If you are familiar with Active Directory and identity management, it becomes very apparent that some kind of identity manager is working behind the scenes as soon as you add a domain to Office 365. Once you overlay your domain and start assigning your new users, you might notice that your original generic *@company.onmicrosoft.com domain doesn’t go away, but you are now using something similar to User Principal Names (UPNs). Even if you don’t opt to purchase the Azure Active Directory module to work with Office 365, it’s still there working behind the scenes, but your interaction with it will be extremely basic and limited to what Office 365 allows you to see. If you opt to purchase the Azure Active Directory module for your Office 365 tenant, you will be exposed to many new features such as
- Multi-Factor Authentication configuration
- Azure Active Directory Reporting
- Access Control
- Applications Listings
and so much more. Where I find Azure Active Directory to be extremely valuable is when you are using it as your sole identity manager. If you’re running in a hybrid configuration, it might be OK, if planned properly, to use your on-premises Active Directory as the identity manager and forego access to Azure Active Directory, but they really do work better together.
Once you’ve purchased the option for Azure Active Directory under Subscriptions, you can access it from the Admin center drop-downs by selecting Azure AD.
This will bring you into Windows Azure, Microsoft’s cloud-based manager for everything. This page might seem a little intimidating, and it does offer a plethora of options, but right now we’re only worried about Azure AD, which you will see under ALL ITEMS.
Once in Azure AD you will have a list of options across the top. I will try to quickly walk you through the important parts of every item.
Here you can add a custom domain. If you’ve started in Office 365, you’ve likely already done this, but if you’ve started your journey in Azure, you can add your custom domain here. The setup is very similar to adding it through Office 365. You can also start integrating with Active Directory here to manage your hybrid setup: there is a link to download Azure AD Connect, the software that will walk you through your hybrid setup.
Here you can add and manage users and groups as well as multi-factor authentication. In the old Office 365 Admin center, you managed multi-factor authentication via the users page. It has moved to Azure AD now.
Here you can manage and add applications you may be developing using the Office 365 or Azure APIs. There is also a wealth of videos and resources to help you on that journey.
The Configure Tab
Across the top bar there is a tab called Configure. I’ve found this to be one of the most useful places to work, since it has a lot of access control features for Azure AD and Office 365. Starting at the top, you can custom-brand the Microsoft Online Services login page for your users. This is great for making it feel and seem more like your company is offering these services.
What else can I configure?
- You can set the user password reset policy, with notification options for when users or admins reset their passwords, to keep track of compliance.
- You can set up multi-factor authentication.
- You have options for allowing users to join devices to Azure AD.
- Allow your organization’s public IP ranges. This is useful when you have Office 365 users connecting from offices all over the globe. Some countries may be flagged as high-risk areas, and users connecting from them may be required to provide additional authentication. This can get annoying, but you can flag their IP address so that when they come in over this IP range, they won’t be hassled to get in.
With Windows 10 and the ability to add systems that authenticate directly with Azure AD and Office 365, this area will be useful. In this section you can allow, restrict or block users from joining devices to Azure AD. You might want to block this if you don’t want users moving from your AD to Azure AD. You can set up multi-factor authentication here and set the maximum number of devices a user is allowed to register with Azure AD. This is a good thing to do if you don’t want to be supporting every PC and tablet a user might want to try to register with Azure AD.
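The same device-join and MFA settings can be audited from PowerShell instead of clicking through the portal. This is an added example, not code from the original post; it assumes the legacy MSOnline module is installed, that you sign in with a tenant admin account, and that the threshold of 20 devices and the group-based join restriction are your own policy choices.

```powershell
# Added example: audit the Azure AD device registration policy described
# above, optionally apply hardened settings, and report per-user MFA state.
# Assumes the MSOnline module (Install-Module MSOnline) and a Global Admin.
param([switch]$Apply)   # pass -Apply to change settings; default is read-only

Import-Module MSOnline
Connect-MsolService     # prompts for tenant admin credentials

# 1. Read the current device registration policy and flag weak settings.
$policy   = Get-MsolDeviceRegistrationServicePolicy
$findings = @()
if ($policy.AllowedToAzureAdJoin -eq 'All') {
    $findings += 'Any user can join devices to Azure AD (consider Selected or None).'
}
if (-not $policy.RequireMultiFactorAuth) {
    $findings += 'Device registration does not require multi-factor authentication.'
}
if ([int]$policy.MaximumDevicesPerUser -gt 20) {   # 20 is an assumed threshold
    $findings += "Each user may register up to $($policy.MaximumDevicesPerUser) devices."
}
if ($findings.Count -eq 0) { Write-Host 'Device registration policy looks sane.' }
$findings | ForEach-Object { Write-Warning $_ }

# 2. Hardened settings: restrict join to a selected group, require MFA and
#    cap devices per user. Only runs when -Apply is given.
if ($Apply) {
    Set-MsolDeviceRegistrationServicePolicy -AllowedToAzureAdJoin Selected `
        -RequireMultiFactorAuth $true -MaximumDevicesPerUser 5
    Write-Host 'Device registration policy updated.'
}

# 3. Report which users have per-user MFA enabled or enforced. The state is
#    stored in StrongAuthenticationRequirements; an empty value means disabled.
Get-MsolUser -All |
    Select-Object UserPrincipalName,
        @{Name = 'MfaState'; Expression = {
            if ($_.StrongAuthenticationRequirements.State) {
                $_.StrongAuthenticationRequirements.State
            } else { 'Disabled' }
        }} |
    Sort-Object MfaState, UserPrincipalName |
    Format-Table -AutoSize
```

Run it once without `-Apply` to see the findings and the MFA report, then rerun with `-Apply` only after the group allowed to join devices has been chosen in the portal.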
Finally, I want to talk about reporting. With Office 365, you have a base set of reports, mostly around Exchange/SFB usage. If you want more reporting, Azure AD will be your friend. Azure AD gives you a bunch of awesome reports that will help you manage the Office 365 experience. Say, for example, you have a bunch of users that don’t know what their external IP address is, and you’ve tried and tried to get them to throw up a web request to IPChicken.com to get their external IP address. There’s a report for that. If you want to keep tabs on which users changed their passwords, there’s a report for that too.
The Azure Active Directory module is an awesome extension to Office 365, and it really gives system administrators the tools they will need to fully manage and improve the Office 365 experience.