
Consider Security as a Priority in the Transition from Traditional Active Directory to Azure AD


Many organizations are beginning to question the use of Microsoft Active Directory as their network authentication, identity, and connection foundation. With the rise of cloud-based network management, firms are considering Azure AD and cloud applications to replace traditional Active Directory functions.

While Azure AD has benefits, it is important to weigh them against the licensing costs and to understand the basics. One advantage is that a Windows 11 workstation can join the service immediately and take advantage of its authentication process. With an Azure AD P1 license, Conditional Access can further protect and manage the deployment. Microsoft Intune can be used in place of Group Policy to manage devices and security patches.

Windows LAPS and Intune can be used to manage a local administrator password, and the ability to manage and store the password in Azure AD is in preview at this time. Although this is useful, one should not simply replicate on-premises practices in the cloud, because the types of attacks and weaknesses differ between the two systems.

When joining a Windows 11 workstation to Azure AD, the user is taken through the Microsoft account sign-in process and, if multifactor authentication is mandated, is prompted for it. Azure AD then checks whether enrollment in mobile device management is required. The user can check whether the device is connected under Settings > Accounts.

Many attacks on Azure AD deployments begin with password spraying against Microsoft online accounts, so multifactor authentication should be part of the deployment. Conditional Access, which allows setting boundaries and alerts for unusual activity, can better protect networks from threats and attacks. Password processes and policies should also be reviewed during the move to Azure AD.
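As an added example (not from the original article), the following sketch shows how password spraying stands out in sign-in data: one source address failing with bad passwords against many different accounts in a short window. The records are constructed; the field names follow the Microsoft Graph signIn resource, and the thresholds and the `find_password_spray` helper are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records using field names from the Microsoft Graph signIn
# resource. Error code 50126 = invalid username or password; 0 = success.
def _rec(ts, upn, ip, code):
    return {"createdDateTime": ts, "userPrincipalName": upn,
            "ipAddress": ip, "status": {"errorCode": code}}

SAMPLE = (
    [_rec(f"2023-05-01T09:00:{i:02d}Z", f"user{i}@contoso.example", "203.0.113.7", 50126)
     for i in range(12)]
    + [_rec("2023-05-01T09:00:30Z", "user5@contoso.example", "203.0.113.7", 0)]
    # One user mistyping a password repeatedly is not a spray.
    + [_rec(f"2023-05-01T09:01:{i:02d}Z", "alice@contoso.example", "198.51.100.4", 50126)
       for i in range(12)]
)

def find_password_spray(records, min_users=10, window=timedelta(minutes=30)):
    """Return findings for source IPs whose bad-password failures hit at least
    min_users distinct accounts inside one sliding time window (assumed thresholds)."""
    failures, successes = defaultdict(list), defaultdict(set)
    for r in records:
        ts = datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        upn = r["userPrincipalName"].lower()
        if r["status"]["errorCode"] == 50126:
            failures[r["ipAddress"]].append((ts, upn))
        elif r["status"]["errorCode"] == 0:
            successes[r["ipAddress"]].add(upn)
    findings = []
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # shrink the window from the left
            if len({u for _, u in events[start:end + 1]}) >= min_users:
                all_users = {u for _, u in events}
                findings.append({"ip": ip, "targeted": len(all_users),
                                 # Targeted accounts that also signed in
                                 # successfully from this IP: review first.
                                 "possibly_compromised": sorted(all_users & successes[ip])})
                break
    return findings

if __name__ == "__main__":
    for finding in find_password_spray(SAMPLE):
        print(finding)
```

Counting distinct accounts per source, rather than raw failures, is what separates a spray from a single user locked in a retry loop.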

Azure AD can be utilized even if fully migrated to Azure. With a hybrid deployment, tools such as Azure AD Password Protection are available with Azure AD P1 or P2 licensing. With this feature, a password policy can be set for Azure AD to mimic what is already in place in on-premises Active Directory.

Azure AD Password Protection has the following prerequisites: the Azure AD Password Protection Proxy installed on one or, ideally, more servers in the environment; an Azure subscription with a Log Analytics workspace; domain controllers using DFS-R for SYSVOL replication; the Azure AD Password Protection agent installed on all domain controllers; domain controllers onboarded via Azure Arc (or forwarding specific event logs to Azure via another method); and the Azure AD Password Protection Proxy servers onboarded via Azure Arc (or forwarding specific event logs to Azure). A workbook can then be built to synchronize password policies so that Azure AD has the same structure as the on-premises Active Directory policies.

Even if fully entrenched in on-premise Active Directory, keeping an eye out for new options and techniques to protect and expand networks is always beneficial. Azure Active Directory is another tool in the arsenal of identity and protection for organizations to consider.
