What is our primary use case?
We use it for all of our internal colleagues. Every single user is synced from our internal on-prem directory to Azure AD. Every single user has a presence in Azure AD and that account or identity is then used for at least 10 to 15 different applications. They directly query what groups they're a member of within Azure AD. We use Azure AD for at least 15 different applications.
How has it helped my organization?
It has improved our security posture. Not only with the password feature but there were also things like conditional access, applications within Azure that you can use for better access. You can put conditional access rules in front of those applications, which means that either the device that they're accessing it with has to have a certain up-to-date version of antivirus, it has to have all of its Windows updates, or they have to use multi-factor authentication. All of those nice-to-have features help our security posture a lot.
When users are in Active Directory they can use single sign-on, which means once they've signed on to their machine, they then don't have to sign on again when they access things like their email. They can just go to those URLs. Because those applications are attached to our Azure AD and to our Azure tenant, they can just go to the applications. Those applications know who they are because they have a single sign-on enabled. So that has helped them so they don't have to turn on passwords when they have to access all these different applications.
What is most valuable?
Being able to integrate with third-party solutions is the most valuable feature. These are solutions that produced software as a service and we haven't then had to bring that service to our own data or in our own directory. We can use our Azure identity to connect to their solution. Being able to connect to third-party applications in these identities is the best thing we've found.
Being able to use Azure AD means that you can use some of the Azure AD security features like Advanced Password Protection. As well as querying your normal password requirements like lengths and complexity, Azure AD has a feature in which you can put specific words. It can be words to do with your company, words to do with your company location, or words that a lot of your employees would otherwise use. You can disallow them. It's very good at making more obvious passwords, ones they're not allowed to use anymore. That's a good feature.
It has something called Dynamic Groups so that when a user joins the company and they get added to specific groups, Azure AD will add them dynamically to other groups that will give them access to some of the base applications.
We have certain sets of software that they have to be able to access. Instead of somebody who deals with new users having to add them into 20 different application groups, you need access to this, this, and this. The Dynamic Group update feature from Azure AD means that you can just put them in one group and say that they have a role, and it will automatically then add them to about six or seven other groups, giving them default access to other things as well, instead of having to do that. It means there's a lot less manual work when you get new employees.
What needs improvement?
The conditional access rules are a little limiting. There's greater scope for the variety of rules and conditions you could put in that rules around a more factual authentication for other users. If you have an Azure AD setup, you can then connect to other people's Azure AD, but you don't have a huge amount of control in terms of what you can do. Greater control over guest users and guest access would be better. It's pretty good as it is but that could be improved.
For how long have I used the solution?
I have been using Active Directory in my current role for around six months and in a previous role for three years. I recently moved companies about three months ago. Before that, I was working for another company. I was there for about five years and for at least half that time I was using Azure AD.
We use the latest version. Azure AD doesn't really have version numbers, it's an evolving platform. In my current role, we're on the latest version of it.
What do I think about the stability of the solution?
Stability is pretty good. In the lifetime of me using it, there have been outages of certain features within Azure. We use multi-factor authentication. There have been times when that authentication feature has gone down and people couldn't access things that required that when they log on. That has happened maybe twice in the last 15 or so years. So it's pretty good. The uptime is pretty good, but it's not 100%.
What do I think about the scalability of the solution?
The company I used to previously work for had 90,000 users that were synced. That was nothing. There was room for loads more. I think they have a limit of a million or something objects within Azure AD. That's something you can ask to have increased if that's a requirement. Scalability is pretty unlimited. There is no issue there at all.
In the company I used to work for there were 90,000 people connected to Azure AD. As soon as they logged on, they were using Azure AD. In the current company, it's nearer five or 6,000, but all of those accounts have access to Azure AD.
There are various roles including administrators who will have the ability to change any settings like sync settings and any settings on an individual user. Then we'll have a second line, which will be able to change some of the settings within a user's group and be able to reset their password or add them to different applications. There is a first-line service desk level set of users who will only have the ability to reset passwords, but if there's anything more complicated than that they'll pass it on. There are about three different levels of access that we currently have. There is level three and two access for not too difficult issues and then level one for password resets.
In the last place I worked, there were eight of us who took care of Azure AD which was for 90,000 people in Azure. There were people actively looking at the syncing engine, which does the sync between the two domains and there were four of us who managed that. We were called identity technical experts. So of a company of 90,000, we needed four of us, but that was only so that when people went on holiday, other people could still do the work.
It's extensively used in that everybody has an account in Azure AD. I'm guessing we don't use all the features that are available. We still have our own mailboxes on-premise rather than in Azure. I would think that would be something in the future that they would look to move some or all of our mailboxes into Azure. But we all have a presence in Azure, so we are using a lot of the features, but I believe there are still a lot more we could use.
How are customer service and technical support?
Their support was excellent for the deployment. They were really good. It depends a little bit on who you get at the other end and the nature of your question, but with the Azure AD stuff, we got through to experts who were able to give us the right answer straight away. They were very good at that point.
Which solution did I use previously and why did I switch?
We didn't use any other cloud solution. That was the first one that we used in the cloud. There's an on-premise Active Directory which is an additional Microsoft Active Directory. And the whole point of Azure AD is that it does connect to that. We haven't used any other directory service apart from those. The on-prem version of Active Directory I've used for 20 years. I haven't used any other active directory service. I'm sure there are others, but these are the main ones.
It's a level of responsibility, which is being passed over to Microsoft, that we no longer have to deal with. Certainly, the companies I've worked with were very happy for those bits of the technology being looked after by someone else. And so we were just in charge of the data that's in there rather than all the other, not-so-interesting things like backup and such.
It's moving the responsibility of the not very exciting bits over to Microsoft and their very good SLA. You can just concentrate on the bits that you're interested in.
How was the initial setup?
The initial setup was pretty straightforward. The only complex thing is syncing your on-premise active directory into Azure AD. It's not overly complicated and they also give you very good support. It's not very difficult to set up.
The deployment took a couple of months in the end because we just wanted to do it at a pace that we were comfortable with. We did some initial tests on users. We synced them into Azure AD, made sure they could access what we thought they could access, and make sure they could still do the same job that they could do before. Then we synced across another set of test users, then a bigger test, and then eventually synced everybody else. We did it over the course of a month. Technically you could do it in less than a week, but we just wanted to be cautious and make sure that it worked as we expected.
In terms of the implementation strategy, we have two different Azure Active Directory setups. We have one in our development area, so we did the development area one first. We sure we worked out how to do the syncing correctly, making sure we can see all the attributes that were on the on-prem AD that were then turning up in Azure AD. And then once we did a development one and that worked as we expected, we then did the production one. We did it in a step-by-step approach. We did a small set of test users, a larger set of test users, and then the entire company. It was a phased approach.
What about the implementation team?
We did the deployment ourselves. We spoke directly to Microsoft when we had a couple of queries because we had an enterprise agreement with them so we can raise a number of support tickets. There were a couple of questions we had about certain features, but the actual setup and deployment of it we did ourselves.
What was our ROI?
We've certainly seen returns on investment in terms of some of the security features around Azure. We've seen threats that have been detected much earlier. Previously, threat detection and that sort of thing was more of a response rather than doing anything preemptive. Something would happen and we'd then fix it. Whereas now in Azure AD, we've seen recommendations and those sort of things coming through from Microsoft saying, "You've got these accounts, these have all got weak passwords. We recommend getting these changed for end-users before they get hacked." We saw a marked decrease in the number of attacks and breaches against our credentials when we introduced multi-factor authentication for the entire company.
Had anybody, for whatever reason, passed on or shared their username or password, those could then be used to get into our services. Now with multi-factor authentication, we've seen a marked decrease in the number of threats we've seen come through. So there are some marked benefits of the security features.
SSPR, self-service password reset has also realized ROI for us. In the past, 60 to 70% of the calls coming into our help desk guys were for password resets. A large chunk, 50 to 60% of those are gone because people can just go to the URL we've shared with them and reset their password themselves without having to phone us, which means that our service desk guys can deal with real issues rather than just somebody to put on their password. So we saw a large decrease in password resets. We're still trying to get rid of even more of those, trying to make their job even easier, but we've seen a large reduction in the number of password request changes to our service desk.
What's my experience with pricing, setup cost, and licensing?
There are various levels of licenses. There are things called E3 and E5 licenses. E5 licenses come with more features but aren't required for some of the kinds of users who are just using email and Office. They only need an E3 license.
Pricing depends on the size of your organization and the deal you get with Microsoft. If you're a public sector, rather than a private sector, you get a good deal. Academic sectors get very good deals. The vast majority of our users use E5. But we're a Microsoft partner who resells their product so we get favorable rates because of that.
They have various pricing levels and the higher level you buy, the more features you get within Azure. The basic one is perfectly good for most customers. The more advanced and greater security features come with the higher pricing. And so customers who require that like military, banking, government or something are willing to pay that. The private sector generally pays more than the public sector. I know some colleagues who work in the academic sector get extremely good deals because Microsoft is very keen to have academic institutions on board. If you're working in academia or you work in the public sector, you will get a much better deal than you would in the private sector, but that's just business.
An E5 or E3 license is on a per-user basis. So the number of users you sync into Azure AD is the number of licenses you need to report that is going to be consumed by the end-users. It's a per-user per-year license.
The only other cost you get with Microsoft over and above the license cost of using Azure is the cost of using their operating system and software. So if you use Windows, then you can pay for your Windows licenses again through Azure. And if you use Office, meaning Excel, Word, and all that other stuff, you can pay an extra bit and they'll get a 365 license for the entire suite of offices.
If you're buying an E5 Office plus Windows, then you'll get a greater discount than if you were buying those separately. Microsoft will charge you for what you actually use. So if you've got a user who isn't using Office, or isn't using Windows for whatever reason, but they are consuming services within Azure, then you just give them an Azure license. Microsoft will split up and you buy a license based on what you actually use.
Which other solutions did I evaluate?
There are a couple of other options. There's obviously Amazon AWS and there's now Google GCP. I'm not sure either of those particular cloud providers had a particularly enterprise-level directory service. At the point when we migrated our users to Azure, I believe Azure was the only one that was an enterprise standard. Whilst the other ones have options, they weren't really suitable for the size of enterprise that we were running.
What other advice do I have?
My advice would be to talk to Microsoft or a partner of Microsoft who will deploy it for you. You can do it yourself, it is absolutely possible but seek advice. Because the more users you sync into Azure, the more you have to pay for their licenses and not everybody has to be using Azure. Sync only accounts you need to, but in all cases, I would seek advice from a Microsoft partner or Microsoft themselves. They'll be able to talk through what you actually need, what you require, and then the best way to implement that. Whether that's syncing your entire user base or whether that's syncing a small subset of them because they're the only ones that are going to consume the services required.
I have learned two main lessons from using Azure AD. First, the introduction of multi-factor authentication. It was such a marked difference in the number of security incidents we had. There was such a reduction. If you have Azure AD, switch on multi-factor authentication, not just for the admin accounts and the highly privileged accounts that can access all the bits, but switch it on for everybody. It is a pain initially, while people get themselves set up. But once it's done the number of incidents you have relating to people losing their credentials is markedly reduced. It's a massive win.
I would rate it a nine out of ten. There are some things they can improve on, but those improvements are pretty small beans compared to what they've done.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer.