In our previous post, "What is EMS (Enterprise Mobility Suite) and should you get it?", we discussed EMS and briefly touched upon Azure Active Directory Premium, which is part of EMS. In this post we will dig a little deeper into the different parts of Azure AD.
Let’s start with an overview of the different Azure Active Directory editions that are available.
Note that the Free version is the one you automatically get when you sign up for Office 365 or another Microsoft Online service and Premium is part of EMS.
The following Azure Active Directory Premium features are also currently in public preview and will be added soon:
- Password reset with write-back to on-premises directories
- Azure AD Sync bi-directional synchronization
- Azure AD Application Proxy
The most important feature here, in our opinion, is self-service management. Combined with Azure AD Sync bi-directional synchronization, it's exactly what many of our customers have been asking for.
Let me point out an example: in Exchange 2010 on-premises, users might have managed their own groups via Outlook. With DirSync that’s not possible anymore, since the on-premises AD is the master source and Exchange Online is just a “reader”.
With this new functionality combined with the new Office 365 Groups, enterprises are finally getting a great tool for end-user self-service with synchronization back to the on-premises AD. This means that a user can create a group and add members to it via the Office 365 portal, and the group will then sync back down to your local AD so that you can use it on-premises.
Remember that you can always contact us if you have any questions regarding Azure, Office 365 or Enterprise Mobility Suite on phone: +468239600 or email: cs@altitude365.com
Comparing Free, Basic, and Premium editions
The following table describes common admin benefits and how the different editions of Azure Active Directory help simplify them:

| Admin Benefits | Features | Free edition | Basic edition | Premium edition |
| --- | --- | --- | --- | --- |
| Manage your cloud directory and how your accounts are synchronized | Directory as a service | Yes, up to 500K objects [1] | Yes, no object limit | Yes, no object limit |
| | Directory synchronization tool – For syncing between on-premises Active Directory and Azure AD | Yes | Yes | Yes |
| | Forefront Identity Manager (FIM) server licenses – For syncing between on-premises databases and/or directories and Azure AD | | | Yes |
| | High availability SLA uptime (99.9%) | | Yes | Yes |
| Centrally administer accounts and control access to your applications | User and group management using UI or Windows PowerShell cmdlets | Yes | Yes | Yes |
| | User-based application access management and provisioning | Yes | Yes | Yes |
| | Access Panel portal for SSO-based user access to SaaS and custom applications | Yes, up to 10 apps per user [2] | Yes, up to 10 apps per user [2] | Yes, no app limit |
| | Group-based application access management and provisioning | | Yes | Yes |
| | Customization of company logo and colors to the Sign In and Access Panel pages | | Yes | Yes |
| Empower your users & reduce support costs | Self-service password change for cloud users | Yes | Yes | Yes |
| | Self-service group management for cloud users | | | Yes |
| | Self-service password reset for cloud users | | Yes | Yes |
| Monitor security and enforce additional verification methods to mitigate risks | Standard security reports | Yes | Yes | Yes |
| | Advanced anomaly security reports (machine learning-based) | | | Yes |
| | Advanced application usage reporting | | | Yes |
| | Multi-Factor Authentication service for cloud users | | | Yes |
| | Multi-Factor Authentication server for on-premises users | | | Yes |

[1] The 500 000 object limit does not apply to Office 365 or any other Microsoft online service that relies on Azure AD for directory services.
[2] With Azure AD Free and Azure AD Basic, end users who have been assigned access can see up to 10 apps in their Access Panel and get SSO access to 10 apps even though an admin can configure more.
Note that the Free version of Azure Active Directory does NOT include an SLA, so if you have signed up for an Office 365 tenant that has a 99.9% SLA, that SLA will not cover the Azure AD part.
The following reports are used for monitoring tenant-wide user sign ins to Azure AD.
Now let’s dig into the reports, with an explanation of what they do and which ones you get with the Free versus Premium versions.
The following reports are available in our tenant as of today.
| Report | Description | Report Location | Available for free | Available with Premium |
| --- | --- | --- | --- | --- |
| **Category: Anomaly Reports** | | | | |
| Sign ins from unknown sources | This report indicates users who have successfully signed in to your tenant while assigned a client IP address that has been recognized by Microsoft as an anonymous proxy IP address. These proxies are often used by users that want to hide their computer’s IP address, and may be used for malicious intent – sometimes hackers use these proxies. Results from this report will show the number of times a user successfully signed in to your tenant from that address and the proxy’s IP address. | Found under the Directory > Reports tab | Yes | Yes |
| Sign ins after multiple failures | This report indicates users who have successfully signed in after multiple consecutive failed sign in attempts. Possible causes include:<br>Results from this report will show you the number of consecutive failed sign in attempts made prior to the successful sign in and a timestamp associated with the first successful sign in.<br>Report Settings: You can configure the minimum number of consecutive failed sign in attempts that must occur before it can be displayed in the report. When you make changes to this setting it is important to note that these changes will not be applied to any existing failed sign ins that currently show up in your existing report. However, they will be applied to all future sign ins. Changes to this report can only be made by licensed admins. | Found under the Directory > Reports tab | Yes | Yes |
| Sign ins from multiple geographies | This report includes successful sign in activities from a user where two sign ins appeared to originate from different countries and the time between the sign ins makes it impossible for the user to have travelled between those countries. Possible causes include:<br>Results from this report will show you the successful sign in events, together with the time between the sign ins, the countries where the sign ins appeared to originate from and the estimated travel time between those countries. | Found under the Directory > Reports tab | Yes | Yes |
| Sign ins from IP addresses with suspicious activity | This report includes sign in attempts that have been executed from IP addresses where suspicious activity has been noted. Suspicious activity includes many failed sign in attempts from the same IP address over a short period of time, and other activity that was deemed suspicious. This may indicate that a hacker has been trying to sign in from this IP address. Results from this report will show you sign in attempts that were originated from an IP address where suspicious activity was noted, together with the timestamp associated with the sign in. | Found under the Directory > Reports tab | | Yes |
| Irregular sign in activity | This report includes sign ins that have been identified as “irregular” by our machine learning algorithms. Reasons for marking a sign in attempt as irregular include unexpected sign in locations, time of day and locations or a combination of these. This may indicate that a hacker has been trying to sign in using this account. The machine learning algorithm classifies events as “irregular” or “suspicious”, where “suspicious” indicates a higher likelihood of a security breach. Results from this report will show you these sign ins, together with the classification, location and a timestamp associated with each sign in. | Found under the Directory > Reports tab | | Yes |
| Sign ins from possibly infected devices | Use this report when you want to see sign ins from devices on which some malware (malicious software) may be running. We correlate IP addresses of sign ins against IP addresses from which an attempt was made to contact a malware server. Recommendation: Since this report assumes an IP address was associated with the same device in both cases, we recommend that you contact the user and scan the user’s device to be certain. For more information about how to address malware infections, see the Malware Protection Center. | Found under the Directory > Reports tab | | Yes |
| Users with anomalous sign in activity | Use this report when you want to view all user accounts for which anomalous sign in activity has been identified. This report includes data from all other anomalous activity reports. Results from this report will show you details about the user, the reason why the sign in event was identified as anomalous, the date and time, and other relevant information about the event. | Found under the Directory > Reports tab | | Yes |
| **Category: Integrated Application Reports** | | | | |
| Application usage: summary | Use this report when you want to see usage for all the SaaS applications in your directory. This report is based on the number of times users have clicked on the application in the Access Panel. | Found under the Directory > Reports tab | | Yes |
| Application usage: detailed | Use this report when you want to see how much a specific SaaS application is being used. This report is based on the number of times users have clicked on the application in the Access Panel. | Found under the Directory > Reports tab | | Yes |
| Application dashboard | This report indicates cumulative sign ins to the application by users in your organization, over a selected time interval. The chart on the dashboard page will help you identify trends for all usage of that application. | Found under the Directory > Application > Dashboard tab | Yes | Yes |
| **Category: Error Reports** | | | | |
| Account provisioning errors | Use this to monitor errors that occur during the synchronization of accounts from SaaS applications to Azure AD. | Found under the Directory > Reports tab | Yes | Yes |
| **Category: User-specific Reports** | | | | |
| Devices | Use this report when you want to see the IP address and geographical location of devices that a specific user has used to access Azure AD. | Found under the Directory > User > Devices tab | | Yes |
| Activity | Use this report when you want to see the sign in activity for a user. The report includes information like the application signed into, device used, IP address, and location. We do not collect the history for users that sign in with a Microsoft account. | Found under the Directory > User > Activity tab | Yes | Yes |
| **Category: Activity logs** | | | | |
| Audit report | Use this report when you want to see a record of all audited events within the last 24 hours, last 7 days, or last 30 days. The report includes events in the following categories: | Found under the Directory > Reports tab | | |

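
To make the "Sign ins after multiple failures" description concrete, here is a small rule that reproduces its stated output (count of consecutive failures before a success, timestamp of that success) with the configurable minimum. It is an added example, not Microsoft's implementation; the event tuple layout, the function name `sign_ins_after_failures` and all sample data are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (user, ISO timestamp, client IP, succeeded).
SAMPLE_EVENTS = [
    ("alice@example.com", "2014-11-10T08:00:00", "203.0.113.7", False),
    ("alice@example.com", "2014-11-10T08:01:00", "203.0.113.7", False),
    ("alice@example.com", "2014-11-10T08:02:00", "203.0.113.9", False),
    ("alice@example.com", "2014-11-10T08:03:00", "203.0.113.9", False),
    ("alice@example.com", "2014-11-10T08:04:00", "203.0.113.9", True),
    ("bob@example.com", "2014-11-10T09:00:00", "198.51.100.4", False),
    ("bob@example.com", "2014-11-10T09:01:00", "198.51.100.4", True),
    ("carol@example.com", "2014-11-10T10:00:00", "192.0.2.15", False),
    ("carol@example.com", "2014-11-10T10:01:00", "192.0.2.15", False),
    ("carol@example.com", "2014-11-10T10:02:00", "192.0.2.15", True),
    ("carol@example.com", "2014-11-10T10:03:00", "192.0.2.15", False),
    ("carol@example.com", "2014-11-10T10:04:00", "192.0.2.15", False),
    ("carol@example.com", "2014-11-10T10:05:00", "192.0.2.15", True),
    # dave never succeeds, so he belongs in a failed-sign-in view, not this one.
    ("dave@example.com", "2014-11-10T11:00:00", "203.0.113.7", False),
    ("dave@example.com", "2014-11-10T11:01:00", "203.0.113.7", False),
    ("dave@example.com", "2014-11-10T11:02:00", "203.0.113.7", False),
]


def sign_ins_after_failures(events, min_failures=3):
    """Report successes preceded by >= min_failures consecutive failures."""
    streak = defaultdict(list)  # user -> client IPs of the current failure run
    findings = []
    for user, ts, ip, ok in sorted(events, key=lambda e: datetime.fromisoformat(e[1])):
        if not ok:
            streak[user].append(ip)
            continue
        failed = streak.pop(user, [])  # a success always ends the run
        if len(failed) >= min_failures:
            findings.append({
                "user": user,
                "failed_attempts": len(failed),
                "first_success": ts,
                "failure_ips": sorted(set(failed)),
                "success_ip": ip,
            })
    return findings


if __name__ == "__main__":
    for row in sign_ins_after_failures(SAMPLE_EVENTS):
        print(row)
```

Lowering `min_failures` to 2 also surfaces carol twice, which shows how much the report volume depends on that one setting.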
If we now take a look at one of the premium reports, the irregular sign in activity report, we will find that Christoffer's account might have done something suspicious.
If you click on the Download button you will download a CSV file with the following information:
| display name | user name | reason | date and time (UTC) | ip address | location | event classification | device |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Christoffer Back | Christoffer.Back@altitude365.com | Signed in from an atypical location distant from the previous location within a short time | 11/10/2014 16:27 | 46.31.125.30 | Stockholm, Stockholms Lan, SE | Suspicious | Windows 8.1;IE 11.0 |
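
The reason string in this row and the "Sign ins from multiple geographies" report both come down to comparing the distance between two consecutive sign-ins with the time between them. The following is an added, rule-based sketch of that check, not Microsoft's algorithm: the 900 km/h speed ceiling, the record layout, the function names and the sample sign-ins (with approximate city coordinates) are all assumptions made for illustration.

```python
import math
from datetime import datetime

MAX_SPEED_KMH = 900.0  # assumption: roughly airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(sign_ins, max_speed_kmh=MAX_SPEED_KMH):
    """Flag consecutive sign-ins per user from different countries that are
    closer together in time than the estimated travel time between them."""
    last, findings = {}, []
    for s in sorted(sign_ins, key=lambda s: s["time"]):
        prev, last[s["user"]] = last.get(s["user"]), s
        if prev is None or prev["country"] == s["country"]:
            continue  # the report only considers different countries
        km = haversine_km(prev["lat"], prev["lon"], s["lat"], s["lon"])
        gap_h = (s["time"] - prev["time"]).total_seconds() / 3600
        travel_h = km / max_speed_kmh
        if gap_h < travel_h:
            findings.append({"user": s["user"], "from": prev["country"], "to": s["country"],
                             "distance_km": round(km), "gap_h": round(gap_h, 2),
                             "estimated_travel_h": round(travel_h, 2)})
    return findings


def _s(user, time, country, lat, lon):
    return {"user": user, "time": datetime.fromisoformat(time),
            "country": country, "lat": lat, "lon": lon}


# Constructed sample sign-ins, deliberately out of order.
SAMPLE_SIGN_INS = [
    _s("alice@example.com", "2014-11-10T18:00:00", "US", 40.71, -74.01),  # New York
    _s("alice@example.com", "2014-11-10T16:00:00", "SE", 59.33, 18.07),   # Stockholm
    _s("bob@example.com", "2014-11-10T09:00:00", "SE", 59.33, 18.07),     # Stockholm
    _s("bob@example.com", "2014-11-10T12:00:00", "DK", 55.68, 12.57),     # Copenhagen
    _s("erin@example.com", "2014-11-10T09:00:00", "SE", 59.33, 18.07),    # Stockholm
    _s("erin@example.com", "2014-11-10T09:05:00", "SE", 57.71, 11.97),    # Gothenburg
]

if __name__ == "__main__":
    for row in impossible_travel(SAMPLE_SIGN_INS):
        print(row)
```

A shared VPN or proxy egress point produces the same pattern as a stolen credential, so a hit is a prompt to check with the user before acting on the account.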
I hope you now have a better understanding of what Azure AD Premium is.
Please feel free to contact us if you have any questions regarding Azure, Office 365 or Enterprise Mobility Suite, by phone: +468239600 or email: cs@altitude365.com