Let’s talk about Azure Active Directory Premium

I often get asked about the difference between Azure Active Directory (AAD) Free/Office 365 versus the Premium version of AAD. Let’s talk about the differences at a high level.

The following video provides a high level overview of Azure Active Directory Premium

The following page, Azure Active Directory Pricing will list out in detail what is included in Azure Active Directory Premium. Note there are two versions of Premium: P1 and P2.

In short here’s how I think about Azure Active Directory Premium (not an extensive list):

  • Unlimited Single Sign-On w/ apps (SaaS or On-Premises) – instead of purchasing 3rd party SSO IdP
  • AAD Security Reports have more detail (see this document for more info) – gives you more detailed reporting for security events
  • Cloud App Discovery (discovery Shadow IT, see this document for more information and see my vlog here for a full demo) – instead of purchasing 3rd party discovery software.
  • Conditional Access (see this document for more information) – instead of purchasing 3rd party software to do these capabilities.
  • Identity Protection (see this document for more information) provides the ability to assess user risk (i.e. credentials up for sale on the dark web, impossible travel, logon from known malicious IPs, etc)
  • Terms of Use (similar to CTRL-ALT-DEL disclaimer) for all SaaS apps integrated with AAD. See this document for more info.
  • And more!

Let’s start with Conditional Access, an “If/Then” statement for users signing into Office 365 and frankly any SaaS app integrated w/ SSO to AAD. The following diagram helps to visualize the capabilities of AAD Conditional Access (CA):

Azure Active Directory Conditional Access

Turns out there’s quite a few scenarios where CA can be beneficial, but it all starts with mapping out business requirements and understanding what challenges exist in the environment. Some example scenarios where CA could be valuable:

  • Only prompt for Multi-Factor Authentication (MFA) when it matters
    • Instead of prompting upon every logon, the system will assess the risk of each user’s logon (i.e. the likely hood their credentials or account has been compromised) and only prompt for MFA when it truly matters (i.e. if the identity has been compromised, or if the user is logging in from a non-managed endpoint).
  • Require devices connecting to be managed (AD, AAD, Intune) and compliant (i.e. require BitLocker, Firewall, Local Security Policy, etc)
  • Require devices to be free of malware and suspicious behavior upon logon (using Microsoft Defender ATP integration)
  • Block logons from outside the US, or only from specific countries (minimize an attacker’s success with email phishing)
  • Limit access to Office 365 or a SaaS app (i.e. prevent downloads but allow online editing).

To make AAD CA real, consider the following scenario: I am at home and pick up my personal computer from the coffee table. This device is non-managed and my company’s IT department has zero control of it. When I open up G-Suite to work on a file in Google Slides, all activity is monitored and audited, I’m able to edit successfully online, but downloading the file is blocked.

Example: Signing in to G-Suite, user is notified
Attempting to download the file is blocked

Next let’s take a look at Cloud App Discovery. This enables you to discover SaaS application usage in your environment – without an agent, and seamless to the end user. I’ve written extensively about this in previous blogs and even recorded a few videos on it.

This uses a copy of your firewall log, feed from a syslog server, or Microsoft Defender ATP to retrieve the data.

Cloud App Discovery in action

For Terms of Use, this is the equivalent of what CTRL-ALT-DEL disclaimer used to be years ago – but now for SaaS apps.

Terms of Use Agreement presented to the end-user upon logon to a SaaS app

What’s interesting is the capability to require the user to expand the terms of use, or require whenever they logon from a new device, or expire after a time period:

For limiting access to SharePoint Online or OneDrive for Business – here’s an example of allowing access to work with a document in Word Online (stored in SharePoint) but notice the banner at the top and there’s no option to open in the desktop app nor is there an option to download!

Configuring this capability in the SharePoint Admin Center:

One of my favorite features of AADP is Identity Protection (IDP). Upon every sign-in the system will evaluate against the following criteria:

Here’s an example of the interactive dashboard to investigate suspicious sign-in activity:

Example of a user’s identity stolen and blocking sign-in

As you can see there is quite a bit of value in Azure Active Directory Premium, and we haven’t even covered the cool stuff yet! Kick the tires on AADP today by starting a trial!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s