Microsoft Entra ID Reviews

We have integrated our internal applications and cloud applications with Azure AD. We also have a few external applications for which we need to implement a self-service portal and handle requests such as password reset.

We have external applications such as Cloudspace, and we have integrated Azure AD with Cloudspace. We mainly use a single sign-on. Our main target is to go through all single sign-on applications and integrate them with Azure AD. We also need to audit everything in Office 365. Our mail system is Office 365, and we also do some auditing.

We are also implementing Intune. We have deployed some basic policies for mobile devices, and we are working on improving those policies. We need to configure conditional access and improve policies for the applications and devices. We are doing some testing, and it is in progress.

In terms of deployment, we have a hybrid deployment of Azure AD. We have the 2019 version of AD on-prem.

We are able to do complete onboarding through AD. The users have access through the AD login, which is synced with Azure AD. We have a hybrid environment, and every cloud application is accessed through AD. We have defined AD policies related to password expiration, limitations, etc. It has provided smoother accessibility.

Previously, when we had on-premise AD, to reset their own passwords, users had to use a VPN or bring their laptop to the office. With self-service, users can easily change their passwords. This reduces the workload for IT support. If their password gets locked, they can unlock it themself by using Azure AD. Previously, it was also difficult to integrate with external applications, but with Azure AD, integration with external applications is easier. 

Azure AD makes it easier to see and monitor everything in terms of access. We can see sign-in logs or audit logs, and we can also integrate devices by using Intune. So, we can manage BYOD devices inside the organization.

We are using Conditional Access, MFA, and AIP. We have integrated it with Intune, and we already have DLPs.

Application integration is easy. MFA and password self-service have reduced most of the supportive work of IT. We use multi-factor authentication. Every access from a user is through multi-factor authentication. There is no legacy authentication. We have blocked legacy authentication methods. For people who use the MDM on mobile, we push our application through Intune. In a hybrid environment, users can work from anywhere. With Intune, we can push policies and secure the data. 

The audit logs are very good for seeing everything.

We started using it at the end of last year.

It is stable. I haven't faced any issues. There could be some issues related to syncing because of on-prem, but overall, it is quite stable.

I don't have much experience with scalability. I only use tier one or Premium P1, and I want to move to Premium P2 that has more security levels and more advantages.

In my previous companies, there were a thousand users. In my current company, we have less than 500 users. It is working fine, and there are no issues.

We plan to expand our usage. If it is possible, we plan to upgrade our subscription to Premium P2. We have introduced it to one or two companies who were looking for such a solution. We have already introduced the Azure AD hybrid platform for companies that had only an on-prem setup.

Sometimes, there are issues, but they are usually because of user mistakes. We are able to fix such issues. We are able to find the issue and do troubleshooting. We are able to find information about what is wrong and how to fix it. 

Their support is okay. They are able to resolve the issue, but sometimes, there is a delay because the ticket goes to the wrong person or the wrong time zone. I would rate them an eight or a nine out of 10.

We have only been using Microsoft solutions.

It is easy to deploy and not complex, but it also depends on your requirements. We have tenants and subscriptions, and we connect AD to Azure AD through Azure AD Connect, and they are periodically synced.

The connectivity took a day or two. It doesn't take long. Sometimes, there could be issues with on-prem because of not having a standardized setup or because of parameter duplication, but after we resolve the issues, it doesn't take long. For its setup, only one person is generally required.

It was implemented by me, and I also had one guy's support. 

Our infrastructure team takes care of the maintenance part. They are taking care of monitoring. If there is an alert or something happens, they take care of it. It doesn't require much maintenance. One person can manage it.

We have been able to achieve our target and requirements for security. After the move to Azure AD, the security level is high. The users have to change passwords and do MFA a few times if something goes wrong, and if they can't, the device is going to block them. Sometimes, users are not happy, but at the organizational level, it is good. It is costly, but the improvement is good in terms of performance and security.

It is a packaged license. We have a Premium P1 subscription of Office 365, and it came with that.

Two or three years ago, we were looking at some open-source solutions.

I would rate Azure Active Directory a nine out of 10.

The solution allows us to assign and give the access and controls. It allows us to monitor privileges with the users so that we can then be in control of the access given to digital resources.

The best example of how it has helped our organization is when we migrated toward Azure. We were able to take all the users which were there on-prem and migrated them over. If those facilities were not there in Azure Active Directory, then we would likely have to create individual users and one by one give them specific access. We'd have to look at their needs and set authentication. It would be hard to control users that needed higher admin-level access. Without the Active Directory, we would not have the control we needed. 

Azure AD has features that have helped improve our security posture. That's one of the basic fundamentals of having an Active Directory. The whole concept of Azure Active Directory came from the Active Directory on-prem version. There’s this tunnel of authentication that it has.

When you migrate, you can migrate your Active Directory on-prem onto the Azure Active Directory which has tightly integrated features due to the fact that they both are from Microsoft. Based on that, you can give access based on what privileges are needed. Basically, if you're talking about security, everything is related to role-based access. The security aspect is linked to providing the proper access.

My understanding is, in the future, they will be able to bring everything into one single platform and they are not there yet. We are loving third-party authentication, however, those authentications will be further scrutinized by AD itself.

For example, if you want to book a flight, you go to any website to book. Booking the flight can be divided into two parts. One is creating a log-in with a particular website and then booking. However, if there are five to ten websites and you want to compare prices on all of them. You aren’t going to set up a log-in for each and every site. That's not feasible.

Instead, you can use your own login credentials, for example, from your Hotmail or Google account. Then, you have a token authenticated by Google, et cetera, which gives you the privilege to do the booking for a particular session. This is similar to what Azure AD should do in the future for authentication and allowing access.

I've been using the solution for at least four to five years. 

The stability is good. It's always there. If it is down then that's it. Anyone can log in. Anyone can do anything, whatever they want to do. That's why it's considered the backbone of the security pillar. There has never been any downtime, however.

Azure AD is scalable. You don't need to take care of it as it's a part of the service which is taken care of by Azure itself based on how our company grows. Basically, it's a hidden feature, and scaling it for the end-user is always happening. It's always scaling.

We have about 3,000 users on Azure AD currently.

I've been working as an architect and therefore have never directly dealt with technical support. 

I work on different platforms. For example, I work on AWS and GCP (Google Cloud Platform), et cetera. Azure AD is very good and very powerful and offers a basic foundation having the highest status or dominance in terms of providing access management. It's tightly getting integrated with the on-premise solutions. That’s true irrespective of what cloud you're using - whether GCP, AWS, Oracle, or IBM - whatever the cloud provider, you're using the services you will be using a laptop or dashboard.

We are now working remotely. However, having remote access doesn't mean that you are not entering the company premises virtually. Basically, everything is going through your company's network. You're just going through to a cloud. You can move across platforms to validate. You can still use the AWS site to authenticate and verify the users. No matter the cloud, you’re still using Azure AD to get access.

I wouldn't say the initial setup is complex. If you have a good understanding of the product, you can break down your tasks. Then, slowly, step by step you can complete all the tasks.

Our operations team did the migration from on-prem AD to Azure AD. Therefore, I cannot speak to the exact length of time it took. My work was to design the architect and provide them with the solution. 

I have clients who have seen an ROI.

I'm not a Microsoft partner. I work as a consultant.

I'm predominantly using the SaaS deployment version. 

My advice to potential users is on the security side. There was a famous article on Gartner which clearly stated that by the end of about 2023 or 2024 if someone tries to access your network or if anything becomes accessible or has been exposed, it is not the cloud provider that is the problem. It is due to a misconfiguration of the services.

It's not really with the user. It's really with how and what kind of access you provide to that user. For example, if I give someone an admin status, and they provide access to someone, they are providing not only basic access, they’re giving access privilege or admin rights. If they’re giving admin rights to the wrong person, even though they may have the best intentions, due to a lack of knowledge, that person may do something stupid and it may be a disaster to the company. That has nothing to do with the AD users themselves. You need to be aware of the security and the access that you're granting your users at all times.

I'd rate the solution at a nine out of ten.

We are using it for all non-structured data and as an identity manager for all of our accounts. In addition, we use it also to authenticate Google services, because we have Google Workspace for email, and to integrate other tools with our services. We are able to keep it all going, balanced, and synchronized. It's very good. We use it for just about everything that we need to do an identity check on.

We couldn't live without the Active Directory services. It has helped to improve our security posture. We have a lot of users and hardware to manage and we can do that with Active Directory.

The most valuable feature is the ability to deploy and make changes to every workstation that I need to. We use it to control policy and I can apply the right policies to all our 1,500 workstations, notebooks, et cetera.

I have been using the Active Directory solution for three years. I'm responsible for almost all infrastructure services in our organization.

It's pretty stable. In the three years, the service has never been down.

As far as I know, it works for 10,000 and 100,000. It's just difficult to find current information, such as how much hardware and how many licenses we would need to keep it going. But it's scalable and works really well. We can keep adding servers and scale up or out.

We don't have another company that provides support for Active Directory. On my team, there are three people who work with it, and we have about 2,000 users in our company.

To be honest, I can barely navigate Microsoft's support. Microsoft is so well-known and there is so much information to look up on the internet, that we have never come to the point where we have actually had to open an issue with Microsoft's team. We can almost always find out the information that we need by looking it up with Google or in Microsoft's Knowledge Base.

We used to use LDAP, a free tool, but since almost all of our hardware needed integration, we had to move to Active Directory. We couldn't apply the policies that we needed, using open source, and we couldn't keep the integration going the way we needed to.

We are really happy with how the functionality Azure Active Directory gives us. I have a security policy applied to all workstations. Before, all of our users could configure their machines the way they wanted to. As a result, we often had to reconfigure and do other things to them as well because the computers were crashing. We almost don't have to do that anymore.

The trick was to immigrate from LDAP. We had to get all the properties from the files into Active Directory, so it took some time. When we did that, there were some issues with the system and we had to do it manually. It would be nice if they had a service that would make it easier to migrate from LDAP to Active Directory, keeping all of the properties from files and non-structured data as well.

It gives a good return on investment. The amount of first-level support we have had to give internally has dropped a lot since we applied the policies and restricted our users. But our users are now more satisfied because their computers don't have the issues that they had before. Before Active Directory, there were many issues that our users complained about, like worms and malware. We don't have those issues anymore. Even with endpoint protection we had some cases of viruses in our company, but now we don't have them either.

Directly, I couldn't calculate the return on investment, but indirectly we saved by reducing work for our team, and we are keeping our users satisfied.

The process for buying licenses from Microsoft is somewhat messy and really hard to do. We have to talk to someone because it's hard to find out how many licenses we need. If I'm applying for 2,000 users, how many Windows licenses do we need?

They could also charge less for support. You buy the license, but if you want to keep it in good standing, you have to pay for the support, and it is expensive. It's okay to pay for the license itself, but to pay so much for support...

We were thinking about buying another tool, to be capable of managing and keeping all the identities within our organization current. But we had to go straight to Microsoft because there are no other solutions that I know of. By now, almost all organizations are using Windows 10 or 11, and it would be hard to achieve the possibilities that we have with Active Directory if we used another service.

We are integrated with NetApp because we use NetApp storage. It's pretty awesome. We are also integrated with many others, such as our data center hardware with storage from IBM. We're using it for logging switches, as well. It works really well.

My advice to others would be to look at the options and focus on how you can pay less. Do the research so that you buy just the essential licenses to keep it going. If you don't do the sizing well, you can buy more, but it's expensive to keep it going and pay for support.

We use the Azure portal to create users, assign rights, build policies, etc. I'm not an administrator for that part of our system but that is basically what we use Azure AD for.

Conditional access has helped us to better provide more security for our users and MFA has helped us to provide more security for users who are working from home. They use their own personal devices.

Azure AD has helped us to provide security for applications that I didn't have access to.

This product has improved our overall security posture. Everybody is working from home using a VPN. We recently migrated everybody to MFA, which is required to connect using the VPN. People are now more aware of their passwords and overall, gives them better security.

Using the Self Service Password Reset functionality has helped to improve our end-user experience because they no longer have to deal with the service desk to do so. It also helps the service desk because it relieves them of the need to help users when it comes to password changes, allowing them to focus on other things.

We use all of the services that are offered by Azure AD. We use Azure AD Connect, SSPR, app registration, application proxy, and more. We use everything for different services that include conditional access, authentication methods, etc.

Conditional Access is a helpful feature because it allows us to provide better security for our users.

I would like to see improvements made when it comes to viewing audit logs, sign-in logs, and resource tags.

We have been using Azure Active Directory for approximately six years.

In my opinion, the on-premises deployment is still king with respect to stability.

We are able to control what's happening there, unlike the cloud instances when the service is down. If Azure AD is down then it will affect the ability of our users to log in.

Both Azure AD and the on-premises Active Directory solutions are scalable.

We have approximately 30,000 objects hosted in Azure AD. Usage will be increased as need be, as we have more users and we have more objects to add.

I would rate Microsoft support and eight out of ten.

Support provides access to good resources and good backend tools that we can use to resolve issues.

We migrated to Azure Active Directory from Windows Active Directory.

In my previous organization, I was involved in the implementation and it was very straightforward. It was straightforward in the sense that we didn't encounter any major issues because we were already using Windows Active Directory. The only issue we had was that we had to move people in batches, and not at the same time.

Our deployment took approximately one month.

As part of the implementation strategy, we first moved our Exchange to Office 365. This was the initial migration of users from on-premises to Azure AD. The primary phase was to start using Office 365 for our email instead of Exchange.

We migrated from our on-premises Exchange solution to Azure AD with our in-house team. There are some of us in the infrastructure team, plus my manager.

In terms of our overall Azure experience, I can see that this solution yields a return on our investment. However, it is difficult to quantify.

The cost is billed on a per-user licensing basis.

We did not evaluate any other options.

I think that overall, using Azure AD is very straightforward.

My advice for anybody who is considering Azure AD is to look at the products, understand the role of AD, and see how it works in their environment. Then, before they roll out, test it well.

The biggest lesson that I have learned from using this product is that it helps with better organization and allocation of rights and security.

I would rate this solution a ten out of ten.

We provide single sign-on, app syncing, and API seamless access to more than 2,000 users with the syncs into Azure. We provide access to email, SharePoint Online, Skype, and other services on the cloud to half of those users. We have services in the cloud, such as app registration and documents for SharePoint Online.

The single sign-on is the most valuable aspect of the solution. It allows for storing passwords in secure vaults. For developers, we use a vault for SSH. Mainly, we have replication from all services on-prem to the cloud.

With a single sign-on, in the case something happens on-premises, users can still use a single sign-on to a PC to access the cloud.

We can deploy policies, which improves our security posture. It's mainly very similar to on-premises, however, some new features can be used on the cloud as well, such as labs and password rotation. Some features have improved, which has been great.

The solution improves the way our organization functions. I can deploy a policy that will search for unused accounts, for example, and delete or just move them to a different organization unit that handles unused accounts. We can change unsecured passwords. We can detect intrusion and inform a security group on how to disable that account immediately. We can also perform security checks on services.

We can easily migrate services and improve the quality and improvement of bandwidth of the service. It's easy to scale.

There are some searches, such as a global search, which have powerful query capabilities if you configure it in a certain way.

It's easy to use. The portal experience provides a dashboard of what's happening. With the dashboard, you can see what's happening with the service faster. Of course, I’m talking about the cloud. On-prem you don't have that dashboard.

Active Directory has affected our end-user experience. It has improved it as we have centralized management now and we have centralized administration, and things can be automated easily. You can have most tasks automated. It's good.

The security needs to be improved. For example, in terms of changing from one version to the latest, meaning going from 2008 to 2012, or 2016 to 2019, you need to get rid of all the operating systems and they need to ensure the security is upgraded and improved.

They need to bring BitLocker into the VMs and the servers.

LAPS could also be improved. LAPS are used to rotate passwords on a server. That can be improved upon to increase security levels.

Protocols SSL 2.0 and SSL 3.0 need to be removed and they should change my TLS 1.2 for every application.

I've been using Azure for about 13 years. However, I've used Active Directory for 25 years. It's been a long time.

We have found some servers do not have enough CPU or memory which meant there was not enough stability. I scaled up the service to ESX, to a virtual host, and I installed multiple DCs, virtualized. As the solution has physical machines, CPU and memory were not enough. However, the scaling provided much more stability.

The scalability is good now, and I find it to be more stable and faster since scaling up to ESX.

We tend to increase usage every month. We have five countries with multiple forests. Currently, we have 200 users or so on the solution.

The technical support is not so bad, however, it's lacking in faster response times sometimes.

We did not previously use a different product.

The initial setup was complex. It has several forests connected to multiple domains in several countries, and it's going through multiple data centers. Typically, we have a solution for the VPN. It's different in every country sometimes. On top of that, centralized services are not so easy to manage in different forests.

The initial deployment was set initially for six months, and then we’ve been doing improvements for the last six months as well. It’s been a year in total.

Our initial implementation strategy was to sync a forest with multiple domains.

We have ten to 15 people who are capable to handle maintenance on the product. These include a cloud architect to Active Directory architect engineers, help desk engineers to deploy and manage solutions, and engineers to manage the servers.

We did not use an integrator, reseller, or consultant for the deployment. We handled it in-house. That is my understanding.

We have seen a bit of an ROI.

The solution is not the cheapest in the market. It could be improved and possibly lowered slightly.

We moved right into Active Directory, however, as a cloud architect, I am familiar with other solutions. I advised the client to go right to Active Directory based on my past experience. Due to the complexity of services they offered, I knew integration would be easy.

We are a Microsoft partner.

We use several versions of the product, including 2016 and 2019. For one customer, they're running 2008, which is the old version, and I just upgraded them to 2012. The domain controller is 2012 R2 and has the latest patches.

I'd advise new users to do an original design with an architect, and think about scaling up while considering services you will be adding in the future. It's important to plan the security tightly and do a neat design and consider services such as BitLocker and other resources that will be needed.

I'd rate the solution at an eight out of ten.

We're using Azure AD as a centralized identity management tool, to keep all identities in one place. For example, if we have an application that needs authentication, we use Azure AD. It is not only for user authentication and authorization.

We also use Azure AD as a synchronization tool from on-premises instances to the cloud, and we are using Azure ID Join to join machines directly to the cloud. We use it for access policies, as well as the registration of services.

With MFA, if there has been a password leak and someone tries to access the system, Azure AD will send a notification to the real user's cell phone and ask, "Are you trying to login? Please approve or decline this login." If the user declines the login, he can send a report to IT and the IT guys can automatically block the account, change the password, and review everything else. That helps us prevent unauthorized access to the system, and that's just through the use of MFA.

Through access policies, if my account was stolen and the guy got his hands on the MFA information for some reason, if the real user is in one country and the thief is in another country, the account will be blocked by our geolocation policy, even when the password is right and the MFA has been approved. We can lock it down using geolocation.

If we're talking about applications, one of the most valuable features is the administration of enterprise applications. It helps us to keep them working. We don't always need to authenticate a user to make an application work, but we do need some kind of authorization. We use service principal names for that. Managed identities for applications are very useful because we can control, using roles, what each resource can do. We can use a single identity and specify what an application can do with different resources. For example, we can use the same managed identity to say, "Hey, you can read this storage account." We can control access, across resources, using a single managed identity.

When it comes to users who have a single account, the most valuable feature is the authorization across applications. In addition, access policies help us to keep things safe. If we have a suspicious login or sign-on, we can block the account and keep the environment safe. It's also important, regarding users, to have a centralized place to put everything.

The user functionality enables us to provide different levels of access, across many applications, for each user. We can customize the access level and set a security level in connection with that access. For instance, we can require MFA. That is a feature that helps enhance our security posture a lot. And through access policies we can say, "If you just logged in here in Brazil, and you try to log in from Europe five or 10 minutes later, your login will be blocked."

One thing that bothers me about Azure AD is that I can't specify login hours. I have to use an on-premises instance of Active Directory if I want to specify the hours during which a user can log in. For example, if I want to restrict login to only be possible during working hours, to prevent overtime payments or to prevent lawsuits, I can't do this using only Azure AD.

I have been using Azure AD for the last five or six years. I have been using the on-premises solution, Active Directory, since 2005 or 2006.

We have never faced an outage situation with Azure AD. The stability is great, very reliable.

The scalability is okay for us. While there are limitations on the number of users, it's a very huge limitation. We have not hit that limitation so far. No matter how many users or groups or SPNs (service principal names) we have, it works fast. The response takes two to three seconds if we use the API.

Currently, we have more than 5,000 users. We are at 100 percent adoption. All our users from on-premises are synced to the cloud and they are fully using the features available.

The technical support is not going in the right direction. Sometimes the first-level support agents don't have the proper knowledge. Some of them take a lot of time to discover simple things because of that lack of knowledge. Sometimes a guy takes three or four days to give up and to ask for help from a higher level of support. The technical support can be improved in that area.

Neutral

Before Azure AD, we either used Active Directory for on-premises or a Linux solution, but it was almost a miracle finding Linux solutions for identities. In our location, the majority of enterprises and companies are using Active Directory. The free Linux solution is basic. You can choose a user, a password, and a level of access, but it does not go as deep as Active Directory.

The initial setup of Azure AD is very straightforward. There is even a wizard for it, making it very simple. The wizard guided us and pointed us to articles in the Microsoft Knowledge Base, in case we had any doubts about what was going on. It was a matter of "next, next, and finish."

Deployment took less than 60 minutes. It was very fast.

There are almost always issues when it comes to synching on-premises instances because they almost never follow best practices. When migrating to the cloud, there is a tool that Microsoft provides to run in your environment that tells you, "Hey, you need to fix this and this about these users, before you initiate the migration." It's complicated because on-premises solutions are like that. But if you want to have identities in Azure AD, you must have a proper set of User Principal Names, because these will be the anchor for the synchronization. If my on-premises instance has a bad UPN, it will not be able to properly sync to the cloud. But once we finished fixing the irregularities in the on-premises accounts, the migration was easy. We just installed the synchronization server and it did the job.

We have seen ROI using Azure Active Directory in the fact that we don't need to have four or five local servers. We can have just one local server and the heavy jobs can be run over the cloud. There is some money saved on that.

The pricing for companies and businesses is okay, it's fair. 

But if you are trying to teach someone about Azure AD, there is no licensing option for that. There is a trial for one month to learn about it, but there is a need for some kind of individual licensing. For instance, I personally have an Azure tenant with Azure AD and I use this tenant to study things. It's a place where I can make a mess. But sometimes I want to do things that are blocked behind the licensing. If I were to buy that license it would be very expensive for me as an individual. It would be nice to have a "learning" license, one that is cheaper for a single person.

Plan what you want. Think about whether you want native authentication and authorization in Azure AD. And if you want to have servers on-prem, you have to plan the kind of synchronization you want. Do you want passwords synced to the cloud or not? Instead of going headlong into using Azure AD and running into issues, the kind that require a change in access which could be problematic, plan before doing the deployment.

We are a small consultant company, and we help customers to build hybrid environments. We synchronize on-premises AD to Azure AD and help our customers decide which one they want to use.

In our own company, we use Office 365, so we use Activity Directory directly for authentication and authorization.

The most valuable feature is Conditional Access. As there are more and more people working from home, security is a challenge for a lot of companies. To build a general trust solution, we need Conditional Access to make sure the right people use the right device and access the right content.

In our company, we use Conditional Access with Trend to make sure that our employees can use the device from the company. We can make sure that there is higher security. We can also use Trend to set up a group policy and to set up Windows Defender as well.

Microsoft Azure AD is easy to install and is a stable solution.

There is no documentation about how Microsoft will scale Azure AD for customers. It only mentions that it will scale out if you have a lot of requests but does not mention how in detail.

More documentation on some complete scenarios, such as best practices to integrate forests into Azure AD when a customer has several on-premises forests, would be helpful.

I've been using it for four years.

In my experience, it has been working fine.

Scalability is a pain point. There is no documentation about how Microsoft will scale Azure AD for customers. We do, however, plan to increase usage.

We used on-premises Active Directory before using Azure Active Directory.

The initial setup is pretty simple. Microsoft Azure AD can be deployed in one or two minutes.

If you have an Office 365 subscription, Microsoft will build Azure AD for you.

Microsoft Azure AD has P1 or P2 licensing options, and it depends on the customer's needs. To use Conditional Access, you need to have the P1 license, and to use the PIN features, you need the P2 license. We use the P1 license as we use Conditional Access.

It will be a very good solution if your company is already using on-premises Windows Active Directory. Microsoft has provided a useful tool called Azure AD Connect. So, you can easily sync your on-premises Active Directory to Azure Active Directory, and you can easily implement the SSO.

Overall, we are satisfied with the solution and the features provided, and on a scale from one to ten, I would rate this solution at nine.

We have users, groups, and applications, and the purpose of this product is authentication, authorization, and attestation. We use it for the services connected to those three "A"s. The use cases in all organizations are more or less the same, even if some side services differ. Azure AD is used for authentication and authorization. It's about managing identities and granting access to applications.

It has features that have definitely helped to improve our security posture. The identity and access management, at the end of the day, are about security. It also offers features like multi-factor authentication, Privileged Identity Management, and access review and attestation, and all of these are connected to security and typically help improve security posture.

Many of its features are valuable, including: 

• facilitating application authentication 
• privileged access management 
• processes for attestation
• access reviews.

The multi-factor authentication, similar to when you use your mobile banking application when you want to do a transaction, doesn't rely only on your username and password. It triggers a second factor, like an SMS to your mobile. It requires another factor for authentication. This is one of the standard services Microsoft offers with Azure AD Directory.

Privileged identity management is also a standard feature of Azure AD for privileged accounts. We make sure we do privileged role activation when it's needed so that we do not have sensitive roles active every day.

A lot of aspects can be improved and Microsoft is constantly improving it. If I compare Azure AD today with what it was like five years ago, or even three years ago, a lot of areas have been improved, and from different angles. There have been improvements that offer more security and there have been some improvements in the efficiency domain. Azure AD is not a small product. It's not, say, Acrobat Reader, where I could say, "Okay, if these two features are added, it will be a perfect product." Azure is a vast platform.

But if we look at multi-factor authentication, can it be improved? Yes. Perhaps it could cope with the newest authentication protocols or offer new methods for second or third factors.

I'm also willing to go towards passwordless authentication. I don't want anyone to have passwords. I want them to authenticate using other methods, like maybe biometrics via your fingerprint or your face or a gesture. These things, together with the smart card you have, could mean no more passwords. The trends are moving in that direction.

When it comes to identity governance, the governance features in Azure AD are very focused on Microsoft products. I would like to see those governance and life cycle management features offered for non-Microsoft products connected to Azure AD. Currently, those aspects are not covered. Microsoft has started to introduce Identity Governance tools in Azure AD, and I know they are improving on them. For me, this is one of the interesting areas to explore further—and I'm looking to see what more Microsoft offers. Once they improve these areas, organizations will start to utilize Microsoft more because, in that domain, Microsoft is a bit behind. Right now, we need third-party tools to complete the circle.

In addition, sometimes meeting the principle of least privilege is not easy because the roles are not very granular. That means that if you are an administrator you need to do small things connected to resetting passwords and updating certain attributes. Sometimes I have to grant access for the purposes of user management, but it includes more access than they need. Role granularity is something that can be improved, and they are improving it.

Again, if I compare Azure AD today to what it was like three years ago, there have been a lot of improvements in all these domains. But we could also pick any of these specific feature domains in Azure AD and have in-depth discussions about what could be improved, and how.

We have been using Azure Active Directory for more than five years.`

Azure AD is very scalable. The only concern is around role-based access control limitations at the subscription level. That is something Microsoft is improving on. Currently, per subscription, you can have a maximum 2,000 role assignments. Sometimes big organizations hit the limit and need to implement workarounds to resolve that limitation. But that is something Microsoft has already confirmed it is improving. That is a limitation of the Azure platform, it's not specific to my organization. A smaller organization may never hit the limit, but bigger organizations do.

Apart from that, their application integrations, the service, MFA, and everything else, are quite scalable. It is moving in the right direction.

Setting up Azure AD, is about moving toward the cloud journey. I cannot say setting up Azure AD is easy, but on the other hand, organizations are not moving to the cloud in one go. It's not all or nothing, that you have it or you don't have it. It depends on which services you are receiving from Azure AD. Some organizations, like ours, start with a limited number of services.

You usually start with syncing your identities to the cloud so that you can offer your employees certain cloud services. You want to enable them to use certain SaaS applications, where they are relying on a cloud identity, and that's why you need to have your accounts in the cloud. Without that, you cannot grant them access.

Later, you may offer the ability for business partners to use and benefit from certain cloud applications, and gradually the use cases increase. For example, someone may become a privileged user to take responsibility for an application and manage it. When that happens you start to think about what other features in the Azure platform you can offer to do administration in a more secure way. Or, once you have thousands of users benefiting from cloud applications, how can you make sure that you protect their assets and their data? That leads you to start implementing other security features, such as multi-factor authentication. Over time, you may have users benefiting from Office 365 and they need to collaborate by using Teams and SharePoint. Again, you start to build something else around that.

Whether large or small, organizations are on a journey, where they start from on-premises with servers and all these server rooms and applications in the organization. They then shift workloads to the cloud. That process is still ongoing in my organization and in many organizations. Ten years ago, workloads were all on-premises. Five years ago, maybe 90 percent were on-premises. Today it might be 50 percent cloud and 50 percent on-premises. There is value from the cloud: elasticity and flexibility, even for big organizations. A server on-premises is a different story compared to having it on the cloud. If I need to upgrade a server on the cloud, it takes five minutes. If it's on-premises, I need to order hardware and then change the hardware. The usage of Azure Active Directory is due to the evolution of the cloud.

The bottom line is that the implementation is gradual. It's not difficult or easy, although we started with things that were easy to adopt, and then we continued the journey.

The staff required for maintenance of Azure AD depends on how you organize your support. Some organizations outsource their end-user support to other companies, while other organizations staff that completely internally. It can also depend on the users. Is your organization a global organization or a small, local organization? For us, to make sure we maintain the support and availability and all the services we need, including change management, we need at least 15 to 20 resources for a global application with more than 20,000 users, to maintain the platform.

We worked with a lot of consultants for Azure AD. There are many features and no one expert or professional can help with all aspects. Organizations, during their journeys, have to work with different partners and integrators. It may be that there is a specific application you need to integrate with Azure AD and you need some skills there. It may be that you want to better manage Azure resources, so you would talk to a different type of resource. You may want to increase your identity security scores, depending on how you configure Azure AD, and for that, you would need to talk to an Azure security expert. I think this applies to all big enterprises. We need different skills to better utilize Azure, including Azure AD, and to do processes in a more secure way.

We have Microsoft Professional Services. That's the primary source for many organizations that are utilizing Microsoft services. If you have an enterprise agreement or a unified agreement with Microsoft, they offer you consulting services. Of course, you have to pay for Professional Services, but we get value there. The number-one consulting and integration support provider is Microsoft.

They also work with certified partners like Accenture or Avanade. These organizations are connected with Microsoft and they offer consultancy services to enterprises like ours. Depending on the subject, we may use services from any of these providers. We usually go with Microsoft-certified partners.

Multi-factor authentication means you need to do an extra step, but that is normal because the attack surface is wider. We want to make sure you are who you say you are. That extra step impacts the end-user experience, but it's needed. The way authentication happens today is far different from 10 years ago. It may result in some added difficulty, but it is there to protect employees, organizations, customers, business partners, IT assets, data, et cetera.