What is our primary use case?
We have deployed an Active Directory model with Active Directory on-premises, and that is providing services to the entire organization. In 2018, we wanted to implement single sign-on with some of our cloud solution partners. That was the main reason that drove us to implement Azure Active Directory. As far as I know, that's the only thing that we use Azure Active Directory for at this moment.
We can call it a hybrid system. All our internal operations are using Active Directory on-premises, but when we need to identify some of our users with applications on the cloud, that's when we use Azure Active Directory.
We are a mid-size company with around 550 users end-users, with the same number of end-user machines. We also run somewhere between 120 and 150 servers.
How has it helped my organization?
The reason we implemented it is that we can use it for authentication with some of our service applications, and that makes users' lives easier. They do not need to learn a lot of different passwords and different usernames. The other benefit is that, on the management side, it's very easy because you can have tight control over who is using the application and who is not; who has permissions.
For some applications, it's not only working for authentication but it's also being used to apply roles for users. From the management perspective, it's much better to have this because in the past we constantly needed to go into the console of the different solutions and create or delete users or modify their roles and permissions. Now, with Azure Active Directory, we can do that from a single point. That makes our management model much easier.
As a result, the solution has helped to improve our security, because user management control is very important. In the past, there were times when, for some reason, we forgot about deleting or even creating users for certain applications. Now, because we have only a single point for those processes, there is better control of that and it reduces the risk of information security incidents. That's especially true when you consider the case where we had forgotten to delete some users due to the increasing number of applications in the cloud. We now have five or six applications using single sign-on and that capability is one of our requirements when we introduce a new solution. It has to be compliant with single sign-on and it should have a way to be implemented with Azure Active Directory. It makes our infrastructure more secure.
Among the applications we have that are using single sign-on are Office 365, Concur for expense control, we have an integration with LinkedIn, as well as two other applications. When a user decides to leave the organization, we check that their access to all our internal applications has been closed. That can be done now with a single script. It makes it very easy for us to delete the user from the organizational unit, or from where the group linked to the application.
It makes things a lot more comfortable in terms of security as we don't need to log in to every single application to delete users. We would see, in the past, when we would run a review on an application in the cloud, that suddenly there were, say, 10 users who shouldn't be there. They could still be using the service because we didn't delete them. For some applications it's not that bad, but for others it could be an open security risk because those users would still have access to assets of the organization. We have reduced, almost to zero, the occurrences of forgetting a user.
Azure AD has affected the end-user experience in a positive way because, as I mentioned, they do not need to learn different usernames and different passwords. In addition, when users request access to some of the applications, we just need to assign the user to the different groups we have. These groups have been integrated with the different cloud applications and that means they can have almost immediate access to the applications. It makes it easier for us to assign roles and access. From the user perspective that's good because once they request something they have access to the service in less than 15 minutes.
What is most valuable?
Implementation of single sign-on with other vendors is quite easy. It might take a couple of hours and everything is running.
For how long have I used the solution?
We've been using Azure Active Directory for over two years.
What do I think about the stability of the solution?
The availability of Azure AD is good. I don't have any complaints about it. Regarding the stability, we haven't had any issues with it. We haven't experienced any service interruption.
Part of our strategy in the short-term is to move most of our Microsoft environment, when it's feasible, to the cloud, because we have seen that the cloud environment offered by Microsoft is really stable. We have proved that with tools like Azure Active Directory. In almost three years we haven't had a single issue with it.
From time to time it takes a little bit of time to replicate, with some of the applications—something like five to 10 minutes. I know that the design is not supposed to enable real-time replication with some of the applications. But, as an administrator, I would like to run a specific change or modification in Azure Active Directory and see it replicated almost immediately. It really only takes a few minutes. Although it doesn't seem to cause any problems for our organization, I would like to see more efficiency when it comes to the different connectors with cloud services.
What do I think about the scalability of the solution?
We haven't had a situation where we need to scale this solution.
How are customer service and technical support?
We haven't had any major issue with the solution so we haven't called Microsoft technical support for Azure AD so far.
Which solution did I use previously and why did I switch?
We have always used Active Directory as our dedicated services solution. Three years ago we increased the scope of it and synchronized it with Azure Active Directory. Our on-premises Active Directory is our primary solution. Azure Active Directory is an extension of that.
How was the initial setup?
The initial setup was quite straightforward. It didn't take too long just to get our Azure Active Directory environment set up and running. I think it took less than a day. It was really fast.
We already had Active Directory on-premises, so what we created was the instance of Azure Active Directory. All the different groups, users, and services were already set up. We then replicated with what we currently have in the Azure Active Directory instance. It was not really difficult.
Our company is quite small and that is reflected in our IT department. Azure Active Directory is handled by our infrastructure coordination team, which has only two members. One is the senior engineer who performs all the major changes and the main configurations. We also have a junior engineer who runs all the operations in the company. From time to time, one person from our help desk, usually me, does some small operations when we don't have the infrastructure team available.
What about the implementation team?
We use a reseller to buy the product and they also provide some consulting services. Our relationship with Microsoft is not a direct relationship.
Our reseller is SoftwareONE. They're a global company and our experience with them has been good. We have been with them since 2010 or 2011. We have two or three different services from them related to Microsoft and other brands. They are not exclusively reselling Microsoft licenses.
What was our ROI?
From a very subjective point of view, as I haven't drawn any kind of numbers to calculate the return on investment, what I can see so far is that the investment is running smoothly and it's easier for us to run our environment with it.
What's my experience with pricing, setup cost, and licensing?
If you have all your infrastructure built using Microsoft tools, it is straightforward to go with Azure Active Directory. Under these circumstances, I don't see any reason to find another solution.
We have an E3 contract, and I believe Azure AD is included in it.
Which other solutions did I evaluate?
We didn't evaluate other vendors because our entire environment is based on Microsoft solutions.
What other advice do I have?
As with any implementation, design is key. That would be applicable to Active Directory as well, but when it comes to Azure AD, do not start the installation unless you have an accepted design for it. You shouldn't just start creating objects on it. You need to have a clear strategy behind what you're going to do. That will save you a lot of headaches. If you start without any kind of design, at the end of the road, you can end up saying, "Okay, I think it would have been better to create this organizational unit," or, "We should have enabled this feature." It's probably not very straightforward to implement the changes. So have a team design the Azure Active Directory structure for you. You need to have the map before starting the implementation.