Azure Active Directory works well to securely move into the cloud
September 24, 2019

Jane Updegraff | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Overall Satisfaction with Microsoft Azure Active Directory

My company uses Active Directory across the entire enterprise, which is probably the most common way that it's used. It's used to maintain a directory of users, groups, computers, service accounts and other resources; it is also used to authenticate those users and machines to the network, and to permit them access to network resources based on the individual user's or computer's permissions and group memberships. Active Directory acts as our primary resource management tool. It's where we store the identities of people and things that allow us to quickly create things like access control lists for data and network segments.
  • Azure Active Directory is very good at maintaining user and computer data in a fully-replicated database.
  • Azure Active Directory is very good at notifying administrators whenever there is a problem with the AD database content or replication.
  • In my opinion, Azure Active Directory's dashboard pages are way too busy and difficult to navigate.
  • Azure Active Directory doesn't handle duplicate attributes in user accounts very well.
  • Azure Active Directory pesters the admin to buy additional features by cluttering up the GUI with "suggestions" that you can't remove from the dashboard.
  • AAD has made it possible for us to deploy cloud resources faster and with fewer human errors, saving time and therefore money.
  • AAD has underpinned our move to cloud resources, including Office 365, and it's what enabled us to move to regularly using desktop-as-a-service. This has enabled us to spend less on endpoint hardware and all of the time spent handling physical endpoints.
We are getting ready to enable multi-factor authentication using Azure AD to further secure our network and we also plan to use it to expand our presence in the cloud in conjunction with many other available Azure resources. All of the other Microsoft Azure products integrate seamlessly with Azure AD, making it possible to launch new resources in minutes rather than hours or days.
I've only had to open a few support cases with Microsoft for Azure AD. Each time it was because there was a sync error between our on-premise database (the local copy of the AD) and Azure's copy. The AAD copy of the AD has some user and computer attributes that admins can't change using the AAD console. But that's so that we, as humans, don't accidentally break the database. Whenever there has been a sync conflict that I could not resolve following their (usually excellent) instructions for doing so, I have opened a support case. I can count those cases on one hand after nearly three years of live production use of AAD. Each of those cases was resolved within a few days and in no circumstance was the affected user or computer unable to authenticate, although they may have been unable to access their email for a brief period during the troubleshooting. It's quite a bit better than other Microsoft support, in my opinion.

Do you think Microsoft Entra ID delivers good value for the price?

Yes

Are you happy with Microsoft Entra ID's feature set?

Yes

Did Microsoft Entra ID live up to sales and marketing promises?

Yes

Did implementation of Microsoft Entra ID go as expected?

Yes

Would you buy Microsoft Entra ID again?

Yes

Azure AD is actually required for Office 365 to work, so obviously you won't have a choice about whether or not it is well-suited unless you want to skip Office 365 completely. But it's actually a good standalone AD solution for when you don't want to own any infrastructure at all. That's because AAD is hosted by Microsoft in their commercial cloud, Azure. You could hypothetically build a full corporate directory against which to authenticate without having to own a single server.

I would not advise using AAD as your network directory as a standalone solution, however. You would need to have at least one on-premise AD domain controller with a full copy of the directory, at all times. This is required because Azure Active Directory operates in the cloud, meaning it is reached by way of the internet. If any site were to become disconnected from the internet for any reason, and if there is NOT a local copy of the directory on a domain controller that the users and computers can reach from their devices, no one would be able to authenticate to any resources until connectivity is restored.

Microsoft Entra ID Feature Ratings

  • ID-Management Access Control: 10
  • ID Management Single-Sign On (SSO): 8
  • Multi-Factor Authentication: 10
  • Password Management: 10
  • Account Provisioning and De-provisioning: 10
  • ID Management Workflow Automation: 8
  • ID Risk Management: 6