Entra ID and Domain Services

Natasha Ong

Heads up:

Microsoft Entra ID used to be called Azure AD until 2023!
Same with Microsoft Entra Domain Services - it used to be called Azure AD Domain Services.
So if you ever come across older Azure resources, they might say "Azure AD"/"Azure AD Domain Services" instead of their new names.

Imagine being able to use the same account to access all of the apps and tools you use at work - not just the ones hosted by Microsoft, like Azure and Microsoft 365, but even other cloud apps and service providers (think Google, Salesforce and AWS and more).

Microsoft Entra ID is an identity and access management solution that consolidates all identity services (i.e. every app that makes you create an account) into a single place. It's also called a directory service, meaning it stores information about all the users, devices and resources in a company network.

This makes Microsoft Entra ID crucial for tasks like authentication (users proving they are who they say they are) and authorisation (IT administrators deciding what users are allowed to access with their company account).

Why do people use Entra ID?

1. It's a challenge to remember different logins for different apps and services. With Microsoft Entra ID, you only need one account to access all your work-related tools. Entra ID also collates all of those services into a central dashboard, so you can see all of your business apps in one place instead of having to manage bookmarks and favourites in your browser.

  • Here's an example Entra ID dashboard that pulls together a user's developer, marketing and HR apps into one place.

2. Access management: Microsoft Entra ID is a one-stop-shop for companies to handle account creation, permission settings, identity changes, password resets, and more. As employees change jobs or leave a company, it's a relief if their access is tied to just one single identity. This takes away the effort of changing or disabling different accounts.

3. Better security: It's so common for people to use the same password across all their accounts (no judgement, we all do it). But here's the truth: it's not the safest move. If any one of your account credentials gets compromised, attackers can use it to access other services. This is a big headache for companies too, because all of their employees' accounts are potential entry points for attackers to access internal data. Microsoft Entra ID gives you additional layers of security like two-factor authentication to make it much harder for attackers to access your account. It can also assess risk in real time, blocking anyone it thinks is trying to sign in with stolen credentials.

What does Microsoft Entra ID do?

Microsoft Entra ID lets access administrators (i.e. the people responsible for everyone's access to company resources) set up:

  • Authentication: Make employees prove they are who they say they are. You can set up different authentication methods like passwords, text messages and authentication apps. Additional features include self-service password reset (i.e. "forgot your password?" buttons on a login page), multifactor authentication and a custom list of banned passwords.
  • Single sign-on (SSO): Connect external apps to Entra ID, so employees only need their company account to access multiple applications. SSO is a really popular trend even outside of Entra ID. For example, if you have a Google account, you only need to log in once (e.g. to Gmail) to access Google's full suite of apps (e.g. YouTube, Calendar, Docs). Imagine if you had to create different usernames and passwords for each one!
  • Conditional access: Create login rules based on a user's location and other factors. We'll dive deep into this in the next topic!
  • External access: Extend access to people outside your organisation. We'll also dive deep into this in the next topic!

Connecting an on-premises environment with Entra ID

In a traditional on-premises environment, companies use an older system called Active Directory to manage their employees' accounts and access to services running on their physical servers.

So if a company has both an on-premises environment and a cloud environment, their users are going to have two sets of logins - one for Active Directory, and the other for Entra ID.

But you can connect the two by using Microsoft Entra Connect! Entra Connect synchronises user identities from Active Directory into Entra ID, so users who have an Active Directory account can use that same set of credentials to access Entra ID. The synchronisation doesn't go the other way, meaning users with an Entra ID account don't automatically get access to Active Directory.
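A small model of the one-way sync described above, added here as an illustration and not Microsoft's or Entra Connect's own code: on-premises AD is the authority, each synced cloud user carries an immutable anchor derived from the AD objectGUID (a simplification of Entra Connect's sourceAnchor), disabling the AD account disables the cloud account on the next sync cycle, and cloud-only users are never written back. All user data is constructed sample data.

```python
import base64
import uuid


def sample_ad() -> list[dict]:
    """Constructed on-prem AD users (not real directory data)."""
    return [
        {"objectGUID": uuid.UUID("11111111-2222-3333-4444-555555555555"),
         "userPrincipalName": "asmith@contoso.example", "enabled": True},
        {"objectGUID": uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"),
         "userPrincipalName": "bjones@contoso.example", "enabled": True},
    ]


def source_anchor(guid: uuid.UUID) -> str:
    """Immutable link between the cloud object and its AD object: base64 of the GUID bytes
    (assumed simplification of the objectGUID-based sourceAnchor)."""
    return base64.b64encode(guid.bytes_le).decode("ascii")


def sync_to_cloud(on_prem: list[dict], cloud: dict[str, dict]) -> dict[str, dict]:
    """One-way sync: AD -> cloud. Existing cloud-only users are left untouched and
    nothing is written back to AD. Cloud directory is keyed by UPN."""
    for user in on_prem:
        cloud[user["userPrincipalName"]] = {
            "onPremisesImmutableId": source_anchor(user["objectGUID"]),
            "onPremisesSyncEnabled": True,
            "accountEnabled": user["enabled"],  # disabled in AD => disabled in cloud
        }
    return cloud


def can_sign_in(cloud: dict[str, dict], upn: str) -> bool:
    user = cloud.get(upn)
    return bool(user and user["accountEnabled"])


def demo() -> dict:
    ad = sample_ad()
    cloud = {"guest@contoso.example": {"onPremisesSyncEnabled": False, "accountEnabled": True}}
    sync_to_cloud(ad, cloud)
    before = can_sign_in(cloud, "asmith@contoso.example")
    ad[0]["enabled"] = False          # leaver: HR disables the AD account only
    sync_to_cloud(ad, cloud)          # next sync cycle propagates the change
    return {
        "before": before,
        "after": can_sign_in(cloud, "asmith@contoso.example"),
        "cloud_only_untouched": cloud["guest@contoso.example"]["onPremisesSyncEnabled"] is False,
        "ad_unchanged": len(ad) == 2 and "guest@contoso.example" not in {u["userPrincipalName"] for u in ad},
        "anchor": cloud["bjones@contoso.example"]["onPremisesImmutableId"],
    }
```

The point for administrators is that account lifecycle is driven from one place: the AD change is enough, and the cloud side follows on the next cycle.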

There's also an extension of Microsoft Entra ID that we're going to learn about... introducing Microsoft Entra Domain Services (what a mouthful)!

Microsoft Entra Domain Services

Applications living in an on-premises environment often rely on legacy (i.e. outdated) authentication methods. This means that when companies decide to lift and shift their applications onto the cloud, these applications would need to be made compatible with Entra ID's modern authentication methods like SSO and multifactor authentication. Updating old application code to work with modern technology can be really challenging and costly - and this is where Microsoft Entra Domain Services comes in.

What is Microsoft Entra Domain Services?

Microsoft Entra Domain Services is an extension of Entra ID, designed to bring legacy authentication methods into the cloud.

It does this by creating a managed domain in the cloud.

  • A domain is a group of computers, users and devices that share a common set of security policies.
  • An email address like "name@gmail.com" is a domain in action! Here, "name@gmail.com" is a user account within the gmail.com domain. Gmail's security policies would include requiring strong passwords, enabling two-factor authentication, and blocking potentially harmful emails from being sent.
  • What's the tool that's enforcing these security policies? If you're thinking Entra ID - you're on the right track! Entra ID and Active Directory are how we set up and configure authentication and permission settings.
  • But let's dig a layer deeper. In an on-premises domain using Active Directory, the physical server that processes authentication and authorisation tasks is called the domain controller. So when users try to log in, it is the domain controller that actually verifies their information and gives them the access to the right resources based on their permission settings. Domain controllers are traditional tools, so they use legacy authentication methods that your on-premises applications are designed to work with.

So when Entra Domain Services creates a Windows domain in the cloud, it's bringing in a traditional domain controller and its legacy authentication methods too. Now you have a cloud domain controller to authenticate and authorise users wanting to access the apps that you've just migrated onto the cloud.

These virtual domains are entirely hosted and managed in Azure, so you won't need to manage, configure or update the domain controllers yourself. Easy peasy!