Microsoft licensing, especially Azure Active Directory licensing, can be confusing for some businesses. As Microsoft continues to add various license options to establish themselves across industry verticals (e.g., F1 for first-line workers, GCC for governments, etc.), trying to figure out which licensing fits your specific business IT makeup is tricky.
A core component of the modern IT infrastructure and security is identity management. You need to control which users have access to which resources across your cloud and on-site ecosystem. Also, you don’t want unprivileged accounts accessing privileged data and apps. It’s bad for business, and it’s certainly going to introduce you to compliance risk factors.
Most businesses that utilize Microsoft at some level within their IT ecosystem should be using Azure Active Directory to help manage identity services. In fact, you may already be using Azure AD — it’s bundled with Microsoft 365 and Azure subscriptions.
Microsoft has four Azure Active Directory editions that businesses can choose from. Today, we’re going to compare these services and talk about the value of Azure Active Directory on the corporate level, as well as its overall function within Microsoft’s scheme.
What is Active Directory?
Active Directory (AD) helps businesses manage users, groups, and objects within their networks. So, you can assign users to groups, and assign each of those groups access to specific network resources, apps, and devices. This ability to control access at a variety of levels gives businesses the freedom to distribute resources to specific subgroups, which is critical for resource management as well as compliance and regulation. Not all Active Directory services are built the same. While Active Directory services like Windows Server Active Directory help businesses manage in-house assets and user identities throughout the corporate network, Azure Active Directory is built with cloud services in mind.
Understanding Azure Active Directory
Azure Active Directory (or Azure AD) enables you to manage identity (users, groups, etc.) and control access to apps, devices, and data via the cloud. That means that both identity and access are managed entirely from the cloud, and all of your cloud apps and services will utilize Azure AD. It’s important to note that Azure AD is immediately valuable for Microsoft apps, but it can be used to power the identity and access controls of your entire organization. Many organizations build a hybrid AD system using both Azure AD and another on-premises AD (typically Windows Active Directory).
Azure AD vs Windows Active Directory
Managing identity across Azure, Windows, and internet-connected apps requires Azure Active Directory. It’s best to think of Azure Active Directory as a service existing outside of the Windows Server Active Directory ecosystem. While Windows Server Active Directory provides domain services, lightweight directory services, federation services, etc. to handle identity, network policy, and servers on enterprise networks, Azure AD was built with web apps in mind. The value of Azure AD is immediate when we talk about cloud apps and resources. On-site Active Directory services (think Windows Server Active Directory) are suitable for handling SSO, identity, etc. within your network, but they can’t handle the complexity of identity for cloud apps. Azure AD will handle your cloud Active Directory needs while Windows Server AD will handle your on-premises Active Directory needs.
So, they both have value, and you’ll likely use both of them to handle your user/group control and access. Azure AD is especially valuable for organizations that have already moved apps to the cloud and are dealing with multiple user/password issues due to their current Active Directory being unable to handle the migration.
*It’s important to note that the enterprise protocols differ between Azure AD and Windows Server AD. While Windows Server AD uses Kerberos, LDAP, etc., Azure AD uses REST APIs and OAuth 2.0 tokens. This means that apps need to be built from the ground up with Azure AD in mind (which all Microsoft web apps are).
Different Azure Active Directory Licensing
Let’s take a look at some of the Azure Active Directory licensing options. Before we begin, it’s important to note that Azure AD is already bundled into Office 365 licenses AND Azure licenses. However, Office and Azure clients can still purchase the P1 and P2 editions for the additional benefits.
So let’s jump into the different Azure Active Directory licensing choices.
Azure Active Directory Free
- Application launch portal (My Apps)
- Automated user provisioning to apps
- Basic security and usage reports
- Cloud authentication (Pass-through authentication, password hash synchronization)
- Delegated administration—built-in roles
- Directory synchronization—Azure AD Connect (sync and cloud sync)
- Federated authentication (Active Directory Federation Services or federation with other identity providers)
- Global password protection and management – cloud-only users
- Multifactor authentication (MFA)
- Passwordless (Windows Hello for Business, Microsoft Authenticator, FIDO2 security key integrations)
- Role-based access control (RBAC)
- SaaS apps with modern authentication (Azure AD application gallery apps, SAML, and OAUTH 2.0)
- Secure hybrid access partnerships (Kerberos, NTLM, LDAP, RDP, and SSH authentication)
- Self-service account management portal (My Account)
- Self-service password change for cloud users
- Single sign-on (SSO) unlimited
- User and group management
- User application collections in My Apps
Azure Active Directory Office 365
- Azure Active Directory Free features, plus
- Self-service sign-in activity search and reporting
Azure Active Directory Premium P1
- Office 365 features, plus
- Advanced group management (Dynamic groups, naming policies, expiration, default classification)
- Advanced security and usage reports
- Application Proxy for on-premises, header-based, and Integrated Windows Authentication
- Automated group provisioning to apps
- Azure AD Connect Health reporting
- Cloud app discovery (Microsoft Defender for Cloud Apps)
- Conditional Access
- Global password protection and management – custom banned passwords, users synchronized from on-premises Active Directory
- Group assignment to applications
- HR-driven provisioning
- Microsoft Identity Manager user client access license (CAL)
- Self-service group management (My Groups)
- Self-service password reset/change/unlock with on-premises write-back
- Service-level agreement
- Session lifetime management
- SharePoint limited access
Azure Active Directory Premium P2
- Azure Active Directory Premium P1 features, plus
- Access certifications and reviews
- Entitlements management
- Identity Protection: risky sign-ins, risky users, risk-based conditional access
- Identity Protection: risk events investigation, SIEM connectivity
- Identity Protection: vulnerabilities and risky accounts
- Privileged Identity Management (PIM), just-in-time access
- Self-service entitlement management (My Access)
Free and Office 365
For those that want barebones Azure AD offerings, you’ll be looking at Azure Active Directory Free or Office 365. Typically, both of these Azure AD environments will be part of your existing license. So, if you only have an Azure license, you’ll use the free version. Also, if you only have an Office 365 license, you’ll use the Office 365 version. The Office 365 version has all of the capabilities of Azure Active Directory Free with the addition of self-service sign-in activity search and reporting. The key offering of each of these editions is more than one layer of authentication—a business imperative in today’s remote work world.
Azure Active Directory P1 vs P2
For those that are looking to upgrade into the AAD P1 or P2 space for additional features, Azure AD resources become abundant. These two tiers start to offer some critical components that aren’t available in the free versions — which are all extremely helpful for security, compliance, and identity management.
What do P1 and P2 Share in Common?
Both of these options:
- Provide unlimited directory objects
- Give you identity management capabilities
- Provide single sign-on for an unlimited amount of apps and unlimited users for those apps
- Have B2B collab capabilities — which lets you grant access to guest users for collaborative abilities
- Give self-service password change capabilities to users
- Have Connect — which syncs Windows Server AD (or other on-premises AD) and Azure AD
- Have advanced reports (see how apps are being utilized by users, see where risks exist, and troubleshooting capabilities)
- Give you branding capabilities for portals/login pages
- Have multi-factor authentication
- Have app proxy
- Include Group-based access management and provisioning
- Have Microsoft Identity Manager user CAL
- Come with a Service Level Agreement
- Have Cloud App Discovery
- Have Connect Health
- Give you conditional access based on user location/devices
- Have automatic password rollover
- Give you the ability to integrate 3rd party identity governance partners and MFA partners
- Provide SharePoint Limited Access
- Give you limited access to OneDrive for Business
- Have Cloud App Security integration
What’s the Difference Between P1 and P2
There are three core differences between P1 and P2. Firstly, P2 has Identity Protection, which lets you manage conditional access to apps (specifically, risk-based conditional access, like impossible travel and sign-ins from unfamiliar locations). Secondly, P2 gives you Privileged Identity Management (PIM). That gives you additional management over privileged accounts. Finally, you get Access Reviews.
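Impossible travel, named above as one of the risk signals behind P2’s risk-based conditional access, as an added illustration (not code from the original post or from Microsoft): a simplified check over constructed sign-in records that flags consecutive sign-ins by the same user whose implied travel speed is not physically plausible. The speed threshold, coordinates and user names are assumptions made for the example.

```python
# Added example: a minimal "impossible travel" check of the kind Azure AD
# Identity Protection evaluates on sign-in data. All records and the
# threshold below are constructed sample values, not Microsoft's logic.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

@dataclass
class SignIn:
    user: str
    time: datetime
    lat: float
    lon: float
    city: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(signins, max_kmh=900.0):
    """Return (user, from_city, to_city, kmh) for consecutive sign-ins by the
    same user whose implied speed exceeds max_kmh (roughly airliner speed).
    Assumption: the 900 km/h threshold is illustrative, not Microsoft's value."""
    flagged = []
    last_by_user = {}
    for s in sorted(signins, key=lambda s: (s.user, s.time)):
        prev = last_by_user.get(s.user)
        if prev is not None:
            hours = (s.time - prev.time).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, s.lat, s.lon)
            if hours <= 0:  # same-instant sign-ins from different places
                speed = float("inf") if km > 0 else 0.0
            else:
                speed = km / hours
            if speed > max_kmh:
                flagged.append((s.user, prev.city, s.city, round(speed, 1)))
        last_by_user[s.user] = s
    return flagged

SAMPLE = [  # constructed sign-in events
    SignIn("alice", datetime(2023, 5, 1, 9, 0), 47.61, -122.33, "Seattle"),
    SignIn("alice", datetime(2023, 5, 1, 9, 45), 51.51, -0.13, "London"),
    SignIn("bob", datetime(2023, 5, 1, 8, 0), 47.61, -122.33, "Seattle"),
    SignIn("bob", datetime(2023, 5, 1, 10, 30), 37.77, -122.42, "San Francisco"),
]

if __name__ == "__main__":
    for hit in impossible_travel(SAMPLE):
        print("risky sign-in:", hit)
```

Only alice is flagged: Seattle to London in 45 minutes implies a speed far above the threshold, while bob’s Seattle to San Francisco trip over two and a half hours is plausible.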
Azure AD Q&A
Is Azure AD available for governments?
Yes! Both Azure Government and GCC High come with Azure AD.
Is Azure AD available for educational institutions?
Yes! Azure AD Free is bundled into education licensing for Office 365.
Are there any unique Azure AD features available for those with a Windows 10 License?
Yes! Azure AD can be used with Windows 10 licenses. Also, it offers unique features like the ability to join a device to Azure AD, Windows Hello for Azure AD, and administrator BitLocker recovery.
*P1 and P2 also have MDM self-enrollment, Azure AD join, and Enterprise State Roaming.
Every business has unique needs when it comes to Active Directory. These are the four core Azure Active Directory licensing options that Microsoft offers to cater to companies of all shapes and sizes. Agile IT is a 4x Microsoft Partner of the Year. Also, we hold 16 Gold Competencies across Microsoft services. We can help you set up your Active Directory services with Microsoft, and we can help you find the license that’s right for your hyper-specific business needs — whether you’re a small business, enterprise, government agency, or educational institution. So contact us today for a free quote!