From the course: Career Essentials in System Administration by Microsoft and LinkedIn

Azure AD and Directory Services

- [Instructor] Azure Active Directory is unlike on-premises Active Directory: its main job is to hold usernames, passwords, groups and devices for user access to the applications and resources in Azure and Microsoft 365. Azure Active Directory Domain Services is completely different. Its sole purpose is to mimic on-premises Active Directory as much as it can, so sysadmins can decide to replace on-premises Active Directory with this cloud version. Azure Hybrid is a combination of on-premises Active Directory and Azure Active Directory, but without Azure Active Directory Domain Services. This creates a one-way sync from on-premises to Azure AD, so users won't have to use different passwords while accessing on-premises resources and Microsoft 365 resources. As an example, a user won't have to enter a second username and password when opening Outlook after logging into their computer.

I'm in the Azure portal, and I'm going to click on Azure Active Directory. And here we see Users and Groups. When I click on Users, I can choose to create a new user just by clicking on the New user option. I'll still need to go into the admin center at admin.microsoft.com in order to license that user. However, just to create the user, I can create them here and set up all the settings, the groups and things like that. If I go back, I can click on Groups and create groups. You can see I already have some groups created, such as Accounting and Admin, and some were automatically created when a synchronization happened between on-premises Active Directory and Azure Active Directory. If I click on Accounting as an example, we can see by clicking on Members that we can add members in a similar way as we can on-premises. I'll click on Al, select, and now Al has been added. And here we can see Al's username, the user type (the Member user type), as well as email information. Now I'm going to go back to Home at the portal.azure.com site.
And I want to go into Azure Active Directory Domain Services. So I'll click on All services, or I can do a search, either way. And here's my option for Azure AD Domain Services. This is going to mimic the type of Active Directory that is seen on-premises. To create the Azure Active Directory Domain Services, you just need to click on it to start the wizard. You'll need to choose your subscription, your resource group, which just organizes resources into various groups, and then pick your DNS domain name. Now, it has to be a domain name that is already in Azure Active Directory; otherwise you won't be able to synchronize anything with Azure Active Directory. Once again, you want to make sure that you're in the correct region and have the type of SKU that you want, and then you can click Next. You'll need to create multiple different resources, such as a virtual network as well as a subnet. The subnet is a subset of your entire virtual network. Then you'll go through administration, synchronization, security settings, et cetera. Once this is all done, you'll be able to join computers to the Azure Active Directory Domain Services in exactly the same way that you can join them to an on-premises Active Directory domain. The only difference is that you'll need to make sure that you have a tunnel set up. This is a VPN tunnel between your firewall or Windows server and Azure Active Directory. Once that tunnel is set up, you can join your computers to this Azure Active Directory Domain Services domain. There is a licensing consideration for joining Azure AD DS, which means that every user is going to have to have a P1 or P2 license added, and that's going to be an additional cost per month, and they both have different types of services that are included with each one. You don't need to have Azure Active Directory Domain Services. You could just use the free Azure Active Directory alone and keep your on-premises Active Directory if you'd like.
When you use a hybrid configuration and synchronize using the Azure Active Directory Connect tool, you'll be able to use single sign-on to applications such as Microsoft Outlook, SharePoint, and others. Azure Active Directory Domain Services isn't for everyone. Larger organizations probably will not use it because of the additional monthly cost. However, smaller organizations may use it, because that way they won't have to have an on-premises Active Directory Domain Services server anymore. On-premises Active Directory and Azure Active Directory are both directory services that can work separately or together to service client, security, and authentication needs.
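The portal walkthrough above (new user, new group, add a member, then the Azure AD Domain Services wizard with its subscription, resource group, DNS domain name, region, SKU, virtual network and subnet) scripted in PowerShell, as an added example that is not part of the course and not Microsoft's own sample code. Everything named in it is assumed for illustration: the tenant domain contoso.onmicrosoft.com, a user called Al, a group called Accounting, a placeholder subscription id, the resource group, virtual network and subnet names, and the East US region. It also assumes the parameter names of New-AzADDomainService as documented for the Az.ADDomainServices module, which should be confirmed with Get-Help before running. Licensing, the VPN tunnel and joining computers are left out, as they are separate steps in the video too.

```powershell
# Added example, not part of the course: the portal clicks above as PowerShell.
# All names here are assumed for illustration: tenant domain contoso.onmicrosoft.com,
# user "Al", group "Accounting", the subscription id, resource/vnet/subnet names, region.

# ---- Part 1: Azure AD user and group (Microsoft Graph PowerShell SDK) ----
Install-Module Microsoft.Graph -Scope CurrentUser        # one-time
Connect-MgGraph -Scopes "User.ReadWrite.All", "Group.ReadWrite.All", "Domain.Read.All"

$tenantDomain = "contoso.onmicrosoft.com"                # assumed

# Random first password instead of a hard-coded one; the user must change it at first sign-in.
$chars = [char[]]((48..57) + (65..90) + (97..122))
$initialPassword = -join (Get-Random -InputObject $chars -Count 20)
$passwordProfile = @{
    Password                      = $initialPassword
    ForceChangePasswordNextSignIn = $true
}

# "New user" in the Users blade
$user = New-MgUser -DisplayName "Al Example" `
                   -UserPrincipalName "al@$tenantDomain" `
                   -MailNickname "al" `
                   -AccountEnabled `
                   -PasswordProfile $passwordProfile
# Licensing is a separate step, as the video says: the Microsoft 365 admin center, or Set-MgUserLicense.

# "New group" in the Groups blade: a security group, not mail-enabled (MailNickname is still required)
$group = New-MgGroup -DisplayName "Accounting" -MailEnabled:$false -MailNickname "accounting" -SecurityEnabled

# "Add members" on the Accounting group
New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id

# Verify: the same columns the Members blade shows (name, UPN, user type, email).
# Get-MgGroupMember returns generic directory objects, so look each one up as a user.
Get-MgGroupMember -GroupId $group.Id |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property DisplayName, UserPrincipalName, UserType, Mail } |
    Select-Object DisplayName, UserPrincipalName, UserType, Mail

# ---- Part 2: Azure AD Domain Services managed domain (Az PowerShell) ----
Install-Module Az -Scope CurrentUser                     # one-time; includes Az.ADDomainServices
Connect-AzAccount
Set-AzContext -Subscription "00000000-0000-0000-0000-000000000000"   # assumed subscription id (the wizard's first choice)

$location      = "eastus"                                # region, as in the wizard
$resourceGroup = "rg-aadds"                              # assumed
$vnetName      = "vnet-aadds"                            # assumed
$subnetName    = "snet-aadds"                            # assumed; keep this subnet dedicated to the managed domain
$managedDomain = $tenantDomain

# The DNS domain name must already exist in Azure AD, otherwise nothing will synchronize:
# check it up front instead of finding out after the deployment.
$domain = Get-MgDomain -DomainId $managedDomain -ErrorAction Stop
if (-not $domain.IsVerified) { throw "$managedDomain is not a verified domain in this tenant" }

Register-AzResourceProvider -ProviderNamespace Microsoft.AAD   # one-time per subscription
New-AzResourceGroup -Name $resourceGroup -Location $location

# Virtual network plus the subnet the managed domain controllers will live in
$subnet = New-AzVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix "10.0.0.0/24"
$vnet   = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroup -Location $location `
                               -AddressPrefix "10.0.0.0/16" -Subnet $subnet
$subnetId = ($vnet.Subnets | Where-Object Name -eq $subnetName).Id

# Region + subnet become a replica set; SKU and the security-settings page become parameters.
# Parameter names are assumed to follow the Az.ADDomainServices module;
# confirm with: Get-Help New-AzADDomainService -Full
$replicaSet = New-AzADDomainServiceReplicaSetObject -Location $location -SubnetId $subnetId
New-AzADDomainService -Name $managedDomain `
                      -ResourceGroupName $resourceGroup `
                      -DomainName $managedDomain `
                      -Sku Standard `
                      -ReplicaSet $replicaSet `
                      -DomainSecuritySettingNtlmV1 Disabled `
                      -DomainSecuritySettingTlsV1 Disabled
```

Run Part 1 under an account that can create users and groups in the tenant and Part 2 under one that can create resources in the subscription. Provisioning the managed domain takes a while after the last command returns, and the subnet should hold nothing but the managed domain; the two security-setting switches at the end correspond to the wizard's security settings page and turn off NTLMv1 and TLS 1.0, which an on-premises domain would be hardened against as well.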