A classic directory and much more
Active Directory is a directory, pure and simple, with deep roots in the original X.500-based Exchange Server directory store. Those moving from on-premises deployments to embrace the cloud, either in a pure or hybrid configuration, are often surprised by the expanded role that Entra ID (Azure Active Directory) plays in the Microsoft 365 ecosystem. This article discusses why Entra ID is more than a classic directory. Instead, it is the cornerstone of Microsoft 365.
Directory basics
First, it’s important to acknowledge that Entra ID performs all the roles that you’d expect from a directory service. Microsoft says that “Entra ID is a cloud-based identity and access management service.” In essence, Entra ID holds details of user accounts (Figure 1), groups, devices and applications. It responds to authentication requests and issues the necessary authority (OAuth2 tokens) to allow applications to access data. Entra ID has a backup authentication service to allow it to continue to service authentication requests if its primary service is unavailable for some reason.
Figure 1: Entra ID User management
All of this happens at massive scale. In July 2023, Microsoft said that Microsoft Entra ID has 610 million monthly active users. Roughly 400 million or two-thirds of Entra ID users come from Microsoft 365 tenants. In other words, a third of all Entra ID usage comes from non-Microsoft 365 sources like Workday and ServiceNow.
The thing about a cloud service is that its consumers shouldn’t need to know anything about its physical infrastructure. Microsoft runs datacenters around the world. Its Microsoft 365 datacenters host Entra ID, which uses a concept called the ‘Core Store’ to organize the storage of tenant data. The Core Store is composed of ‘scale units,’ each of which contains multiple tenants. Each tenant has a unique security token that’s used to access tenant data. Scale units are assigned to an Azure geo-location (like the U.S.). To ensure data resilience, data is replicated to physical datacenters in at least two Azure regions within the geo-location. See this video for more information about how the Core Store works.
To accommodate the needs of multinational organizations, Microsoft 365 supports multi-geo organizations comprised of a primary tenant and satellite tenants. Another recent innovation is the preview for multi-tenant organizations. This is a combination of Entra ID cross-tenant access policies and Microsoft 365 features to allow up to five tenants to combine into a virtual organization. It’s a way of identifying tenants to be more trustworthy than the norm. And when a tenant is more trustworthy, Microsoft 365 apps like Teams can permit a greater degree of access to users from those tenants.
The changing shape of authentication
Users and applications authenticate against the tenant instance without knowledge of servers, domains, forests or anything else. All that’s needed to authenticate is a user principal name (user account) or app registration. Over recent years, Microsoft has campaigned heavily to improve security and prevent compromise of Entra ID user accounts by removing basic authentication wherever possible and by enforcing multi-factor authentication (MFA) to stop password spray attacks. The preferred authentication methods have moved away from the traditional SMS-based challenge-response and include the Microsoft Authenticator app, Outlook mobile (which now includes ‘Authenticator Lite’ capabilities) and FIDO2 keys.
Because Microsoft is responsible for running the Entra ID service, it can nudge customers to change their working habits by gradually increasing the level of security necessary to connect. For example, Microsoft imposes Security Defaults on tenants, forces clients to use the strongest authentication method available and is currently running registration campaigns to convince users to upgrade their MFA method to the Authenticator app.
The platform difference
All Microsoft 365 tenants use a basic version of Entra ID as their directory. Two levels of premium features are available for tenants through add-on licenses or higher-level products like Microsoft 365 E5. For example, some Entra ID Premium features commonly used are:
- Conditional access policies: Exert control over inbound connections to make sure that the connections use the right level of authentication strength, come from the right location or use an approved device when attempting to access apps. It’s easy to make a mess of conditional access but these policies are an essential part of protecting many Microsoft 365 tenants.
- Group expiration policy: Uses signals gathered by the Microsoft Graph to detect when Microsoft 365 groups aren’t being used and can be deleted. Group owners and administrators have the chance to renew groups if necessary.
- Access reviews: Administrators can schedule reviews of group memberships at periodic intervals to ensure that the right people have access to information through groups.
- Privileged Identity Management: PIM is part of the Entra Identity Governance solution and allows organizations to exert tight control over permissioned roles to ensure that “privilege sprawl” doesn’t creep in by people retaining access to roles that they no longer need.
The point is that Entra ID isn’t just about basic directory management and authentication. A large amount of the value delivered by Entra ID comes from functionality that Microsoft has built on top of the platform. Sure, you must pay extra to gain access to the functionality, but in most cases it’s more economic and convenient to pay for Entra ID Premium licenses than attempting to build the same kind of features yourself. It’s possible to build code to expire obsolete groups or process access reviews with PowerShell and Graph API requests. You might even automate other aspects of directory management that Microsoft ignores, such as clearing out unused guest accounts. However, there’s always the trade-off between paying for licenses for off-the-shelf software and the ongoing cost for development and maintenance of bespoke code to consider.
License management
Speaking of paying for software, a big difference in the cloud is that Entra ID user accounts need licenses to access applications. Those licenses come with per-month costs, some of which can be hefty. License management is a huge area to focus on for any Microsoft 365 tenant. You don’t want to pay Microsoft any more than necessary to deliver service to active users.
Software vendors will be happy to provide license management software. However, this is an area that is reasonably easy to automate if you spend the time learning how Microsoft licensing works (a dark art) and how to retrieve and analyze license data from user accounts. Techniques like group-based licensing help organizations automate the assignment of licenses, and the Microsoft Graph PowerShell SDK includes all the cmdlets needed to keep a close eye on license assignments without buying any third-party software.
Reduce your AD attack surface.
Making the transition
Sometimes people who run Active Directory on-premises deployments wonder about their future when their organization moves to the cloud. Will they have work to do? Will their job continue? What will they end up doing?
My perspective is that if you’re in this situation, you’ll have no problems finding work to do. Figuring out the transition starts the ball rolling, followed by ongoing synchronization of information from Active Directory to Entra ID. This might be a one-way street, or perhaps Active Directory will remain the directory of record. Either way, there’s work to do to make sure that everything works smoothly and that users on both sides of the fence have equal access to the directory.
Once you make the transition, even more opportunity exists. The work for an Active Directory administrator often involves a lot of block-and-tackle (and extremely important) activities like server management. That goes away in the cloud to liberate time to explore the possibilities for the organization to exploit the Entra ID platform. This is goodness because administrators move from being support staff to leaders into areas like enhanced security to protect the tenant and confidential information (like using authentication context to mark sensitive SharePoint Online sites). As mentioned above, managing the cost of license use within a Microsoft 365 tenant is a good way to prove the advantages of having skilled administrative staff on hand. In short, you won’t lack work.
Entra ID is a platform
Equating Entra ID to a cloud-based version of Active Directory is just plain silly. Entra ID is much more of a platform than Active Directory ever was and ever can be. But that’s fine. The two products serve different purposes and different forms of computing. The important thing is to keep learning about the different aspects of Entra ID so that your organization can take advantage of new features and functionality as they appear. Based on the experience of the last few years, that work will be ongoing and constant. Good luck!