Microsoft Entra ID Reviews

I am an operational engineer and consultant that assists organizations with their Azure Active Directory implementation. I primarily deal with administrative functions in my day-to-day tasks. I am responsible for creating and configuring Azure AD users and groups, as well as assigning the dynamic membership required by the organization to their users. Another common task is that I set up guest user access for organizations that want to grant access to users on a temporary basis.

For customers that want to use a cloud-based deployment, I can assist them with that. In cases where the customer wants an on-premises deployment then we will provide them with help using AD Connect, which is used for synchronization between cloud-based and on-premises data.

This solution helps to improve security for our clients using a specific directory structure and by using a variety of options. There is a default directory, which is owned by Microsoft, and in there you can create custom directories for your use. 

There is a panel available for the administration of users, groups, and external identities. 

Options are included for uploading your on-premises applications to the cloud, and they can be registered with Azure. This means that you can also create your own applications.

Identity governance is available for paid users.

Using Azure Active Directory has benefitted several of my clients, with an example being a startup organization. Startups have three or four things that they need to do in order to begin work. First, they need a domain, and after that, they need a DNS record to be created for their domain. For instance, these services are provided by godaddy.com or similar vendors. Once these steps are complete, they connect to Azure AD with the help of the DNS record that was created. At this point, Azure AD performs the role of a Platform as a Service. Once Active Directory is connected and verified, you can create the users and groups, and begin managing your processes. 

These are the only steps that are required for a startup. For an enterprise that wants to migrate its on-premises data to the cloud, there are several additional steps. For instance, you need to create a virtual machine and install your server. Alternatively, if you already have a server, it can be connected with the help of AD Connect.

This is a good solution for end-users because the vendor provides good documentation and if the users experience errors or issues, they get a popup alert to explain the problem. Furthermore, it can provide a solution to resolve the issue.

The most valuable feature is Identity and Access Management. As an IT administrator, this feature allows me to manage access for users and groups.

This product is easy to use and easy to manage.

The application policies, licensing, and AD Connect options are valuable.

Multifactor authentication provides more security. Having a user ID and password is compulsory but after that, you can add different security features. For example, it can work with biometrics such as fingerprints, retinal scans, and facial recognition. There are many more options that may suit you better, as per your requirements.

When you log in to the Azure portal, there is an option available called Resource Groups. Here, you can add multiple things including printers and different servers. There are Windows servers available, as well as servers hosting many different flavors of Linux. Once a server is created, you can add in a database, for instance.

There are four levels of subscription and the security features are not available for free. At the free or basic level of service, Azure should provide identity protection features including single sign-on and multifactor authentication. These are the most important features for organizations and everybody should be able to utilize them for working remotely.

I have been working with Azure Active Directory for approximately three years.

Worldwide, Azure has many servers available and in fact, they are the largest cloud organization in the world. As long as you are paying for the service, you don't have to worry about availability. There is a Microsoft backend team available that can provide you with what you need.

The availability is the best in the cloud industry.

You don't need to create or manage your own infrastructure, as it is handled by the Azure team. Also, through the Azure portal, you can add databases.

This is a scalable product. You can scale it to any number of users and any number of servers, and there is no issue. As your organization grows day by day, you can increase your users, your databases, and compute services including RAM, CPU, and networking capabilities. This will ensure availability on the platform.

If you are part of a very large organization, with between 50,000 and one million users, then you might generate between 500 and 1,000 terabytes of data each day. You have two options for uploading this data to the cloud, including an online option and an offline option. In the online option, you use a gateway. The offline option includes Data Box, which is a device used to transfer your data. These hold 800 terabytes and above.

I have not used technical support from Microsoft myself. However, it is available and they can provide proper resolution to problems that people are having.

The support documentation that is supplied on the web page is very good. If anything changes then there is a section for notes in the documentation that explains it.

Using technical support is a more cost-effective solution than hiring somebody to maintain the product full-time.

The initial setup is not a complex process. It is simplest in a cloud-based deployment and it will not take much time. If your current server is on-premises then you only need two things. One is your enterprise domain users, which have full access permissions. The other is a global administrator on the cloud side. Both sides need to be integrated and this is done with the help of Azure AD connect. Once this is complete, you can have interaction between your on-premises data and cloud data.

It is helpful to have a basic level of understanding of the product prior to implementing it.

We provide support to our customers, depending on the error or issues that they are having.

There are four different levels of subscription including the free level, one that includes the Office 365 applications, the Premium 1 (P1) level, and the Premium 2 (P2) level. There are different options available for each of the different levels.

Everybody can get a one-month free trial.

This product is cheaper than Amazon AWS and Google GCP.

I do not use the other Active Directory solutions, although I do check on them from time to time. One thing I have noted is that the Google platform charges you on an hourly basis. In the case where you need a virtual machine for only one or two hours, this is a good option. However, if you forget to log out of your machine, then the cost will be large.

AWS provides you with a one-month free trial so that you can test using the resources.

At this time, Azure AD is the biggest cloud Platform as a Service that is available. They have 60+ cloud data centers available worldwide, which is more than any other organization. It is a service that I recommend.

My advice for anybody interested in this product is to utilize the free trial. Microsoft will not charge you anything for the first month. They will also give you a $200 credit so that you can use the services.

I would rate this solution an eight out of ten.

The use cases typically include external customer authentication, which we do, and by customers, I mean our hotel partners. There is basic user authentication and the ability to isolate those users based on a particular security environment, whether they are coming from a PCI environment, lab environment, corp environment, etcetera. Each of those has to pass through specific security, so everything that your Active Directory or Windows AD is solving on-premise is essentially the use case, except for the external customer situation which was the one thing that made me look at Entra ID. Unfortunately, the way Entra ID works created a major security issue that I cannot go into regarding guest users for our tenant. We are now trying to fix that.

We tried to stand it up as a PoC, and we went back and forth with Microsoft on it for a few months. We never got to a resolution because there is an architectural design issue with the service itself, and Microsoft is not going to change their service for us. We tried to use it, and then we gave up, killed it, and went back to the original plan, which was to use Okta. Our goal is to eventually completely get out of the Microsoft Identity ecosystem and move over to Okta.

We do not use Entra ID anymore. We have moved away from Entra ID. We could not justify it from a business standpoint. That is the crux of the situation. We now have a solution that can meet all of our business needs.

Microsoft Entra does not provide a single pane of glass for managing user access. It is not fully featured yet. There are some things within that Entra ID administrator portal, but it is not as robust as simply going to Entra ID service and then going to different features that it has to maintain identities. It is not even a single pane of glass if you look at how Microsoft does identity between Entra ID, Azure Resource Manager, and M365 itself. I know that they are trying to fix the situation between Entra ID and M365, but the subscription-level identity access controls need to be moved out of the subscription level and need to be globally managed from the identity provider. I am sure there was a design choice for that, but it just does not work when you are a company of our scale because we just cannot keep managing individual resources, so we would like to centralize the identity system.

I used Microsoft Entra Permission Management in a very specific scenario but because we are a hybrid environment, we often found ourselves fighting with cloud groups. We moved a lot of security groups into Entra from our Windows AD environment. We have a lot of stuff that has been built upon that for the past 20 years. Not being able to have Windows Active Directory security groups that are synced to Entra ID to control access to resources was a big pain for us. We would have had to create a cloud group and then add all the members of those on-prem security groups to it, so we did not even bother with it. When you have a company of our age and our size and you have nested security groups, there is a lot of linkage there, and it is not attainable. 

It is great for mom-and-pop shops or small businesses that are truly coming into the enterprise ecosystem and that have not come from a legacy environment. Current statistics show that 99% of the world that was in an Active Directory authentication environment is still in the Active Directory or Windows AD authentication environment and just supplementing Okta, so we are not doing anything new. A previous Microsoft employee that I talked to said that in the last decade, there has literally been only one customer to get fully off their hybrid environment and go fully into Entra, and it took them over ten years. Therefore, Microsoft needs to focus more on Entra and fix not only the design flaws but also address a lot of the customers' needs. It has a lot of potential specifically around taking business from IIQ for some of those UAR workflows, identity workflows, etcetera. Their biggest competitor is Okta, and Okta is currently the better solution.

We have been trying not to use the solution. It is used for a specific use case, which is around authenticating M365, and we are trying to see if we can get out of using it, but that is only because our environment is extremely complicated. Entra ID is not battle-tested or stable enough to support a business of our size. There are some design issues specifically around support for legacy services. We used to be part of Microsoft, so we have about 15-year-old services sitting in our data center that still need to use legacy LDAP authentication. The way we currently have the environment set up is for one very specific domain. I am using a domain for specific context here to keep it simple. We have 36 Active Directory domains, and that does not include the child. We follow the least privileged access model. Our environment currently consists of using AD Connect to synchronize objects from our corporate tenant into Entra ID, and then from Entra ID, we wanted to stand up Azure domain services as a possibility for retiring legacy LDAP services. The issue with Entra ID specifically is that the way it replicates objects out of its database into the Azure domain services Active Directory tenant or Active Directory service is that it uses the display name. This is a bad practice, and it has been known as a bad practice even by Microsoft over the past decade, so the design is not good. The issue with replicating based on the display name is that when you are coming from an environment that uses a least privilege access model, where you want to obfuscate the type of security account being used by hiding it behind a generic display name, instead of myusername_da, myusername_ao, etcetera, to have an idea of what accounts are being used when they are logging in, it is unable to reconcile that object when it creates a new domain. If they all have the same DM, you end up with quadruplicates of each user identity that was replicated to it from the directory. Those quadruplicates or their same account names, as well as the display names within the cloud domain services directory, have a unique identifier with the original account name attached. What that does is that it not only breaks that LDAP legacy authentication, but it also drives up the cost for your customers because you are paying for each additional seat, additional user objects that are created, or additional users. You also cannot tell any of those accounts apart unless you dive deep into the user object to peel back what type of account that is to map it back to what came from on-prem itself, so the service is completely useless. What we have done in our case is that we do not really need Entra ID. We have Okta, so we use an Okta LDAP endpoint. That does exactly what we need in using SCIM, which is the technology that is able to take identities from multiple dynamic providers and merge them together into a single record. It is able to act as an official LDAP endpoint for the business, so legacy apps work. We do not have a problem. Microsoft could learn from that.

Entra should allow for external MFA providers rather than forcing you into a walled garden and the Microsoft ecosystem. Flexibility is a big thing, especially for companies of our size. A big issue for us is that we want the identity to be in Entra for sure, but we want it to come from Okta. We want the authentication and stuff to work, but we want Okta to control the PIM rules. We want it to do the MFA and all those things, but Entra does not play nice with others. Okta has engineered some ways to get it done, but it is not as full-featured as we would like it to be. Microsoft should do what they do with some other partners such as Nerdio and Jamf where they have their own version of a service, but they are still partnering with those other companies to at least add options on the market.

Fully customizable UARs and Azure Secure Identity Workflows would be great. Currently, you can do it if you cobble together a bunch of Azure functions and use Sentinel. If you are sending logs to Sentinel and are able to match patterns and run automation based on that, it would be great. They can help with a solution that abstracts away a lot of that complexity across multiple services into exactly what IIQ does. I could definitely foresee Entra being the choice for identity for pretty much all cloud providers if they can focus on the areas that SailPoint's IIQ does. A big pain point for a business of our size by being in Okta is that we do not have the same workflows that we have between IIQ and AD. With the amount of data that our company generates, we wanted Sentinel. I had their security department onboard, and it was going to be millions a month just to use Sentinel, but we could not use it, so we decided to leverage Splunk and a few other SIEM providers. 

They should also stop changing the name of the product.

We used it for a few months.

Microsoft's support has been so bad when we have had issues in Azure that we recently poured 24 million dollars out of our spend for Azure, cut our unified support agreement with them, and sent it to somebody else. I would rate their support a zero out of ten. It is so bad. We probably never had a support engineer solve our problem. Usually, I or somebody else in the company has to reverse engineer service to try and find the solution. The things that we find are not even documented on the Microsoft site. The second way is to pull the information from the blog of some old guy who found the same issue and ended up solving it. 

People on the support side at Microsoft just read from a runbook and then send us to another part of the world where they ask us the same question, read from a runbook, and then we repeat ourselves, so we sent all that support to Insight. They were happy, and they were way cheaper. It only cost us less than four million. It was significantly cheaper. Our leadership is like, "Wow! IT actually saved us money this year."

Negative

We were using Active Directory, and we will never get off AD. There is too much legacy stuff for us to even bother getting off AD. It is a very mature product. It would be crazy for us to leave Windows Active Directory for something else, even Okta. There are core things that we need to function a certain way, so Entra ID just does not make sense. Entra sometimes even has access issues and replication delays with identity and adding objects to a new access control list within its platform or service.

We are not a typical company. We used to be part of Microsoft, so a lot of things that we inherited were very complex, and we also do things differently. For the old NT systems and SMB shares, we are still using Active Directory groups, and they work just fine. We have automation built around membership. We control the membership of those groups, the auditing of those groups, and everything else, so it does not make sense. It would be too much work to move us over to Entra ID.

I was involved in its deployment. It was complex, but that was not Microsoft's fault. That was our fault because we have a very complicated environment.

We have a hybrid environment. We were in IBM, but we pulled back. We have Oracle's cloud platform, and we have AWS as well as Azure, but 99% of our cloud workloads are all in AWS.

When we initially started, Microsoft was not there. The initial implementation strategy was to synchronize the Windows Active Directory corporate domain to Entra ID. That way, we had the identities and we could use the same AD connector to synchronize the AD distribution lists. The other side was the mailbox. 

We did not take the help of any integrator. It does not require much. You stand up your servers. You have a staging host with its own database, and then a sync host with its own database. You then hook them up and make sure you have all the permissions in your previous tenant.

Microsoft puts MSOL accounts in some default directory. You should be able to tell the agent to put the MSOL accounts in a more secure OU. For instance, the original recommendation, which has changed recently, when we set up the service was to use an enterprise admin to set up the agent, which generates a bunch of MSOL accounts. Those MSOL accounts ended up in our all users' organizations. When you have a company of our size, that is not the only MSOL account that exists in the directory, and it is really hard to tell those apart, so we have to look through the logs, see which MSOL account it is using, and move it into the proper OU for the on-prem domain. It would be nice if you could determine where that goes at the time of creation.

We were able to reclaim the money that we did not spend with Microsoft and spend it elsewhere. It is technically an ROI, an investment of our time in negotiating other deals.

Microsoft is so expensive. You know it is expensive when a Fortune 100 company like ours is complaining about the cost. That has been a big thing for me. When I really want to use an Azure service, it is very hard for me to justify the cost, especially with Microsoft support. 

To those evaluating Entra ID, I would say that if you are on Windows Active Directory, just stay on it.

I would rate it a five out of ten. It is not ready yet. It needs focus by Microsoft.

We sync up our on-premise Active Directory with Azure AD and use it for app registration. All of our cloud-based DevOps activities use Azure Active Directory.

Azure Active Directory has many automation capabilities, and you can apply policies on top. You can do a lot of things with these combinations and integrate other tools like PingFederate. We've likely saved some money, but I don't know how much. 

The solution has made our environment more controlled and robust. At the same time, functions become more challenging for users when you add more controls and multi-factor authentication. However, these measures are essential when you're dealing with a complex environment that crosses multiple regions and cloud platforms. 

I like Azure Active Directory's integration with GT Nexus, and it improves our overall security. Azure AD enables us to manage user access from a single pane of glass. We use single sign-on and multifactor authentication. Teams are required to have Authenticator downloaded on their devices. 

We use Azure AD's conditional access feature to fine-tune access controls and implement a zero-trust policy using authentication tokens. The calling application needs to verify those tokens. The tokens contain information that the application needs to verify. Every application or user needs to be registered in the system to access it.

In Azure AD, applications either use the managed identity or ARBAC for permission control, and we use SaaS on top of that. Policies can be used if there is anything else infrastructure or access-related. 

Permission management works the same way across all cloud platforms. You can have granular or course-grade permissions. It depends on what you want to use and how you want to use it. I'm on Azure, so I know how they use it. 

Azure AD could be more robust and adopt a saturated model, where they can offer unlimited support for a multi-cloud environment.

I have used Azure AD for two years. 

I rate Microsoft's support a nine out of ten. We are preferred partners, so we get high-priority support. 

Positive

I rate Azure Active Directory an eight out of ten.

The primary use case is for the authentication of the users. We actually onboarded around 3000 to 4000 users at our go live, which are various application users from across the US and the other regions.

The best feature is the single sign-on provision for the various type of users. That is our sole purpose for working on that and utilizing that service as creating a custom solution for a single sign-on would be difficult when we have around 50 applications within our company that has been used by users across the globe. That includes North America plus Europe, Russia, and the Middle East. It is very difficult and complicated to do things on our own. Instead of doing that, we just acquired the service from Microsoft for single sign-on, and for that purpose, we are using the Microsoft Azure Active Directory authentication.

From our utilization perspective, they are providing almost everything. That said, the customization, like the data sharing between the application, is something that needs to be improved from their side. For example, we are sharing certain types of data. We have a container application structure, so we have a single sign-on application where we are using the Active Directory authentication, and when the user clicks on that application, the information of that user is passed to the child application, and the child application does not authenticate the user again. That is a single sign-on concept, which is available across 50 applications within that container. We pass a lot of various types of data, therefore, there's a limited capability of doing that in Microsoft Azure as, on the Azure Active Directory, we may be able to create some additional attributes, however, there are certain limitations.

Technical support could be better.

I haven't explored all aspects of the solution just yet. There's still more to look at.

We've been using the solution for as far as our last project, in which is currently being used. We have been using it for the last four years.

This is a stable solution. Since our product went live in 2017, we never got an issue with respect to authentication.

The product is scalable. It is not even region-specific. You can change the region. For example, if you want to target European users, you can simply purchase a plan for a European server or something like that. Currently, I know that our application is running in the United States region, and our targeted users are from the United States, so our application is working in the North American region, the east area.

Technical support is a thing they need to improve a lot from their side.

The engineers from the Microsoft side are professional, however, the thing is they're working on the shifts. For example, if you encountered an issue which is affecting our production application, and we talk to a guy from Microsoft in Central Standard Time. While he will be available then if the issue is ongoing for more than eight hours, which exceeds their standard working hours, he will just put a hold on the call and will say that my next representative will get back to you on this issue, and when the next representative arrives you kind of need to start over.

Neutral

The Active Directory just plays a role in authenticating the user, and it doesn't do anything else, just authentication. The services where the deployment is being done, that is a different thing. It is an application service in itself. We have an Azure Active Directory service. Besides that, we have application deployments or application services on Azure as well. That is a separate service, which is used for the deployment of the application, so when a user is accessing the application, he is redirected to the Microsoft Azure authentication application where the authentication is being performed. So far, the authentication has been performed, and that user is being redirected to our actual application, which has been deployed on the Azure service. Therefore, there isn't really a direct deployment per se for this product.

I'm not familiar with the pricing aspect of the solution. The client deals with that end of things. My general understanding is that it is quite expensive.

I'd rate the solution an eight out of ten. They do have an outstanding service compared to the competition. 

The main reason for implementing this solution was to help our customers to access internal or external resources seamlessly while allowing them to have full control over access and permissions. 

This enterprise identity service provided our customers with many security features such as single sign-on, multifactor authentication, and conditional access to guard against multiple cybersecurity attacks. 

Most of the clients have either Office 365 with hybrid solutions, a multi-cloud environment and they want to leverage Azure AD to manage access to those clouds or they have hybrid deployments with legacy apps on-premises and on the cloud as well. 

We have applied this solution to multiple organizations and it has helped them manage their environments efficiently. Moreover, it provided a high level of security and security features that are appreciated by most of our clients.

In hybrid scenarios, this is one of the best products you could have. It helped many of our customers to manage resources on-premises and in the cloud from a single dashboard. 

It helped our client to control permissions and review permissions for employees who have left the organization which kept them on-control over access and permissions granted to their employees.

The solution has many valuable aspects, including:

• Password policy enforcement
• Conditional access policies
• Self-service password reset for could users and on-premises
• Azure Active Directory Identity Protection
• Privileged Identity Management
• Multi-factor authentication 
• Passwordless authentication and sign-in
• Business to business and client to business support
• Support for SAML and OAuth

There are many more features that are very useful and can be used as part of the P2 package. There is no need to install any agent or tool to utilize those features except when extending advanced features to the on-premises active directory.

I believe the product is perfect, however, it could be improved if it could integrate with other clouds with fewer efforts and provide the same functionality it provides to Microsoft products.

Most of the features come with a P1 or P2 license. With the free version, you do not get much.

The objects in Azure AD are not managed in organizational units similar to what you get in the windows server active directory, which makes it more difficult to delegate administrative tasks

Azure AD does not support legacy authentication protocols, such as NTLM or Kerberos.

Azure AD is unaware of group policies. If you would like to use the same on-premises group policies, then you need to use the passthrough authentication method with your existing on-premises AD servers. This would compromise the high availability of the cloud and create a single point of failure.

I have been using this tool for more than five years.

A Very stable solution, I never saw the service down, unavailable, or anything like that.

The solution is highly scalable. There are no worries at all about the bandwidth or any other concerns. 

We've had a very positive experience and our clients are adopting it more as their sole identity and access management solution. 

Positive

We did use the SailPoint Identity Platform. There was no cloud solution at that time which is why we switched.

The ease of setup depends on the scenario and the use cases of your organization. 

We are a vendor team and most of the implementation for enterprise clients is done via us or similar vendors. 

The solution has a high ROI when adopted properly in your organization.

Make sure to check which features your organization requires. Find out if they are applicable to all users or just a bunch of them before deciding on buying a license.

We looked at many products, however, I do not want to mention the products' names. 

I use this solution as an identity platform for Microsoft Applications including Office 365. We have found that users have third-party applications for authentication using an integrated identity infrastructure.

The most valuable features of this solution are security, the conditional access feature, and multifactor authentication.

The conditional access policies allow us to restrict logins based on security parameters. It helps us to reduce attacks for a more secure environment.

Multifactor authentication is for a more secure way of authenticating our use.

All our on-premises identities are synchronized to Azure Active Directory. We have an advanced license that enables conditional access based on logins, and suspicious behaviors. 

Active Directory is able to determine if a particular user signing in from a trusted IP or if there are two different sign-ins from two different locations. It will flag this latter incident as a potential compromise of a user's account. 

In terms of security, it provides us with the features to alert us if there are any fraudulent attempts from a user identity perspective.

It provides access to our Azure infrastructure and allows us to assign roles and specific aspects to different subscriptions. It has several built-in roles that you can assign to individual users based on their job scope. It allows for granular provisioning.

With onboarding applications, you are able to register applications in Azure Active Directory, which allows you to use it as a portal for access as well.

Azure Active Directory enhances the user experience because they do not have various IDs for different applications. They are using one single on-premises ID to synchronize and they are able to access various different applications that are presented to them.

If you have a new application, you will export the application within Azure AD and we add access to those who need that application and you are able to use the corporate ID and password to access it.

Azure Active Directory is a good platform for us. We rely heavily on providing our users a good system and interface that we seldom have issues with.

The management interface has some areas that need improvement. It doesn't give you an overview similar to a dashboard view for Azure Active Directory. The view can be complicated. There are many different tabs and you have to drill down into each individual area to find additional information.

There are too many features available, more than we can use.

I have been using Azure Active Directory for three years.

It's quite stable. There are no issues with the stability.

The identity platform is quite robust.

It is very scalable. We have deployed it globally for approximately 10,000 users and experienced not many issues. In fact, we have not encountered any issues so far.

Generally, we don't have issues that require technical support. We have multiple domains within the Azure AD and we had an issue where SharePoint users were not able to access the domain.

We had a prompt response and were able to identify what the issue was. We were given specific tasks which led to resolving the issue.

I would rate the technical support a nine out of ten.

Previously, we did not use another solution. Primarily it was an on-premises Active Directory that we synchronized to the cloud.

The initial setup was completed by a separate team.

We have five global administrators who are primarily responsible for providing access and assigning roles for all the various different groups and teams that have different subscriptions, and they will manage their subscriptions based on the roles that they are assigned.

In terms of deployment, Active Directory ensures that there is express route connectivity from an on-premises data center to Azure and ensures that there are sufficient redundancies in Azure Active Directory Connect Servers and Domain Controllers. 

We have seen a return on our investment. I would say that it is one of the key components of our identity solution

The pricing is very flexible. There are a few tiers of licensing, and it is a part of an enterprise contract.

It is bundled with other services and the pricing is quite reasonable.

We did not evaluate other solutions.

I would strongly recommend implementing Azure Active Directory.

For new organizations, it would be best to start implementing directly on the cloud, and for our existing organizations who have on-premises solutions, it would be seamless to synchronize the on-premises user with the cloud and use that. 

I would rate Azure Active Directory a nine out of ten.

Azure Active Directory is similar to an on-premises access control system, but the service and data are hosted in the Azure cloud. Previously, everyone used to have Windows servers built as domain controllers for Active Directory to store their employee data. This assumed the role of a database for their employees.

With Azure Active Directory, which is in the cloud, you have the same functionality and there isn't much of a difference. The defining point is that you have access to online, cloud-based resources, such as Office 365.

In my company, as well as others, we had already implemented the on-premises Active Directory for our infrastructure. We leverage Azure Active Directory to synchronize the existing on-premises details to the cloud so that it creates an identity in Azure, which allows it to be used for other SaaS-based solutions.

This is the kind of solution that I feel you cannot run an organization without using.

Going forward, I expect that this solution will help to eliminate our on-premises infrastructure. Perhaps in the next few years, many companies will question their need for on-premises infrastructure and implement a purely cloud-based position. It will be a pay-as-you-go service.

Using this solution has affected our end-user experience because it enables and supports the Office 365 products that Azure provides. It is indirectly linked to all of the Office 365 solutions.

This is a feature-rich solution.

It offers features that improve our security posture such as multifactor authentication, which is the second layer of protection that is used when we log into the cloud.

The documentation, and the way that people are notified of updates, are things that can be improved. I'm a big fan of Microsoft products but the way they document is not that great.

I have been using Azure Active Directory for the past four years.

This solution was implemented approximately five years ago, before I joined the company.

We use this product on a daily basis. In fact, it is constantly being used and we don't have any problems with stability.

The scalability is good, and it is one of the reasons that we opted for a cloud solution.

We have more than 60,000 employees in the company and it scales very nicely. If more employees join the company then our usage will increase.

There are a variety of roles including administrators and different users. We have between 200 and 300 administrators.

Technical support from Microsoft is excellent.

We have had multiple issues where technical support has been needed. For example, the other day, we had a problem with synchronization. One of the user licenses was not synchronized properly and when we identified the root cause, it showed that the profile was not linked to the Active Directory Account. That was the main problem.

For us, it's constant improvement. Once a problem has been resolved, we document it accordingly so that it doesn't reoccur. Essentially, we don't want to have the same story again.

We also have Active Directory implemented on-premises, and it synchronizes with our cloud solution. The traditional Active Directory is what we used before this.

I was not responsible for the initial setup but my feeling is that it is not very straightforward. From a technical perspective, I expect that it is somewhat complex.

The deployment took approximately six weeks. We are a large company with more than 60,000 employees and I expect that for a smaller company, with perhaps 100 or 200 employees, it might take a day or two to complete.

One of the senior engineers in my organization was responsible for deployment. We also had assistance from Microsoft consultants. Between five and ten people were required for the deployment because it's a larger company.

There is no maintenance that needs to be done on our part. However, we have between 10 and 15 people who closely work on Azure Active Directory. 

Everyone uses a cloud solution to reduce the on-premises infrastructure cost and maintenance. In the coming years, there will be a lot of returns or a lot of cost-cutting that will happen.

The licensing is good and it is really easy to manage. We make sure that we only enable the licenses that are needed for the users, rather than enabling licenses in a blanket fashion. Basically, we only enable the features that are required for each of the users.

There are no costs in addition to the standard licensing fees.

Microsoft is a vendor that is always one step ahead.

The biggest lesson that I have learned is to read the documentation properly and thoroughly. Microsoft is great, but the documentation is sometimes updated and we aren't notified. This means that anytime you apply any solution, just make sure that you follow the proper guidance and always test before deployment.

I would rate this solution a nine out of ten.

We run in a hybrid model. We have our Active Directory on-premise directory services that we provide. We basically went to Azure so we could provide additional capabilities, like single sign-on and multi-factor authentication.

We are running in a hybrid environment. It is not completely cloud-native. We sync our on-premise directory to the cloud.

It definitely has improved our security posture, certainly from providing that second factor of authentication. It provides more visibility. We can see all facets of the business, e.g., when people are logging into our resources. This solution makes it highly visible to us.

It enhanced our end user experience quite a bit. Instead of the days of having to contact the service desk with challenges for choosing their password, users can go in and do it themselves locally, regardless of where they are in the world. This has certainly made it a better experience accessing their applications. Previously, a lot of times, they had to remember multiple usernames and passwords for different systems. This solution brings it all together, using a single sign-on experience. 

Is this specific to Azure? No. We have had other IdPs that gave us that same experience, but we have more apps that are integrated into Azure today from single sign-on than we had previously. Having that one handy "my apps" page for folks to go to as their one source for being able to gain access to all their apps is a much better experience from my point of view.

• Azure Application Proxy
• Single sign-on capabilities for SAML
• OAuth integrated applications
• The multi-factor authentication piece was desirable.
• Defender for Identity, as of recently.
• Some of the services, like Microsoft MCAS solution. 

These features offer additional layers of security, which is kind of what we were looking for. 

Some of the self-service password utilities certainly helped, given the scenario of the world today with COVID-19 and lockdowns. We certainly benefited from being able to say, "Have our users changed their password remotely." When they connect to the VPN, then sync them back up with the domain. So, that was very beneficial for us as well.

The thing that is a bit annoying is the inability to nest groups. Because we run an Azure hybrid model, we have nested groups on-premise which does not translate well. So, we have written some scripts to kind of work around that. This is a feature request that we have put in previously to be able to use a group that is nested in Active Directory on-premise and have it handled the same way in Azure. That is something that is actively being worked on. 

One of the other things that we felt could be improved upon is from an Application Proxy perspective. We have applications native to SSH, and we want to be able to do app proxy to TCP/IP. It sounds like that is actively on the roadmap now, which was amazing. It makes us very excited that it is coming, because we do have use cases with that as well.

I have been using it for a few years now.

The stability has been pretty rock solid. For the first time, we have seen some instability over the last month. I know there were some issues with Microsoft in terms of one of their stacks. That was something that they addressed pretty quickly though. We were appraised of the issues by our technical account manager, so we were in the know. We weren't left in the dark when something happened, and it was remediated pretty quickly.

We have about five to six folks whose main role is to manage identity, and that is my team at the company. However, we also have administrators all over the globe, handling service desk tickets, e.g., resetting passwords. There are about 30 or 40 people, if you include that level of things. However, from a global admin perspective, we probably have a total of eight people.

It is certainly scalable. Whether you are connecting to a local on-premise directory services organization, or if you are using B2B and B2C. This is part of the vision: At some point, leverage some of the B2B features that we have appointed to us in Azure, which we don't do today. This is certainly something that we are looking at internally as a potential for moving forward. 

We are managing 7,000 to 8,000 users within Azure AD.

This is room for growth.  

We are part of the DPP program. So, we talk to the identity folks at Microsoft on a weekly basis, who are amazing. It has been such a great experience with those folks.

The technical support that we get through the GTP program is amazing. Microsoft Premier Support is pretty good as well. We have called them, but typically we don't have the type of issues that we are calling all the time for. We have a pretty savvy team, and just being plugged into the GTP team has helped us understand new features which are coming out, whether we are part of an active preview or attending an evening where they are doing a webinar to introduce new features to us. The cool thing about that is you do have that line of sight if you need to ask questions or get technical answers. Between our technical account manager and our GTP partner, we do relatively well without having to open too many cases.

We had a different identity provider at one point in time. At the time that we were looking at identity providers, Microsoft really wasn't there from a technical perspective. They are there now, far surpassing some of the things that we have done in the past. So, it was a no-brainer for us. We are very much a Microsoft organization. Primarily, it is the operating system of choice, not only for endpoint service, but it was a pretty good deal to move over and leverage some of the licensing and whatnot for our end users.

From an IdP perspective, we had Okta for quite some time. We had some limitations with Okta that we were looking at Azure to handle. I got pulled in kind of mid-project. I am not really sure when the decision was made, or how it was made, but certainly cost was a factor. We were already licensed for a lot of what was needed to go with Azure, where we were paying Okta separate licensing fees. So, we saved money by switching from Okta to Azure.

The initial setup would have been complex if it had not been for being part of the GTP program. We have gotten a lot of value out of that program in terms of cross-training our team members, catching up on any new features that come out as well as any of the gotchas that the Microsoft team has seen. So, those have benefited us quite a bit.

The deployment probably took six to eight months. Standing up Azure and sinking your directory services, like creating a connector, takes minutes. We could stand that up in the day. What took time was taking all of the applications that we have throughout the environment, migrating them across and doing integrations with single sign-on. You need to have conversations with different application owners as well as potentially pulling in some vendors to do some of the configuration. There may be some apps which are not as straightforward as others, but we thought that the experience was pretty straightforward (to a point) where we can handle a lot of the work ourselves.

When we needed Microsoft, we were able to reach out, talk to them, and get the assistance that we needed. That was super beneficial to us.

There are a lot less calls to our service desk. For some of the traditional, "Hey, I need to reset my password," or "Hey, I'm locked out." So, we're seeing a lot of that self-service, gaining access to the different apps, and having it all be integrated with Azure will take away some of the headache. For example, "I don't know what my password is for GitHub," or, "I don't know what password is for Slack." We are like, "Well, it's the same password that you use every day." So, that has dropped call volume.

If you have a different IdP today, I would take a close look at what your licensing looks like, then reevaluate the licensing that you have with Microsoft 365, and see if you're covered for some of this other stuff. Folks sometimes don't realize that, "Oh, I'm licensed for that service in Azure." This becomes one of those situations where you have the "aha" moment, "Oh, I didn't know we can do that. Alright, let's go down this road." Then, they start to have conversations with Microsoft to see what they can gain. I would recommend that they work closely with their TAM, just to make sure that they are getting the right level of service. They may just not be aware of what is available to them.

We look to gain new features when updating licensing. Every time we go to negotiate an enterprise agreement, we are looking at:

• What are the benefits?
• What are we getting back from Microsoft?
  
  They are very good at working with us to get what we are looking for in terms of working on packaging for pricing.

We did not evaluate other options. The decision was pretty easy. When we initially looked at Okta years ago, Microsoft was also one of the folks that we looked at. Okta was a little more advanced than some of the gallery apps. Then, Microsoft made a huge play and added more gallery-type apps. That helped us quite a bit to move things along.

For others using Azure ID, take cookie online training. They are widely available, free, and give you a very good idea of what path you need to go to. So, if you want to take some professional training to become a guru, then you know what classes to go take and the fundamentals that you need to take before you get into that class. So, I highly recommend taking the video term.

I come from an Active Directory background for more than 20 years. Coming into Azure was actually great. We had somebody leave the company who was managing it, and they said, "Hey David, I know you are working for this other pocket of the business. How would you like to come back to the identity platform?" I said, "Absolutely." So, it was easier for me to come up to speed in several of the advanced areas of Azure, e.g., conditional access policies. We are starting down a zero trust methodology, which has been very exciting for me.

I would give it a solid eight (out of 10). It has a lot of the features that we are looking at. I don't think there are any tools out there that will give you that one magical wand with everything that you are looking for, but certainly this comes close. Microsoft has been working with us to help us through some of the new features and additions that are coming.