Microsoft Entra ID Reviews

We use the Azure portal to create users, assign rights, build policies, etc. I'm not an administrator for that part of our system but that is basically what we use Azure AD for.

Conditional access has helped us to better provide more security for our users and MFA has helped us to provide more security for users who are working from home. They use their own personal devices.

Azure AD has helped us to provide security for applications that I didn't have access to.

This product has improved our overall security posture. Everybody is working from home using a VPN. We recently migrated everybody to MFA, which is required to connect using the VPN. People are now more aware of their passwords and overall, gives them better security.

Using the Self Service Password Reset functionality has helped to improve our end-user experience because they no longer have to deal with the service desk to do so. It also helps the service desk because it relieves them of the need to help users when it comes to password changes, allowing them to focus on other things.

We use all of the services that are offered by Azure AD. We use Azure AD Connect, SSPR, app registration, application proxy, and more. We use everything for different services that include conditional access, authentication methods, etc.

Conditional Access is a helpful feature because it allows us to provide better security for our users.

I would like to see improvements made when it comes to viewing audit logs, sign-in logs, and resource tags.

We have been using Azure Active Directory for approximately six years.

In my opinion, the on-premises deployment is still king with respect to stability.

We are able to control what's happening there, unlike the cloud instances when the service is down. If Azure AD is down then it will affect the ability of our users to log in.

Both Azure AD and the on-premises Active Directory solutions are scalable.

We have approximately 30,000 objects hosted in Azure AD. Usage will be increased as need be, as we have more users and we have more objects to add.

I would rate Microsoft support and eight out of ten.

Support provides access to good resources and good backend tools that we can use to resolve issues.

We migrated to Azure Active Directory from Windows Active Directory.

In my previous organization, I was involved in the implementation and it was very straightforward. It was straightforward in the sense that we didn't encounter any major issues because we were already using Windows Active Directory. The only issue we had was that we had to move people in batches, and not at the same time.

Our deployment took approximately one month.

As part of the implementation strategy, we first moved our Exchange to Office 365. This was the initial migration of users from on-premises to Azure AD. The primary phase was to start using Office 365 for our email instead of Exchange.

We migrated from our on-premises Exchange solution to Azure AD with our in-house team. There are some of us in the infrastructure team, plus my manager.

In terms of our overall Azure experience, I can see that this solution yields a return on our investment. However, it is difficult to quantify.

The cost is billed on a per-user licensing basis.

We did not evaluate any other options.

I think that overall, using Azure AD is very straightforward.

My advice for anybody who is considering Azure AD is to look at the products, understand the role of AD, and see how it works in their environment. Then, before they roll out, test it well.

The biggest lesson that I have learned from using this product is that it helps with better organization and allocation of rights and security.

I would rate this solution a ten out of ten.

The solution is our main identity provider and federation platform. We use it for authentication and for federations, for some provisioning, and a little bit of governance.

It's a quite comprehensive solution and it scales quite well within our required scale as well, which is very useful.

The product has helped to improve our security posture. The Azure stack has built out a lot of analytics features. Now, we can more effectively investigate issues. 

The solution has positively affected our end-user experience by improving our usability and reducing friction.

The solution has certain limitations. For example, it has very little governance functionality. This is, of course, a choice made by Microsoft to see which areas they want to have deep functionality, and which areas they believe are more profitable for them. 

We've been using the solution probably since the mid-'90s when it was invented.

The solution has generally been quite stable. They've had some problems with the MFA and other things, however, they are a lot better at keeping the system stable than we are.

What we have seen is that we are running into some of the limitations of scalability. That said, we are more than half a million or 700,000 internal users at the moment. There are relatively few organizations globally that are as big as we are.

We're seeing, for example, that the parcel reset, to sync parcel reset from on-premise into the system is challenging. It's more than the 30 seconds that you typically want. It's even sometimes more than the two minutes that Microsoft promises in their SLAs.

We see that our syncing is slow. We have to run it every three hours, which causes problems with being able to service our business efficiently.

Those are the main problems I've seen. On top of that, there are certain features that have run into challenges, for example, the AEDS is not fast enough.

Technical support is actually quite good. It's rather rare that we have problems with support.

They have been very good at informing us about when they have outages. That's something we really appreciate as it saves us a lot of time. If something on their side is broken, they tell us so that we don't have to look to find any problems in our systems. That's one reason I really like the way they've been handling things.

The system we used before was IBM ISAM.

The ISAM setup was on-premise and it's very expensive to run and maintain. The support for Microsoft is much better, which is an additional advantage for us.

The initial setup was complex.

We have half a million users from 20 different offices. They've all got different ways of wanting to do things, including the way we have to build the federation infrastructure, for example.

This has been a four-year project, and we're probably going to continue with it for the next year or as long as we'll be using the product.

The initial build we did was a six-month build.

Our implementation strategy was to delegate sections, including delegating identity and federation setup.

We have five full-time personnel that handle the maintenance aspect of the solution. We have outsourced the actual hands-on maintenance. This firm has a couple of engineers, an architect, and an engagement lead. We have three solution delivery managers on hand, however, they do other tasks as well and are not necessarily dedicated to AD.

We used a systems integrator to assist with the initial setup. 

The product is priced quite well. The way that Microsoft prices per user and month is quite attractive to us. The level of the license cost is quite good as well.

We did not evaluate other options. Choosing Active Directory was a management choice. 

We are just a customer and an end-user.

I'd advise those considering the solution to find a good partner to work with. You do need to have an experienced system integrator with you when you do the implementation. The integrator we brought on did a good job on our side.

I'd rate the solution at a nine out of ten.

We provide single sign-on, app syncing, and API seamless access to more than 2,000 users with the syncs into Azure. We provide access to email, SharePoint Online, Skype, and other services on the cloud to half of those users. We have services in the cloud, such as app registration and documents for SharePoint Online.

The single sign-on is the most valuable aspect of the solution. It allows for storing passwords in secure vaults. For developers, we use a vault for SSH. Mainly, we have replication from all services on-prem to the cloud.

With a single sign-on, in the case something happens on-premises, users can still use a single sign-on to a PC to access the cloud.

We can deploy policies, which improves our security posture. It's mainly very similar to on-premises, however, some new features can be used on the cloud as well, such as labs and password rotation. Some features have improved, which has been great.

The solution improves the way our organization functions. I can deploy a policy that will search for unused accounts, for example, and delete or just move them to a different organization unit that handles unused accounts. We can change unsecured passwords. We can detect intrusion and inform a security group on how to disable that account immediately. We can also perform security checks on services.

We can easily migrate services and improve the quality and improvement of bandwidth of the service. It's easy to scale.

There are some searches, such as a global search, which have powerful query capabilities if you configure it in a certain way.

It's easy to use. The portal experience provides a dashboard of what's happening. With the dashboard, you can see what's happening with the service faster. Of course, I’m talking about the cloud. On-prem you don't have that dashboard.

Active Directory has affected our end-user experience. It has improved it as we have centralized management now and we have centralized administration, and things can be automated easily. You can have most tasks automated. It's good.

The security needs to be improved. For example, in terms of changing from one version to the latest, meaning going from 2008 to 2012, or 2016 to 2019, you need to get rid of all the operating systems and they need to ensure the security is upgraded and improved.

They need to bring BitLocker into the VMs and the servers.

LAPS could also be improved. LAPS are used to rotate passwords on a server. That can be improved upon to increase security levels.

Protocols SSL 2.0 and SSL 3.0 need to be removed and they should change my TLS 1.2 for every application.

I've been using Azure for about 13 years. However, I've used Active Directory for 25 years. It's been a long time.

We have found some servers do not have enough CPU or memory which meant there was not enough stability. I scaled up the service to ESX, to a virtual host, and I installed multiple DCs, virtualized. As the solution has physical machines, CPU and memory were not enough. However, the scaling provided much more stability.

The scalability is good now, and I find it to be more stable and faster since scaling up to ESX.

We tend to increase usage every month. We have five countries with multiple forests. Currently, we have 200 users or so on the solution.

The technical support is not so bad, however, it's lacking in faster response times sometimes.

We did not previously use a different product.

The initial setup was complex. It has several forests connected to multiple domains in several countries, and it's going through multiple data centers. Typically, we have a solution for the VPN. It's different in every country sometimes. On top of that, centralized services are not so easy to manage in different forests.

The initial deployment was set initially for six months, and then we’ve been doing improvements for the last six months as well. It’s been a year in total.

Our initial implementation strategy was to sync a forest with multiple domains.

We have ten to 15 people who are capable to handle maintenance on the product. These include a cloud architect to Active Directory architect engineers, help desk engineers to deploy and manage solutions, and engineers to manage the servers.

We did not use an integrator, reseller, or consultant for the deployment. We handled it in-house. That is my understanding.

We have seen a bit of an ROI.

The solution is not the cheapest in the market. It could be improved and possibly lowered slightly.

We moved right into Active Directory, however, as a cloud architect, I am familiar with other solutions. I advised the client to go right to Active Directory based on my past experience. Due to the complexity of services they offered, I knew integration would be easy.

We are a Microsoft partner.

We use several versions of the product, including 2016 and 2019. For one customer, they're running 2008, which is the old version, and I just upgraded them to 2012. The domain controller is 2012 R2 and has the latest patches.

I'd advise new users to do an original design with an architect, and think about scaling up while considering services you will be adding in the future. It's important to plan the security tightly and do a neat design and consider services such as BitLocker and other resources that will be needed.

I'd rate the solution at an eight out of ten.

I use a Microsoft 365 cloud deployment and I have an organization where users are created. All of these users are hosted in Azure AD. I send emails in Exchange Online. 

For collaboration, we use Teams and SharePoint. Basically, all of these Microsoft products are on Azure AD. This is due to the fact that for you to use any of these products, users have to be created and these users are being hosted in Azure Active Directory. Without the users in the first place, the products are not used. 

The most valuable aspect of the solution is the ability to create users and host them in Azure AD. That is the bedrock - whatever it is you are doing, you're building on the fact that you have users created. We have Microsoft Teams to manage users and also to manage groups which allow us to manage collaborations and do all sorts of things.

Azure AD has features that have helped improve our security posture. It contains the Azure audit logs that allow you to also audit activities in the organization including those that have happened over a period of time. There is Azure sign-in that allows you to check for sign-in over a period of time for users.

From Azure Active Directory you can actually identify the IP address and run checks or maybe block the IP to improve the security posture of the organization.

The Azure sign-on and audit logs are very handy for a regular admin. They offer the most basic admin solutions to carry out activities on Azure security settings to identify potential threats and carry out some corrective actions on it.

We can use Azure Active Directory to deploy enterprise applications to incorporate third-party applications into the organization and make them available to users. You can put in place multilingual authentications and you can specify the kind of authentication you want to be available for your organization.

Most recently, you can use password-based authentication and multi-factor authentication, which allows for the ability to bring on third-party applications and to incorporate them and deploy them for users.

With Azure Conditional Access you can specify network locations where you want some of the services in the organization to be available to users, and where you don't want users to have access. You can customize and define conditional access to whatever suits the organization and based on what you want, including information protection. You can get conditional access depending on the license you have.

From my personal experience, I'd say that the features need to be more visible to make the product easier to explore for new users. They need to make it possible for someone with very little knowledge to come in and find things. The product needs to be more user-friendly. 

The solution needs to update documentation much more regularly. They need to just come out and update the documentation to reflect new features and make sure the updates are included in the already existing documentation so that someone like me can just pick up the documentation, read it, and know that it is very up-to-date listed and has all the new features contained within it.

I have been using Azure Active Directory Office 365 for over two years.

The solution is exceptionally stable. It's just a way to go on another solution, however, that said, I've noticed a 99.9% stability.

It's my understanding that the solution is very scalable. 

In my experience, I've managed hundreds of users on this product.

We can contact and support directly from the Azure Active Directory if we get stuck. As long as you are actually on the most basic billing subscription, you will be able to access assistance. That said, depending on the Azure license you have, you can get access to technical support for Microsoft Azure Active Directory.

My personal experience with using Microsoft support has been positive. I want to be fair, to be very honest, and the Microsoft support has to be one of the most agreeable out there as all you need to do is just submit the ticket and you get someone to contact you very quickly. They are always available. From the perspective of Azure Active Directory, as long as you have the required license you can contact the corresponding level of support. You can be sure of getting corporate support when you need it.

Previously, the organization had an environment where we managed everything locally. Azure Active Directory actually was our first entry into cloud solutions. We have not used other cloud solutions apart from Azure Active Directory.

The difficulty or ease of the initial implementation depends on the company and the level of experience as well as the level of knowledge of the IT team. The experience needed for cloud solutions is relative. I can say it's straightforward and even with a little experience or knowledge it is straightforward. The documentation is available and you can read and follow the documentation to handle the process. Of course, for new users, it could be a bit more straightforward.

For me, provisioning takes a few minutes - maybe between ten to 20 minutes. Normally it should take less than 30 minutes.

For this particular instance, we needed to add multiple users individually and sometimes as a bulk upload in the case of inboxes. Some needed third-party services. The documentation made the process pretty easy, however, when we did have issues, we could reach out to technical support to finish anything up. 

We have seen an ROI. It's actually cut some costs. Initially, we were using a local environment. Now, we've almost rid ourselves of one of our local environments. Moving to the cloud has saved us a lot of costs and actually, it's a very good experience. It's cost-effective compared to what we used before. It's better in terms of lowering our overall expenditure.

The prices are not too out of place. We're just gradually getting out of COVID and Microsoft is actually putting some renewals, licenses, and some products out just to cushion the effect of license costs as companies recover. With Microsoft, some products also offer free trials. 

We'd like to see more of a discount on existing licenses. They also need to consider having some free licenses, some free subscriptions.

I'm actually a customer. I have an environment in my home meaning I have a subscription that I've paid for. However, I also do consultancy based on the knowledge I currently have. I offer my knowledge to other organizations.

I would advise new users to allow open demos of cloud solutions and figure out what is on offer, what is available, or what can be made better. By doing a POC, you'll get to see resources used and what it's like to handle an environment entirely in the cloud. Organizations can consider gradually moving over or they can actually move completely to the cloud depending on what they want to do. 

I'd rate the solution at an eight out of ten. It's a good solution, especially for companies following the trend of moving onto the cloud. There's always room for improvement, however, currently, they are doing very well.

We're using Azure AD as a centralized identity management tool, to keep all identities in one place. For example, if we have an application that needs authentication, we use Azure AD. It is not only for user authentication and authorization.

We also use Azure AD as a synchronization tool from on-premises instances to the cloud, and we are using Azure ID Join to join machines directly to the cloud. We use it for access policies, as well as the registration of services.

With MFA, if there has been a password leak and someone tries to access the system, Azure AD will send a notification to the real user's cell phone and ask, "Are you trying to login? Please approve or decline this login." If the user declines the login, he can send a report to IT and the IT guys can automatically block the account, change the password, and review everything else. That helps us prevent unauthorized access to the system, and that's just through the use of MFA.

Through access policies, if my account was stolen and the guy got his hands on the MFA information for some reason, if the real user is in one country and the thief is in another country, the account will be blocked by our geolocation policy, even when the password is right and the MFA has been approved. We can lock it down using geolocation.

If we're talking about applications, one of the most valuable features is the administration of enterprise applications. It helps us to keep them working. We don't always need to authenticate a user to make an application work, but we do need some kind of authorization. We use service principal names for that. Managed identities for applications are very useful because we can control, using roles, what each resource can do. We can use a single identity and specify what an application can do with different resources. For example, we can use the same managed identity to say, "Hey, you can read this storage account." We can control access, across resources, using a single managed identity.

When it comes to users who have a single account, the most valuable feature is the authorization across applications. In addition, access policies help us to keep things safe. If we have a suspicious login or sign-on, we can block the account and keep the environment safe. It's also important, regarding users, to have a centralized place to put everything.

The user functionality enables us to provide different levels of access, across many applications, for each user. We can customize the access level and set a security level in connection with that access. For instance, we can require MFA. That is a feature that helps enhance our security posture a lot. And through access policies we can say, "If you just logged in here in Brazil, and you try to log in from Europe five or 10 minutes later, your login will be blocked."

One thing that bothers me about Azure AD is that I can't specify login hours. I have to use an on-premises instance of Active Directory if I want to specify the hours during which a user can log in. For example, if I want to restrict login to only be possible during working hours, to prevent overtime payments or to prevent lawsuits, I can't do this using only Azure AD.

I have been using Azure AD for the last five or six years. I have been using the on-premises solution, Active Directory, since 2005 or 2006.

We have never faced an outage situation with Azure AD. The stability is great, very reliable.

The scalability is okay for us. While there are limitations on the number of users, it's a very huge limitation. We have not hit that limitation so far. No matter how many users or groups or SPNs (service principal names) we have, it works fast. The response takes two to three seconds if we use the API.

Currently, we have more than 5,000 users. We are at 100 percent adoption. All our users from on-premises are synced to the cloud and they are fully using the features available.

The technical support is not going in the right direction. Sometimes the first-level support agents don't have the proper knowledge. Some of them take a lot of time to discover simple things because of that lack of knowledge. Sometimes a guy takes three or four days to give up and to ask for help from a higher level of support. The technical support can be improved in that area.

Neutral

Before Azure AD, we either used Active Directory for on-premises or a Linux solution, but it was almost a miracle finding Linux solutions for identities. In our location, the majority of enterprises and companies are using Active Directory. The free Linux solution is basic. You can choose a user, a password, and a level of access, but it does not go as deep as Active Directory.

The initial setup of Azure AD is very straightforward. There is even a wizard for it, making it very simple. The wizard guided us and pointed us to articles in the Microsoft Knowledge Base, in case we had any doubts about what was going on. It was a matter of "next, next, and finish."

Deployment took less than 60 minutes. It was very fast.

There are almost always issues when it comes to synching on-premises instances because they almost never follow best practices. When migrating to the cloud, there is a tool that Microsoft provides to run in your environment that tells you, "Hey, you need to fix this and this about these users, before you initiate the migration." It's complicated because on-premises solutions are like that. But if you want to have identities in Azure AD, you must have a proper set of User Principal Names, because these will be the anchor for the synchronization. If my on-premises instance has a bad UPN, it will not be able to properly sync to the cloud. But once we finished fixing the irregularities in the on-premises accounts, the migration was easy. We just installed the synchronization server and it did the job.

We have seen ROI using Azure Active Directory in the fact that we don't need to have four or five local servers. We can have just one local server and the heavy jobs can be run over the cloud. There is some money saved on that.

The pricing for companies and businesses is okay, it's fair. 

But if you are trying to teach someone about Azure AD, there is no licensing option for that. There is a trial for one month to learn about it, but there is a need for some kind of individual licensing. For instance, I personally have an Azure tenant with Azure AD and I use this tenant to study things. It's a place where I can make a mess. But sometimes I want to do things that are blocked behind the licensing. If I were to buy that license it would be very expensive for me as an individual. It would be nice to have a "learning" license, one that is cheaper for a single person.

Plan what you want. Think about whether you want native authentication and authorization in Azure AD. And if you want to have servers on-prem, you have to plan the kind of synchronization you want. Do you want passwords synced to the cloud or not? Instead of going headlong into using Azure AD and running into issues, the kind that require a change in access which could be problematic, plan before doing the deployment.

We are a small consultant company, and we help customers to build hybrid environments. We synchronize on-premises AD to Azure AD and help our customers decide which one they want to use.

In our own company, we use Office 365, so we use Activity Directory directly for authentication and authorization.

The most valuable feature is Conditional Access. As there are more and more people working from home, security is a challenge for a lot of companies. To build a general trust solution, we need Conditional Access to make sure the right people use the right device and access the right content.

In our company, we use Conditional Access with Trend to make sure that our employees can use the device from the company. We can make sure that there is higher security. We can also use Trend to set up a group policy and to set up Windows Defender as well.

Microsoft Azure AD is easy to install and is a stable solution.

There is no documentation about how Microsoft will scale Azure AD for customers. It only mentions that it will scale out if you have a lot of requests but does not mention how in detail.

More documentation on some complete scenarios, such as best practices to integrate forests into Azure AD when a customer has several on-premises forests, would be helpful.

I've been using it for four years.

In my experience, it has been working fine.

Scalability is a pain point. There is no documentation about how Microsoft will scale Azure AD for customers. We do, however, plan to increase usage.

We used on-premises Active Directory before using Azure Active Directory.

The initial setup is pretty simple. Microsoft Azure AD can be deployed in one or two minutes.

If you have an Office 365 subscription, Microsoft will build Azure AD for you.

Microsoft Azure AD has P1 or P2 licensing options, and it depends on the customer's needs. To use Conditional Access, you need to have the P1 license, and to use the PIN features, you need the P2 license. We use the P1 license as we use Conditional Access.

It will be a very good solution if your company is already using on-premises Windows Active Directory. Microsoft has provided a useful tool called Azure AD Connect. So, you can easily sync your on-premises Active Directory to Azure Active Directory, and you can easily implement the SSO.

Overall, we are satisfied with the solution and the features provided, and on a scale from one to ten, I would rate this solution at nine.

We have users, groups, and applications, and the purpose of this product is authentication, authorization, and attestation. We use it for the services connected to those three "A"s. The use cases in all organizations are more or less the same, even if some side services differ. Azure AD is used for authentication and authorization. It's about managing identities and granting access to applications.

It has features that have definitely helped to improve our security posture. The identity and access management, at the end of the day, are about security. It also offers features like multi-factor authentication, Privileged Identity Management, and access review and attestation, and all of these are connected to security and typically help improve security posture.

Many of its features are valuable, including: 

• facilitating application authentication 
• privileged access management 
• processes for attestation
• access reviews.

The multi-factor authentication, similar to when you use your mobile banking application when you want to do a transaction, doesn't rely only on your username and password. It triggers a second factor, like an SMS to your mobile. It requires another factor for authentication. This is one of the standard services Microsoft offers with Azure AD Directory.

Privileged identity management is also a standard feature of Azure AD for privileged accounts. We make sure we do privileged role activation when it's needed so that we do not have sensitive roles active every day.

A lot of aspects can be improved and Microsoft is constantly improving it. If I compare Azure AD today with what it was like five years ago, or even three years ago, a lot of areas have been improved, and from different angles. There have been improvements that offer more security and there have been some improvements in the efficiency domain. Azure AD is not a small product. It's not, say, Acrobat Reader, where I could say, "Okay, if these two features are added, it will be a perfect product." Azure is a vast platform.

But if we look at multi-factor authentication, can it be improved? Yes. Perhaps it could cope with the newest authentication protocols or offer new methods for second or third factors.

I'm also willing to go towards passwordless authentication. I don't want anyone to have passwords. I want them to authenticate using other methods, like maybe biometrics via your fingerprint or your face or a gesture. These things, together with the smart card you have, could mean no more passwords. The trends are moving in that direction.

When it comes to identity governance, the governance features in Azure AD are very focused on Microsoft products. I would like to see those governance and life cycle management features offered for non-Microsoft products connected to Azure AD. Currently, those aspects are not covered. Microsoft has started to introduce Identity Governance tools in Azure AD, and I know they are improving on them. For me, this is one of the interesting areas to explore further—and I'm looking to see what more Microsoft offers. Once they improve these areas, organizations will start to utilize Microsoft more because, in that domain, Microsoft is a bit behind. Right now, we need third-party tools to complete the circle.

In addition, sometimes meeting the principle of least privilege is not easy because the roles are not very granular. That means that if you are an administrator you need to do small things connected to resetting passwords and updating certain attributes. Sometimes I have to grant access for the purposes of user management, but it includes more access than they need. Role granularity is something that can be improved, and they are improving it.

Again, if I compare Azure AD today to what it was like three years ago, there have been a lot of improvements in all these domains. But we could also pick any of these specific feature domains in Azure AD and have in-depth discussions about what could be improved, and how.

We have been using Azure Active Directory for more than five years.`

Azure AD is very scalable. The only concern is around role-based access control limitations at the subscription level. That is something Microsoft is improving on. Currently, per subscription, you can have a maximum 2,000 role assignments. Sometimes big organizations hit the limit and need to implement workarounds to resolve that limitation. But that is something Microsoft has already confirmed it is improving. That is a limitation of the Azure platform, it's not specific to my organization. A smaller organization may never hit the limit, but bigger organizations do.

Apart from that, their application integrations, the service, MFA, and everything else, are quite scalable. It is moving in the right direction.

Setting up Azure AD, is about moving toward the cloud journey. I cannot say setting up Azure AD is easy, but on the other hand, organizations are not moving to the cloud in one go. It's not all or nothing, that you have it or you don't have it. It depends on which services you are receiving from Azure AD. Some organizations, like ours, start with a limited number of services.

You usually start with syncing your identities to the cloud so that you can offer your employees certain cloud services. You want to enable them to use certain SaaS applications, where they are relying on a cloud identity, and that's why you need to have your accounts in the cloud. Without that, you cannot grant them access.

Later, you may offer the ability for business partners to use and benefit from certain cloud applications, and gradually the use cases increase. For example, someone may become a privileged user to take responsibility for an application and manage it. When that happens you start to think about what other features in the Azure platform you can offer to do administration in a more secure way. Or, once you have thousands of users benefiting from cloud applications, how can you make sure that you protect their assets and their data? That leads you to start implementing other security features, such as multi-factor authentication. Over time, you may have users benefiting from Office 365 and they need to collaborate by using Teams and SharePoint. Again, you start to build something else around that.

Whether large or small, organizations are on a journey, where they start from on-premises with servers and all these server rooms and applications in the organization. They then shift workloads to the cloud. That process is still ongoing in my organization and in many organizations. Ten years ago, workloads were all on-premises. Five years ago, maybe 90 percent were on-premises. Today it might be 50 percent cloud and 50 percent on-premises. There is value from the cloud: elasticity and flexibility, even for big organizations. A server on-premises is a different story compared to having it on the cloud. If I need to upgrade a server on the cloud, it takes five minutes. If it's on-premises, I need to order hardware and then change the hardware. The usage of Azure Active Directory is due to the evolution of the cloud.

The bottom line is that the implementation is gradual. It's not difficult or easy, although we started with things that were easy to adopt, and then we continued the journey.

The staff required for maintenance of Azure AD depends on how you organize your support. Some organizations outsource their end-user support to other companies, while other organizations staff that completely internally. It can also depend on the users. Is your organization a global organization or a small, local organization? For us, to make sure we maintain the support and availability and all the services we need, including change management, we need at least 15 to 20 resources for a global application with more than 20,000 users, to maintain the platform.

We worked with a lot of consultants for Azure AD. There are many features and no one expert or professional can help with all aspects. Organizations, during their journeys, have to work with different partners and integrators. It may be that there is a specific application you need to integrate with Azure AD and you need some skills there. It may be that you want to better manage Azure resources, so you would talk to a different type of resource. You may want to increase your identity security scores, depending on how you configure Azure AD, and for that, you would need to talk to an Azure security expert. I think this applies to all big enterprises. We need different skills to better utilize Azure, including Azure AD, and to do processes in a more secure way.

We have Microsoft Professional Services. That's the primary source for many organizations that are utilizing Microsoft services. If you have an enterprise agreement or a unified agreement with Microsoft, they offer you consulting services. Of course, you have to pay for Professional Services, but we get value there. The number-one consulting and integration support provider is Microsoft.

They also work with certified partners like Accenture or Avanade. These organizations are connected with Microsoft and they offer consultancy services to enterprises like ours. Depending on the subject, we may use services from any of these providers. We usually go with Microsoft-certified partners.

Multi-factor authentication means you need to do an extra step, but that is normal because the attack surface is wider. We want to make sure you are who you say you are. That extra step impacts the end-user experience, but it's needed. The way authentication happens today is far different from 10 years ago. It may result in some added difficulty, but it is there to protect employees, organizations, customers, business partners, IT assets, data, et cetera.

There are a number of use cases. You can use it as a central point of authentication for giving access to most of your cloud and on-prem resources. For example, you can use Azure AD to give access to a Microsoft 365 application, such as Outlook or Microsoft Teams.

It is quite stable. Being a Microsoft product, it easily integrates with most of the Microsoft solutions. It is very easy to integrate with most of the Microsoft solutions, such as Windows, Microsoft Office, etc. If you have your own internal web applications or you want to integrate with other solutions from other providers, such as AWS or Google, you can link those to Azure AD. If you want to integrate with on-prem resources, you can use your Azure AD on the cloud as the authentication point to give people access to the resources and so on.

It can be used to grant access at a granular level. It provides secure access and many ways to offer security to your user resources. It provides a good level of security for any access on Azure. It gives you options like multi-factor authentication where apart from your password, you can use other factors for authentication, such as a code is sent to your phone or the authenticator app that you can use login. 

It even offers the next level of access management, which gives a password for authentication, and you just use the authenticator app to log in. It enables you to configure things like identity risk awareness to detect if someone logs in from a suspicious location from where they don't normally log in. So, it provides a good level of security features for controlling access to your resources.

Its integration with open-source applications can be improved. I know that they are working on open-source authentication methods for integration with open-source applications, but they can make it more open.

It can be a bit expensive for an organization. There should be a better pricing plan for the license.

I have been using this solution for about four years.

It is quite stable.

It is scalable. In my current organization, we have about 6,000 users on Azure Active Directory.

We are satisfied with their support. They provide different levels of support. They have Level 1, Level 2, and Level 3 engineers, and the response time depends on the kind of agreement you have. Some agreements will guarantee you a faster response time 24/7, such as within four hours, so it all depends on your license.

Considering that it runs on the cloud, the setup is quite easy unless you're doing integration with your on-prem Active Directory. For integration with your on-prem Active Directory, you need someone who is technically competent, and then it would be rather straightforward. They do provide engineers who can assist in that deployment, and they also do knowledge transfer to enable you to proceed with the deployment.

The initial deployment of the product usually takes about three months because you have to ensure all the prerequisites have been met. So, if it is a project for a big organization, we can do it in probably three months. If it is something simple, then it doesn't take much time because the only thing that you're doing is to plug into it. It is already running because it is a cloud service. So, the deployment comes in only if you're integrating it with your on-prem resources and, of course, with other applications. Otherwise, it is very straightforward. It is a cloud service, so it is just plug-and-play.

For deployment, we work with Microsoft. We work with them directly, but for enhancements, we use Microsoft partners.

For maintenance, we have a team of about five engineers who run it. Internally, we have about two engineers and a manager in charge, and then we have two engineers in our infrastructure team. It is not that intensive in terms of day-to-day management because it is a cloud service, so everything is running from Microsoft Azure servers. Therefore, the day-to-day administration is not that much.  

It can be a bit expensive for organizations, but they do have different pricing models. Their free tier can be used on a personal level, but for an organization, the licenses might be a bit expensive. In general, the licenses can become cheaper, which will make it accessible for more people.

Currently, where I am working, we use an enterprise agreement. The license is renewed after every two or three years. So, we make an agreement with Microsoft to give us a license for a number of products, including Azure Active Directory, for two or three years.

I would highly recommend this solution. We plan to keep using it for the long term.

It is among the best in the industry, but there is room for improvement. I would rate it an eight out of 10.