Microsoft MD-102 Exam – Azure Active Directory – Manage identity and compliance

Azure Active Directory – Manage identity and compliance

Microsoft provides each cloud-based services subscriber, such as Microsoft 365, an instance of Azure AD (a tenant). Organizations can choose to add additional subscriptions, such as Microsoft Azure, and use the same Azure AD tenant for authentication and authorization. Alternatively, organizations can implement a separate Azure AD tenant for each subscribed service or app.

When you subscribe to a cloud service, like Microsoft 365, you can select a specific edition of Azure AD. The free version of Azure AD provides capabilities useful to most organizations; however, paid Azure AD Premium editions are also available, adding capabilities more relevant to large organizations.

It’s important not to think of Azure AD as Active Directory in the cloud; instead, it’s an entirely different authentication and authorization solution designed to support the cloud environment, unlike AD DS. Azure AD has the following features:

  • Is flat, with no container hierarchy
  • Provides for less fine-grained administrative control
  • Uses role-based access control (RBAC)
  • Supports administration management with profiles and group assignments
  • Relies on Security Assertion Markup Language (SAML) and Open Authorization (OAuth)

When working with devices, you can add devices to Azure AD that are running a variety of operating systems, including

  • Android
  • iOS
  • Linux
  • macOS
  • Windows 10 and newer

FIGURE 2-2 The Microsoft Entra admin center displaying the Azure Active Directory | All devices folder.

Implement user authentication on Windows devices, including Windows Hello for Business, passwordless, and tokens

You can sign in to your Windows 11 computer by using a variety of user accounts, depending on the configuration of your computer. The following list describes these account types:

  • Microsoft account: A consumer Microsoft account, often with an Outlook.com or Hotmail.com suffix.
  • Microsoft 365 account: An Azure AD account, usually called a Work or School account. It typically has an organizational suffix, such as Contoso.com. When a user adds a Work or School account to their device and signs in using those account details, all services and apps accessed by the user automatically use the account to authenticate; this provides cloud-based SSO.

By default, all Azure AD accounts are configured with a default tenant domain suffix. This default suffix is created when you obtain your Microsoft 365 subscription and always ends with .onmicrosoft.com. When configuring your Azure AD tenant, you typically add a custom domain name, such as Contoso.com, that your organization owns. Users can then sign in using either the custom domain suffix or the default domain suffix, although users find it easier and more logical to use the custom domain suffix.

  • Domain account: An AD DS account. If a computer is AD DS domain-joined, a user can sign in at that computer using a domain account. When a user signs in using a domain account, all services and apps accessed by the user automatically use the account to authenticate; this provides AD DS forest-wide SSO.
  • Local account: A computer user account. Typically, Windows 11 computers have local user and group accounts. A user might sign in using a local account when the computer belongs to them rather than to the organization they work for. When users sign in using local accounts, they must configure the organizational account for each app or service they want to connect to. For example, they must add a Work or School account as part of a Microsoft Outlook profile to connect to Exchange Online.
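The four account types above can be told apart on a Windows 11 device from the PrincipalSource value that the local-accounts cmdlets report. The following PowerShell script is an added example, not part of the MD-102 text; it assumes the Microsoft.PowerShell.LocalAccounts module present on Windows 10 and newer, and uses contoso.com as a placeholder for the tenant's custom domain.

```powershell
# Added example: classify the members of a local group by the account types
# described above and flag admin rights held outside the organizational directory.
function Get-AccountTypeReport {
    param(
        [string]$GroupName = 'Administrators',
        # Assumption: the tenant's custom verified domain; .onmicrosoft.com is the default suffix.
        [string]$CustomDomain = 'contoso.com'
    )
    Get-LocalGroupMember -Group $GroupName | ForEach-Object {
        $m = $_
        # PrincipalSource maps directly onto the four sign-in account types.
        $type = switch ($m.PrincipalSource) {
            'MicrosoftAccount' { 'Microsoft account (consumer)' }
            'AzureAD'          { 'Microsoft 365 / Work or School account' }
            'ActiveDirectory'  { 'Domain account (AD DS)' }
            'Local'            { 'Local account' }
            default            { 'Unknown' }
        }
        # Azure AD principals appear as AzureAD\user@suffix; record whether the
        # sign-in name uses the default tenant suffix or the custom domain.
        $suffixNote = ''
        if ($m.PrincipalSource -eq 'AzureAD' -and $m.Name -match '@([^@]+)$') {
            $suffix = $Matches[1]
            $suffixNote = if ($suffix -like '*.onmicrosoft.com') { 'default tenant suffix' }
                          elseif ($suffix -eq $CustomDomain)   { 'custom domain suffix' }
                          else                                  { 'other suffix' }
        }
        # Consumer and local accounts are outside AD DS / Azure AD policy control,
        # so their presence in Administrators is worth reviewing.
        $risk = ''
        if ($GroupName -eq 'Administrators' -and $m.ObjectClass -eq 'User' -and
            ($m.PrincipalSource -in 'MicrosoftAccount', 'Local')) {
            $risk = 'admin rights held by an account outside the organizational directory'
        }
        [pscustomobject]@{
            Name        = $m.Name
            ObjectClass = $m.ObjectClass
            AccountType = $type
            SuffixNote  = $suffixNote
            Risk        = $risk
        }
    }
}

# Usage: report on the local Administrators group of the current device.
Get-AccountTypeReport -GroupName 'Administrators' -CustomDomain 'contoso.com' | Format-Table -AutoSize
```

Run it in an elevated session; Get-LocalGroupMember needs administrator rights to enumerate group membership on some configurations.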

Most users are probably familiar with signing in using a username and password. While that’s acceptable and fairly common, Microsoft has added support for different authentication methods in Windows 11. These methods are designed to improve the sign-in experience and help make it more secure.
