Microsoft Entra ID Reviews

The use cases depend on my clients' specifications. If they have the on-premises Active Directory and it is a hybrid environment, then objects are synchronized with the cloud in Azure Active Directory. Services that are on-premises or in the cloud are synchronized with each other, to create a centralized management solution. 

If we're talking about Azure Active Directory only, the cloud-based, centralized management solution, we don't need to use a VPN to access the resources; everything is cloud. We just need to be connected with Azure Active Directory and we can use the resources anywhere in the world and resource security will be intact.

I use both the cloud and on-premises versions.

Everybody is moving from on-premises to Azure Active Directory because it's cost-effective. They don't need to spend a lot of money on the on-premises resources, such as an on-premises server and maintenance. Now, given that Microsoft has started Windows 365, which is a PC in the cloud, you don't need to have a PC. You can work on an Android tablet from anywhere in the world, using cloud technology.

In terms of the user experience, because the solution is in a cloud environment, people are not bound to work in a specific network. In the old-school way, if you worked from home and you had on-premises Active Directory, you needed to use a VPN. VPNs can be highly unstable because they depend on your home network. If your home network is not good, you won't get the same bandwidth as you would get when using the resources inside the office network. With Active Directory in the cloud, you can use your own network to access the resources. It's faster, reliable, and it's cheaper compared to Active Directory on-premises.

• Conditional Access
• Geofencing
• Azure Multi-Factor Authentication

are the major security features to secure resources.

For example, if I don't want users using the company resources outside of India, I will add managed countries within Conditional Access. Only the people from the managed country will be able to access things. If an employee goes out of India and tries to access the resources that have been restricted, they will not be able to open the portal to access the resources.

We have a lot of freedom in using the Group Policy Objects and, although Group Policy Objects are part of Azure Active Directory, there are still a lot of things that can be improved, such as providing local admin rights to a user. There are various, easy ways that I can do that in the on-premises version, but in the cloud version, it is a bit difficult. You have to create a bunch of policies to make it work.

I have been using Azure Active Directory for six years.

Microsoft works with suppliers and vendors. Certain vendors are very good at providing support and certain vendors are not very good at providing support. It depends on the time zone in which we are opening a ticket and which vendor the ticket is going to.

It's pretty straightforward in general, although it depends on what kind of requirements a client has.

If I'm deploying with Microsoft Autopilot, it usually takes at least 40 to 50 minutes to deploy one machine. If I'm deploying 1,000 machines in one go, you can multiply that 40 minutes for each of those 1,000 machines. Everything is configured in the cloud, in Azure Active Directory. You just need to purchase the machine, configure things, and ship the machine to the user. When they turn it on they will be able to work on it. Everything will be installed in the backend. If it's not on Autopilot, it's just in a matter of a few clicks to connect the machine to Azure Active Directory.

The deployment plan also depends on the client. If the client is not providing machines to their employees, they want the machine to be BYOD, we will work on the existing computer. In that case, we just set up the policies and ask the user to connect to Azure Active Directory. But if a client is concerned about complete security, and they want the machine to be used in a certain way, and they are providing the machine, then I prefer that it should be Autopilot. It becomes an enterprise-managed machine, and we have more control over it.

Clients only invest their money when they know that they are getting a really helpful platform. They want to see that I, as a consultant, am confident in the product I'm asking them to use. I have to be very confident that I am providing them a solution that will definitely work for them.

People have a tendency to keep their information in-house, but the cost of keeping information on-premises in SharePoint servers is very expensive. There is a good chance that, if something happens, they will lose the database. There is no backup. And to keep a backup, you have to pay more for a cloud backup solution to keep your data on another server. You are compromising with your data in a two-sided scenario, where one is on-premises and the other is on a data server as a backup. If you go for the cloud version of Active Directory, everything is secure and everything is in the Microsoft data center, which is reliable and secure. They have disaster management and recovery. That's a win-win situation.

My work is generally on device management, which is on Intune, Endpoint Manager, and Cloud App Security. These all work hand-in-hand. Azure Active Directory is just an assembler of management resources, but Intune makes the device secure. The policies create restrictions. These things work together. If you need Active Directory, you will definitely need Intune.

The largest deployment I worked on with one of my clients was about 2,500 computers. As far as managing them goes, it varies, between 200 to 300 computers at one time in one environment. If I'm working on providing a day-to-day solution, it is different because the queries are different. People usually have problems related to smaller queries, like their printer is not connecting, or they are not able to access SharePoint, or they do not have permissions for a given file. But as far as deployment and designing the architecture of Azure Active Directory goes, I work with midsize companies.

To summarize, the big advantages of this platform are the reliability, cost-effectiveness, and security. These are the features that make it one of the best solutions in the IT industry. Azure AD is the future. Everyone is adopting the cloud environment. I, myself, use Azure Active Directory for my own devices and resources. I encourage other people to accept the future. It gives you more security than the on-premises Active Directory. To me, it is the best solution.

We are a system implementer and this is one of the products that we provide to our clients.

We primarily use this product for identity and access management. Any of our customers using Office 365, which includes Exchange Online and SharePoint Online, are using it for authentication. Worldwide, there are a lot of use cases.

The identity check includes whether the username and password are correct, and it also supports multifactor authentication.

This solution is in the cloud and as soon as users log in to the Office 365 portal, or whatever application you assign to them, it will take care of the identity aspect.

The most valuable features are authentication, authorization, and identity access.

Conditional access is a very important feature where a specific user can be restricted such that they cannot connect to the application if they travel outside of the US.

Multifactor authentication is very important.

They have a velocity check, powered by artificial intelligence and machine learning, where if you have been logging in at a location in the US but suddenly you try to log in from a different country, it flags it as an unusual amount of travel in a short time and it will ask you to prove your identity. This is a security feature that assumes it is a phishing attack and is one of the important protections in the product.

The problem with this product is that we have limited control, and can't even see where it is running.  If Microsoft can give us a way to see where this product is running, from a backend perspective, then it would be great.

I would like to see Microsoft continue to add new features gradually, over time, so that we can introduce them to our customers.

We have been using Azure Active Directory for more than six years.

The stability of this product is 100%, and we plan to continue using it.

As this is a cloud-based product, you don't need to worry about scalability. Regardless of the number of users, it handles identity management.

90% of our customers are using it. From what I see, we have up to 50,000 end-users. In reality, we can have up to 400,000.

We can handle most of the issues by ourselves but if not, Microsoft support is available and we just have to create a ticket.

This is the first cloud-based identity management solution that we have used. In an on-premises deployment, we use the traditional Active Directory.

The deployment process involves using the Azure AD Connect tool, which is very important. The only choice that needs to be made beyond this is whether you want to have single sign-on (SSO) enabled or not.

The deployment will require some basic planning. The length of time required will be a maximum of four weeks. Three staff should be sufficient, although this depends on the number of users.

The maintenance of this solution is almost zero. The only time that something needs to be done is in the on-premises portion of a hybrid solution. The cloud aspect is maintained by Microsoft.

As this is a cloud-based solution, less maintenance is required, so the return on investment is better.

The P1 version costs $6 per user per month. If you need the P2 version then it is an extra $3 per month.

There are two different Premium versions of this product available, being P1 and P2. For 99% of our customers, P1 is enough. The P2 version has some advanced features required by a small number of customers.

Overall, my experience with Active Directory has been very good. When we work in the cloud, this product provides us with almost everything.

I would rate this solution a nine out of ten.

The primary use case is as an authentication mechanism or platform for the ISV solution that we offer our customers. When they are authenticating to our application, Azure AD is the solution on the backend the customers are actually using.

I'm a software developer so I write a bunch of integrations between applications and one of them is Azure AD. Our organization itself uses Azure AD for our external solution, which we provide as the authentication mechanism.

The most valuable feature is the authentication platform. Whether that's for users authenticating to applications or for actual applications that we write, authenticating to Microsoft or other applications. We can do app registrations where we're doing client-side or client credential flow authentication from an external app to a hosted Microsoft app or whatever other app within the Microsoft catalog we want to connect to. The focus area has been around being able to integrate and connect to different Microsoft resources using Azure AD to actually provide the authentication piece.

There are a lot of areas where the data from a reporting standpoint is extremely granular. It is great that you're able to get to that data at the same time unless you actually are hands-on with the tool, as it can sometimes be overwhelming to actually be able to decipher what that means. So if you're looking at audit reports or another sort of logging, the amount of information is never the problem within Azure AD, it's trying to distill it down to the information that you want. I think the solution can improve by making the consumption of that data easier for the customers.

I've been working with the solution for five or six years at least. Probably longer. 

The stability is very good. I think it's gone down only a couple of times and when it goes down, there are bigger problems than just us. From my perspective, it is fairly stable.

I think the ease at which you can create new resources and the like from an overarching Azure perspective is phenomenal. I believe Azure AD is scalable. There are some pieces of it that are difficult to use. When assigning layered groups or layered roles to users, trying to figure out the access that a user has can sometimes be a little tricky. But overall I think it follows the Azure model, so it's easy to deploy new pieces as needed.

We have a little over a hundred total users. Azure AD is only accessed by a couple of people within our organization, and they're all based out of our home office in the US. The authentication mechanism is used around the world. We have offices around the US and in Europe that all sign in using Azure AD as the authentication piece. We have 250-ish groups and just over a hundred users.

Previously we used on-prem ADFS. At our organization, we integrate with a whole host of different identity providers; Ping, Okta, and those types, but we've always used a Microsoft product internally for our user setup and access. We switched to Azure AD because our product is also hosted within Azure. As part of that, we actually also switched to a hybrid cloud where we run both on-prem AD and Azure AD online.

There were a couple of hiccups along the way, but the initial setup was fairly straightforward.

The biggest issue for us was getting the sync working from on-prem to the cloud. That was the hardest part. As far as the deployment itself, we went and created an Azure tenant and then created the Azure AD or a portion of it. After that, setting up the sync was really the biggest part.

The implementation was completed in-house, and we integrate it from our product perspective.

Azure AD makes our work a lot easier, but I don't have an actual number to show an ROI.

We're a Microsoft shop, so it basically was the only option that we really had if we wanted to use Azure. Our services host Azure so it made sense for us to use Azure AD.

I give the solution a nine out of ten.

We actually integrate with Microsoft Entra and are able to add additional functionality to it. Entra does everything down to the entitlement level within applications, whereas our organization would go a little bit further and go to the object level. But from an overall user access perspective within our cloud environment, Microsoft Entra does give us visibility into what that user's assigned, based on their roles and group access.

We don't use Microsoft Entra in the way that most other companies are going to use it. We're looking at it from a strategic perspective for the security reporting application that we provide our customers. When a customer of ours would be using Microsoft Entra and they want to extend it to provide additional reporting or to actually go down and assign functions at the object level within their applications, they would use our organization to do that. I don't technically use Microsoft Entra to actually view what our users are looking at from a user access perspective.

I don't know if we use it internally at our organization, but in the majority of cases, the clients want to be able to have a place where they can do enterprise-wide identity management. And so that's what they are trying to get to with Entra. That's a question that a lot of our customers have across the board. The functionality that Entra provides is the ability to span across different either business applications or other third-party applications. The customer then has to be able to do identity-based access control from a single-pane-of-glass within our Azure AD instance.

I don't do the actual assignment within our organization from an Azure AD perspective. We extend what Microsoft Entra provides, from a feature functionality perspective. We have a separate IT team that would actually do the user creation and access assignment within Azure AD and I don't know if they use Microsoft Entra to manage all identity and access tasks within the organization.

We're a Microsoft ISV and we connect with a number of different ERP, CRM, and HDM-type systems, but we do security on compliance reporting and functionality.

We integrate with the solution. Customers that are using Entra, would or could use our organization when they need that extra level of detail. We use it for development purposes to actually create a working solution. We support that as far as when we do our reporting from our organizational perspective. I don't use Entra internally at our organization, so we integrate with it from a coding perspective. As far as features and functionality go, we integrate with it and we support it. 

We run the solution on-prem and then we sync that to Azure AD in the cloud, but it's on a normal public cloud, overall.

I think Azure AD is a no-brainer if you're a Microsoft shop and if you have other Microsoft products already. It boils down to what sort of office you're looking for. Being a development shop, it absolutely made sense to us to use Azure AD because we were already using Azure, so it could be included with that offering. If you're not a technical shop then I think you should have to look to see if it's something that you are going to manage, and how many other applications you manage within your organization from an access perspective. If you're doing that across 25, 50, or 100 different applications, then Azure AD is a great choice. If you don't really sign into too many things, then there may be more cost-effective ways out there. It depends on what your use case is.

We use the Azure portal to create users, assign rights, build policies, etc. I'm not an administrator for that part of our system but that is basically what we use Azure AD for.

Conditional access has helped us to better provide more security for our users and MFA has helped us to provide more security for users who are working from home. They use their own personal devices.

Azure AD has helped us to provide security for applications that I didn't have access to.

This product has improved our overall security posture. Everybody is working from home using a VPN. We recently migrated everybody to MFA, which is required to connect using the VPN. People are now more aware of their passwords and overall, gives them better security.

Using the Self Service Password Reset functionality has helped to improve our end-user experience because they no longer have to deal with the service desk to do so. It also helps the service desk because it relieves them of the need to help users when it comes to password changes, allowing them to focus on other things.

We use all of the services that are offered by Azure AD. We use Azure AD Connect, SSPR, app registration, application proxy, and more. We use everything for different services that include conditional access, authentication methods, etc.

Conditional Access is a helpful feature because it allows us to provide better security for our users.

I would like to see improvements made when it comes to viewing audit logs, sign-in logs, and resource tags.

We have been using Azure Active Directory for approximately six years.

In my opinion, the on-premises deployment is still king with respect to stability.

We are able to control what's happening there, unlike the cloud instances when the service is down. If Azure AD is down then it will affect the ability of our users to log in.

Both Azure AD and the on-premises Active Directory solutions are scalable.

We have approximately 30,000 objects hosted in Azure AD. Usage will be increased as need be, as we have more users and we have more objects to add.

I would rate Microsoft support and eight out of ten.

Support provides access to good resources and good backend tools that we can use to resolve issues.

We migrated to Azure Active Directory from Windows Active Directory.

In my previous organization, I was involved in the implementation and it was very straightforward. It was straightforward in the sense that we didn't encounter any major issues because we were already using Windows Active Directory. The only issue we had was that we had to move people in batches, and not at the same time.

Our deployment took approximately one month.

As part of the implementation strategy, we first moved our Exchange to Office 365. This was the initial migration of users from on-premises to Azure AD. The primary phase was to start using Office 365 for our email instead of Exchange.

We migrated from our on-premises Exchange solution to Azure AD with our in-house team. There are some of us in the infrastructure team, plus my manager.

In terms of our overall Azure experience, I can see that this solution yields a return on our investment. However, it is difficult to quantify.

The cost is billed on a per-user licensing basis.

We did not evaluate any other options.

I think that overall, using Azure AD is very straightforward.

My advice for anybody who is considering Azure AD is to look at the products, understand the role of AD, and see how it works in their environment. Then, before they roll out, test it well.

The biggest lesson that I have learned from using this product is that it helps with better organization and allocation of rights and security.

I would rate this solution a ten out of ten.

We have users, groups, and applications, and the purpose of this product is authentication, authorization, and attestation. We use it for the services connected to those three "A"s. The use cases in all organizations are more or less the same, even if some side services differ. Azure AD is used for authentication and authorization. It's about managing identities and granting access to applications.

It has features that have definitely helped to improve our security posture. The identity and access management, at the end of the day, are about security. It also offers features like multi-factor authentication, Privileged Identity Management, and access review and attestation, and all of these are connected to security and typically help improve security posture.

Many of its features are valuable, including: 

• facilitating application authentication 
• privileged access management 
• processes for attestation
• access reviews.

The multi-factor authentication, similar to when you use your mobile banking application when you want to do a transaction, doesn't rely only on your username and password. It triggers a second factor, like an SMS to your mobile. It requires another factor for authentication. This is one of the standard services Microsoft offers with Azure AD Directory.

Privileged identity management is also a standard feature of Azure AD for privileged accounts. We make sure we do privileged role activation when it's needed so that we do not have sensitive roles active every day.

A lot of aspects can be improved and Microsoft is constantly improving it. If I compare Azure AD today with what it was like five years ago, or even three years ago, a lot of areas have been improved, and from different angles. There have been improvements that offer more security and there have been some improvements in the efficiency domain. Azure AD is not a small product. It's not, say, Acrobat Reader, where I could say, "Okay, if these two features are added, it will be a perfect product." Azure is a vast platform.

But if we look at multi-factor authentication, can it be improved? Yes. Perhaps it could cope with the newest authentication protocols or offer new methods for second or third factors.

I'm also willing to go towards passwordless authentication. I don't want anyone to have passwords. I want them to authenticate using other methods, like maybe biometrics via your fingerprint or your face or a gesture. These things, together with the smart card you have, could mean no more passwords. The trends are moving in that direction.

When it comes to identity governance, the governance features in Azure AD are very focused on Microsoft products. I would like to see those governance and life cycle management features offered for non-Microsoft products connected to Azure AD. Currently, those aspects are not covered. Microsoft has started to introduce Identity Governance tools in Azure AD, and I know they are improving on them. For me, this is one of the interesting areas to explore further—and I'm looking to see what more Microsoft offers. Once they improve these areas, organizations will start to utilize Microsoft more because, in that domain, Microsoft is a bit behind. Right now, we need third-party tools to complete the circle.

In addition, sometimes meeting the principle of least privilege is not easy because the roles are not very granular. That means that if you are an administrator you need to do small things connected to resetting passwords and updating certain attributes. Sometimes I have to grant access for the purposes of user management, but it includes more access than they need. Role granularity is something that can be improved, and they are improving it.

Again, if I compare Azure AD today to what it was like three years ago, there have been a lot of improvements in all these domains. But we could also pick any of these specific feature domains in Azure AD and have in-depth discussions about what could be improved, and how.

We have been using Azure Active Directory for more than five years.`

Azure AD is very scalable. The only concern is around role-based access control limitations at the subscription level. That is something Microsoft is improving on. Currently, per subscription, you can have a maximum 2,000 role assignments. Sometimes big organizations hit the limit and need to implement workarounds to resolve that limitation. But that is something Microsoft has already confirmed it is improving. That is a limitation of the Azure platform, it's not specific to my organization. A smaller organization may never hit the limit, but bigger organizations do.

Apart from that, their application integrations, the service, MFA, and everything else, are quite scalable. It is moving in the right direction.

Setting up Azure AD, is about moving toward the cloud journey. I cannot say setting up Azure AD is easy, but on the other hand, organizations are not moving to the cloud in one go. It's not all or nothing, that you have it or you don't have it. It depends on which services you are receiving from Azure AD. Some organizations, like ours, start with a limited number of services.

You usually start with syncing your identities to the cloud so that you can offer your employees certain cloud services. You want to enable them to use certain SaaS applications, where they are relying on a cloud identity, and that's why you need to have your accounts in the cloud. Without that, you cannot grant them access.

Later, you may offer the ability for business partners to use and benefit from certain cloud applications, and gradually the use cases increase. For example, someone may become a privileged user to take responsibility for an application and manage it. When that happens you start to think about what other features in the Azure platform you can offer to do administration in a more secure way. Or, once you have thousands of users benefiting from cloud applications, how can you make sure that you protect their assets and their data? That leads you to start implementing other security features, such as multi-factor authentication. Over time, you may have users benefiting from Office 365 and they need to collaborate by using Teams and SharePoint. Again, you start to build something else around that.

Whether large or small, organizations are on a journey, where they start from on-premises with servers and all these server rooms and applications in the organization. They then shift workloads to the cloud. That process is still ongoing in my organization and in many organizations. Ten years ago, workloads were all on-premises. Five years ago, maybe 90 percent were on-premises. Today it might be 50 percent cloud and 50 percent on-premises. There is value from the cloud: elasticity and flexibility, even for big organizations. A server on-premises is a different story compared to having it on the cloud. If I need to upgrade a server on the cloud, it takes five minutes. If it's on-premises, I need to order hardware and then change the hardware. The usage of Azure Active Directory is due to the evolution of the cloud.

The bottom line is that the implementation is gradual. It's not difficult or easy, although we started with things that were easy to adopt, and then we continued the journey.

The staff required for maintenance of Azure AD depends on how you organize your support. Some organizations outsource their end-user support to other companies, while other organizations staff that completely internally. It can also depend on the users. Is your organization a global organization or a small, local organization? For us, to make sure we maintain the support and availability and all the services we need, including change management, we need at least 15 to 20 resources for a global application with more than 20,000 users, to maintain the platform.

We worked with a lot of consultants for Azure AD. There are many features and no one expert or professional can help with all aspects. Organizations, during their journeys, have to work with different partners and integrators. It may be that there is a specific application you need to integrate with Azure AD and you need some skills there. It may be that you want to better manage Azure resources, so you would talk to a different type of resource. You may want to increase your identity security scores, depending on how you configure Azure AD, and for that, you would need to talk to an Azure security expert. I think this applies to all big enterprises. We need different skills to better utilize Azure, including Azure AD, and to do processes in a more secure way.

We have Microsoft Professional Services. That's the primary source for many organizations that are utilizing Microsoft services. If you have an enterprise agreement or a unified agreement with Microsoft, they offer you consulting services. Of course, you have to pay for Professional Services, but we get value there. The number-one consulting and integration support provider is Microsoft.

They also work with certified partners like Accenture or Avanade. These organizations are connected with Microsoft and they offer consultancy services to enterprises like ours. Depending on the subject, we may use services from any of these providers. We usually go with Microsoft-certified partners.

Multi-factor authentication means you need to do an extra step, but that is normal because the attack surface is wider. We want to make sure you are who you say you are. That extra step impacts the end-user experience, but it's needed. The way authentication happens today is far different from 10 years ago. It may result in some added difficulty, but it is there to protect employees, organizations, customers, business partners, IT assets, data, et cetera.

There are a number of use cases. You can use it as a central point of authentication for giving access to most of your cloud and on-prem resources. For example, you can use Azure AD to give access to a Microsoft 365 application, such as Outlook or Microsoft Teams.

It is quite stable. Being a Microsoft product, it easily integrates with most of the Microsoft solutions. It is very easy to integrate with most of the Microsoft solutions, such as Windows, Microsoft Office, etc. If you have your own internal web applications or you want to integrate with other solutions from other providers, such as AWS or Google, you can link those to Azure AD. If you want to integrate with on-prem resources, you can use your Azure AD on the cloud as the authentication point to give people access to the resources and so on.

It can be used to grant access at a granular level. It provides secure access and many ways to offer security to your user resources. It provides a good level of security for any access on Azure. It gives you options like multi-factor authentication where apart from your password, you can use other factors for authentication, such as a code is sent to your phone or the authenticator app that you can use login. 

It even offers the next level of access management, which gives a password for authentication, and you just use the authenticator app to log in. It enables you to configure things like identity risk awareness to detect if someone logs in from a suspicious location from where they don't normally log in. So, it provides a good level of security features for controlling access to your resources.

Its integration with open-source applications can be improved. I know that they are working on open-source authentication methods for integration with open-source applications, but they can make it more open.

It can be a bit expensive for an organization. There should be a better pricing plan for the license.

I have been using this solution for about four years.

It is quite stable.

It is scalable. In my current organization, we have about 6,000 users on Azure Active Directory.

We are satisfied with their support. They provide different levels of support. They have Level 1, Level 2, and Level 3 engineers, and the response time depends on the kind of agreement you have. Some agreements will guarantee you a faster response time 24/7, such as within four hours, so it all depends on your license.

Considering that it runs on the cloud, the setup is quite easy unless you're doing integration with your on-prem Active Directory. For integration with your on-prem Active Directory, you need someone who is technically competent, and then it would be rather straightforward. They do provide engineers who can assist in that deployment, and they also do knowledge transfer to enable you to proceed with the deployment.

The initial deployment of the product usually takes about three months because you have to ensure all the prerequisites have been met. So, if it is a project for a big organization, we can do it in probably three months. If it is something simple, then it doesn't take much time because the only thing that you're doing is to plug into it. It is already running because it is a cloud service. So, the deployment comes in only if you're integrating it with your on-prem resources and, of course, with other applications. Otherwise, it is very straightforward. It is a cloud service, so it is just plug-and-play.

For deployment, we work with Microsoft. We work with them directly, but for enhancements, we use Microsoft partners.

For maintenance, we have a team of about five engineers who run it. Internally, we have about two engineers and a manager in charge, and then we have two engineers in our infrastructure team. It is not that intensive in terms of day-to-day management because it is a cloud service, so everything is running from Microsoft Azure servers. Therefore, the day-to-day administration is not that much.  

It can be a bit expensive for organizations, but they do have different pricing models. Their free tier can be used on a personal level, but for an organization, the licenses might be a bit expensive. In general, the licenses can become cheaper, which will make it accessible for more people.

Currently, where I am working, we use an enterprise agreement. The license is renewed after every two or three years. So, we make an agreement with Microsoft to give us a license for a number of products, including Azure Active Directory, for two or three years.

I would highly recommend this solution. We plan to keep using it for the long term.

It is among the best in the industry, but there is room for improvement. I would rate it an eight out of 10. 

We have deployed an Active Directory model with Active Directory on-premises, and that is providing services to the entire organization. In 2018, we wanted to implement single sign-on with some of our cloud solution partners. That was the main reason that drove us to implement Azure Active Directory. As far as I know, that's the only thing that we use Azure Active Directory for at this moment.

We can call it a hybrid system. All our internal operations are using Active Directory on-premises, but when we need to identify some of our users with applications on the cloud, that's when we use Azure Active Directory.

We are a mid-size company with around 550 users end-users, with the same number of end-user machines. We also run somewhere between 120 and 150 servers.

The reason we implemented it is that we can use it for authentication with some of our service applications, and that makes users' lives easier. They do not need to learn a lot of different passwords and different usernames. The other benefit is that, on the management side, it's very easy because you can have tight control over who is using the application and who is not; who has permissions.

For some applications, it's not only working for authentication but it's also being used to apply roles for users. From the management perspective, it's much better to have this because in the past we constantly needed to go into the console of the different solutions and create or delete users or modify their roles and permissions. Now, with Azure Active Directory, we can do that from a single point. That makes our management model much easier.

As a result, the solution has helped to improve our security, because user management control is very important. In the past, there were times when, for some reason, we forgot about deleting or even creating users for certain applications. Now, because we have only a single point for those processes, there is better control of that and it reduces the risk of information security incidents. That's especially true when you consider the case where we had forgotten to delete some users due to the increasing number of applications in the cloud. We now have five or six applications using single sign-on and that capability is one of our requirements when we introduce a new solution. It has to be compliant with single sign-on and it should have a way to be implemented with Azure Active Directory. It makes our infrastructure more secure.

Among the applications we have that are using single sign-on are Office 365, Concur for expense control, we have an integration with LinkedIn, as well as two other applications. When a user decides to leave the organization, we check that their access to all our internal applications has been closed. That can be done now with a single script. It makes it very easy for us to delete the user from the organizational unit, or from where the group linked to the application.

It makes things a lot more comfortable in terms of security as we don't need to log in to every single application to delete users. We would see, in the past, when we would run a review on an application in the cloud, that suddenly there were, say, 10 users who shouldn't be there. They could still be using the service because we didn't delete them. For some applications it's not that bad, but for others it could be an open security risk because those users would still have access to assets of the organization. We have reduced, almost to zero, the occurrences of forgetting a user.

Azure AD has affected the end-user experience in a positive way because, as I mentioned, they do not need to learn different usernames and different passwords. In addition, when users request access to some of the applications, we just need to assign the user to the different groups we have. These groups have been integrated with the different cloud applications and that means they can have almost immediate access to the applications. It makes it easier for us to assign roles and access. From the user perspective that's good because once they request something they have access to the service in less than 15 minutes.

Implementation of single sign-on with other vendors is quite easy. It might take a couple of hours and everything is running.

We've been using Azure Active Directory for over two years.

The availability of Azure AD is good. I don't have any complaints about it. Regarding the stability, we haven't had any issues with it. We haven't experienced any service interruption. 

Part of our strategy in the short-term is to move most of our Microsoft environment, when it's feasible, to the cloud, because we have seen that the cloud environment offered by Microsoft is really stable. We have proved that with tools like Azure Active Directory. In almost three years we haven't had a single issue with it.

From time to time it takes a little bit of time to replicate, with some of the applications—something like five to 10 minutes. I know that the design is not supposed to enable real-time replication with some of the applications. But, as an administrator, I would like to run a specific change or modification in Azure Active Directory and see it replicated almost immediately. It really only takes a few minutes. Although it doesn't seem to cause any problems for our organization, I would like to see more efficiency when it comes to the different connectors with cloud services.

We haven't had a situation where we need to scale this solution.

We haven't had any major issue with the solution so we haven't called Microsoft technical support for Azure AD so far.

We have always used Active Directory as our dedicated services solution. Three years ago we increased the scope of it and synchronized it with Azure Active Directory. Our on-premises Active Directory is our primary solution. Azure Active Directory is an extension of that.

The initial setup was quite straightforward. It didn't take too long just to get our Azure Active Directory environment set up and running. I think it took less than a day. It was really fast.

We already had Active Directory on-premises, so what we created was the instance of Azure Active Directory. All the different groups, users, and services were already set up. We then replicated with what we currently have in the Azure Active Directory instance. It was not really difficult.

Our company is quite small and that is reflected in our IT department. Azure Active Directory is handled by our infrastructure coordination team, which has only two members. One is the senior engineer who performs all the major changes and the main configurations. We also have a junior engineer who runs all the operations in the company. From time to time, one person from our help desk, usually me, does some small operations when we don't have the infrastructure team available.

We use a reseller to buy the product and they also provide some consulting services. Our relationship with Microsoft is not a direct relationship.

Our reseller is SoftwareONE. They're a global company and our experience with them has been good. We have been with them since 2010 or 2011. We have two or three different services from them related to Microsoft and other brands. They are not exclusively reselling Microsoft licenses. 

From a very subjective point of view, as I haven't drawn any kind of numbers to calculate the return on investment, what I can see so far is that the investment is running smoothly and it's easier for us to run our environment with it.

If you have all your infrastructure built using Microsoft tools, it is straightforward to go with Azure Active Directory. Under these circumstances, I don't see any reason to find another solution.

We have an E3 contract, and I believe Azure AD is included in it.

We didn't evaluate other vendors because our entire environment is based on Microsoft solutions.

As with any implementation, design is key. That would be applicable to Active Directory as well, but when it comes to Azure AD, do not start the installation unless you have an accepted design for it. You shouldn't just start creating objects on it. You need to have a clear strategy behind what you're going to do. That will save you a lot of headaches. If you start without any kind of design, at the end of the road, you can end up saying, "Okay, I think it would have been better to create this organizational unit," or, "We should have enabled this feature." It's probably not very straightforward to implement the changes. So have a team design the Azure Active Directory structure for you. You need to have the map before starting the implementation.

It's something that we use every day. We're migrating all of our customers over to it.

We use it for Office 365 and Azure services.

It's a cloud service. You do not depend on local identities. You can just synchronize the identities. It gives you the opportunity to use the security services that come with Office 365 and Azure. 

It does offer a single pane of glass for getting into all applications. However, we have some customers that have a hybrid environment and it depends on what applications and if the client wants them authenticated with Azure or not. In general, it's been positive for the final user experience.

We do have to manage identities on-premises in Azure and have one point of entry and the solution allows for that.

We use conditional access. That's a must for customers - to be able to verify users and devices. It helps with initiating a zero-trust policy. It's one of the main functionalities we really like. You can get granular with the policies in terms of access. 

We use conditional access in conjunction with Endpoint Manager. We also push Endpoint Manager as a solution to work with devices. That's also something that we try to push to the customers in any project. Most of the time, they go with it and like the idea of being merged with which are Endpoint Manager. Sometimes there are some customers, small customers, that maybe don't want to use that. Our position is to always use an endpoint manager.

It's helped out IT managers a lot in terms of the features on offer. I'm not sure of the exact amount of time that has been saved in general. I'm not involved in the day-to-day management from a customer's perspective. 

It's had a positive effect on the user experience. I'd rate the improvement nine out of ten. 

Support could be improved.

Okta has had more time in the business than Microsoft. I hope, in the roadmap, Microsoft eventually offers the same features as Okta. It will take some more time to mature. 

I've been using the solution for five years.

The solution is scalable. 

Customer support is good. However, it could be better sometimes. They do answer fast, however, the resolution itself is not fast. The first level of support will most likely have to move the issue to level two or three technicians and that process makes the resolution take longer.

Positive

I did not previously use a different solution. I deal strictly with Microsoft. I don't deal with any other companies. I'm dedicated to Microsoft. 

I was involved in the deployment process. It's easy for someone who's done it many times. 

In my department, we have ten to 15 colleagues that can handle these migrations or synchronizations. 

It's an easy product to maintain. 

We do have a customer that has Okta, and while we don't deal with it directly, we know what it does. We don't use it. Okta has specific features that are different from this product, however, it's not something we sell. For example, Microsoft can synchronize users from local to Azure, and not vice versa. Okta can do that, however. Also, the management lifecycle feature in Microsoft isn't as robust as Okta. 

Okta does have a lot of models, as does Microsoft. In both cases, depending on what you need, there would be a different license. 

There are not too many companies that have Okta in Spain, however, those that have would have many environments across AWS, Google, et cetera - not just Microsoft.

We're integrators. We don't use the solution ourselves. 

We do not use Permissions Management. I'm not sure if it is one functionality or a combination of several. 

I'd rate the solution eight out of ten.