
An overview of the different Azure Active Directory Editions

In our previous post, What is EMS (Enterprise Mobility Suite) and should you get it?, we discussed the Enterprise Mobility Suite and briefly touched upon Azure Active Directory Premium, which is part of EMS. In this post we will dig a little deeper into the different parts of Azure AD.


Let’s start with an overview of the different Azure Active Directory editions that are available.

Note that the Free version is the one you automatically get when you sign up for Office 365 or another Microsoft Online service and Premium is part of EMS.


Also, the following Azure Active Directory Premium features are currently in public preview and will be added soon:


The most important feature here, in our opinion, is self-service management; combined with the bi-directional synchronization of Azure AD Sync, it is exactly what many of our customers have been asking for.

Let me point out an example. With Exchange 2010 on-premises, users could manage their own groups via Outlook; with DirSync that is no longer possible, since the on-premises AD is the master source and Exchange Online is just a “reader”.

With this new functionality, combined with the new Office 365 Groups, enterprises are finally getting a great tool for end-user self-service with synchronization back to the on-premises AD. This means that a user can create a group and add members to it via the Office 365 portal, and the group will then sync back down to your local AD so that you can use it on-premises.


Remember that you can always contact us if you have any questions regarding Azure, Office 365 or Enterprise Mobility Suite on phone: +468239600 or email: cs@altitude365.com


Comparing Free, Basic, and Premium editions

The following table describes common admin benefits and how the different editions of Azure Active Directory help simplify them.


Manage your cloud directory and how your accounts are synchronized
  • Directory as a service – Free edition: up to 500K objects (1); Basic and Premium editions: no object limit
  • Directory synchronization tool – for syncing between on-premises Active Directory and Azure AD
  • Forefront Identity Manager (FIM) server licenses – for syncing between on-premises databases and/or directories and Azure AD
  • High availability SLA uptime (99.9%)

Centrally administer accounts and control access to your applications
  • User and group management using UI or Windows PowerShell cmdlets
  • User-based application access management and provisioning
  • Access Panel portal for SSO-based user access to SaaS and custom applications – Free and Basic editions: up to 10 apps per user (2); Premium edition: no app limit
  • Group-based application access management and provisioning
  • Customization of company logo and colors to the Sign In and Access Panel pages

Empower your users & reduce support costs
  • Self-service password change for cloud users
  • Self-service group management for cloud users
  • Self-service password reset for cloud users

Monitor security and enforce additional verification methods to mitigate risks
  • Standard security reports
  • Advanced anomaly security reports (machine learning-based)
  • Advanced application usage reporting
  • Multi-Factor Authentication service for cloud users
  • Multi-Factor Authentication server for on-premises users


(1) The 500 000 object limit does not apply for Office 365 or any other Microsoft online service that relies on Azure AD for directory services.

(2) With Azure AD Free and Azure AD Basic, end users who have been assigned access can see up to 10 apps in their Access Panel and get SSO access to 10 apps even though an admin can configure more.


Note that the free version of Azure Active Directory does NOT include an SLA, so if you have signed up for an Office 365 tenant that has a 99.9% SLA, it will not cover the Azure AD part.


The following reports are used for monitoring tenant-wide user sign ins to Azure AD.

Now let’s dig into the reports, with an explanation of what they do and which ones you get with the Free vs. Premium editions.

The following reports are available in our tenant as of today.


Category: Anomaly Reports

Sign ins from unknown sources
This report indicates users who have successfully signed in to your tenant while assigned a client IP address that has been recognized by Microsoft as an anonymous proxy IP address. These proxies are often used by users that want to hide their computer’s IP address, and may be used for malicious intent – sometimes hackers use these proxies.
Results from this report will show the number of times a user successfully signed in to your tenant from that address and the proxy’s IP address.
Found under the Directory > Reports tab

Sign ins after multiple failures
This report indicates users who have successfully signed in after multiple consecutive failed sign in attempts. Possible causes include:
  • User had forgotten their password
  • User is the victim of a successful password guessing brute force attack
Results from this report will show you the number of consecutive failed sign in attempts made prior to the successful sign in and a timestamp associated with the first successful sign in.
Report Settings: You can configure the minimum number of consecutive failed sign in attempts that must occur before it can be displayed in the report. When you make changes to this setting it is important to note that these changes will not be applied to any existing failed sign ins that currently show up in your existing report. However, they will be applied to all future sign ins. Changes to this report can only be made by licensed admins.
Found under the Directory > Reports tab

Sign ins from multiple geographies
This report includes successful sign in activities from a user where two sign ins appeared to originate from different countries and the time between the sign ins makes it impossible for the user to have travelled between those countries. Possible causes include:
  • User is sharing their password
  • User is using a remote desktop to launch a web browser for sign in
  • A hacker has signed in to the account of a user from a different country.
Results from this report will show you the successful sign in events, together with the time between the sign ins, the countries where the sign ins appeared to originate from and the estimated travel time between those countries.
Note: The travel time shown is only an estimate and may be different from the actual travel time between the locations. Also, no events are generated for sign ins between neighboring countries.
Found under the Directory > Reports tab

Sign ins from IP addresses with suspicious activity
This report includes sign in attempts that have been executed from IP addresses where suspicious activity has been noted. Suspicious activity includes many failed sign in attempts from the same IP address over a short period of time, and other activity that was deemed suspicious. This may indicate that a hacker has been trying to sign in from this IP address.
Results from this report will show you sign in attempts that originated from an IP address where suspicious activity was noted, together with the timestamp associated with the sign in.
Found under the Directory > Reports tab

Irregular sign in activity
This report includes sign ins that have been identified as “irregular” by our machine learning algorithms. Reasons for marking a sign in attempt as irregular include unexpected sign in locations, time of day and locations or a combination of these. This may indicate that a hacker has been trying to sign in using this account. The machine learning algorithm classifies events as “irregular” or “suspicious”, where “suspicious” indicates a higher likelihood of a security breach.
Results from this report will show you these sign ins, together with the classification, location and a timestamp associated with each sign in.
Note: We will send an email notification to the global admins if we encounter 10 or more irregular sign in events within a span of 30 days or less. Please be sure to include aad-alerts-noreply@mail.windowsazure.com in your safe senders list.
Found under the Directory > Reports tab

Sign ins from possibly infected devices
Use this report when you want to see sign ins from devices on which some malware (malicious software) may be running. We correlate IP addresses of sign ins against IP addresses from which an attempt was made to contact a malware server.
Recommendation: Since this report assumes an IP address was associated with the same device in both cases, we recommend that you contact the user and scan the user’s device to be certain.
For more information about how to address malware infections, see the Malware Protection Center.
Found under the Directory > Reports tab

Users with anomalous sign in activity
Use this report when you want to view all user accounts for which anomalous sign in activity has been identified. This report includes data from all other anomalous activity reports. Results from this report will show you details about the user, the reason why the sign in event was identified as anomalous, the date and time, and other relevant information about the event.
Found under the Directory > Reports tab

Category: Integrated Application Reports

Application usage: summary
Use this report when you want to see usage for all the SaaS applications in your directory. This report is based on the number of times users have clicked on the application in the Access Panel.
Found under the Directory > Reports tab

Application usage: detailed
Use this report when you want to see how much a specific SaaS application is being used. This report is based on the number of times users have clicked on the application in the Access Panel.
Found under the Directory > Reports tab

Application dashboard
This report indicates cumulative sign ins to the application by users in your organization, over a selected time interval. The chart on the dashboard page will help you identify trends for all usage of that application.
Found under the Directory > Application > Dashboard tab

Category: Error Reports

Account provisioning errors
Use this to monitor errors that occur during the synchronization of accounts from SaaS applications to Azure AD.
Found under the Directory > Reports tab

Category: User-specific Reports

Devices
Use this report when you want to see the IP address and geographical location of devices that a specific user has used to access Azure AD.
Found under the Directory > User > Devices tab

Activity
Use this report when you want to see the sign in activity for a user. The report includes information like the application signed into, device used, IP address, and location. We do not collect the history for users that sign in with a Microsoft account.
Found under the Directory > User > Activity tab

Category: Activity logs

Audit report
Use this report when you want to see a record of all audited events within the last 24 hours, last 7 days, or last 30 days. The report includes events in the following categories:
  • Credential updates
  • Device management
  • Directory synchronization
  • Domain management
  • Group management
  • Partner administration
  • Policy management (MFA)
  • Role changes
  • User account changes
  • User licensing
  • User, group, and contact management
Found under the Directory > Reports tab
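Two of the anomaly checks described above, “Sign ins after multiple failures” with its configurable failure threshold and “Sign ins from multiple geographies”, written out as detection logic over a constructed sample sign-in log. This is an added example, not Azure AD’s own implementation: the travel check is simplified to a maximum plausible speed (the neighbouring-country exclusion is not modelled), and the users, timestamps and coordinates are assumed values.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample events (user, UTC time, success?, country, lat, lon); not real data.
SAMPLE_EVENTS = [
    ("alice", "2014-11-10 08:00", False, "SE", 59.33, 18.07),
    ("alice", "2014-11-10 08:01", False, "SE", 59.33, 18.07),
    ("alice", "2014-11-10 08:02", False, "SE", 59.33, 18.07),
    ("alice", "2014-11-10 08:03", True,  "SE", 59.33, 18.07),
    ("bob",   "2014-11-10 09:00", True,  "SE", 59.33, 18.07),
    ("bob",   "2014-11-10 10:30", True,  "US", 40.71, -74.01),  # 1.5 h later
]

def _parsed(events):  # parse timestamps and order events chronologically
    return sorted(((u, datetime.strptime(t, "%Y-%m-%d %H:%M"), ok, c, la, lo)
                   for u, t, ok, c, la, lo in events), key=lambda e: e[1])

def sign_ins_after_failures(events, min_failures=3):
    """'Sign ins after multiple failures': a success after >= min_failures consecutive failures."""
    hits, streak = [], {}
    for user, ts, ok, *_ in _parsed(events):
        if ok:
            if streak.get(user, 0) >= min_failures:
                hits.append((user, streak[user], ts))
            streak[user] = 0
        else:
            streak[user] = streak.get(user, 0) + 1
    return hits

def km_between(la1, lo1, la2, lo2):
    """Great-circle distance in km (haversine, Earth radius 6371 km)."""
    la1, lo1, la2, lo2 = map(radians, (la1, lo1, la2, lo2))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def impossible_travel(events, max_kmh=900.0):
    """'Sign ins from multiple geographies': successive successes by one user
    from different countries that would require travel faster than max_kmh."""
    hits, last = [], {}
    for user, ts, ok, country, la, lo in _parsed(events):
        if not ok: continue
        prev = last.get(user)
        if prev and prev[1] != country:
            hours = (ts - prev[0]).total_seconds() / 3600
            km = km_between(prev[2], prev[3], la, lo)
            if hours <= 0 or km / hours > max_kmh:  # same-minute sign ins count too
                hits.append((user, prev[1], country, round(km), round(hours, 2)))
        last[user] = (ts, country, la, lo)
    return hits
```

On the sample data alice is reported with three failures before her success, and bob's Stockholm-to-New-York pair (roughly 6300 km in 1.5 hours) is flagged as impossible travel.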


If we now take a look at one of the premium reports, the irregular sign in activity report, we will find that Christoffer’s account might have done something suspicious.


If you click on the Download button you will get a CSV file with the following information:

display name: Christoffer Back
user name: Christoffer.Back@altitude365.com
reason: Signed in from an atypical location distant from the previous location within a short time
date and time (UTC): 11/10/2014 16:27
ip address: 46.31.125.30
location: Stockholm, Stockholms Lan, SE
event classification: Suspicious
device: Windows 8.1;IE 11.0
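A small triage script for that downloaded CSV, added here as an example rather than anything from Microsoft or from the original post: it parses the column layout shown above, lists the users with “Suspicious” events (the classification the report treats as the more likely breach), and applies the 10-events-in-30-days rule from the irregular sign in report description to the export. The second and third rows are constructed, and the dates are assumed to be month/day/year, which is how the sample row is read here.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed export in the layout of the downloaded CSV: the first row is the
# one shown above, the other two are made up. Dates assumed month/day/year.
SAMPLE_CSV = """display name,user name,reason,date and time (UTC),ip address,location,event classification,device
Christoffer Back,Christoffer.Back@altitude365.com,Signed in from an atypical location distant from the previous location within a short time,11/10/2014 16:27,46.31.125.30,"Stockholm, Stockholms Lan, SE",Suspicious,Windows 8.1;IE 11.0
Example User,example.user@example.com,Constructed reason: unusual time of day,11/12/2014 03:14,203.0.113.7,"Example City, XX",Irregular,Windows 7;IE 10.0
Example User,example.user@example.com,Signed in from an atypical location distant from the previous location within a short time,11/13/2014 09:02,198.51.100.4,"Example City, XX",Suspicious,Windows 7;IE 10.0
"""

def load_report(text):
    """Parse the exported CSV; keep every column and add a parsed 'when' timestamp."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["when"] = datetime.strptime(row["date and time (UTC)"], "%m/%d/%Y %H:%M")
    return rows

def suspicious_users(rows):
    """User names with at least one event classified 'Suspicious' (triage these first)."""
    return sorted({r["user name"] for r in rows
                   if r["event classification"] == "Suspicious"})

def max_events_in_window(times, days=30):
    """Largest number of events falling within any span of `days` days."""
    times, best, start = sorted(times), 0, 0
    for end, t in enumerate(times):
        while t - times[start] > timedelta(days=days):
            start += 1
        best = max(best, end - start + 1)
    return best

def would_trigger_admin_email(rows, count=10, days=30):
    """The notification rule quoted above: 10 or more irregular sign in events
    within 30 days or less (both classifications in the export are counted)."""
    return max_events_in_window([r["when"] for r in rows], days) >= count
```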


I hope you now have a better understanding of what Azure AD Premium is.

And please feel free to contact us if you have any questions regarding Azure, Office 365 or Enterprise Mobility Suite on Phone: +468239600 or email: cs@altitude365.com
