
Understanding Azure Active Directory – Features, Services, and Licensing

Active Directory (AD) is a Microsoft technology that manages and organizes users, computers, and other resources in a networked environment. This article covers the basic concepts of Active Directory and its different forms. It then looks at the differences between Azure AD and on-premises AD and digs into multi-tenant Azure AD, Azure AD B2B, Azure AD B2C, the Azure AD Graph API, and the licensing options available for Azure AD. (Microsoft has since renamed Azure AD to Microsoft Entra ID; the service, its tenants, and the Microsoft Graph API used below are unchanged, and this article keeps the Azure AD name.)

Contents

  1. What is Active Directory (AD)?
  2. Differences between Azure AD and on-premises AD
  3. Understanding Azure AD B2C and Azure AD B2B
  4. Multi-tenant Azure AD
  5. Features and Capabilities of Azure AD
  6. Licensing Options for Azure AD
  7. Azure AD Graph API

1. What is Active Directory (AD)?

AD stands for Active Directory, a Microsoft technology used to manage and organize users, computers, and other resources in a networked environment. AD can be summarized in three points:

  1. It provides a central directory service that network administrators use to manage user and computer accounts, groups, and permissions.
  2. With AD, users log in once and gain access to network resources, such as files and printers, without having to supply credentials each time (Kerberos single sign-on within the domain).
  3. AD also provides features such as Group Policy, which lets administrators control and manage the configuration settings of computers and users across an organization.

2. Differences between Azure AD and on-premises AD

Azure Active Directory (Azure AD) is a cloud-based identity and access management service provided by Microsoft as part of the Azure cloud platform. It is often described as the cloud counterpart of the traditional on-premises Active Directory (AD) used in many organizations, but it is a different product rather than AD hosted in the cloud: it has a flat directory (no forests, domains, or organizational units), it exposes identities over HTTP-based protocols (OpenID Connect, OAuth 2.0, SAML, and WS-Federation) instead of LDAP, Kerberos, and NTLM, and it has no Group Policy (device configuration is handled by Intune or another MDM).

Azure AD is the central repository for user accounts, credentials, and access permissions to cloud-based and on-premises resources. It provides authentication and authorization services to cloud-based applications and services, including Microsoft 365, Azure services, and third-party SaaS applications. Azure AD also enables single sign-on (SSO), letting users reach multiple applications with a single set of credentials.

Azure AD provides many of the same identity and access management capabilities as on-premises AD but adds features such as multi-factor authentication, conditional access policies, and integration with Microsoft's cloud-based security services.

On-premises AD is a server-based service that runs on physical or virtual domain controllers inside an organization's network. A key difference is that on-premises AD requires significant IT infrastructure and administration (domain controllers, patching, replication, backups), whereas Azure AD is a fully managed service operated by Microsoft, which reduces the operational overhead for organizations. Many organizations run both, synchronizing on-premises accounts to Azure AD with Azure AD Connect (see section 5).

With the fundamental difference between cloud and on-premises AD covered, we now move on to Azure AD itself and dig deeper.

3. What are Azure AD B2C and Azure AD B2B

Azure AD B2C (Business to Customer) is a separate type of Azure AD tenant that lets businesses manage identity and access for their customers. It provides user registration, authentication (local accounts as well as social and federated identity providers), and self-service password reset, and it lets businesses customize the user interface and user experience of their customer-facing applications. Customer identities live in the B2C tenant, separate from the organization's workforce tenant.

Azure AD B2B (Business to Business) is a feature within Azure AD that lets businesses share resources and collaborate with users outside their organization, such as partners or vendors. An invited external user is represented in the host tenant as a guest user object (userType "Guest") but authenticates with the identity provider of their home organization, so the host tenant never stores their password. Businesses can grant these guests access to their applications and resources while keeping control over their own data; because guest objects accumulate over time, they should be covered by access reviews and conditional access policies like any other account.

The main difference between Azure AD, Azure AD B2C, and Azure AD B2B is their focus and target audience. Azure AD is designed to manage identity and access for employees and partners within an organization. In contrast, Azure AD B2C is designed to manage identity and access for customers using business applications, and Azure AD B2B is designed to manage identity and access for external partners and vendors.

4. What is Multi-tenant Azure AD

"Multi-tenant" in Azure AD describes an application rather than a directory. Every organization has its own Azure AD tenant (directory), and a single tenant does not host several customers' directories. An application registration, however, can be configured as multi-tenant, meaning it accepts sign-ins from users of any Azure AD tenant; the first time a customer organization uses the application, an administrator (or a user, for user-consentable permissions) consents, and a service principal for the application is created in that organization's tenant. This is the model used by companies that provide a service to many customers, such as software-as-a-service (SaaS) providers.

A real-world use case for a multi-tenant Azure AD application is a healthcare software provider offering a patient management system to many healthcare organizations. Each healthcare organization keeps its own Azure AD tenant, and the provider registers one multi-tenant application that each organization's administrator consents to, so the provider's application relies on each organization's own tenant to authenticate that organization's users.

In this model each tenant keeps its own users, groups, and applications and manages its own directory data; the provider sees nothing of a customer's directory beyond what the consented permissions allow. Each tenant's administrators can also configure company branding, so the login pages and other elements of the sign-in experience reflect that organization's brand. The security point to get right is on the provider side: tokens issued through the common endpoint can come from any Azure AD tenant, so the application must validate the issuer and tenant ID (tid) claims against the set of tenants it has actually onboarded, in addition to the mandatory audience and signature checks. Without the tenant check, any Azure AD user anywhere could sign in to the application.
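The issuer and tenant check described above, as an added example that is not part of the original article: a Python function that takes the claims of an already signature-verified Azure AD access token and accepts it only if the audience is this application, the issuer has one of Azure AD's two issuer formats, the tid claim agrees with the issuer, and the tenant is on the application's allow-list. The client ID, tenant IDs, and claim payloads are constructed for the demo; in a real service the claims come from a JWT library after signature verification against the keys published at Azure AD's OpenID Connect discovery endpoint, and the allow-list comes from the onboarding database.

```python
"""Tenant validation for a multi-tenant Azure AD application.

Added example, not code from the original article or from Microsoft. It checks
the claims of an access token whose signature has ALREADY been verified by a
JWT library against Azure AD's signing keys. Tokens obtained through the
/common or /organizations endpoints may come from any Azure AD tenant, so the
application itself must decide which tenants it trusts. All tenant IDs, client
IDs and claim values below are constructed for the demo.
"""
import re
import time

# Issuer formats Azure AD uses for v1.0 and v2.0 access tokens.
_ISSUER_PATTERNS = (
    re.compile(r"https://sts\.windows\.net/(?P<tid>[0-9a-f-]{36})/"),                 # v1.0
    re.compile(r"https://login\.microsoftonline\.com/(?P<tid>[0-9a-f-]{36})/v2\.0"),  # v2.0
)

# Constructed values: the app registration's client ID and the tenants that
# have been onboarded (consented) to the application.
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
EXPECTED_AUDIENCES = {CLIENT_ID, f"api://{CLIENT_ID}"}  # v2.0 carries the client ID, v1.0 the App ID URI
ALLOWED_TENANTS = {
    "11111111-1111-1111-1111-111111111111",  # constructed: first onboarded customer
    "22222222-2222-2222-2222-222222222222",  # constructed: second onboarded customer
}


def tenant_from_issuer(iss):
    """Return the tenant ID embedded in an Azure AD issuer URL, or None if it is not one."""
    for pattern in _ISSUER_PATTERNS:
        m = pattern.fullmatch(iss or "")
        if m:
            return m.group("tid")
    return None


def validate_tenant_claims(claims, expected_audiences, allowed_tenants, now=None):
    """Return (accepted, reason) for the claims of a signature-verified token."""
    now = time.time() if now is None else now

    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or exp missing"

    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if not any(a in expected_audiences for a in audiences):
        return False, f"audience {aud!r} is not this application"

    issuer_tid = tenant_from_issuer(claims.get("iss"))
    if issuer_tid is None:
        return False, f"issuer {claims.get('iss')!r} is not an Azure AD issuer"

    tid = claims.get("tid")
    if tid != issuer_tid:
        return False, "tid claim does not match the issuer"  # never trust either claim alone

    if tid not in allowed_tenants:
        return False, f"tenant {tid} has not been onboarded"

    return True, "ok"


# Constructed claim sets, i.e. the payloads a JWT library would hand back.
NOW = 1_700_000_000
GOOD_V2 = {
    "iss": "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111/v2.0",
    "tid": "11111111-1111-1111-1111-111111111111",
    "aud": CLIENT_ID, "exp": NOW + 3600, "oid": "constructed-user-object-id",
}
GOOD_V1 = {
    "iss": "https://sts.windows.net/22222222-2222-2222-2222-222222222222/",
    "tid": "22222222-2222-2222-2222-222222222222",
    "aud": f"api://{CLIENT_ID}", "exp": NOW + 3600,
}
UNKNOWN_TENANT = dict(GOOD_V2,
                      iss="https://login.microsoftonline.com/99999999-9999-9999-9999-999999999999/v2.0",
                      tid="99999999-9999-9999-9999-999999999999")
MISMATCHED_TID = dict(GOOD_V2, tid="22222222-2222-2222-2222-222222222222")
WRONG_AUDIENCE = dict(GOOD_V2, aud="some-other-app")

if __name__ == "__main__":
    cases = [("good v2", GOOD_V2), ("good v1", GOOD_V1), ("unknown tenant", UNKNOWN_TENANT),
             ("mismatched tid", MISMATCHED_TID), ("wrong audience", WRONG_AUDIENCE)]
    for name, claims in cases:
        ok, why = validate_tenant_claims(claims, EXPECTED_AUDIENCES, ALLOWED_TENANTS, now=NOW)
        print(f"{name:15} -> {'accept' if ok else 'reject'} ({why})")
```

The allow-list is the part frameworks will not do for you: Microsoft's token validation libraries verify the signature, audience and issuer format, but a multi-tenant app that sets its authority to the common endpoint must itself map the tid to an onboarded customer, or reject the token.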

5. Features and Capabilities of Azure AD

  • Azure AD provides user and group management, password management, and multi-factor authentication to help secure access to applications and data.
  • Azure AD enables single sign-on (SSO) for cloud and on-premises applications and integrates with thousands of pre-integrated SaaS applications through the application gallery.
  • Azure AD supports conditional access policies, which let you enforce access controls based on conditions such as user, device, location, and risk level.
  • Azure AD Identity Protection offers advanced threat protection, including risk-based conditional access policies, user risk detections, and sign-in risk detections.
  • Azure AD provides reporting and monitoring capabilities (sign-in logs, audit logs, and risk reports, which can be exported to Log Analytics or a SIEM) to help administrators track user activity, monitor sign-ins, and detect suspicious activity.
  • Azure AD Connect synchronizes on-premises identities to Azure AD to support hybrid identity scenarios, using password hash synchronization, pass-through authentication, or federation for sign-in.

6. Licensing Options for Azure AD

The main options are:

  • Free: Provides basic identity and access management features (user and group management, cloud SSO, security defaults, and basic reports) for up to 500,000 directory objects.
  • Basic: Historically added SSO for cloud apps, self-service password reset, and group management, priced per user per month. This tier has been retired; its features are now included with Microsoft 365 subscriptions or with Premium.
  • Premium: Sold as Premium P1 and Premium P2, priced per user per month. P1 adds conditional access, hybrid identity features, and dynamic groups; P2 adds Identity Protection (risk-based policies and risk detections) and identity governance (Privileged Identity Management and access reviews).

7. Azure AD Graph API

The Azure AD Graph API (graph.windows.net) is a RESTful API that lets developers access and manage Azure Active Directory resources such as users, groups, and applications. It has been deprecated in favor of Microsoft Graph (graph.microsoft.com), which exposes the same directory resources alongside the rest of Microsoft 365 under a single endpoint; new code should target Microsoft Graph, and the examples below do. Either way, the API lets developers programmatically manage user accounts, groups, and other directory objects, and build applications that integrate with Azure AD.

With the Graph API, developers can perform operations such as creating and managing users and groups, managing device registrations, and retrieving user and group information. The API supports filtering, sorting, and paging ($filter, $orderby, and $top with an @odata.nextLink for the next page), so a client retrieves only the data it needs and reduces the amount transferred over the network. Every call is authorized by an OAuth 2.0 access token whose permissions (delegated, acting as a signed-in user, or application, acting as the app itself) are granted to the calling app registration; grant the narrowest permission that covers the operation.

A real-world use case for the Graph API is a custom application that integrates with Azure AD for user authentication and authorization. For example, a company could use the Graph API to build a custom web application that lets employees view and manage their own information in Azure AD, such as their contact details, group memberships, and application access rights. Another example is an automated process that creates new user accounts and assigns them to specific groups based on criteria such as department or role.

Take a look at a simple example of a .NET Core console application that uses the Microsoft Graph API to list the current user's contact information, group memberships, and application role assignments in Azure AD.

First, register your application with Azure AD and grant it the permissions it needs to call Microsoft Graph. The Microsoft documentation describes how: https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

Next, install the Microsoft Graph SDK for .NET and the Microsoft Authentication Library (MSAL) by running the following commands in the Package Manager Console in Visual Studio. The code below targets the 4.x line of Microsoft.Graph, in which requests are built with .Request(); the 5.x SDK changed this API.

Install-Package Microsoft.Graph
Install-Package Microsoft.Identity.Client

Then, use the following code as a starting point for your application:

using System;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Identity.Client;

class Program
{
    static async Task Main(string[] args)
    {
        // Replace these values with your own app registration details
        string clientId = "<your-client-id>";
        string tenantId = "<your-tenant-id>";
        // ".default" requests every delegated permission already consented to the app.
        // In a real application request only the scopes you need (e.g. "User.Read").
        string[] scopes = new string[] { "https://graph.microsoft.com/.default" };

        // Authenticate with Azure AD via MSAL using an interactive browser sign-in.
        // On .NET Core the redirect URI http://localhost must be set here and on the app registration.
        var app = PublicClientApplicationBuilder.Create(clientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .WithRedirectUri("http://localhost")
            .Build();
        var result = await app.AcquireTokenInteractive(scopes).ExecuteAsync();

        // Create a GraphServiceClient that attaches the bearer token to every request
        var graphClient = new GraphServiceClient(new DelegateAuthenticationProvider(requestMessage =>
        {
            requestMessage.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
            return Task.CompletedTask;
        }));

        // Get the current user's profile
        var me = await graphClient.Me.Request().GetAsync();
        Console.WriteLine($"Name: {me.DisplayName}");
        Console.WriteLine($"Email: {me.Mail}");

        // Get the current user's group memberships (first page only; memberOf also returns directory roles)
        var groups = await graphClient.Me.MemberOf.Request().GetAsync();
        Console.WriteLine("Group memberships:");
        foreach (var group in groups.CurrentPage)
        {
            Console.WriteLine($"- {(group as Group)?.DisplayName ?? group.Id}");
        }

        // Get the current user's application role assignments (first page only)
        var appRoles = await graphClient.Me.AppRoleAssignments.Request().GetAsync();
        Console.WriteLine("Application roles:");
        foreach (var appRole in appRoles.CurrentPage)
        {
            Console.WriteLine($"- {appRole.ResourceDisplayName}: role {appRole.AppRoleId}");
        }
    }
}

This code uses the Microsoft Authentication Library (MSAL) to authenticate with Azure AD and acquire an access token for Microsoft Graph. It then uses the Microsoft Graph SDK to call the API and retrieve the current user's profile, group memberships, and application role assignments. Note that memberOf returns directory objects of more than one type (groups and directory roles), so the group cast above is needed to read a display name, and that both collections are paged; the snippet prints only the first page.

Note that this is just a simple example to get you started. In a real-world scenario you will want to add error handling and validation, and support for paging through and filtering large result sets.

Here is another example of how you could use the Microsoft Graph API to automate the creation of new user accounts in Azure AD and assign them to specific groups based on certain criteria, using .NET Core.

using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Graph;
using Microsoft.Graph.Auth;       // preview package that provides ClientCredentialProvider
using Microsoft.Identity.Client;

namespace UserCreationAutomation
{
    class Program
    {
        static async Task Main(string[] args)
        {
            // Set up the Graph client with application (client credential) authentication.
            // The client secret belongs in a secret store or environment variable, not in source code.
            IConfidentialClientApplication confidentialClientApplication = ConfidentialClientApplicationBuilder
                .Create("<YOUR_APP_CLIENT_ID>")
                .WithTenantId("<YOUR_TENANT_ID>")
                .WithClientSecret("<YOUR_APP_CLIENT_SECRET>")
                .Build();
            ClientCredentialProvider authProvider = new ClientCredentialProvider(confidentialClientApplication);
            GraphServiceClient graphClient = new GraphServiceClient(authProvider);

            // Basic parameters for the script
            string department = "Sales";
            string role = "Manager";
            int pageSize = 50;

            // Get all users that match the criteria. The second filter term uses a directory
            // extension attribute; replace the placeholder name with the one registered in your tenant.
            List<User> users = new List<User>();
            var userRequest = graphClient.Users.Request()
                .Filter($"department eq '{department}' and extension_f59d5564e4f34a4c9b9ac334cd8f2a2f_Role eq '{role}'")
                .Top(pageSize);
            do
            {
                var batch = await userRequest.GetAsync();
                users.AddRange(batch.CurrentPage);
                userRequest = batch.NextPageRequest;   // null once the last page has been read
            } while (userRequest != null);

            // Create new users and add them to the specified group
            string groupId = "<YOUR_GROUP_ID>";
            foreach (User user in users)
            {
                try
                {
                    var newUser = new User
                    {
                        AccountEnabled = true,
                        DisplayName = user.DisplayName,
                        GivenName = user.GivenName,
                        Surname = user.Surname,
                        UserPrincipalName = $"{user.GivenName}.{user.Surname}@<YOUR_DOMAIN>.onmicrosoft.com",
                        MailNickname = $"{user.GivenName}.{user.Surname}",
                        PasswordProfile = new PasswordProfile
                        {
                            // Never hard-code an initial password: generate a random one per user
                            // and force a change at first sign-in.
                            Password = GenerateInitialPassword(),
                            ForceChangePasswordNextSignIn = true
                        }
                    };

                    // AddAsync returns the created object; the Id is assigned by the directory
                    // and is only available on that returned object, not on newUser.
                    User created = await graphClient.Users.Request().AddAsync(newUser);

                    var member = new DirectoryObject { Id = created.Id };
                    await graphClient.Groups[groupId].Members.References.Request().AddAsync(member);
                }
                catch (Exception ex)
                {
                    Console.WriteLine($"Error creating user {user.DisplayName}: {ex.Message}");
                }
            }
        }

        // 24 random bytes from a cryptographic RNG, Base64-encoded, with a fixed prefix
        // so the result satisfies the usual upper/lower/digit/symbol complexity rules.
        static string GenerateInitialPassword()
        {
            var bytes = new byte[24];
            using (var rng = RandomNumberGenerator.Create())
            {
                rng.GetBytes(bytes);
            }
            return "Aa1!" + Convert.ToBase64String(bytes);
        }
    }
}

In this example, we start by setting up the Graph client using the app's client ID, tenant ID, and client secret. We also specify some basic parameters for the script, such as the department and role criteria and the page size for pagination. Using the Filter method on the Users request, we retrieve all users that match the specified criteria, in batches of the specified page size using the Top method and the NextPageRequest property. Finally, we create new users with AddAsync, which returns the created user (the Id of a user object is assigned by the directory, so it has to be read from that return value rather than from the object we sent), and add each one to the specified group with Members.References.Request().AddAsync. A try-catch block handles errors per user. Note that Microsoft.Graph.Auth is a preview package; current versions of the SDK instead accept an Azure.Identity credential such as ClientSecretCredential directly in the GraphServiceClient constructor.

Keep in mind that this is just a basic example; adjust the code to your specific requirements. In particular, the app registration needs application permissions granted with admin consent: creating users requires User.ReadWrite.All, and adding group members requires GroupMember.ReadWrite.All. Prefer a certificate or managed identity over a client secret for the credential.

Conclusion

Azure Active Directory (Azure AD) is a cloud-based identity and access management service that provides authentication and authorization services to cloud-based applications and services, including Microsoft 365, Azure services, and third-party SaaS applications. It is the cloud counterpart of the traditional on-premises Active Directory (AD) used in many organizations, built on web protocols rather than LDAP and Kerberos. Azure AD B2C and Azure AD B2B allow businesses to manage identity and access for their customers and external partners, respectively. A multi-tenant Azure AD application accepts users from many organizations' tenants, each of which keeps its own directory, so the application must validate which tenant a token comes from. Azure AD provides a broad range of features for managing user identities and access to applications, including identity management, application access management, conditional access, identity protection, reporting and monitoring, and Azure AD Connect. The Azure AD Graph API is a RESTful API for accessing and managing Azure Active Directory resources, now superseded by Microsoft Graph.
