SF: You should only ask practical, answerable questions based on actual problems that you face. Foreword: This question may be debatable regarding the answerable part. However, for me this is an actual problem regarding best practices and I think it is definitely answerable in terms of “Is there an alternative?” vs. “You're answering the wrong question and should move in a totally different direction.”
I'm evaluating Azure outside of the DevOps scope for the first time right now. While setting up a server/cloud infrastructure with several services, I came to the point where I wanted to centralize access control.
Back in the good old days I managed Windows Domain Controllers in rather big environments for years, so it felt just natural to dive into Azure. Starting from zero, I created a tenant with the intention of a pure Azure service - not hybrid (i.e. no Sync with a Windows Server instance).
Update 1: Thanks to a comment below I realized that the Microsoft link below is about hosted AD DS - i.e. not Azure AD, more like abstracted hosted AD. I let it sit there, as this just proves my question on how to do this purely cloud-based. After reading through some articles, including MS's own one on Create Organizational Units in Azure AD, I also realized that this is not due to a lack of implementation but by design.
I guess my precise question now is pretty simple, but I really would like to get some unbiased input and notes from user experiences regarding this: What is today's state-of-the-art basis for establishing a simple, centralized, secure access control unit like traditional AD with LDAPS? I know the hype about OAuth2 and SSO services, but most of them seemed like much overhead with little organization capability when dealing with a lot of users/groups (but I have to note that I only took a deeper look into SAML and OAuth2 in general, because Azure implements them).
How do you do this today? Any Azure-only domain administrators here?