed. That was super beneficial to us.

What was our ROI?

There are a lot fewer calls to our service desk for some of the traditional, "Hey, I need to reset my password," or "Hey, I'm locked out." So, we're seeing a lot of that self-service, gaining access to the different apps, and having it all be integrated with Azure takes away some of the headache. For example, "I don't know what my password is for GitHub," or, "I don't know what my password is for Slack." We are like, "Well, it's the same password that you use every day." So, that has dropped call volume.

What's my experience with pricing, setup cost, and licensing?

If you have a different IdP today, I would take a close look at what your licensing looks like, then reevaluate the licensing that you have with Microsoft 365, and see if you're covered for some of this other stuff. Folks sometimes don't realize that, "Oh, I'm licensed for that service in Azure." This becomes one of those situations where you have the "aha" moment, "Oh, I didn't know we can do that. Alright, let's go down this road." Then, they start to have conversations with Microsoft to see what they can gain. I would recommend that they work closely with their TAM, just to make sure that they are getting the right level of service. They may just not be aware of what is available to them.

We look to gain new features when updating licensing. Every time we go to negotiate an enterprise agreement, we are looking at:

  • What are the benefits?
  • What are we getting back from Microsoft?

They are very good at working with us to get what we are looking for in terms of working on packaging for pricing.

Which other solutions did I evaluate?

We did not evaluate other options. The decision was pretty easy. When we initially looked at Okta years ago, Microsoft was also one of the folks that we looked at. Okta was a little more advanced than some of the gallery apps. Then, Microsoft made a huge play and added more gallery-type apps. That helped us quite a bit to move things along.

What other advice do I have?

For others using Azure AD, take the online training. It is widely available, free, and gives you a very good idea of what path you need to go down. So, if you want to take some professional training to become a guru, then you know what classes to go take and the fundamentals that you need before you get into that class. So, I highly recommend taking the video training.

I come from an Active Directory background for more than 20 years. Coming into Azure was actually great. We had somebody leave the company who was managing it, and they said, "Hey David, I know you are working for this other pocket of the business. How would you like to come back to the identity platform?" I said, "Absolutely." So, it was easier for me to come up to speed in several of the advanced areas of Azure, e.g., conditional access policies. We are starting down a zero trust methodology, which has been very exciting for me.

I would give it a solid eight (out of 10). It has a lot of the features that we are looking at. I don't think there are any tools out there that will give you that one magical wand with everything that you are looking for, but certainly this comes close. Microsoft has been working with us to help us through some of the new features and additions that are coming.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
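The reviewer above mentions writing scripts to work around nested on-premise groups not translating well into Azure. The block below is an added example, not the reviewer's scripts, showing the core step such a workaround needs: flattening transitive membership of an on-premises group into a direct member list that a cloud group can mirror. It assumes a constructed snapshot of the directory as a dict of group DN to member DNs (reading it from AD via PowerShell or LDAP is out of scope here) and treats any member DN that is itself a key of the snapshot as a nested group.

```python
"""Flatten nested on-premises AD group membership for a cloud mirror group.

Added example (not the reviewer's scripts). The directory snapshot below is
constructed for illustration; a real run would populate ONPREM_GROUPS from
AD (e.g. an LDAP export) before calling flatten().
"""
from collections import deque

# Constructed sample snapshot: group DN -> list of direct member DNs.
# App-Finance nests Finance-Leads, which nests Finance-Analysts, which nests
# Finance-Leads again (a membership cycle, which real directories do contain).
ONPREM_GROUPS = {
    "CN=App-Finance,OU=Groups,DC=corp,DC=example": [
        "CN=Finance-Leads,OU=Groups,DC=corp,DC=example",
        "CN=alice,OU=Users,DC=corp,DC=example",
    ],
    "CN=Finance-Leads,OU=Groups,DC=corp,DC=example": [
        "CN=bob,OU=Users,DC=corp,DC=example",
        "CN=Finance-Analysts,OU=Groups,DC=corp,DC=example",
    ],
    "CN=Finance-Analysts,OU=Groups,DC=corp,DC=example": [
        "CN=carol,OU=Users,DC=corp,DC=example",
        "CN=Finance-Leads,OU=Groups,DC=corp,DC=example",  # cycle back up
    ],
}


def flatten(group_dn, groups=ONPREM_GROUPS):
    """Return the set of non-group member DNs transitively in group_dn.

    Breadth-first walk over nested groups; `seen` makes it safe against
    membership cycles, which would otherwise loop forever.
    """
    users = set()
    seen = set()
    queue = deque([group_dn])
    while queue:
        current = queue.popleft()
        if current in seen:
            continue
        seen.add(current)
        for member in groups.get(current, []):
            if member in groups:       # nested group: descend into it
                queue.append(member)
            else:                      # leaf object (user, computer, ...)
                users.add(member)
    return users


def missed_by_direct_mirror(group_dn, groups=ONPREM_GROUPS):
    """Users a cloud group copying only direct members would silently miss.

    This is the access gap a hybrid sync produces when the cloud side does
    not honour nesting: anyone reachable only via a nested group.
    """
    direct_users = {m for m in groups.get(group_dn, []) if m not in groups}
    return flatten(group_dn, groups) - direct_users


def flat_membership_report(groups=ONPREM_GROUPS):
    """Map every group to its sorted flattened member list, ready to push
    to a flat cloud group (for example via a Graph API group-members update)."""
    return {g: sorted(flatten(g, groups)) for g in groups}


if __name__ == "__main__":
    top = "CN=App-Finance,OU=Groups,DC=corp,DC=example"
    for g, members in flat_membership_report().items():
        print(g)
        for m in members:
            print("   ", m)
    print("Missed by a direct-only mirror of App-Finance:",
          sorted(missed_by_direct_mirror(top)))
```

Run against a real export, the report is what you would diff against the current cloud group and reconcile on a schedule; the `missed_by_direct_mirror` check is worth keeping as a monitoring query, since a user appearing there is someone who has access on-premise but not through the cloud group, or vice versa once the cloud copy drifts.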