Azure AD Premium vs. Azure AD with Office 365
If you have an Office 365 subscription, then you already rely on Azure Active Directory. If you have DirSync or Azure AD Connect enabled, then that means your on-premises user identities and passwords are being synchronized to your Azure Active Directory tenancy in the cloud. I recommend this configuration, especially if you are considering an Azure Active Directory Premium subscription.
Yes, the “Premium” licensing does incur extra cost. At the time of this writing you can get Premium on its own for USD $6/user/month (only through an EA agreement; hopefully that will change), or move into an Enterprise Mobility Suite (EMS) subscription for $8.75/user/month to light up even more bells and whistles (like advanced MDM features and supercharged Rights Management).
The key question: is it worth it? I tend to think that it is–but let’s take a look at the feature comparison and you can decide for yourself. Keep in mind there are new features being released into this service all the time, so this will likely fall out of date quickly.
With the standard Office 365-included features, you will be able to:
- Manage users & group memberships in the cloud, and assign licensing
- Optionally sync your on-premises directory using Azure AD Connect
- Enable basic Multi-factor authentication (MFA)
- Enable up to 10 third-party SaaS apps per user from the gallery
- Users can reset their own passwords online UNLESS you are using Directory Synchronization–then passwords must be managed traditionally / on-premises
- Basic canned usage & access reports
- Company branding for the SSO access panel, etc.
- 99.9% uptime SLA
The premium features include the following upgrades, some of which are still in preview, highlighted with an asterisk:
- Monitor AD synchronization health in the cloud
- More advanced MFA features
- SSO for unlimited SaaS apps (and the ability to connect additional apps not present in the gallery)
- Users can change their own passwords online EVEN with Directory Synchronization enabled (password write-back)
- Advanced security & usage reports
- Azure AD join (join computers and devices to Azure AD)
- Self-service group & app management (dynamic groups)
- Run Cloud App Discovery to uncover unmanaged cloud applications running in your environment
- Azure Identity Protection* (uses machine learning to protect identities based on advanced reporting, monitoring, rules and access policies)
- Enterprise State Roaming* (user profile settings are stored in the cloud and roam with the user to new devices)
- B2B collaboration*
- HR Application integration*
- And more*
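The two lists above are about licensing and features, but the first things a practitioner usually wants to verify in a tenant are whether an Azure AD Premium service plan is actually present and which licensed users still have no MFA requirement. The script below is an added example, not code from the original post; it uses the MSOnline PowerShell module of that era (`Connect-MsolService`, `Get-MsolAccountSku`, `Get-MsolUser`) and the real service plan name `AAD_PREMIUM` that appears inside an Azure AD Premium or EMS SKU. The output CSV path is an assumption.

```powershell
# Added example (not from the original post): audit an Office 365 / Azure AD tenant
# with the MSOnline module. Assumes the module is installed and the signed-in account
# can read users and licences. The CSV path at the bottom is an assumption.

Connect-MsolService   # prompts for tenant admin credentials

# 1. Does the tenant hold an Azure AD Premium service plan at all?
#    AAD_PREMIUM is the service plan name inside an Azure AD Premium or EMS SKU.
$premiumSkus = Get-MsolAccountSku | Where-Object {
    $_.ServiceStatus.ServicePlan.ServiceName -contains 'AAD_PREMIUM'
}
if ($premiumSkus) {
    $premiumSkus | ForEach-Object {
        "Premium SKU {0}: {1} of {2} licences consumed" -f `
            $_.AccountSkuId, $_.ConsumedUnits, $_.ActiveUnits
    }
} else {
    "No Azure AD Premium service plan found in this tenant"
}

# 2. Which licensed users have no MFA requirement?
#    StrongAuthenticationRequirements is empty when per-user MFA is neither
#    Enabled nor Enforced; that population is the one to review first.
$users  = Get-MsolUser -All | Where-Object { $_.IsLicensed }
$report = $users | Select-Object UserPrincipalName,
    @{ Name = 'MfaState'; Expression = {
        if ($_.StrongAuthenticationRequirements.State) {
            $_.StrongAuthenticationRequirements.State   # 'Enabled' or 'Enforced'
        } else {
            'Disabled'
        }
    } },
    @{ Name = 'HasAadPremium'; Expression = {
        # True when an AAD_PREMIUM service plan is provisioned on this user's licences
        [bool]($_.Licenses.ServiceStatus | Where-Object {
            $_.ServicePlan.ServiceName -eq 'AAD_PREMIUM' -and
            $_.ProvisioningStatus -eq 'Success'
        })
    } }

# Users with no MFA requirement, exported for follow-up (path is an assumption)
$report | Where-Object { $_.MfaState -eq 'Disabled' } |
    Export-Csv -Path .\users-without-mfa.csv -NoTypeInformation

# Summary count per MFA state
$report | Group-Object MfaState | Select-Object Name, Count
```

Run it from an elevated PowerShell session with the MSOnline module loaded; the per-user MFA state it reports is the legacy per-user setting, so a tenant that enforces MFA only through conditional access policies (a Premium feature) will show users as `Disabled` here even though they are prompted at sign-in.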
In my opinion, Azure AD Premium is one of the most exciting Microsoft cloud offerings for the SMB today, next to Office 365. My favorite features include the advanced security & usage reports, password write-back for enabling self-service password reset, cloud app discovery, and the soon-to-be generally available Enterprise State Roaming and Azure Identity Protection (both are currently still in preview).
With this product, I feel like we are finally coming out of the “Wild, Wild West” days of the cloud. We are actually starting to gain some traction: more visibility and control over cloud-based applications through advanced user identity & access tools like this one. Previously, security and compliance in the cloud were shaky concepts, at best, and we struggled to provide confident answers to hard auditor questions. The SMB now has better options available in the cloud, and I can provide them more quickly and more cost-effectively than I ever could on-premises. This tool is indispensable for organizations with strict compliance requirements and a need for strong control over their cloud-based users & data across numerous platforms and devices.
The rest of the EMS suite fills out the profile and builds on these objectives even more, but if I had to highlight just one aspect of that product set, it would be this one: Azure AD Premium.
The main source I used for this article is found here.