EMS (Enterprise Mobility Suite) by Microsoft – Episode 19
EMS Part 1 of 3 Part Series – Azure Active Directory Premium
In episode 19 Frank and Alfred take a deep dive into Azure Active Directory Premium, one of the three components of the Microsoft Enterprise Mobility Suite. In the next two episodes The Device Pros will cover the other two components of EMS, Azure RMS and Microsoft Intune.
EMS includes Azure Active Directory Premium which enables:
- Self-service password reset for your people, to reduce helpdesk calls
- Multi-factor authentication options for greater security
- Group-based provisioning and single sign on for over 2000 SaaS apps
- Machine learning-driven security reports for visibility and threat management
- Robust sync capabilities across cloud and on-premises directories
What is Azure Active Directory?
Azure Active Directory is a service that provides identity and access management capabilities in the cloud. In much the same way that Active Directory is a service made available to customers through the Windows Server operating system for on-premises identity management, Azure Active Directory (Azure AD) is a service that is made available through Azure for cloud-based identity management.
Because it is your organization’s cloud directory, you decide who your users are, what information to keep in the cloud, who can use the information or manage it, and what applications or services are allowed to access that information.
When you use Azure AD, it is Microsoft’s responsibility to keep Active Directory running in the cloud with high scale, high availability, and integrated disaster recovery, while fully respecting your requirements for the privacy and security of your organization’s information.
Integration with your on-premises Active Directory
Azure AD can be used as a standalone cloud directory for your organization, but you can also integrate your existing on-premises Active Directory with Azure AD. Some of the features of integration include directory sync and single sign-on, which further extend the reach of your existing on-premises identities into the cloud for an improved admin and end user experience.
Integration with your applications
Application developers can integrate their applications with Azure AD to provide single sign-on functionality for their users. This enables enterprise applications to be hosted in the cloud and to easily authenticate users with corporate credentials. It also enables software as a service (SaaS) providers to make authentication easier for users in Azure AD organizations when authenticating to their services. Developers can also use the Graph API to query directory data for managing entities such as users or groups.
While we work at Microsoft, this podcast is independent of Microsoft and it implies no warranty or guarantee of the products or services. We will not be sharing anything confidential and we do not represent the opinion of Microsoft in any way. We are just two passionate guys that love what we do, implementing Microsoft devices and services.
Welcome to the Device Pros Podcast. I’m Frank Pinto and my co-host is Alfred Ojukwu. This show is all about our experiences as consultants implementing solutions around the world. If you’re already an IT pro, or you’re trying to get started, you’ve come to the right place. We’ll discuss tech success and failures in the show, resources, tips, tricks and everything in between. You can find us at www.TheDevicePros.com, on Twitter @thedevicepros and Facebook as The Device Professionals. Hold onto your services, the episode is about to begin.
Frank: Welcome back to another amazing episode of The Device Pros episode number 19. I’m joined by my co-host, Alfred Ojukwu. Hey Alfred.
Alfred: Hey, what’s going on? Nice to hear from you.
Frank: Definitely excited to have you back in. Last time we had you in, we talked about the Enterprise Mobility Suite and so this week, we’re going to start a new series where we do a deep dive into three components of Enterprise Mobility Suite. So what are we going to talk about, which are the three awesome pieces of EMS we’re going to talk about today?
Alfred: Well, see, I’m really excited we’re going to talk about this portion because this is sort of dating me in years in terms of what I’ve worked on in the past, we’re going to talk about Azure Active Directory Premium and show you what the differences are between the Azure Active Directory Premium and some of the other solutions we’ve had in the past and how those two work together and sync together to take advantage of the features you typically would get in a standalone infrastructure.
Frank: Alright so what I hope to accomplish in this podcast is to provide the top five reasons why you would use Azure AD Premium. What do you think, can we do it?
Alfred: I think we can do it.
Frank: Can we do more than five?
Alfred: We can probably do close to 10.
Frank: Oh man, talk about over-deliverer. Okay. Okay so first of all, I know there are three different flavors of Azure Active Directory so let’s go over it. So the first one is free, right?
Alfred: Yeah, Azure Active Directory Free, it’s the free edition of Azure AD and basically, you can manage user accounts and synchronize on-premises directories, you can get single sign on if you’re looking for some kind of single sign on process or Office 365 and just a number of different SaaS applications. All of that is available through the Active Directory Free version of Azure Active Directory.
Frank: Well that sounds like a lot for free, that’s pretty cool.
Alfred: Yeah I mean, knowing you can manage your accounts, you have to kind of assess what you’re looking for and that free version gives you that basic ability to do what you want in terms of synchronizing those applications, those SaaS applications that you have.
Frank: Okay, alright. And then we have Active Directory Basic.
Alfred: Active Directory Basic, it also provides the application access and self-service identity piece. So a little bit more than what you had with the free when you get that version but when you get the basic version of Azure AD, you also get some of the capabilities of free as well as group based access management so things like self-service password resets for your cloud applications, customizable environments for enterprise and to consumer cloud applications as well as just some level of SLAs for your applications. So you’re guaranteeing some level of up time at 99.9.
Frank: Wow, okay, 99.9, that’s pretty up there. So this is—if I look at it from, say, a medium to large size that would be business, I’d be looking at Active Directory Basic because that’s when we start to provide an SLA.
Alfred: Exactly, that’s when you want to start and that’s when those SLAs really matter because you need that up time, you need to guarantee your consumers that the service you provide will continue to remain up if there are any issues.
Frank: And then finally, the piece that is integrated in the Enterprise Mobility Suite offering from Microsoft is Active Directory Premium.
Alfred: Yeah, Premium is the top account and basically, you get all the capabilities of Free and Basic, all that they have to offer. You also just get additional feature rich enterprise identity management capabilities and some of that, we’ll talk about as we go through this. All this—you can take advantage of that, things like integration with Identity Manager, we already mentioned multi-factor authentication, you get advanced options to security report and alerting so you can find out what’s going on in your infrastructure. And as we mentioned—
Frank: So is that BI, is that business intelligence that we’re starting to get into?
Alfred: Absolutely. That’s information that you can now leverage and provide to your team so they know what the status is of your environment.
Frank: Okay. Alright. So maybe let’s start walking through some of the features of Premium and we’ll kind of just go through a little discussion about what each one does, what do you think?
Alfred: Yeah, no, totally. Do you want to start off with the company branding?
Frank: Yeah well that’s a pretty basic one but that’s nice. You certainly—if you’re a medium to large sized business, you want what your end users are seeing to be branded as your business. So we’ve got the ability with Premium to brand the portal with your company stamp.
Alfred: Yeah and you get just that sort of look and feel that it’s sort of your own localized version. I think that’s a great feature to have in your own Active Directory Premium Account. And then there’s group-based application access, right, so this is basically using groups to provision users and assign users access in bulk. So over thousands of applications and you can basically say I want these set of users to have access to that application in the cloud. And it can either be created solely in the cloud or you can leverage your existing groups in Active Directory that have been synced through your on-premises AD environment.
Frank: Okay so that’s an important bit to realize is that—or to mention that we can synchronize or already leverage the investment that the company has made in their inside Active Directory. So it’s not like they’re starting from scratch or managing two environments.
Alfred: Absolutely. Right, it really gives them the chance to continue on the work they’ve done with their environment and build it out on the cloud itself.
Frank: Alright so far we’ve counted down two of the top, we’re going ten, two top ten reasons. Alright, next on the list, I know we wanted to talk about the self-service password reset, what do you know about that?
Alfred: So again, self-service password reset, again, another really cool thing. Imagine sometimes how difficult it is to have accounts where the users don’t have the ability to reset their accounts. What Azure AD Premium gives you is the ability to allow that user to make that request and with the AD Premium, you can just basically reduce your help desk calls when a user forgets their password by giving the users access to their directory and allowing them to be able to reset the password. This is very important when you’re dealing with Office 365 account resets.
Frank: Alright so you can use something like the multi-factor authentication piece, right, so the user goes in, they say hey, I’ve forgotten my password and then they have the option to get a temporary password code, one-time password to do the reset sent to their cell phone.
Alfred: Yep, exactly. And again, imagine just reducing that ops cost, right? Operations just basically gets reduced because a lot of times, that’s what you see is a lot of calls regarding the password resets and if you talk to anybody that’s on the help desk team during a migration process or during a transition process, that’s one of the bigger challenges they run up against.
Frank: Not to mention user frustration because then they have to call up and make a request, you submit a ticket and this is instant, if they forget it and they lock themselves out, they can do the reset right there.
Alfred: Yep, exactly.
Alfred: So another one that comes to mind is the self-service group management which basically like I mentioned is only available in AD Premium and Basic, it’s not available in Free but what it does is—
Frank: I like this feature, this is pretty handy.
Alfred: Yeah, yeah, it does, it allows you to take advantage of what we call delegated group management, right? So take the example of an admin or resource who’s managing access to an application and they want to be able to control who has access to that application or which groups have access to that application. By delegating those rights, you can say basically you’re going to manage these applications and determine who has access and what they can do to it. And you as an overall administrator no longer have to worry about managing all the applications.
Frank: Alright so let’s put it into context, let’s say that I’m a sales manager and I have a sales application, maybe Salesforce or Microsoft Dynamics CRM and I’m in charge of that, my business owns that application and I get a new salesperson, I want to make sure that person has access to our app that’s in the cloud.
Frank: So I have the ability as the sales manager to add that individual in but would I have access to the rest of the administration panel, do I need like the Active Directory MMC snap-in on my computer?
Alfred: No, no, exactly. The delegation happens where you as the overall admin can delegate it to application admins and then they would only have access to delegate who needs rights access to that specific application. So it’s giving you as the overall administrator the right to delegate who can control what access to the applications.
Frank: Okay. Alright.
Alfred: But we also want to mention just a self-service group management piece as well, that’s also part of this and it’s also made available through the Azure AD access panel.
Frank: Okay, okay. So I don’t need the AD MMC snap-in for my end user when, you know, if I’m the sales manager, I just go to the Office 365 portal and I can do my management from there.
Frank: And of course, it follows the idea that we only show the users what they have access to do. So in other words, they wouldn’t have access to update all of Active Directory, they would only see the groups that they have access to manage.
Alfred: Yep. So a question for you, so what if I can create and manage groups in the Azure AD using Windows PowerShell? And one of the questions that came up was what future group management functionality will they have in terms of accessing Azure AD Premium? And basically some of the AD Premium offers delegate the group admins and self-service group managements is done to the point where you can also enable people who cannot use Windows PowerShell to do what they need to do.
Frank: Okay, wow. So if I—I mean that wouldn’t be probably for an end user, your average end user but if I’m an admin, I’m an IT admin, I can use the PowerShell command list and manage things from PowerShell directly to the cloud?
Alfred: Exactly, yes.
Frank: Wow, that’s pretty nice.
Frank: Alright. What about security, reporting, alerts, do we have any of that kind of stuff?
Alfred: That exists as well, right? We know that’s part of the overall solution that’s provided so the monitoring, it basically monitors and protects access to the cloud applications. And you can view detailed logs showing more advanced issues or anything that may be inconsistent or just patterns of access and be able to report on that and provide that to the business and say here’s what we’re seeing, we’re seeing this user that’s continuously trying to reset random passwords. But anything like that, you’re able to kind of provide that report and use that as a way to trend out you manage your AD Premium account.
Frank: Alright the other thing I think is really kind of exciting, there’s a new—it’s not really new but I guess it’s new to mainstream, is using something called machine learning. So our advanced reports in the cloud actually use machine learning technologies to help gain a deeper insight of what’s going on. I think that’s pretty awesome.
Alfred: Yeah every time I hear the term machine learning, I think about 1984.
Alfred: 1984, you know, the book and just the idea that machines are going to be sort of taking over how things are done. But yes, Terminator as well.
Frank: I’ll be back.
Alfred: I’ll be back. You don’t sound like him.
Frank: Yeah, I don’t. I really don’t. I guess that’s okay.
Alfred: Yeah. Hasta la vista, baby.
Frank: Alright so what about multi-factor authentication? I touched on that earlier, I know that included within Premium, you get multi-factor authentication but what does that mean, what does that look like?
Alfred: So the idea on multi-factor authentication is now you can use your Azure AD Premium account to allow users access to multiple applications like online services like Office 365 and Dynamics CRM Online and just a number of different non-MS cloud applications just by using a single—by using more than one method. So they might log in with their account and have requests sent to their phone to ensure that they have access to that application. And users will be prompted to set up additional verifications next time they sign in like, you know, a phone verification or text verification. All those are options that you can take advantage of in the multi-factor authentication scenario.
Frank: Okay well that makes really good sense if you have—I guess I’ve been kind of thinking about that, you know, a lot of our businesses that do have multi-factor authentication that requires like a physical connection that they would use a smart card or maybe need to pay for an additional service like some token.
Alfred: Yep. But something to keep in mind, smart cards and tokens, those are things that are coming. Right now, what we see more of are the automated phone calls, the text messages, one-time pass codes, notifications, all of those are a part of the—the last two are built into the multi-factor authentication apps where you get those notifications or that one-time pass code, you probably see that now with some of your phones when you put in a request, it sends a text to your phone, it’ll ask you to actually put in that verification code. That ensures your identity and prevents anyone from trying to hack in because they’re not validating that information that you provided up front.
Frank: That second factor.
Frank: Okay. Alright. What else? We’ve talked about—let me see here, let me just go through our show notes to see.
Alfred: There’s a lot of stuff built into it, I mean, we didn’t talk about the identity management. We kind of did but it comes with the option to grant users the Forefront Identity Manager rights in their on-premises network to support any combination of hybrid ID solutions. So basically it’s a great option if you have a variation of on-premises directories and databases that you want to sync up with AD and there really is no limit on the number of identity management servers you can use. However, are granted based on the allocation of your premium user license.
Frank: Alright. So we have, at this point, talked about seven different benefits, right? So we’ve got three more benefits we need to give our listeners so that they get the top 10.
Alfred: Yeah, yeah.
Frank: What do we have left?
Alfred: I can give one really quick and one of them that I think is a real benefit is the SLAs, right, the 99.9, again, we mentioned you don’t get the SLAs in some of the other levels but at least with the Azure AD Premium and I believe the Basic, you get an SLA of 99% up to 99.9%, I have to be—it’s three nines, right, it’s always three nines. And that availability ensures your business continues to run as expected and there’s no delay in service.
Frank: Okay, that’s a good one, three nines. One thing that I would like to add, another reason is that because this is a cloud-based offering, Microsoft is able to release updates to the service and add features to the service pretty rapidly. There’s a lot of things that Microsoft has announced publicly on the roadmaps that are coming out, you know, additional things that are coming out and one of those things that I really like is the application proxy. So Azure AD application proxy is on its way, bi-directional sync, password write-back, I mean, there’s some really cool things that they’ve announced and those features are possibly in public preview right now. Well actually, I know a couple of them are in public preview and then they’ll be added to the regular features then.
So that’s pretty cool, right? It’s really difficult to make updates to your on-prem Active Directory solutions because that’s on-prem and we have a different way of dealing with on-prem servers and managing them. And we have, as far as service-level windows or service windows where we can make updates and in the cloud, we don’t really have to do that. It’s a whole different way of being able to add features rapidly and I love that they’re really sharing that information.
Alfred: Well even more importantly, I think if you’re an admin or a business decision maker out there and you’re thinking about how to move forward in this new world of mobile first, cloud first, you definitely should consider Azure AD Premium because what that does is that allows you to extend your infrastructure into the cloud and take advantage of the same features you had on-prem without the limitations of being stuck within a certain domain, right? You can now access that information from home securely, right? You can now do transactions but be much more agile in getting things done securely and the keyword being securely, that’s one thing that we, within the Enterprise Mobility Suite, we continue to emphasize is the important piece of this is that we are providing those services to the end user and the consumer and the businesses and the enterprise through a secure channel. Everything is SSL, everything is encrypted and ensures that you can have that data transferred from one directory synchronized to another without having to worry about it being compromised as you’ve seen on the news in the last few days, weeks, months.
Frank: Okay, alright. So we’re at nine and I think number 10 might be—it’s a little cheeky, to take one of my UK words. By the way, I’m in Seattle now so woohoo—I forgot, we didn’t even talk about that at all, we didn’t get to that.
Alfred: I was gonna bring that up but I was like, nah.
Frank: Yeah once we get to number 10. So it’s a little bit cheeky but it is a directory as a service, right? So we’re really moving, we’re making that step in the right direction. We’re not saying throw away your investment which you’ve already made in Active Directory, we’re integrating with the cloud solutions and it’s your first step towards having a directory as a service and I think that’s an important thing to point out, call out, because you said it earlier, mobile first, cloud first. We need to be in the cloud, we need to have the presence and the services in the cloud to provide the end users. So this gives us that step by utilizing directory as a service.
Alfred: Well you know what’s true? You know what’s true about what you just said? It was a really cheesy response.
Frank: Do you have a number 10?
Alfred: I do, I do. Just to make up for that cheesy—
Frank: So we’ll call that a 99.5.
Alfred: That’s what it is, it’s a directory, I mean, Active Directory on-prem, Active Directory on cloud activity, yes, equals cheesy. But I still like that idea but I’ll throw one more out there, one of the main benefits of Premium Edition is that you basically get to take advantage of the no limit. This is not the music but the no object limits, no app limits in terms of what gets managed in your Azure AD—
Frank: Oh come on, get out of here, there’s no limits?
Alfred: No limits, no object limits—
Frank: Are you sure?
Alfred: So basically if you’re thinking of managing your cloud directory so your accounts are synchronized, you don’t have a limit. In the Free edition you have up to 5,000 objects that can be replicated. Same thing with the basic edition in terms of directories of service, the objects are synchronized. In addition to that, all the accounts—
Frank: Oh come on, there isn’t more. We’re actually going to give 11?
Alfred: Yeah no, that was 11, we’re going on 12 now.
Frank: So we’re doing 11 of the top 10 reasons? Nice, nice.
Alfred: Well you said or more so we’re going to add or more to that.
Frank: Alright, alright. Well let’s do this, or more.
Alfred: Central administration accounts can control access to your applications. So basically no app limit. And I think I mentioned it already but I’m gonna use the cheesy line, add that on top of it, you have central administration to your accounts. So those are some of the additional but I think it’s a great solution and I think a lot of businesses out there should be considering how do I get my infrastructure to take advantage of the cloud first Azure AD Premium solution? And one way you can do that is through the Enterprise Mobility Suite offering.
Frank: Okay, alright. Well good, man, that was some good information and I’m looking forward to hearing from our users, our listeners and adopters if you’ve already adopted Azure Active Directory Premium to hear some feedback and what you guys think and how it’s working out. That is, I guess, component one of three in the Enterprise Mobility Suite so we’re gonna cover the other two components in the next two episodes, so number 20 and 21. Go ahead.
Alfred: I was gonna add, there’s a lot more to it so again, when you’re looking through it, check it out through Microsoft’s site, a lot of information on Azure AD Premium. Understand the differences between Premium, Basic and Free. They have different levels of interest and basically if you buy it separately from the licensed bundle, you don’t get to take advantage of the other features that we’ll talk about in future podcasts.
Frank: Okay, cool. So I started talking about the fact that I am now in Seattle—well we say Seattle because that’s the major city that’s near here but Microsoft headquarters is located in a city outside of Seattle called Redmond. So I am here, I’m in my office right now doing my podcast, which is really nice, no dog in the background, trying to do my podcast recording from my studio at home which is wherever I can carve a corner out of the house quietly.
Alfred: And everyone talks with an American accent.
Frank: Yes, everyone does have an American accent. Well actually, you know what’s funny? There’s a guy who sits in an office cattycorner from me, he’s British.
Alfred: Makes you feel at home for a little bit, huh?
Frank: It does, yeah. We’ve shared a couple of cups of tea or a cuppa, as they call it out there so yeah, it’s good stuff.
Alfred: Well congratulations on the move.
Frank: Thank you.
Alfred: Congratulations on the new environment, I think you’re gonna be a great addition to the Seattleites out there.
Frank: I appreciate it very much. I love music and Seattle is known for its music and innovation in music so I’ve already been here a couple of weeks but we’ve already been out there enjoying some of the music scene. Right on. Well I guess that wraps up another amazing episode of The Device Pros.
Frank: Woohoo. Episode 19. I don’t know why I’m so excited to hit episode 20 but it just feels like a milestone.
Alfred: It is a milestone. I mean, that means we’ve put out 20 really good episodes and that also means that we have a number of great episodes coming. The more we do, the more we understand the value that we, as a devices team, can bring to you as a consumer.
Frank: Yep, that sounds good. Alright well we’ll wrap it up, I’m gonna ask like I always do, please reach out to us, continue to give us the feedback that you guys have been providing to help us guide the podcasts, what it is that you want to hear about or how to use things that you already know about, where to leverage things. I think Alfred and I have been talking about putting out some podcasts that are business decision maker focused, BDM focused because I know we have a pretty—our audience is almost 100% IT folks and as IT changes, we do a lot more interfacing with the business side of the house and in corporations so I think we want to start integrating some of that BDM discussion so it’s easier for IT to go and have that discussion with their business and not talk about features but understand what the pain points of the businesses are and how we can help address that by providing IT as a service.
Frank: Alright so keep reaching out, we’re on Twitter, we’re on Facebook, you can come to the website, we have SpeakPipe that is now on the website so you can actually leave us a voicemail right from your computer. We have a voice number which is for voicemail if you leave us a voicemail, I may actually even play it on the show and we’ll answer your question. We are The Device Pros, go look for us everywhere better podcasts are found.
Alfred: Yep. And so what are we covering next week? We’re covering mobile devices or are we going to the other side of the fence and talking about identity?
Frank: You know what, I’m not even going to say, I think people need to tune in to find out what exciting topic, one of the last two, we’re going to talk about. Let’s leave them hanging.
Alfred: There we go.
Frank: Alright everybody, thank you for another great episode, Alfred, and we will talk to you again next time around.
Alfred: See you around.