What is our primary use case?
The primary use case is actually an interesting one because the customer we're deploying for doesn't have Active Directory on-premise, and they need to use some applications that are on-prem, so in order to get authentication to work with those applications we had to come up with a workaround. It was challenging to come up with that workaround and solution, but it worked quite well.
Azure AD provides great flexibility even when nothing on-prem can provide user authentication. For cases like this, Microsoft and Citrix worked together to develop a solution that works not only with Azure AD but with other directory tools to provide authentication via SAML or OAuth.
How has it helped my organization?
When logging on to Azure AD it's pretty quick. This is because it is managed by Microsoft and there isn't too much administrative overhead for our System Administrators in setting up a bunch of complicated policies to allow the users to log on. Basically we lock down the machine with policies, but the user authentication is much faster and simpler. This is something that the users have noticed.
What is most valuable?
Apart from MFA and the SSO capabilities, I would say one of the amazing things is that you don't have a limit on the objects that you can create in Active Directory in Azure. Azure AD Premium doesn't have a limit in terms of User/Computer objects you can create, meaning that you can have a massive AD domain and it won't matter because Azure AD can handle that. You can have 100,000 users in your domain and keep growing if you want to. Azure AD can grow as required and since it is PaaS you don't need to worry about provisioning more hardware to keep performance up.
What needs improvement?
The natural evolution of things. Obviously Azure Active Directory has a way to authenticate against on-prem: normally you would need to have a Domain Controller on-premise and have either SSO or Federation Services to be able to engage those two components and allow authentication. But this customer has everything on the cloud; they didn't want anything on-prem except their network devices, some security devices and the limited applications. Apart from that, they don't have anything to authenticate users on-prem. With everything in the cloud, Azure AD is not able to provide Kerberos authentication if you're running only Azure AD, and that is a limitation. I think it's the next evolution of things. That's what the future is going to look like. There will barely be a need for any stuff on-prem. Everything will be on the cloud.
For how long have I used the solution?
What do I think about the stability of the solution?
We find it stable. It definitely has fewer issues than when you have Active Directory on-prem. In terms of your connection from Azure Active Directory to your on-prem network, if you're using, say, ExpressRoute or a point-to-point VPN, you don't notice any authentication problems or the computer losing the relationship with the domain, stuff like that. It's something that I haven't seen since I started working with Azure AD, so in terms of stability, being reliable and not causing too many errors when you're working with it, it's something that I notice if I compare Active Directory on-premise with Azure AD.
What do I think about the scalability of the solution?
We have a medium organization of about 4,000 users. There have been no issues with scalability. We're located here in Asia-Pacific and we're using one of the data centers in Sydney, and in terms of scaling up the solution, the initial deployment and the initial design that we did has been enough. We also foresee what the growth expectation is in terms of users in three or four years, especially for one customer in particular. We don't predict too much growth in terms of users. They're not going to grow from one year to the next by 10,000 or 15,000 users, but the design can cope with that amount of users in terms of Active Directory.
How are customer service and technical support?
Most of the time that I have dealt with tech support, it's very good. They're very knowledgeable. The specialists are spot-on; they definitely understand the problem from the beginning even though they don't know anything about the environment, but when you explain it to them and what the problem is they can give you pointers on what to do, how to fix it and articles to read on how to fix it, so they're very good. I would give it five out of five stars. However, I've seen times when we had to wait a long time to get answers if the call is not a high priority one, but most of the time when you're having an urgent incident they understand the criticality of the issue and act accordingly.
How was the initial setup?
Configuring the domain and setting it up in the Azure portal is just three clicks, to be honest. You just need to configure your domain name, you need to configure your subscription to Azure, and after that you can just start creating users or the different groups that you want users in, depending on your security criteria or how many users you have. The process of actually setting up the tenancy is not that hard. I would say it's the work that comes after that requires time and some planning, you know. One must determine how many users you will have and how many domain controllers you need overall. I would say it's not very complicated, but it's the planning and fine-tuning that comes afterwards that needs time.
What's my experience with pricing, setup cost, and licensing?
I am not familiar with the pricing of the solution.
What other advice do I have?
I don't know if it's something that's going to be addressed in the future or not, but with Azure AD the boundary of action for Active Directory is a region when you define the domain, so you can't extend the domain to another region. It's a limitation that Azure AD has that doesn't allow you to extend the domain to another region for, say, geolocation purposes or disaster recovery. If you have your Azure AD in the Sydney data center, you're not going to be able to extend that to, say, Singapore. It is not highly unlikely, but it's a very rare occasion that you lose a region or a whole data center. It can happen, obviously, but it's very unusual. So the chances of that happening are very low. When we did the design for this customer that was one of the limitations that we mentioned, and they were happy with it because, you know, Microsoft is a respectable company and obviously they would do their best to keep their data centers running all the time, and to keep the cloud infrastructure for their customers online all the time. So they accepted the limitation, or the risk, and we went ahead and did it. But that's definitely something that I notice as a limitation.
In my opinion, you should have a good look at your current infrastructure and make a decision on what is fit for the cloud and what is not, because there are certain applications, or certain systems, that will take a longer time to migrate to the cloud. Normally, this is a good approach and is actually the Microsoft approach, as they recommend going hybrid first. First, you do a very good assessment and then you migrate your on-prem AD to Azure AD, and the systems that support your operation will follow in time, if remediations are required, but it is a journey to work better and more efficiently.
Disclosure: I am a real user, and this review is based on my own experience and opinions.