As part of our series looking at the many different aspects of Azure, this article will look at Azure Active Directory and a related application called Cloud App Discovery, which allows you to detect the apps your organization is running in Azure.

Many sysadmin/IT pro job skills are under threat from the shift to the cloud. But if there’s one area where IT chops and expertise are sorely needed in this cloudy new world, it’s identity management. For most businesses, the mere idea of moving Active Directory to the cloud and handing over the keys to the kingdom to a service provider is heresy. It’s not hard to envisage many businesses moving most of their servers/services to the cloud but still maintaining their AD infrastructure on premises.

Nevertheless, the rise of thousands of business cloud services, all requiring authentication in some form, has led to a new type of service: IDaaS (Identity as a Service). And, not coincidentally, Microsoft offers this service as part of Azure Active Directory (Azure AD).

Azure Active Directory flavors

There are three versions of Azure AD: Free, Basic, and Premium. The free version comes with every Azure or Office 365 subscription. It lets you manage user and group accounts, register devices, and synchronize from on-premises Active Directory. It provides an end user access panel with up to 10 SaaS apps per user (more details below). It has a limit of 500,000 objects (with a default quota of 150,000 objects).

Basic removes the size limitation, lets you customize the logon and access panel, offers group-based (rather than individual user account) access management, and provides self-service user password reset and remote access/single sign-on (SSO) for on-premises web applications with a 99.9% service-level agreement (SLA). Basic is only offered as part of an Enterprise Agreement; you can’t sign in to Office 365 or Azure and buy it.

Premium adds write-back to your on-premises AD for password changes through the self-service password portal, self-service group management for users, Multi-Factor Authentication (cloud and on-premises apps), advanced reports, and Microsoft Forefront Identity Manager (FIM) licenses for $6 per user per month. (Don’t forget to check out Sander’s excellent series on setting up Azure Active Directory for multi-factor authentication.)

For a detailed breakdown of what’s included in each flavor, see here.

Few businesses will purchase Premium separately. It’s a much better deal to look at the Enterprise Mobility Suite (EMS) at $7.60 per user per month. This includes Azure AD Premium, Intune (for mobile device management), and Azure Rights Management Services (for data “in flight” protection).

At Ignite 2015 in the US, Microsoft added previews of Advanced Threat Analytics (ATA) to EMS, along with conditional on-premises Exchange access, Azure RMS Document Tracking, and Privileged Identity Management (PIM).

That last service is of particular interest to enterprises that are concerned about the permanent nature of the administrative access held by members of the Azure AD roles Global Administrator, Billing Administrator, Service Administrator, User Administrator, and Password Administrator.

PIM monitors membership in these roles for tracking and auditing and also lets you automatically limit how long a user holds administrative access. A new security administrator role manages access for all the other roles.

In future versions, better workflow—including requesting MFA for privilege escalation, API access, and management of other roles (Office 365, Intune as third-party SaaS apps)—is coming.

All flavors of Azure AD allow you to set up directory synchronization (through Dirsync [deprecated], Azure AD Sync [current], or Azure AD Connect [currently in preview]) where parts or all of your on-premises AD accounts and groups are synchronized to Azure AD. Optionally, you can also synchronize passwords (technically the hash of the hash of the password) for easier “same sign-on.”

Cloud App Discovery

A big shift is happening in many businesses around the world. IT was once the domain of a tightly controlled infrastructure, had strict processes and policies, and was ruled by an all-powerful IT department that owned and controlled all IT equipment. But a younger, much tech-savvier generation, along with BYOD and public cloud services, is crumbling this model.

Add to this the fact that larger proportions of IT budgets are shifting to marketing department heads instead of the CIO, and you have a situation where a slow-moving IT department loses touch with what’s actually going on with its networks. Several (non-scientific) studies have shown examples where the IT department thinks 30 SaaS apps are in use in the business, whereas the true figure is more than 300; this unsanctioned IT use is commonly called shadow IT.

Microsoft’s answer to this situation is Cloud App Discovery (part of Azure AD Premium), which combines a small agent that you need to install on all endpoints with a cloud service that collates the data.

Configuring Cloud App Discovery


The agent can be deployed to Windows 7, 8, and 8.1 clients using Group Policy–based software distribution or Configuration Manager or any other method for distributing a simple executable. The agent also needs access to a certificate that can be placed in a shared folder that all clients can access.

Note that the agent only captures data flowing over HTTP or HTTPS; if a cloud app uses proprietary protocols to communicate, it won’t be discovered. Today, 2,110 different apps across 26 categories are identified.

As the data flows into Azure, you can look at the number of users, data volumes, web requests, and usage per SaaS app. The coolest thing is that Cloud App Discovery will tell you if the discovered SaaS applications are managed through Azure AD. If they’re not, you can click a single button to take you to the console to set it up as a managed service.
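To make the report columns concrete, here is an added example (not Microsoft's code and not part of the original article) that builds the same per-app view from endpoint traffic records. The catalog, the managed-app set, and the traffic records are constructed sample data.

```python
from collections import defaultdict

# Constructed catalog: registered domain -> app name (stand-in for the service's app catalog).
APP_CATALOG = {"salesforce.com": "Salesforce", "dropbox.com": "Dropbox", "box.com": "Box"}
# Constructed: apps already set up as managed services in the directory.
MANAGED_APPS = {"Salesforce"}

# Constructed sample traffic: (user, protocol, host, bytes transferred).
SAMPLE_TRAFFIC = [
    ("jane", "https", "na1.salesforce.com", 12_000),
    ("jane", "https", "www.dropbox.com", 850_000),
    ("raj", "https", "www.dropbox.com", 2_400_000),
    ("raj", "http", "app.box.com", 5_000),
    ("raj", "sftp", "files.example.net", 9_000_000),  # not HTTP(S): never seen
    ("lee", "https", "intranet.example.net", 3_000),  # not in catalog: unidentified
]

def match_app(host):
    """Match on a label boundary so www.dropbox.com is not mistaken for box.com."""
    host = host.lower().rstrip(".")
    for domain, app in APP_CATALOG.items():
        if host == domain or host.endswith("." + domain):
            return app
    return None

def discovery_report(records):
    """Return (rows, skipped): per-app usage rows and the count of non-HTTP(S) records."""
    stats = defaultdict(lambda: {"users": set(), "requests": 0, "bytes": 0})
    skipped = 0
    for user, proto, host, size in records:
        if proto not in ("http", "https"):
            skipped += 1  # the blind spot noted above: other protocols are not discovered
            continue
        app = match_app(host)
        if app is None:
            continue
        entry = stats[app]
        entry["users"].add(user)
        entry["requests"] += 1
        entry["bytes"] += size
    rows = [{"app": app, "users": len(s["users"]), "requests": s["requests"],
             "bytes": s["bytes"], "managed": app in MANAGED_APPS}
            for app, s in stats.items()]
    # Unmanaged apps first, largest data volume first: the ones to review.
    rows.sort(key=lambda r: (r["managed"], -r["bytes"]))
    return rows, skipped

if __name__ == "__main__":
    for row in discovery_report(SAMPLE_TRAFFIC)[0]:
        print(row)
```
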

Cloud App Discovery Report


Be aware that you can only create Azure AD directories in the current Azure management console. However, after you’ve created a directory and updated it to a Premium trial, you’ll need to sign in to the new portal and follow these steps to activate Cloud App Discovery.

SaaS application control

Once you’ve discovered what third-party SaaS apps are actually in use in your business, the next step is to manage them efficiently. This is where Azure AD really shines with the ability to provision a user account in a third-party service automatically.

You simply put the new hire “Jane” in the “Salesforce SaaS” group in AD on premises. This new account is synchronized to Azure AD, and a corresponding account is provisioned in Salesforce’s service. Jane doesn’t need to know the password; she’s signed in to the service through SSO (when she accesses it through the Access panel).

Most importantly, when you disable her account because she’s left the company, not only does she lose access to all on-premises resources but her account is also de-provisioned in all third-party SaaS services.
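The lifecycle described above can be checked independently of the provisioning service. The following added example (not from the original article, and not how Azure AD implements provisioning) reconciles a directory snapshot against the accounts that exist in each SaaS app; the group mapping, users, and account lists are constructed sample data.

```python
# Constructed mapping: directory group -> SaaS app that membership grants.
GROUP_TO_APP = {"Salesforce SaaS": "Salesforce", "Box Users": "Box"}

# Constructed directory snapshot.
DIRECTORY = {
    "jane": {"enabled": False, "groups": {"Salesforce SaaS", "Box Users"}},  # has left
    "raj": {"enabled": True, "groups": {"Salesforce SaaS"}},
    "lee": {"enabled": True, "groups": {"Box Users"}},
}

# Constructed list of accounts that currently exist in each SaaS app.
SAAS_ACCOUNTS = {"Salesforce": {"jane", "raj"}, "Box": {"jane", "oldvendor"}}

def desired_accounts(directory, group_to_app):
    """Accounts that should exist: enabled users in a group mapped to an app."""
    desired = {app: set() for app in group_to_app.values()}
    for user, attrs in directory.items():
        if not attrs["enabled"]:
            continue  # a disabled account is entitled to nothing, whatever its groups
        for group in attrs["groups"]:
            app = group_to_app.get(group)
            if app:
                desired[app].add(user)
    return desired

def reconcile(directory, group_to_app, saas_accounts):
    """Per app: accounts to create, accounts to remove, and accounts with no directory user."""
    desired = desired_accounts(directory, group_to_app)
    plan = {}
    for app in sorted(set(desired) | set(saas_accounts)):
        want = desired.get(app, set())
        have = saas_accounts.get(app, set())
        plan[app] = {
            "provision": sorted(want - have),
            "deprovision": sorted(have - want),
            "unknown": sorted(u for u in have if u not in directory),
        }
    return plan

if __name__ == "__main__":
    for app, actions in reconcile(DIRECTORY, GROUP_TO_APP, SAAS_ACCOUNTS).items():
        print(app, actions)
```

The "unknown" list is the one to watch in an audit: accounts created directly in the SaaS app never appear in the directory, so disabling a directory user cannot remove them.
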

Adding a SaaS application


This magic is all due to federation, which is set up between Azure AD and the 2,477 supported SaaS services.

Single sign-on to a third-party SaaS service can be configured in three different ways: through Azure AD SSO, password-based SSO (where the username and password for each user are stored in Azure AD), or existing SSO (if you’re using AD Federation Services or the service itself provides a SSO mechanism).

Password-based SSO, with credentials that the administrator manages, is an excellent way of managing corporate Twitter and other social media accounts that are often shared between multiple people—particularly to be able to quickly disable access if someone leaves the company. (Former employees won’t be able to access the service because they don’t actually know the password to it.)


Managing identity across Android, iOS, and Windows devices and controlling business data access and where it’s stored in different SaaS repositories are crucial skills for IT pros. I also recommend running Cloud App Discovery (even though it only supports Windows devices) in your network; you’ll probably be surprised by what you find. Azure AD (especially Premium) has a comprehensive toolset to help with all aspects of this and will be a required skill in the future.



© 4sysops 2006 - 2023

