Active Directory – the login process that connects your computer and user accounts to the resources you use all day, every single working day.
For decades, Microsoft Active Directory has existed on Microsoft servers built for and hosted in physical company offices, known in technical jargon as on-premise. In very simple terms, Active Directory is a database of users, computers and other entities that controls access to network resources. In other words, when new users and computers are added to the network, they are added to Active Directory on the server; then, when a user logs in, Active Directory grants the resources that the user, the computer, or the combination of the two is permitted to use. It also allows users to log in to any machine that is connected to the server, because the machine is logging into Active Directory on the server rather than into a local account on the machine itself.
Fast forward to today, and many companies still have on-premise servers with on-premise Active Directory. The main deciding factors are whether applications are required on-premise that are either not built for cloud usage or too high-risk to be accessed online, or whether the company is structured such that it makes more sense to take the capex model and pay for hardware and licences upfront, rather than monthly via Office 365. However, if none of these apply, it no longer makes sense to use on-premise servers, both in terms of cost and in terms of maintenance and reliability. If this is the case, we can join machines to Azure Active Directory.
Wait. What is Azure Active Directory?
If you are a client of Carden IT Services, we will already be syncing your on-premise Active Directory with Azure Active Directory. This provides your Office 365 accounts and password synchronisation between your in-office and cloud accounts. In other words, changes are made on your servers, which then sync to Azure. This is known as ADSync. Azure Active Directory is therefore a cloud replication of your on-premise Active Directory, which also allows us to connect machines to the cloud for login purposes, as well as a bunch of other handy benefits.
Nobody will disagree that the evolution of technology has been incredible over the last 10 years. Our lives can live in our pocket, and our data can live in the cloud. And this is not set to slow down. With internet connections becoming faster, it becomes more feasible to run everything online, and as Azure Active Directory functionality increases, more machines will be connected directly to Azure Active Directory rather than to on-premise servers.
Wave goodbye to local accounts, please!
Traditionally, as noted above, machines would log in to on-premise servers. For businesses without servers, and before Office 365, companies tended to create local user accounts on individual machines. This is far from secure: a simple engineer's USB stick can reset a local account in minutes if a machine is lost or stolen, and access can then be gained to the whole system. Also, with a local account, data by habit tends to be saved on the local device, increasing the risk of data theft, or of data loss if a drive fails. We do not recommend creating local accounts on devices if you are an Office 365 user. Join that machine to Azure!
The functionality of Azure Active Directory
Azure Active Directory allows us to connect your machine directly to Office 365, meaning machines will log in to Office 365 on the “ctrl alt delete” screen, rather than logging into the local system or a server. This means a machine is more difficult to break into if it is lost or stolen, or if an employee is holding a device at home when an event such as dismissal occurs. Even if someone has logged in with an old cached credential after an administrator has changed the Office 365 password, corporate data can still be wiped remotely from the machine via the Office 365 admin portal. This requires the addition of Microsoft Intune, however.
One disadvantage of Azure Active Directory on its own, compared with on-premise Active Directory, is the omission of Group Policy. Group Policy is the feature of on-premise servers that is responsible for the policies applied to machines, for example mapped network drives, printer deployments and more. This is solved by using Microsoft Intune on top of Azure Active Directory, and you can find our post on the benefits of Intune here.
Single sign on
Single sign on is, as the name suggests, the use of a single set of credentials to sign in to many services. Of course, Office 365 itself is a single sign on to all of the applications within it, Outlook, SharePoint, Teams and so on, but you will also find that providers of other applications use the Office 365 platform to allow the same credentials to be used in their application as you use in 365. This is carried out perfectly securely.
Another added benefit of logging into Office 365 during the machine login is that you are authenticating at the first opportunity. From that point you are authenticated with all the Microsoft services, as well as with any external applications that support single sign on.
Moving to Azure Active Directory
Sadly, there is no clear automated way of migrating machines from on-premise Active Directory to Azure Active Directory. Even though your machines already exist in Azure due to ADSync, each machine has to be disconnected from the on-premise domain and then joined to Azure. This process creates new Windows profiles on each machine, which will need to be configured; most of that configuration can be automated if Intune is in place.
As a process, we will always connect single machines to Azure as phase one, followed by phase two with larger batches of machines, to ensure the project is delivered successfully with minimal disruption to the business we are managing.
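The pre-migration check below is an added example, not Carden IT's own tooling or a Microsoft script. It audits one Windows machine before it is disconnected from the on-premise domain: it parses the output of the built-in `dsregcmd /status` tool to report whether the device is domain joined, Azure AD joined, or both (the hybrid state produced by ADSync), and it lists the enabled local accounts that the section above recommends retiring once the machine signs in to Office 365. It assumes Windows 10 or 11 with the `Microsoft.PowerShell.LocalAccounts` module and an elevated session; the function names are the example's own.

```powershell
# Added example (not the post's or Microsoft's code): audit a machine's join state and
# local accounts before moving it from on-premise Active Directory to Azure Active Directory.
# Assumes Windows 10/11, the built-in dsregcmd.exe, and the LocalAccounts module.

function Get-DeviceJoinState {
    # dsregcmd /status prints "Key : Value" lines; keep only the ones that describe join state.
    $raw = & dsregcmd.exe /status
    $state = @{}
    foreach ($line in $raw) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DomainName|TenantName)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        DomainJoined  = ($state['DomainJoined'] -eq 'YES')
        DomainName    = $state['DomainName']
        AzureAdJoined = ($state['AzureAdJoined'] -eq 'YES')
        TenantName    = $state['TenantName']
    }
}

function Get-EnabledLocalAccounts {
    # Enabled local accounts are the ones to disable once the machine signs in via Azure AD.
    # Local members of the Administrators group are flagged, as they carry the most risk.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
              Where-Object { $_.PrincipalSource -eq 'Local' } |
              ForEach-Object { $_.Name }
    Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            IsLocalAdmin    = ($admins -contains "$env:COMPUTERNAME\$($_.Name)")
            LastLogon       = $_.LastLogon
            PasswordLastSet = $_.PasswordLastSet
        }
    }
}

# Usage: run in an elevated PowerShell session on the machine being migrated.
$join = Get-DeviceJoinState
$join | Format-List

if ($join.DomainJoined -and $join.AzureAdJoined) {
    Write-Host "Hybrid state: joined to domain '$($join.DomainName)' and registered in tenant '$($join.TenantName)' via sync."
    Write-Host "The machine still needs to leave the domain and be joined to Azure AD directly."
} elseif ($join.DomainJoined) {
    Write-Host "Joined to on-premise domain '$($join.DomainName)' only; remove it from the domain before joining Azure AD."
} elseif ($join.AzureAdJoined) {
    Write-Host "Already Azure AD joined to tenant '$($join.TenantName)'."
} else {
    Write-Host "Not joined to any domain or tenant; this machine relies on local accounts."
}

Write-Host "`nEnabled local accounts (disable these once the Azure AD sign-in is working):"
Get-EnabledLocalAccounts | Format-Table -AutoSize
```

The script only reports; the domain leave and the Azure AD join themselves are done separately (for example via Settings, Accounts, Access work or school, or an Intune provisioning package), which keeps the audit safe to run on a machine that is still in use during phase one.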
If you would like to hear more about this service, do not hesitate to get in touch.