BijuThankappan-5910 asked ·

Use cases for AAD

What are the use cases for Azure AD, specifically in the scenario where ADFS is already fault tolerant and available on-premises?
Note: I'm not referring to AADDS, because I know AADDS can at least provide BCDR.
Thanks!

azure-active-directory

amanpreetsingh-msft answered ·

Azure AD cannot be used to recover on-prem environment in case of a disaster. If you have configured PHS, you can convert federated domains to managed to facilitate authentication only for cloud apps.

Azure AD cannot be used as a full-fledged DR solution for your on-premises environment.


Thanks, Aman!
There is an ongoing debate going on here in my org and I was on Q with this one. Just wanted to clear it from an MSFT so I can win the debate.


Glad that you have the answer to your questions. Please "mark as answer" or "vote as helpful" to help others in the community.

amanpreetsingh-msft answered ·

@BijuThankappan-5910 Use cases for AAD from features perspective would be in scenarios where you need:

  • B2B Collaboration

  • B2C capabilities

  • Privileged Identity Management feature

  • Identity protection and risk reporting

  • Managed Identities for Azure Resources such as Web Apps, VMs etc.

  • Conditional Access (providing better control than Access Control Policies in ADFS)

BCDR for AAD is taken care of by Microsoft, and the end consumers are not required to implement any BCDR solution for AAD.


Please "mark as answer" or "vote as helpful" wherever the information provided helps you, to help others in the community.


amanpreetsingh-msft, my question was specific to ADFS: do I need to buy Azure when ADFS and ADDS are up and working fine in the env? Because, in my case, the points you have mentioned do not matter other than in-house tight security, the reason for not adding PHS to the equation.
Also, what is the use of AAD BCDR when authentication and authorization are finally carried out on-premises? If I use PHS, then AAD BCDR makes sense afaik and MS will be SLA bound.


@BijuThankappan-5910 If you are just concerned about Authentication and basic Authorization features, you are good with ADFS. However, if you would want to use the features that I mentioned in my previous reply, you should consider going with Azure AD.

Below is the scenario where AAD BCDR would fit in for a federated setup.

For example, if you have contoso.com added as a federated domain to Azure AD and you have an application federated to Azure AD, then when a user with UPN user@contoso.com tries to log in, he will first be redirected to the AAD authentication endpoint and then be redirected to ADFS. If AAD is not available, the user will not be redirected to ADFS. This is where AAD BCDR comes into the picture.

However, if you are federating the applications directly with ADFS, AAD would not be there in the authentication flow.

Hope this answers your questions.

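An added example, not code from this thread or from Microsoft: a small Python model of the two sign-in flows described in the comment above (app federated with Azure AD versus app trusting ADFS directly) together with the PHS-backed federated-to-managed conversion mentioned in the first answer, showing which outage breaks which flow. The tenant, the contoso.com domain and the hop names are constructed placeholders.

```python
from dataclasses import dataclass, field


@dataclass
class Tenant:
    """Constructed model of one Azure AD tenant plus its on-prem ADFS."""
    federated_domains: set = field(default_factory=set)  # domains ADFS authenticates
    phs_enabled: bool = False   # password hash sync configured?
    aad_up: bool = True         # Azure AD reachable?
    adfs_up: bool = True        # on-prem ADFS reachable?


def home_realm(tenant: Tenant, upn: str) -> str:
    """Home realm discovery: the UPN suffix decides managed vs federated."""
    domain = upn.rsplit("@", 1)[-1].lower()
    return "federated" if domain in tenant.federated_domains else "managed"


def sign_in(tenant: Tenant, app_trust: str, upn: str) -> list:
    """Return the redirect hops of a sign-in, or raise RuntimeError when it
    cannot complete. app_trust is "aad" (app federated with Azure AD) or
    "adfs" (app trusts ADFS directly, so Azure AD is not in the flow)."""
    if app_trust == "adfs":
        if not tenant.adfs_up:
            raise RuntimeError("ADFS unavailable")
        return ["adfs"]
    if app_trust != "aad":
        raise ValueError("app_trust must be 'aad' or 'adfs'")
    # The app trusts Azure AD, so Azure AD is always the first hop ...
    if not tenant.aad_up:
        raise RuntimeError("Azure AD unavailable: user is never redirected to ADFS")
    hops = ["aad"]
    if home_realm(tenant, upn) == "federated":
        # ... and only then does Azure AD redirect a federated user to ADFS.
        if not tenant.adfs_up:
            raise RuntimeError("ADFS unavailable")
        hops += ["adfs", "aad"]   # ADFS token comes back to Azure AD
    # Managed domain: Azure AD verifies the password itself (synced hash).
    return hops


def convert_to_managed(tenant: Tenant, domain: str) -> None:
    """Model of converting a federated domain to managed: only sensible with
    PHS in place, otherwise Azure AD holds no credential to verify."""
    if not tenant.phs_enabled:
        raise RuntimeError("conversion requires password hash sync")
    tenant.federated_domains.discard(domain.lower())
```

Running the model with aad_up=False shows the point of the comment: an app that trusts ADFS directly keeps working, while an app federated through Azure AD fails before ADFS is ever contacted.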

So, I understood from this that unless you have apps on Azure, AAD is useless; unless of course you need those addtl. new features. And even then, AAD will only help with fault tolerance, not actual DR (complete blackout of on-premises).
How does AAD help in DR? This is still not clear. Is there any official doc?
