[HN Gopher] Does Company 'X' have an Azure Active Directory Tenant?
___________________________________________________________________
Does Company 'X' have an Azure Active Directory Tenant?
Author : curiousmindz
Score : 182 points
Date : 2022-10-01 12:44 UTC (10 hours ago)
web link (www.shawntabrizi.com)

| parkingrift wrote:
| Bundling is anticompetitive and illegal. The MS ecosystem deserves close antitrust scrutiny.
| scarface74 wrote:
| So in that case are the following "illegal"
| - Apple One
| - Microsoft Office
| - Amazon Prime
| - Google GSuite
| - Adobe Creative Cloud
| - Salesforce bundling SFDC with Concur
| azalemeth wrote:
| Honestly, I think the regulators should look at basically all of those things. Here in Europe scrutiny is building and a lot of those organisations do party hard and play loose with the rules. Microsoft is famously anticompetitive, but Adobe, Google and Apple can't be far behind in their respective areas.
| scarface74 wrote:
| Really? So you really think companies shouldn't be able to sell software that works together bundled together? Why stop there? Phones and computers shouldn't be "bundled" with operating systems? Computers shouldn't be "bundled" with sound hardware? Where does it stop?
| cratermoon wrote:
| Bundling is fine. Bundling by a company that is a monopoly in the space is (or rather, used to be) a violation of antitrust law. But see Amazon's Antitrust Paradox, especially sections IIA and IIIB: https://www.yalelawjournal.org/note/amazons-antitrust-parado...
| scarface74 wrote:
| So in that case, every cable company is a local monopoly and shouldn't be allowed to bundle channels. Doesn't anyone see how silly this sounds in 2022?
|
| Disney is by far the largest entertainment conglomerate. Should they not be allowed to bundle Hulu, Disney and ESPN?
|
| Intel has over 80% of the PC market, how much hardware should they be able to bundle on their motherboard?
|
| And HN has a habit of calling any big company a "monopoly". Amazon only has 56% share of e-commerce and a tiny share of all commerce in the US.
|
| But getting back to MS Office, I have three "office suites" right now on my phone - all three made by companies worth 1 trillion dollars - Google, Microsoft, and Apple.
|
| There is no "monopoly" in the IDP space.
| sabujp wrote:
| Even Apple's Business Manager is compatible with AD.
| parkerhiggins wrote:
| Apple Business Manager added (beta) support for Google Workspace a few months ago.
| vinay_ys wrote:
| The way Microsoft does enterprise price bundling, this is not surprising at all.
| SOLAR_FIELDS wrote:
| They are insanely good at onboarding people onto it as well. I have a small startup, just me and a cofounder right now, and we pay $12 a month for 365 which includes all of Azure AD. Can start doing full integrations right away to lock us in.
| eastbound wrote:
| This is awesome! I went 6 times to Microsoft AD's pricing page and I could never figure out how much it would be! Then I remembered it would be bundled with Azure, which, like any cloud, has the "It's 0.0062$ per unit of consumption, so sometimes it's 2EUR per month, sometimes it's 647EUR, we never know ourselves, good luck!" effect.
|
| Has anyone else sometimes avoided a cloud service because the pricing was opaque?
| vinay_ys wrote:
| They are much nicer in recent years and are quite transparent with pricing - https://www.microsoft.com/en-us/microsoft-365/compare-micros... See full pdf for all plans: https://go.microsoft.com/fwlink/p/?linkid=2139145
|
| Basically if you have a Microsoft Office 365 Enterprise license (E3 or E5 license - which you need if you have business people in your company who can't live without Excel on desktop), you get Azure AD Premium (P1 or P2) bundled for free.
|
| As I was writing this comment I just went looking at their AD page and found they have launched a new thing called Entra which includes Decentralized ID. And there's a white paper - interesting.
| logifail wrote:
| > you get Azure AD Premium (P1 or P2) bundled for free
|
| Last time I checked what was included with Azure AD the activity logging data was where it looked like things could get expensive. Exporting your authentication logs and/or keeping them for more than a week was a premium add-on.
| pid-1 wrote:
| M365 Business Premium includes P1 and costs 22 USD per user. You also get MDM (Intune) and other security related stuff.
| sebazzz wrote:
| > We assume the first result is the homepage of that company, and the domain they would use for their tenant.
|
| That is a big assumption though. A very well-known big-four with two letters uses [letters]gs.com ("Global Services"), for instance.
| imron wrote:
| > However, if we say that a company does not have a tenant, we are not necessarily correct. It is possible that the google result did not point to their actual domain name, or they are using a different domain name for their AAD Tenant
| idiocrat wrote:
| So many eggs in a basket!
| x86_64Ubuntu wrote:
| They can still have On-Prem failover for domain controllers if Azure has downtime.
| mrweasel wrote:
| That's kinda the point, isn't it. Central management of access to everything.
| benrow wrote:
| I initially had the same thought as the parent. From the perspective of so many companies relying on the security of one authentication provider (rather than any one company using AD for all their authentication needs).
|
| So if AD were to be compromised, that would have significant impact.
|
| There are of course advantages to such a "single point of failure" such as concerted effort in one place. But one way to mitigate the spof is transparency, and I'm reminded of LastPass versus Bitwarden.
| unreal37 wrote:
| Assuming the #1 Google result on page 1 of search is the company's public domain is a flaw.
|
| Some companies use a different domain for corporate use than their public domain name.
|
| Like fb.com
| homero wrote:
| They said that
|
| One thing to note about these results is that when we get a result that says the company has a tenant, we are nearly 100% correct in that fact. However, if we say that a company does not have a tenant, we are not necessarily correct. It is possible that the google result did not point to their actual domain name, or they are using a different domain name for their AAD Tenant.
|
| If you wanted to do this really robustly, you would probably want to get a better source for your domain names than automated google search results. You might want to also look at other combinations like "companyname.onmicrosoft.com", however we are doing just rough estimates here.
| Eleison23 wrote:
| Well, you can also spot Facebook when their IPv6 addresses contain :face:b00c:
| ldjb wrote:
| The script also seems to assume that the company's domain name is of the form (foo.bar), which may be a reasonable assumption for the US-based Fortune 500, but won't work so well if trying to replicate this with international companies (which often have domain names like example.co.uk or example.co.jp).
| computerfriend wrote:
| I genuinely don't know what AD is used for. If you need SSO, why not just use an SSO/SAML IdP?
| dmarlow wrote:
| What's the source of data and truth for your SSO?
| barbazoo wrote:
| AAD can be used as a SAML IdP.
|
| https://learn.microsoft.com/en-us/azure/active-directory/fun...
| mnd999 wrote:
| OpenID Connect seems like the current popular flavour. SAML seems to be increasingly considered legacy.
| cratermoon wrote:
| Indeed legacy, but you know how Fortune 500 companies are about new technology not directly relevant to their line of business.
|
| Also, SAML as a spec is really complex precisely because it was created to satisfy a broad range of Enterprise-y requirements. I don't know if OpenID Connect is there yet. It certainly could be, the underlying spec (oauth2) could support a lot of variant complexity, and OIDC supports mobile and there are a lot of extensions available or in progress. https://openid.net/developers/specs/
| rootsudo wrote:
| This is assuming the domain has it, but it's even easier actually - you can just dig DNS records and see what they run as MX, CNAMEs, etc. If there are Teams DNS records and the MX record points to *.onmicrosoft.com or $tenantname.mail.protection.outlook.com, there you go, even easier than "querying" Google and seeing what's indexed.
|
| And much easier to script too. ;)
| altdataseller wrote:
| This shows you which domains use Microsoft 365 though, not Azure AD.
| technion wrote:
| You can also enumerate that tenant and see which businesses share infrastructure/accounts.
|
| https://github.com/technion/azure_enum
| petercooper wrote:
| I know next to nothing about AD, but my company appears to match against this merely because we have an Office 365 account (from which we do nothing except download Word and Excel every now and then) so it doesn't necessarily mean you're using whatever it is much.
| flumpcakes wrote:
| If you have Office 365 you have AAD. If you use pretty much any cloud hosted Microsoft business services (E# licenses) you are using AAD. If you are using Azure, you are using AAD.
| rejectfinite wrote:
| You don't use it for email/Exchange Online?
|
| All 365 accounts get created in AAD. And your user has access to the portal even. https://aad.portal.azure.com/
| simonw wrote:
| I never thought about how the "I'm Feeling Lucky" button on Google can double as an API to return the URL of the first search result before. That's pretty neat.
| altdataseller wrote:
| So Okta (their main competitor) uses Azure AD https://login.microsoftonline.com/okta.com/.well-known/openi...
| simonw wrote:
| Apparently so does Google: https://login.microsoftonline.com/google.com/.well-known/ope...
| insomniacity wrote:
| Could easily be for testing/development/research.
| OrvalWintermute wrote:
| And still, in 2022, we don't have Azure AD replicating the full functionality of an on-premise AD.
| dmarlow wrote:
| What about coupling AAD with AADDS?
| rejectfinite wrote:
| What are you missing?
| mberning wrote:
| They have it in some capacity. Most places still have a very significant on-prem or self hosted instance of AD.
| rejectfinite wrote:
| This, a company/person just needs to sign up for Office 365 and then an Azure AD tenant "exists" for them as the Office 365 accounts are in there.
| cloudking wrote:
| I wrote a similar script once that took company domain names and then looked up their MX records to see if they were using Google Workspace.
| wsjeffro wrote:
| What I can't understand is why Azure AD doesn't have a stronger position in the consumer space. Authentication via Google, Apple, and even still Facebook are nearly always supported on customer-facing logins. I rarely see an option for Microsoft.
|
| They have a commanding position in the enterprise. What's keeping them from crossing those enterprise boundaries?
| andylynch wrote:
| They were an early mover in this area twenty years ago with the original Hailstorm / .Net Passport which was skeptically received and wasn't helped by some spectacular outages. Google and Facebook leveraged their apps and especially GMail - Apple had the leverage from their App Store to force everyone that mattered to at their service too.
| Terretta wrote:
| Incidentally, a Microsoft Passport login still works on any site with today's "Login with Microsoft" ... and there are starting to be more alongside "Login with Google" or "Login with Apple".
|
| These days, a consumer + biz login page can look like this:
|
| https://www.xsplit.com/user/auth
|
| There's almost no good reason to require emails/password rather than let users use their preferred IdP.
|
| I think the reason it's less common is simply that indie devs assume everyone uses free Google Workspaces. This year we're seeing more Microsoft Logins. Perhaps one reason is that now Google Workspaces is no longer free and startups are realizing they can get actual Office with actual apps at the same $6 to $12 per user cost. Then in turn, supporting that login.
| candiddevmike wrote:
| Microsoft's support for multiple accounts is atrocious. I can easily have 5+ Google accounts that I switch between; moving between MS accounts is awful. Additionally MS's free consumer offerings are not competitive with Gmail/Drive IMO.
| yellow_postit wrote:
| I'm not a fan of Google's solution either. With a device with multiple G accounts it's always a guessing game when opening up a google doc which account it'll choose.
| GordonS wrote:
| It's even worse if you have personal and business accounts tied to the same email address - you never know which one you're using, or which you need.
| logifail wrote:
| > It's even worse if you have personal and business accounts tied to the same email address - you never know which one you're using, or which you need
|
| I have a friend who managed to get into this mess, and he's still not sure how he did it.
|
| firstname.lastname@companybizname.TLD is apparently linked to two separate identities at Microsoft, one is a business account, one is a "personal" account.
|
| Every time he experiences any kind of login issue, this bites him :/
| magicalhippo wrote:
| I read an explanation from some Microsoft page or rep that it had to do with making personal purchases in the Windows Store when you're signed in using your business account. IIRC the rationale was that the personal account could persist beyond your employment, so you wouldn't lose any purchases if you switched jobs.
|
| If I indeed recall correctly, then that doesn't really make sense. Just force people to make a different, actual personal account, and have them use that.
| trevorishere wrote:
| This is a legacy setup that can no longer be created. Microsoft removed the option to use a custom domain for Microsoft accounts many years ago, but hasn't forced people to change.
|
| However, your friend can get out of this scenario by following the instructions on this site:
|
| https://support.microsoft.com/en-us/account-billing/change-t...
|
| They'll end up with <whatever_they_can_find>@outlook.com for their Microsoft account. When using Org services via a browser, you'll automatically use your Org account. When using consumer services, you'll automatically use your Microsoft account (assuming you've selected stay signed in for both).
| nine_k wrote:
| This is a terrible idea to begin with.
| magicalhippo wrote:
| Indeed. I've never understood this distinction. Either it's a business account, or it's a personal account. It's bad enough that people use their business mail to sign up for personal stuff, we don't need Microsoft to make it even worse.
| trevorishere wrote:
| > we don't need Microsoft to make it even worse.
|
| Microsoft made it better by preventing the scenario from occurring beginning 3 - 5 years ago.
| thakoppno wrote:
| In the US at least it seems like we're at the stage where every new account created is essentially tied back to a social security number.
|
| One cannot get an e-mail address without a phone. One cannot get a phone without a credit check. A credit check requires a social security number.
| DanAtC wrote:
| Prepaid phones are readily available in the US, no ID or SSN required.
| Gh0stRAT wrote:
| Prepaid phones all-too-often can't be used for SMS/phone authentication. Banks in particular seem to dislike them.
|
| (when it doesn't work, you'll usually get an error message about the number not being supported or words to that effect)
| rwalle wrote:
| There is an obvious reason.
|
| Facebook and Google provide "Sign-in with Facebook/Google account" not because they do it out of goodwill, to only make it "easier" or "smoother" to login -- it obviously costs resources on their end to enable such features -- it helps them better identify users and then serve ads. And Google can be really aggressive -- try reddit or Quora.
|
| Apple, on the other hand, tries to sell "login with Apple account" with a different approach: they advertise the "privacy" part of it and how you can hide your email address by using its sign-in service. And they have a term where login with Apple must be enabled on an app _and_ website if a company has an app on the app store and it supports any other third-party login. In other words, if Reddit supports login with Google on iPhone, it must also support login with Apple ID. This helped the adoption a lot.
|
| For Microsoft, they are relatively late and small in the ad business (for now) so I guess they don't really care about getting more of your information via sign-in services. And they are not on this privacy bandwagon as Apple is. So they really have no incentive for this.
| aflag wrote:
| Isn't every github account also a microsoft account? There are plenty of sites out there integrating with github login.
| pid-1 wrote:
| Only very recently Windows started requiring a MS account. I'd guess most people who don't own an Xbox don't have a MS account.
| quickthrower2 wrote:
| I was forced to use one to set up my new laptop
| rejectfinite wrote:
| Every hotmail and outlook email is an MS account...
| MrStonedOne wrote:
| MattGaiser wrote:
| Do enough people still use consumer Microsoft accounts? Except for myself, it has been a long time since I have encountered a hotmail address or live address or outlook address in the wild.
|
| I've gotten career advice several times to get a GMail instead, because Microsoft was considered out of date and backward (not so much anymore).
| daveoc64 wrote:
| There are lots of very popular Microsoft services for consumers including Xbox and Office 365. Combined, these have hundreds of millions of paid subscribers.
| ekianjo wrote:
| Minecraft too
| faeriechangling wrote:
| How times have changed, I mostly hear Google being called backwards now for its view that customers are just beta testers you dispose of when your latest moonshot project doesn't hit orbit.
| vladvasiliu wrote:
| I'd expect this to grow now that Windows pushes more aggressively to use an MS account to login.
|
| Plus, if this works as well as it does with the "corporate" AzureAD, it would be a better experience for users. Just "log on with your Windows account".
|
| Not saying that's necessarily a _good_ thing, mind. Only that I expect support to broaden.
| quickthrower2 wrote:
| You can have a MS account but never use or know or share the MS email address associated with it
| hedora wrote:
| Anyone that uses Minecraft (edit: or Xbox) I'm sure it is only a matter of time until some middle manager stakes their promotion on merging it with github and/or linkedin.
|
| Microsoft is the only company I deal with where I cannot reliably authenticate. I wish they'd just stop trying to run consumer accounts.
| vondur wrote:
| I'm assuming if you were a heavy user of on-prem AD, then moving to Azure AD is a logical choice.
| ascar wrote:
| Why was that title editorialized as "around 83.4%"?
|
| 83.4% of 500 is exactly 417. The article is also exact about these numbers. No need to add "around".
|
| Edit: Why was the title editorialized to begin with?
|
| Edit2: looks like the title was updated to the original. Thanks.
| graiz wrote:
| The article says that there may be other domains that it didn't catch because it wasn't the first result in google or the company has the server on a different domain, so it's likely a slight undercount.
| ascar wrote:
| So "at least" would still have been a more accurate wording.
| Retric wrote:
| That 417 is probably low. It's hard to prove that nobody in a giant organization is using some tool, but conversely that undercuts such statistics. If say 0.01% of Walmart's employees are using X because of a recent acquisition then that's hardly an endorsement of X by Walmart.
| [deleted]
| darkstar_16 wrote:
| Nitpicking much, are we?
| kzrdude wrote:
| The article could use significant figures better at least. No reason to not say 83% or even "at least 80%" (would be my pick, to reflect the roundness of the number).
| ascar wrote:
| HN Guidelines:
|
| _"If the title contains a gratuitous number or number + adjective, we'd appreciate it if you'd crop it. E.g. translate "10 Ways To Do X" to "How To Do X," and "14 Amazing Ys" to "Ys." Exception: when the number is meaningful, e.g. "The 5 Platonic Solids."
|
| Otherwise please use the original title, unless it is misleading or linkbait; don't editorialize."_
|
| This is directly against the guidelines and how article titles should be submitted. Editorialization of titles is heavily discouraged and here it even says something the article doesn't. Not at all a nitpick imho.
| ocdtrekkie wrote:
| So, I don't see anyone pointing it out here: This doesn't mean they use Azure AD! If you use any Microsoft cloud services at all, you get a "shadow tenant". One employee signs into Teams for a meeting once and there you have Azure AD.
| fweimer wrote:
| Doesn't the end point show up once you have SSO with your own identity provider enabled for any Microsoft services? Maybe technically this means that you have an Active Directory tenant as well, but it doesn't necessarily imply that you are using those Active Directory services for anything beyond that SSO capability.
|
| For Google Workspace, a similar URL is: https://www.google.com/a/example.com/ServiceLogin
| hirsin wrote:
| Yes, it means that you have a tenant in AAD that's usable for signing into SaaS products and Office. May not have many or any users in it, but it exists.
| curiousmindz wrote:
| This is based on a 2017 script that looks up if their domain names are attached to an Azure Active Directory Tenant.
| cassianoleal wrote:
| But also, what does it say about anything?
| arkitaip wrote:
| Microsoft absolutely dominates corporate IT. Their Office 365 delivers so much value at a low cost that the corps suffer from mediocre MS products because it's all there through a single subscription.
| mc32 wrote:
| Same for the Google options; except the Google options tend to make non-backward compatible changes and often only go 90% of the way to meet the competition in terms of features. Even their spam detection is not where postini had it years ago.
| jmathai wrote:
| I worked in Google Workspace.
|
| A CIO needs to see significant upside in choosing a non-Microsoft solution to take the risk of not going with on-prem/cloud AD.
|
| Very few enterprises, this is an understatement, use Workspace exclusively.
|
| They need Active Directory Domain Services (on-prem AD) regardless and it is their source of truth (typically syncing to Workspace for users/roles). The tooling and expertise is in AD. Azure AD will always have a better on-prem to cloud story than Workspace (or any competitor). Plus their licensing makes it a no brainer. It's a very strong moat.
| rchaud wrote:
| With AD we have SSO integration with a whole universe of mediocre apps, Jira for instance
| hulitu wrote:
| I need to always give a password in Jira.
| sofixa wrote:
| Jira, and the whole of Atlassian Cloud services, bundle SSO as a separate service you pay for. It's called Atlassian Access and it costs $4-$2 depending on number of users, so many companies skip it because it easily doubles your Jira/Confluence costs.
|
| sso.tax
| quickthrower2 wrote:
| Security tax
| realityking wrote:
| Jira's cheapest license is $7.5, Atlassian Access at its most expensive is $4 a month. It will never double your Jira bill.
| bob1029 wrote:
| I know how we feel about the Microsoft Death Star consuming all in its path, but there are some upsides to statistics like this.
|
| For instance, we are a B2B software vendor in the banking space, and we have to survive all kinds of audits regarding the nature of our code & vendors. By keeping nearly all of our 3rd party items under the Microsoft umbrella, we can automagically skip over vast chunks of our due diligence process (according to the mutual trust equation).
|
| None of our customers is F500 (so far), but we have yet to encounter one who didn't already have AAD, or a willingness to set this up. From a product development perspective, we really prefer having a few known-good ways to do things. Authentication & authorization is one area that I strongly dislike having a large variety of flavors on. Especially considering the nature of our business and ever-increasing demands for complex MFA flows (e.g. SAML). There's been so many fly-by-night operations in this space, and our customers do not have patience for trying new things.
| ocdtrekkie wrote:
| We don't use AAD and aren't willing to set it up. You've now encountered a (potential) customer who doesn't use AAD. You're welcome. :)
| rwalle wrote:
| Sorry, your comment is not helping. You could be working alone or in a 5-people startup and totally have not used anything Microsoft (and your comment does not clarify that), in which case nobody cares whether you want to set up AAD.
| joebob42 wrote:
| What makes you think you're a potential customer for them?
| SgtBastard wrote:
| Are you in the banking space?
|
| If not, you aren't a potential customer.
| haxxorfreak wrote:
| AADInternals[0] is an excellent set of PowerShell modules for pentesting and performing recon against Azure AD as both an outsider[1] and for someone who has been invited to a tenant.
|
| It has similar functionality integrated for discovering if a domain has an associated Azure AD Tenant and enumerating information about users in the tenant, who the "Owner" is and their contact information. As with many Microsoft products there are many configuration options and plenty of them aren't secure by default.
|
| [0] https://o365blog.com/aadinternals/
| [1] https://o365blog.com/post/just-looking/
| PaulWaldman wrote:
| Microsoft is traditionally great at bundling their products. This is reminiscent of bundling Internet Explorer with Windows.
|
| Could an Okta have a claim against Microsoft similar to Netscape in the late 90's?
| ab_testing wrote:
| Having Azure AD does not prevent clients from also having Okta or any other 2FA provider for 2 factor authentication. In fact, I have worked with at least 10 clients in the last 2 years that used Azure AD for authentication but then something else for 2-factor depending on the type of apps.
|
| Sometimes even within one company, there are multiple 2FA protocols, e.g. using Oracle single sign on for ERP apps but Okta for Citrix and other external facing apps.
| hedora wrote:
| Okta is a single sign on provider though.
|
| Clearly, authenticating via Azure and also Okta would not be single sign on.
| trevorishere wrote:
| I've actually created this setup (in order to ditch Okta as it is far more expensive than AAD P1 if you want MFA).
|
| You federate AAD and Okta. Sign in to Okta and it's smooth sailing into AAD-based resources like M365.
|
| Okta puts on a good dog and pony show for execs. From a technical perspective, they're no better for corps (at least in first party auth or B2B -- I don't get into the B2C space). We found, for the apps we used, AAD as of ~4 years ago had better SCIM support (!) than Okta.
|
| On top of getting O365 E5 + Ent Sec (I think they're just now called M365 E5) which gave us AAD P2 licenses, overall it was much cheaper than Okta. The goal was to just get MFA, which Microsoft gives away for free (with limited toggles) or in P1 licenses (with more toggles) whereas Okta wanted $6/user/month _just for_ MFA.
|
| Microsoft puts on a terrible sales pitch, though. We were fortunate enough to have an _awesome_ Principal Program Manager spend days with us in-person answering all of our questions and explaining AAD to our IT management.
| abruzzi wrote:
| I don't know the specific setup, but the app passes you to AAD which passes you to a SAML source (Okta in this instance, but we use Cisco Duo). The SAML provider authenticates you, sets a cookie, then sends you back to AAD, which sets its own cookie, then passes you back to the App. (Or something like that.) If the next app you sign into is an AAD app, you pass through quickly, but if the next app you sign into uses SAML directly you have a cookie set for that as well.
|
| We use AAD for O365 and the few apps that won't use generic SAML, but everything else uses Duo directly. The reason for this is at our O365 license level we don't get the ability to restrict access to applications by AD group--everyone or we have to manually manage access account by account.
| cratermoon wrote:
| Identity federation can be pretty complex to set up and administer, but once the trust relationship is configured and the identity mapping set up, it's pretty transparent to use. Source: I do this for a living.
| RajT88 wrote:
| Confirmed. I work with clients who use Ping and Okta for 2FA on top of AAD.
| pid-1 wrote:
| > also having Okta or any other 2FA provider for 2 factor authentication
|
| Why would you do that?
| scarface74 wrote:
| Will this meme ever die?
|
| Absolutely nothing came of Microsoft bundling IE with Windows in the 90s in the US. There was never a day since IE came bundled with Windows that it wasn't bundled with Windows. There was never a browser choice initiative - nothing.
|
| Out of all of the anti trust allegations, bundling was the nothingburger. MS was forced to stop making OEMs pay for licenses for all of their PCs whether or not they came with Windows and they were forcing OEMs to not include Netscape, share APIs, and document file formats.
|
| Microsoft Office (bundling) has been a thing since 1990 and today, every single major company bundles products together - Apple, Amazon (Prime), Microsoft, Google, Adobe, Salesforce (SFDC and Concur), etc.
|
| Next up: no, "cable was not ad free when it was introduced"
| yardie wrote:
| Yes, there was a version of Windows that did come unbundled, Windows N <level> that was targeted for EU users to comply with EU antitrust agreements. And there was a browser choice selection during OOTB configuration with the top 4 or 5 browsers in the marketplace.
| scarface74 wrote:
| That's why I was careful to repeatedly say "in the US".
| jonhohle wrote:
| The nuance that you're missing is that Microsoft was a monopoly found guilty of antitrust violations. Bundling has different consequences for them than non-monopolies or monopolies that have not had antitrust convictions.
| scarface74 wrote: | "Bundling" had no consequences for them in the US, that's | just the point. | | The consent decree never required them to change anything | about IE in the US. | ghaff wrote: | The whole Windows/IE bundling fracas has to be looked at in | the context of Microsoft not only having a lot of unsavory | business practices--as did it's welded together at the hip | partner Intel--but also it was seen in the eyes of a lot of | people as on the way to utterly dominate computing once Unix | got pushed out of the way. | | Add in the dominance of Office and Microsoft's presumed | dominance of mobile once that became ubiquitous and a lot of | people were looking for _any_ lever to use against the | company. All this activity probably made Microsoft back off a | bit in some areas and likely tarnished its aura of | inevitability a bit--but it 's not entirely clear that it | made much difference in the end. (And there were certainly | people at the time arguing that the Microsoft winning over | all narrative was deeply flawed. | [deleted] | rejectfinite wrote: | Signing up for Office 365 gets the company in AzureAD as it is | used for logging into 365 on the back end. And all the user | accounts etc. You can have another identity solution and also | Azure AD. Its just why would you when everyone needs an email | and they are already in AAD | kn8 wrote: | What is Azure AD used for? | pid-1 wrote: | Active Directory is Microsoft's LDAP[1] server offering. | Eventually it got more features and is used by firms to enforce | company wide (or group wide) rules like "Every computer must | lock after 5min of inactivity" or "Adobe Acrobat must be | installed in all computers". | | Azure Active Directory is the cloud version of Active Diretory. | It has some extra features compared to on prem AD (MFA, SSO | with 3rd paty apps...) but the whole endpoint management part | was moved to another product (Microsoft Endpoint Manager). 
|
| The reason so many companies have an AAD tenant is it is set up automatically when you configure Microsoft 365.
|
| [1] https://en.wikipedia.org/wiki/Lightweight_Directory_Access_P...

| cratermoon wrote:
| on-prem AD has SSO, it's called Active Directory Federation Services. Compared to Azure AD, the on-prem Federation Services has more features. To give one example, Azure AD does SAML, but it's not fully compliant. We ran into an issue with it at my last employer when a partner moved from AD-FS to Azure Active Directory and broke the SAML integration. It required us to go back and re-do the federation model from scratch.

| mooreds wrote:
| It is a directory with a lot of functionality.
|
| There's actually a number of products under the Azure AD name, including:
|
| * Azure AD, their employee/workforce solution. It's a directory, authentication and authorization system. Think Okta or AWS SSO. I imagine this is mostly what the survey was tracking.
|
| * Azure AD B2C, their CIAM solution. Think Auth0, Cognito or FusionAuth (disclosure, I'm a FusionAuth employee).
|
| * Azure AD EI, external identity management (users outside your org).
|
| * Azure AD DS, domain services (older Windows focused services). This subsumes a lot of what Active Directory provided.
|
| And they say AWS has a hard time with naming :).
|
| You can learn more about each of these here: https://azure.microsoft.com/en-us/products/active-directory/ (click on the "AAD" dropdown).

| abledon wrote:
| > And they say AWS has a hard time with naming :)
|
| honestly though, Azure's naming strategies do exactly what they say. AWS uses names that are adjacent or completely random (fargate?). I don't even think cognito is a word in the English language[0]
|
| [0] https://www.merriam-webster.com/dictionary/cognito

| technion wrote:
| Well if you're familiar with Google Workspace..
| you know once you've got email accounts in there then there's a whole lot of user admin you can do?
|
| Azure AD is just Microsoft's version of that directory. The thing is if you use for example Exchange Online, or even just like Microsoft Office licensing, you've now got Azure AD where the users have accounts. Then I see businesses spend a fortune to integrate Okta or similar products that don't actually add anything given how feature full Azure AD is at this point.

| mrweasel wrote:
| Authorization and authentication. Like it or not Microsoft Active Directory or Azure AD (basically the cloud version) works with everything and it's kinda the only single-signon/shared login solution for enterprises. You can build something yourself with LDAP, Kerberos and maybe Keycloak, but why bother when you more or less need AD for Windows and Exchange anyway.

| Eduard wrote:
| Self-hosted Gitlab instances also can act as authentication services.
|
| Connecting git with an internal AD/LDAP allows for not requiring Azure AD.

| pdimitar wrote:
| I'd love to read more about it. Got any links?

| mutt2016 wrote:
| If it's just SSO, I have many good things to say about keycloak.

| guoqi wrote:
| Here is one related post: API Security with OIDC by using Apache APISIX and Microsoft Azure AD
|
| https://dev.to/apisix/api-security-with-oidc-by-using-apache...

| jmathai wrote:
| This isn't a solution for enterprises, however.

| eastbound wrote:
| For juniors: Enterprises and even small startups need to comply with their industry's security certification (PCI, ISO, whatever) which requires traceability of logins (and central revocation when employees quit and provably complex passwords and inability to retry 100 times, etc.)
| aaronharnly wrote:
| We use Okta, currently with on-prem AD, but are whittling away at the use cases for the latter and hope to be AD-free once we solve for RADIUS (suggestions welcome :)

| discordance wrote:
| Identity management for companies - SSO for office 365 and your apps/services, multifactor auth, RBAC for whatever company resources etc

| SOLAR_FIELDS wrote:
| It does a lot of things, but broadly the thing people know it most for is handling roles, permissions and groups for your organization. It's often the source of truth for things like access and provisioning. Pretty core part of the organization.

| dan000892 wrote:
| Presumably this is the same thing whatismytenantid.com does under the hood.
|
| Interesting (to me) is that the OpenID configuration endpoint provides the tenant ID for not only Commercial tenants but US Government (GCC & GCC-High) as well because the Azure AD portal has relatively new functionality to configure cross-tenant access settings by tenant ID or domain name but Gov tenants require you to obtain the tenant ID from the organization which is either security through obscurity or due to use of some Commercial-only Graph API call.

| tyingq wrote:
| > Presumably this is the same thing whatismytenantid.com does under the hood.
|
| Which is just something like (using slack.com as an example):
|
| https://login.microsoftonline.com/slack.com/.well-known/open...
|
| More urls here: https://o365blog.com/post/just-looking/

| not_enoch_wise wrote:
| This is the answer to the question "why can't we get rid of passwords?"

| psanford wrote:
| Nah. Azure AD is one of the few IdPs that already supports FIDO2 Discoverable Credentials. You can use Passkeys with it today. You can go passwordless with it today.

| tialaramex wrote:
| Unfortunately, unless this changed too recently for me to know about it, that feature is default off and labelled "Experimental" or something.
|
| So it's difficult (ask me how I know) for someone who knows _way_ too much about this stuff and has implemented it themselves, to explain to "leadership" why they should change that default.

| wil421 wrote:
| Or you could do the opposite and be like the company I work for. Force everyone to enter an RSA token on every SSO login.

| Aperocky wrote:
| It doesn't have to be that manual, yubikey etc can just plug and press.

| wil421 wrote:
| The company I work for has around 250k employees. I'm sure software RSA is going to be drastically less expensive than yubikey.
|
| The people making the policies don't care at all. They are just dotting i's and crossing t's.

| cratermoon wrote:
| Unless your company is in a high-risk security-sensitive business, they shouldn't. Most companies can accept the low risk of only requiring a second factor sometimes. Usually time-based, but also looking at location and device fingerprint. For example, if you normally log in from your laptop at work in one state and then it sees you trying to log in from a computer in another state (maybe you're visiting family?) it should definitely challenge you.

| Terretta wrote:
| For the HN B2B startups here supporting Google Workspace SSO and not Microsoft Azure SSO, or offering Sign in with Google and not Sign in with Microsoft... why?
|
| 85% of big businesses are on the one you don't support.
|
| _"Results for the Fortune 500 [to see who's on Azure AD using a] CSV with a list of all the Company Names for all 500 companies. Running it through this script, I find that 417, or 83.4% of companies have AAD, which is just a little off from Microsoft's public claim of 85%."_
|
| https://www.shawntabrizi.com/aad/does-company-x-have-an-azur...
|
| See also this top comment: https://news.ycombinator.com/item?id=33046968

| matthewaveryusa wrote:
| azure AD presence does not imply they use msft sso as their sso.
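The tenant lookup that dan000892 and tyingq describe above (fetching the OpenID Connect discovery document under login.microsoftonline.com with a domain in place of the tenant ID) and the "417 of 500" tally Terretta quotes, as an added Python example that is not from the thread or from the linked article. It parses the discovery response offline from constructed sample data; fetch_discovery only touches the network if you call it yourself. Assumptions: that Azure AD embeds the tenant GUID in the discovery document's endpoint URLs and answers unknown domains with HTTP 400 and an `invalid_tenant` error body.

```python
import json
import re
import urllib.error
import urllib.request

# Standard OpenID Connect discovery path; the domain stands in for the tenant ID.
DISCOVERY_URL = "https://login.microsoftonline.com/{domain}/.well-known/openid-configuration"
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

def fetch_discovery(domain):
    """Return (http_status, body) for a domain's discovery document; Azure AD
    answers HTTP 400 for unknown domains, so that is data, not a failure."""
    req = urllib.request.Request(DISCOVERY_URL.format(domain=domain),
                                 headers={"User-Agent": "tenant-check/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()

def tenant_id_from_response(status, body):
    """Tenant GUID if the domain is registered, None if Azure AD reports it
    unknown ('invalid_tenant'); any other response is unexpected and raises."""
    doc = json.loads(body)
    if status == 200:
        # Assumption: the tenant GUID is embedded in the discovery document's
        # endpoint URLs, e.g. https://login.microsoftonline.com/<guid>/oauth2/token
        match = GUID_RE.search(doc["token_endpoint"])
        if match is None:
            raise ValueError("discovery document has no tenant GUID")
        return match.group(0)
    if status == 400 and doc.get("error") == "invalid_tenant":
        return None
    raise RuntimeError(f"unexpected response {status}: {doc.get('error')}")

def check_domains(domains, fetch=fetch_discovery):
    """Map each domain to its tenant GUID or None; `fetch` is injectable for offline use."""
    return {d: tenant_id_from_response(*fetch(d)) for d in domains}

def share_with_tenant(results):
    """Fraction of checked domains that resolved to a tenant (Terretta's 417-of-500 figure)."""
    return sum(1 for t in results.values() if t) / len(results) if results else 0.0

# Constructed sample responses (not real tenants) so the module runs offline.
SAMPLE = {
    "example.com": (200, json.dumps({"token_endpoint":
        "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/token"})),
    "no-tenant.example": (400, json.dumps({"error": "invalid_tenant",
        "error_description": "AADSTS90002: Tenant 'no-tenant.example' not found."})),
}
```

Run `check_domains(SAMPLE, fetch=SAMPLE.__getitem__)` to exercise the parser offline, or pass a list of your own domains with the default fetch to confirm which of them are registered in a tenant.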
| pid-1 wrote:
| Which products are used by large companies that don't have an AAD / AD structure?

| kube-system wrote:
| On prem AD?

| jeffmcjunkin wrote:
| In contrast, the vast majority of companies with Azure AD also have on-prem AD (full name: "Active Directory: Domain Services") with some type of synchronization between them. Usually this amounts to having an on-prem service that schleps password hashes (technically salted, stretched hashed versions of the on-prem hashes) to Azure.

| chayesfss wrote:
| I'd bet 100% have tenants but only some with names you know? Why wouldn't they have a tenant, assess the technology and decide how to incorporate?

| rlv-dan wrote:
| Exactly. I know one myself, one of the biggest companies in the world, whose tenant name has no resemblance to their company name. Security by obscurity is not a security feature but it is a barrier...

| ZiiS wrote:
| Bet nearly 100% have a fax machine too.

| bbarnett wrote:
| Indeed. And a large corp can be using Azure AD, in one little tiny department, spending 100 bucks a month, and it is on the list.
|
| I bet some of this use is free promo credits.

| tluyben2 wrote:
| I thought it would be 100%; everyone switched to AD after Novell. What the 16.6% are using is the interesting part.

| detaro wrote:
| _Azure Active Directory_. On-prem isn't counted. (Also assumptions about the domain used, which might not hold for all)

| jeffmcjunkin wrote:
| Nearly 100% have on-prem AD (full name: "Active Directory: Domain Services"). Azure AD is a separate identity provider -- to a first approximation it's HTTPS and cookies, not Kerberos, LDAP, and Ticket-Granting Tickets that we see on-prem.

| trevorishere wrote:
| > not Kerberos
|
| Well... https://techcommunity.microsoft.com/t5/azure-storage-blog/pu... :-)

| Spooky23 wrote:
| Everyone with O365 has Azure AD. But a smaller number has Azure AD Premium.
|
| That's growing as salespeople get canned if they don't sell it.
| roflyear wrote:
| MS is so bad with this stuff. It's difficult to determine what value you get from premium. If I knew maybe I'd buy it!

| Spooky23 wrote:
| The service is good, but really expensive and the sales tactics are sleazy. They want you paying $40/mo/head.

| m348e912 wrote:
| Azure AD Premium is $480/year per user???? What in the world do you get for that price point?

| realityking wrote:
| It's not. Azure AD P1 is $6/user/month, P2 is $9/user/month. Cheaper than Okta.
|
| OP was probably thinking of Microsoft 365 E3 which does cost $36/user/month. That however includes a bunch of other stuff besides Azure AD P1.

| pid-1 wrote:
| You get Intune (which is called Microsoft Endpoint Manager now) and AAD P1 for all users.
|
| The base use cases are "I want my users to be able to log in to MS 365 from company managed devices" and "I want to manage my company's devices".

| gw99 wrote:
| NetIQ eDirectory tends to be the other big one. Although I am seeing a rise in companies not having an SSO solution recently at all. In fact some of the SMEs I've seen recently are running most of their stuff entirely via basic Microsoft O365 accounts or iCloud.

| roflyear wrote:
| I wouldn't think SSO is the primary use for AD. Definitely one big use, though!

| connordoner wrote:
| What do you think the primary use is?

| mooreds wrote:
| A lot of startups or smaller companies I've worked with are entirely on the Google stack (gmail, google drive). I imagine there's a scale when that option breaks, but I think it'd be fine until 50-100 employees.

| gw99 wrote:
| I've seen it working for schools with 5000+ accounts so it'll go well past 100 users. Not sure I'd want to depend on Google though.

| flatiron wrote:
| Good question. I've worked at apple and google and both like to cook their own implementation. It was AD there.

| connordoner wrote:
| Where?
___________________________________________________________________ (page generated 2022-10-01 23:00 UTC)