[HN Gopher] Does Company 'X' have an Azure Active Directory Tenant?
___________________________________________________________________
Does Company 'X' have an Azure Active Directory Tenant?
Author : curiousmindz
Score : 182 points
Date : 2022-10-01 12:44 UTC (10 hours ago)
(HTM) web link (www.shawntabrizi.com)
(TXT) w3m dump (www.shawntabrizi.com)
| parkingrift wrote:
| Bundling is anticompetitive and illegal. The MS ecosystem
| deserves close antitrust scrutiny.
| scarface74 wrote:
| So in that case are the following "illegal"
|
| - Apple One
|
| - Microsoft Office
|
| - Amazon Prime
|
| - Google GSuite
|
| - Adobe Creative Cloud
|
| - Salesforce bundling SFDC with Concur
| azalemeth wrote:
| Honestly, I think the regulators should look at basically all
| of those things. Here in Europe scrutiny is building and a
| lot of those organisations do party hard and play loose with
| the rules. Microsoft is famously anticompetitive, but Adobe,
| Google and Apple can't be far behind in their respective
| areas.
| scarface74 wrote:
| Really? So you really think companies shouldn't be able to
| sell software that works together bundled together? Why
| stop there? Phones and computers shouldn't be "bundled"
| with operating systems? Computers shouldn't be "bundled"
| with sound hardware? Where does it stop?
| cratermoon wrote:
| Bundling is fine. Bundling by a company that is a
| monopoly in the space is (or rather, used to be) a
| violation of antitrust law. But see Amazon's Antitrust
| Paradox, especially sections IIA and IIIB:
| https://www.yalelawjournal.org/note/amazons-antitrust-
| parado...
| scarface74 wrote:
| So in that case, every cable company is a local monopoly
| and shouldn't be allowed to bundle channels. Doesn't
| anyone see how silly this sounds in 2022?
|
| Disney is by far the largest entertainment conglomerate.
| Should they not be allowed to bundle Hulu, Disney and
| ESPN?
|
| Intel has over 80% of the PC market, how much hardware
| should they be able to bundle on their motherboard?
|
| And HN has a habit of calling any big company a
| "monopoly". Amazon only has 56% share of e-commerce and a
| tiny share of all commerce in the US
|
| But getting back to MS Office, I have three "office
| suites" right now on my phone - all three made by
| companies worth 1 trillion dollars - Google, Microsoft,
| and Apple.
|
| There is no "monopoly" in the IDP space.
| sabujp wrote:
| Even Apple's Business Manager is compatible with AD.
| parkerhiggins wrote:
| Apple Business Manager added (beta) support for Google
| Workspace a few months ago.
| vinay_ys wrote:
| The way Microsoft does enterprise price bundling, this is not
| surprising at all.
| SOLAR_FIELDS wrote:
| They are insanely good at onboarding people onto it as well. I
| have a small startup just me and a cofounder right now and we
| pay $12 a month for 365 which includes all of Azure AD. Can
| start doing full integrations right away to lock us in.
| eastbound wrote:
| This is awesome! I went 6 times to Microsoft AD's pricing
| page and I could never figure out how much it would be! Then
| I remembered it would be bundled with Azure, which, like any
| cloud, has the "It's 0.0062$ per unit of consumption, so
| sometimes it's 2EUR per month, sometimes it's 647EUR, we
| never know ourselves, good luck!" effect.
|
| Has anyone else sometimes avoided a cloud service because the
| pricing was opaque?
| vinay_ys wrote:
| They are much nicer in recent years and are quite
| transparent with pricing - https://www.microsoft.com/en-
| us/microsoft-365/compare-micros... See full pdf for all
| plans: https://go.microsoft.com/fwlink/p/?linkid=2139145
|
| Basically if you have a Microsoft Office 365 Enterprise
| license (E3 or E5 license - which you need if have business
| people in your company who can't live without Excel on
| desktop), you get Azure AD Premium (P1 or P2) bundled for
| free.
|
| As I was writing this comment I just went looking at their
| AD page and found they have launched a new thing called
| Entra which includes Decentralized ID. And there's a white
| paper - interesting.
| logifail wrote:
| > you get Azure AD Premium (P1 or P2) bundled for free
|
| Last time I checked what was included with Azure AD the
| activity logging data was where it looked like things
| could get expensive. Exporting your authentication logs
| and/or keeping them for more than a week was a premium
| add-on.
| pid-1 wrote:
| M365 Business Premium includes P1 and costs 22 USD per
| user. You also get MDM (Intune) and other security
| related stuff.
| sebazzz wrote:
| > We assume the first result is the homepage of that company, and
| the domain they would use for their tenant.
|
| That is a big assumption though. A very well known big-four with
| two letters uses, for instance, [letters]gs.com ("Global Services").
| imron wrote:
| > However, if we say that a company does not have a tenant, we
| are not necessarily correct. It is possible that the google
| result did not point to their actual domain name, or they are
| using a different domain name for their AAD Tenant
| idiocrat wrote:
| So many eggs in a basket!
| x86_64Ubuntu wrote:
| They can still have On-Prem failover for domain controllers if
| Azure has downtime.
| mrweasel wrote:
| That's kinda the point isn't it. Central management of access
| to everything.
| benrow wrote:
| I initially had the same thought as the parent. From the
| perspective of so many companies relying on the security of
| one authentication provider (rather than any one company
| using AD for all their authentication needs).
|
| So if AD were to be compromised, that would be significant
| impact.
|
| There are of course advantages to such a "single point of
| failure" such as concerted effort in one place. But one way
| to mitigate the spof is transparency, and I'm reminded of
| LastPass versus Bitwarden.
| unreal37 wrote:
| Assuming the #1 Google result on page 1 of search is the
| company's public domain is a flaw.
|
| Some companies use a different domain for corporate use than
| their public domain name.
|
| Like fb.com
| homero wrote:
| They said that
|
| One thing to note about these results is that when we get a
| result that says the company has a tenant, we are nearly 100%
| correct in that fact. However, if we say that a company does
| not have a tenant, we are not necessarily correct. It is
| possible that the google result did not point to their actual
| domain name, or they are using a different domain name for
| their AAD Tenant.
|
| If you wanted to do this really robustly, you would probably
| want to get a better source for your domain names than
| automated google search results. You might want to also look at
| other combinations like "companyname.onmicrosoft.com", however
| we are doing just rough estimates here.
| Eleison23 wrote:
| Well, you can also spot Facebook when their IPv6 addresses
| contain :face:b00c:
| ldjb wrote:
| The script also seems to assume that the company's domain name
| is of the form (foo.bar), which may be a reasonable assumption
| for the US-based Fortune 500, but won't work so well if trying
| to replicate this with international companies (which often
| have domain names like example.co.uk or example.co.jp).
| computerfriend wrote:
| I genuinely don't know what AD is used for. If you need SSO, why
| not just use a SSO/SAML IdP?
| dmarlow wrote:
| What's the source of data and truth for your SSO?
| barbazoo wrote:
| AAD can be used as a SAML IdP.
|
| https://learn.microsoft.com/en-us/azure/active-directory/fun...
| mnd999 wrote:
| OpenID Connect seems like the current popular flavour. SAML
| seems to be increasingly considered legacy.
| cratermoon wrote:
| Indeed legacy, but you know how Fortune 500 companies are
| about new technology not directly relevant to their line of
| business.
|
| Also, SAML as a spec is really complex precisely because it
| was created to satisfy a broad range of Enterprise-y
| requirements. I don't know if OpenID Connect is there yet. It
| certainly could be, the underlying spec (oauth2) could
| support a lot of variant complexity, and OIDC supports mobile
| and there are lot of extensions available or in progress.
| https://openid.net/developers/specs/
| rootsudo wrote:
| This is assuming the domain has it, but it's even easier actually
| - you can just dig DNS records and see what they run as MX,
| CNAMEs, etc. If there are Teams DNS records and the MX record
| points to *.onmicrosoft.com or
| $tenantname.mail.protection.outlook.com, there you go, even easier
| than "querying" Google and seeing what's indexed.
|
| And much easier to script too. ;)
| altdataseller wrote:
| This shows you which domains use Microsoft 365 though, not Azure
| AD.
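The MX approach described above, written out as an added example that is not rootsudo's script, the article's code, or anything from Microsoft: it parses `dig +short MX` output, classifies the hosts by provider suffix, and, following altdataseller's caveat, only treats a Microsoft 365 MX as evidence that a tenant exists; every other result is reported as unknown rather than as "no tenant". The dig output is constructed, and the Google Workspace suffixes are an assumption taken from Workspace's published MX hosts, not from the thread.

```python
import subprocess
from typing import List, Optional, Tuple

# Constructed `dig +short MX <domain>` output for four domains (not captured
# from real hosts). The Outlook suffix is the one named in the thread; the
# Google suffixes are Workspace's published MX hosts (assumption, not from the thread).
SAMPLE_DIG_OUTPUT = {
    "contoso.example": "0 contoso-example.mail.protection.outlook.com.\n",
    "fabrikam.example": "1 aspmx.l.google.com.\n"
                        "5 alt1.aspmx.l.google.com.\n"
                        "10 alt2.aspmx.l.google.com.\n",
    "selfhosted.example": "10 mail.selfhosted.example.\n",
    "nomx.example": "",
}

PROVIDER_SUFFIXES = {
    "microsoft-365": ("mail.protection.outlook.com",),
    "google-workspace": ("aspmx.l.google.com", "googlemail.com"),
}


def parse_mx(dig_short_output: str) -> List[Tuple[int, str]]:
    """Turn `dig +short MX` answer lines ('10 host.example.') into
    (priority, host) pairs, lowest priority first. Blank lines and
    anything that is not '<number> <host>' are skipped."""
    records = []
    for line in dig_short_output.splitlines():
        parts = line.strip().split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)


def _under(host: str, suffix: str) -> bool:
    """True when host is the suffix itself or a label under it. Label-aware,
    so 'notoutlook.com' does not match 'outlook.com'."""
    return host == suffix or host.endswith("." + suffix)


def classify_mx(records: List[Tuple[int, str]]) -> Tuple[str, Optional[str]]:
    """Return (provider, tenant_hint). For Microsoft 365 the hint is the
    left-most label of the *.mail.protection.outlook.com host, the part
    the thread calls $tenantname."""
    for _prio, host in records:
        for provider, suffixes in PROVIDER_SUFFIXES.items():
            if any(_under(host, s) for s in suffixes):
                hint = host.split(".")[0] if provider == "microsoft-365" else None
                return provider, hint
    return ("none" if not records else "other"), None


def aad_verdict(provider: str) -> str:
    """MX tells you about mail hosting, not about AAD use. A Microsoft 365
    MX implies a tenant exists (signing up for 365 creates one); anything
    else says nothing either way, so it is reported as unknown."""
    return "tenant-exists" if provider == "microsoft-365" else "unknown"


def lookup_mx(domain: str) -> List[Tuple[int, str]]:
    """Live lookup through the local dig binary (network; not used by the samples)."""
    out = subprocess.run(["dig", "+short", "MX", domain],
                         capture_output=True, text=True, check=True).stdout
    return parse_mx(out)


if __name__ == "__main__":
    for domain, out in SAMPLE_DIG_OUTPUT.items():
        provider, hint = classify_mx(parse_mx(out))
        print(f"{domain:20} {provider:17} hint={hint} aad={aad_verdict(provider)}")
```

Running `lookup_mx` against your own domains is the defensive use: it is a quick way to inventory which of them already resolve to a Microsoft 365 tenant you may not be managing.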
| technion wrote:
| You can also enumerate that tenant and see which businesses
| share infrastructure/accounts.
|
| https://github.com/technion/azure_enum
| petercooper wrote:
| I know next to nothing about AD, but my company appears to match
| against this merely because we have an Office 365 account (from
| which we do nothing except download Word and Excel every now and
| then) so it doesn't necessarily mean you're using whatever it is
| much.
| flumpcakes wrote:
| If you have Office 365 you have AAD. If you use pretty much any
| cloud hosted Microsoft business services, (E# licenses) you are
| using AAD. If you are using Azure, you are using AAD.
| rejectfinite wrote:
| You don't use it for email/Exchange Online?
|
| All 365 accounts get created in AAD. And your user has access
| to the portal even. https://aad.portal.azure.com/
| simonw wrote:
| I never thought about how the "I'm Feeling Lucky" button on
| Google can double as an API to return the URL of the first search
| result before. That's pretty neat.
| altdataseller wrote:
| So Okta (their main competitor) uses Azure AD
| https://login.microsoftonline.com/okta.com/.well-known/openi...
| simonw wrote:
| Apparently so does Google:
| https://login.microsoftonline.com/google.com/.well-known/ope...
| insomniacity wrote:
| Could easily be for testing/development/research.
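The discovery-endpoint check behind the two URLs above, and behind the article's method quoted earlier in the thread, as an added example that is not the article's script, anyone's post, or Microsoft code: it requests `https://login.microsoftonline.com/{domain}/.well-known/openid-configuration`, treats a document whose endpoint URLs carry a tenant GUID as a hit, and treats an error document as a miss. The two sample responses are constructed (modelled on the shape of the v1 discovery document, with a made-up GUID and error text), and `summarize()` encodes the article's caveat that a hit is near-certain while a miss only means none of the tried domains resolved to a tenant.

```python
import json
import re
import urllib.error
import urllib.request
from typing import Dict, Iterable, List, Optional, Tuple

DISCOVERY_URL = "https://login.microsoftonline.com/{domain}/.well-known/openid-configuration"

# Tenant ids appear in the discovery document as GUIDs inside the endpoint URLs.
_GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)


def parse_discovery(body: str) -> Dict[str, object]:
    """Classify one openid-configuration response body.

    Returns {"has_tenant": bool, "tenant_id": str|None, "reason": str}.
    A tenant exists when the document's issuer or endpoints embed the
    tenant GUID; an unknown domain comes back as an error object instead.
    """
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return {"has_tenant": False, "tenant_id": None, "reason": "non-JSON response"}
    if "error" in doc:
        return {"has_tenant": False, "tenant_id": None,
                "reason": str(doc.get("error_description", doc["error"]))}
    for key in ("token_endpoint", "authorization_endpoint", "issuer"):
        match = _GUID_RE.search(str(doc.get(key, "")))
        if match:
            return {"has_tenant": True, "tenant_id": match.group(0).lower(),
                    "reason": f"tenant id found in {key}"}
    return {"has_tenant": False, "tenant_id": None, "reason": "no tenant id in document"}


def check_domain(domain: str, timeout: float = 10.0) -> Dict[str, object]:
    """Live lookup (network). The error document arrives with a 4xx status,
    so the HTTPError body is parsed the same way as a success body."""
    req = urllib.request.Request(DISCOVERY_URL.format(domain=domain),
                                 headers={"User-Agent": "tenant-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        body = err.read().decode("utf-8", "replace")
    return parse_discovery(body)


def summarize(results: Iterable[Dict[str, object]]) -> Tuple[str, List[str]]:
    """Combine results for several candidate domains of one company
    (e.g. its web domain and a different corporate mail domain).
    One hit is conclusive; no hits is 'undetermined', not 'no tenant',
    because the candidates may simply not be the domain the tenant uses."""
    hits = [r for r in results if r["has_tenant"]]
    if hits:
        return "tenant", sorted({str(r["tenant_id"]) for r in hits})
    return "undetermined", []


# Constructed samples; the GUID and error text are placeholders, not captured values.
SAMPLE_FOUND = json.dumps({
    "token_endpoint": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/token",
    "authorization_endpoint": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/oauth2/authorize",
    "issuer": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
})
SAMPLE_MISSING = json.dumps({
    "error": "invalid_tenant",
    "error_description": "Tenant 'example.invalid' not found. (constructed sample)",
})

if __name__ == "__main__":
    for label, body in (("found", SAMPLE_FOUND), ("missing", SAMPLE_MISSING)):
        print(label, parse_discovery(body))
    print(summarize([parse_discovery(SAMPLE_MISSING), parse_discovery(SAMPLE_FOUND)]))
```

For your own organisation the useful output is the tenant GUID: running `check_domain` over every domain you register shows which ones already map to a tenant, and whether they all map to the same one.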
| OrvalWintermute wrote:
| And still, in 2022, we don't have Azure AD replicating the full
| functionality of an on-premise AD.
| dmarlow wrote:
| What about coupling AAD with AADDS?
| rejectfinite wrote:
| What are you missing?
| mberning wrote:
| They have it in some capacity. Most places still have a very
| significant on-prem or self hosted instance of AD.
| rejectfinite wrote:
| This, a company/person just needs to sign up for Office 365 and
| then an Azure AD tenant "exists" for them as the Office 365 are
| in there.
| cloudking wrote:
| I wrote a similar script once that took company domain names and
| then looked up their MX records to see if they were using Google
| Workspace.
| wsjeffro wrote:
| What I can't understand is why Azure AD doesn't have a stronger
| position in the consumer space. Authentication via Google, Apple,
| and even still Facebook is nearly always supported on customer-
| facing logins. I rarely see an option for Microsoft.
|
| They have a commanding position in the enterprise. What's keeping
| them from crossing those enterprise boundaries?
| andylynch wrote:
| They were an early mover in this area twenty years ago with the
| original Hailstorm / .Net Passport which was skeptically
| received and wasn't helped by some spectacular outages. Google
| and Facebook leveraged their apps and especially GMail - Apple
| had the leverage from their App Store to force everyone that
| mattered to at their service too.
| Terretta wrote:
| Incidentally, a Microsoft Passport login still works on any
| site with today's "Login with Microsoft" ... and there are
| starting to be more along side "Login with Google" or "Login
| with Apple".
|
| These days, a consumer + biz page login page can look like
| this:
|
| https://www.xsplit.com/user/auth
|
| There's almost no good reason to require emails/password
| rather than let users use their preferred IdP.
|
| I think the reason it's less common is simply that indie devs
| assume everyone uses free Google Workspaces. This year we're
| seeing more Microsoft Logins. Perhaps one reason is that now
| Google Workspaces is no longer free and startups are
| realizing they can get actual Office with actual apps at the
| same $6 to $12 per user cost, and then in turn support
| that login.
| candiddevmike wrote:
| Microsoft's support for multiple accounts is atrocious. I can
| easily have 5+ Google accounts that I switch between, moving
| between MS accounts is awful. Additionally MS's free consumer
| offerings are not competitive with Gmail/Drive IMO.
| yellow_postit wrote:
| I'm not a fan of Google's solution either. With a device with
| multiple G accounts it's always a guessing game when opening
| up a google doc which account it'll choose.
| GordonS wrote:
| It's even worse if you have personal and business accounts
| tied to the same email address - you never know which one
| you're using, or which you need.
| logifail wrote:
| > It's even worse if you have personal and business
| accounts tied to the same email address - you never know
| which one you're using, or which you need
|
| I have a friend who managed to get into this mess, and
| he's still not sure how he did it.
|
| firstname.lastname@companybizname.TLD is apparently linked
| to two separate identities at Microsoft, one is a business
| account, one is a "personal" account.
|
| Every time he experiences any kind of login issue, this
| bites him :/
| magicalhippo wrote:
| I read an explanation from some Microsoft page or rep.
| that it had to do with making personal purchases in the
| Windows Store when you're signed in using your business
| account. IIRC the rationale was that the personal account
| could persist beyond your employment, so you wouldn't
| lose any purchases if you switched jobs.
|
| If I indeed recall correctly, then that doesn't really
| make sense. Just force people to make a different, actual
| personal account, and have them use that.
| trevorishere wrote:
| This is a legacy setup that can no longer be created.
| Microsoft removed the option to use a custom domain for
| Microsoft accounts many years ago, but hasn't forced
| people to change.
|
| However, your friend can get out of this scenario by
| following the instructions on this site:
|
| https://support.microsoft.com/en-us/account-
| billing/change-t...
|
| They'll end up with <whatever_they_can_find>@outlook.com
| for their Microsoft account. When using Org services via
| a browser, you'll automatically use your Org account.
| When using consumer services, you'll automatically use
| your Microsoft account (assuming you've selected stay
| signed in for both).
| nine_k wrote:
| This is a terrible idea to begin with.
| magicalhippo wrote:
| Indeed. I've never understood this distinction. Either it's
| a business account, or it's a personal account. It's bad
| enough that people use their business mail to sign up for
| personal stuff, we don't need Microsoft to make it even
| worse.
| trevorishere wrote:
| > we don't need Microsoft to make it even worse.
|
| Microsoft made it better by preventing the scenario from
| occurring beginning 3 - 5 years ago.
| thakoppno wrote:
| In the US at least it seems like we're at the stage where every
| new account created is essentially tied back to a social
| security number.
|
| One cannot get an e-mail address without a phone. One cannot
| get a phone without a credit check. A credit check requires a
| social security number.
| DanAtC wrote:
| Prepaid phones are readily available in the US, no ID or SSN
| required.
| Gh0stRAT wrote:
| Prepaid phones all-too-often can't be used for SMS/phone
| authentication. Banks in particular seem to dislike them.
|
| (when it doesn't work, you'll usually get an error message
| about the number not being supported or words to that
| effect)
| rwalle wrote:
| There is an obvious reason.
|
| Facebook and Google provide "Sign-in with Facebook/Google
| account" not because they do it out of goodwill, to only make
| it "easier" or "smoother" to login -- it obviously cost
| resources on their end to enable such features -- it helps them
| better identify users and then serve ads. And Google can be
| really aggressive -- try reddit or Quora.
|
| Apple, on the other hand, tries to sell "login with Apple
| account" with a different approach: they advertise the
| "privacy" part of it and how you can hide your email address by
| using its sign-in service. And they have a term where login
| with Apple must be enabled on an app _and_ website if a company
| has an app on the app store and it supports any other third-
| party login. In other words, if Reddit supports login with
| Google on iPhone, it must also support login with Apple ID.
| This helped the adoption a lot.
|
| For Microsoft, they are relatively late and small in the ad
| business (for now) so I guess they don't really care about
| getting more of your information via sign-in services. And they
| are not on this privacy bandwagon as Apple does. So they really
| have no incentive for this.
| aflag wrote:
| Isn't every github account also a microsoft account? There are
| plenty of sites integrating with GitHub login.
| pid-1 wrote:
| Only very recently Windows started requiring a MS account. I'd
| guess most people who don't own a Xbox don't have a MS account.
| quickthrower2 wrote:
| I was forced to use one to set up my new laptop
| rejectfinite wrote:
| Every hotmail and outlook email is an MS account...
| MrStonedOne wrote:
| MattGaiser wrote:
| Do enough people still use consumer Microsoft accounts? Except
| for myself, it has been a long time since I have encountered a
| hotmail address or live address or outlook address in the wild.
|
| I've gotten career advice several times to get a GMail instead,
| because Microsoft was considered out of date and backward (not
| so much anymore).
| daveoc64 wrote:
| There are lots of very popular Microsoft services for
| consumers including Xbox and Office 365. Combined, these have
| hundreds of millions of paid subscribers.
| ekianjo wrote:
| minecraft too
| faeriechangling wrote:
| How times have changed, I mostly hear Google being called
| backwards now for its view that customers are just beta
| testers you dispose of when your latest moonshot project
| doesn't hit orbit.
| vladvasiliu wrote:
| I'd expect this to grow now that Windows pushes more
| aggressively to use an MS account to login.
|
| Plus, if this works as well as it does with the "corporate"
| AzureAD, it would be a better experience for users. Just "log
| on with your Windows account".
|
| Not saying that's necessarily a _good_ thing, mind. Only
| that I expect support to broaden.
| quickthrower2 wrote:
| You can have a ms account but never use or know or share the
| ms email address associated with it
| hedora wrote:
| Anyone that uses Minecraft (edit: or Xbox) I'm sure it is
| only a matter of time until some middle manager stakes their
| promotion on merging it with github and/or linkedin.
|
| Microsoft is the only company I deal with where I cannot
| reliably authenticate. I wish they'd just stop trying to run
| consumer accounts.
| vondur wrote:
| I'm assuming if you were a heavy user of on prem AD, the moving
| to Azure AD is a logical choice.
| ascar wrote:
| Why was that title editorialized as "around 83.4%"?
|
| 83.4% of 500 is exactly 417. The article is also exact about
| these numbers. No need to add "around".
|
| Edit: Why was the title editorialized to begin with?
|
| Edit2: looks like the title was updated to the original. Thanks.
| graiz wrote:
| The article says that there may be other domains that it didn't
| catch because it wasn't the first result in google or the
| company has the server on a different domain, so it's likely a
| slight undercount.
| ascar wrote:
| So "at least" would still have been a more accurate wording.
| Retric wrote:
| That 417 is probably low. It's hard to prove that nobody in a
| giant organization is using some tool, but conversely that
| undercuts such statistics. If say 0.01% of Walmart's
| employees are using X because of a recent acquisition then
| that's hardly an endorsement of X by Walmart.
| [deleted]
| darkstar_16 wrote:
| Nitpicking much, are we?
| kzrdude wrote:
| The article could use significant figures better at least. No
| reason to not say 83% or even "at least 80%" (would be my
| pick, to reflect the roundness of the number).
| ascar wrote:
| HN Guidelines:
|
| _" If the title contains a gratuitous number or number +
| adjective, we'd appreciate it if you'd crop it. E.g.
| translate "10 Ways To Do X" to "How To Do X," and "14 Amazing
| Ys" to "Ys." Exception: when the number is meaningful, e.g.
| "The 5 Platonic Solids."
|
| Otherwise please use the original title, unless it is
| misleading or linkbait; don't editorialize."_
|
| This is directly against the guidelines and how article
| titles should be submitted. Editorialization of titles is
| heavily discouraged and here it even says something the
| article doesn't. Not at all a nitpick imho.
| ocdtrekkie wrote:
| So, I don't see anyone pointing it out here: This doesn't mean
| they use Azure AD! If you use any Microsoft cloud services at
| all, you get a "shadow tenant". One employee signs into Teams for
| a meeting once and there you have Azure AD.
| fweimer wrote:
| Doesn't the end point show up once you have SSO with your own
| identity provider enabled for any Microsoft services? Maybe
| technically this means that you have an Active Directory tenant
| as well, but it doesn't necessarily imply that you are using
| those Active Directory services for anything beyond that SSO
| capability.
|
| For Google Workspace, a similar URL is:
| https://www.google.com/a/example.com/ServiceLogin
| hirsin wrote:
| Yes, it means that you have a tenant in AAD that's usable for
| signing into SaaS products and Office. May not have many or any
| users in it, but it exists.
| curiousmindz wrote:
| This is based on a 2017 script that looks up if their domain
| names are attached to an Azure Active Directory Tenant.
| cassianoleal wrote:
| But also, what does it say about anything?
| arkitaip wrote:
| Microsoft absolutely dominates corporate IT. Their Office 365
| delivers so much value at such a low cost that the corps suffer
| from mediocre MS products because it's all there through a
| single subscription.
| mc32 wrote:
| Same for the Google options; except the Google options tend
| to make non-backward compatible changes and often only go
| 90% of the way to meet the competition in terms of
| features. Even their spam detection is not where postini
| had it years ago.
| jmathai wrote:
| I worked in Google Workspace.
|
| A CIO needs to see significant upside in choosing a non
| Microsoft solution to take the risk of not going with on-
| prem /cloud AD.
|
| Very few enterprises, this is an understatement, use
| Workspace exclusively.
|
| They need Active Directory Domain Services (on-prem AD)
| regardless and it is their source of truth (typically
| syncing to Workspace for users/roles). The tooling and
| expertise is in AD. Azure AD will always have a better
| on-prem to cloud story than Workspace (or any
| competitor). Plus their licensing makes it a no brainer.
| It's a very strong moat.
| rchaud wrote:
| With AD we have SSO integration with a whole universe of
| mediocre apps, Jira for instance
| hulitu wrote:
| I need to always give a password in Jira.
| sofixa wrote:
| Jira, and the whole of Atlassian Cloud services, bundle
| SSO as a separate service you pay for. It's called
| Atlassian Access and it costs $4-$2 depending on number
| of users, so many companies skip it because it easily
| doubles your Jira/Confluence costs.
|
| sso.tax
| quickthrower2 wrote:
| Security tax
| realityking wrote:
| Jira's cheapest license is $7.5, Atlassian Access as its
| most expensive is $4 a month. It will never double your
| Jira bill.
| bob1029 wrote:
| I know how we feel about the Microsoft Death Star consuming all
| in its path, but there are some upsides to statistics like this.
|
| For instance, we are a B2B software vendor in the banking space,
| and we have to survive all kinds of audits regarding the nature
| of our code & vendors. By keeping nearly all of our 3rd party
| items under the Microsoft umbrella, we can automagically skip
| over vast chunks of our due diligence process (according to the
| mutual trust equation).
|
| None of our customers is F500 (so far), but we have yet to
| encounter one who didn't already have AAD, or a willingness to
| set this up. From a product development perspective, we really
| prefer having a few known-good ways to do things. Authentication
| & authorization is one area that I strongly dislike having a
| large variety of flavors on. Especially considering the nature of
| our business and ever-increasing demands for complex MFA flows
| (e.g. SAML). There have been so many fly-by-night operations in this
| space, and our customers do not have patience for trying new
| things.
| ocdtrekkie wrote:
| We don't use AAD and aren't willing to set it up. You've now
| encountered a (potential) customer who doesn't use AAD. You're
| welcome. :)
| rwalle wrote:
| Sorry your comment is not helping. You could be working alone
| or in a 5-people startup and totally have not used anything
| Microsoft (and your comment does not clarify that), in which
| case nobody cares whether you want to set up AAD.
| joebob42 wrote:
| What makes you think you're a potential customer for them?
| SgtBastard wrote:
| Are you in the banking space?
|
| If not, you aren't a potential customer.
| haxxorfreak wrote:
| AADInternals[0] is an excellent set of PowerShell modules for
| pentesting and performing recon against Azure AD as both an
| outsider[1] and for someone who has been invited to a tenant.
|
| It has similar functionality integrated for discovering if a
| domain has an associated Azure AD Tenant and enumerating
| information about users in the tenant, who the "Owner" is and
| their contact information. As with many Microsoft products there
| are many configuration options and plenty of them aren't secure
| by default.
|
| [0] https://o365blog.com/aadinternals/ [1]
| https://o365blog.com/post/just-looking/
| PaulWaldman wrote:
| Microsoft is traditionally great at bundling their products. This
| is reminiscent of bundling Internet Explorer with Windows.
|
| Could an Okta have a claim against Microsoft similar to Netscape
| in the late 90's?
| ab_testing wrote:
| Having Azure AD does not prevent clients from also having Okta
| or any other 2FA provider for 2 factor authentication. In fact,
| I have worked with at least 10 clients in the last 2 years that
| used Azure AD for authentication but then something else for
| 2-factor depending on the type of apps.
|
| Sometimes even within one company, there are multiple 2FA
| protocols, e.g. using Oracle single sign on for ERP apps but
| Okta for Citrix and other external facing apps.
| hedora wrote:
| Okta is a single sign on provider though.
|
| Clearly, authenticating via Azure and also Okta would not be
| single sign on.
| trevorishere wrote:
| I've actually created this setup (in order to ditch Okta as
| it is far more expensive than AAD P1 if you want MFA).
|
| You federate AAD and Okta. Sign in to Okta and it's smooth
| sailing into AAD-based resources like M365.
|
| Okta puts on a good dog and pony show for execs. From a
| technical perspective, they're no better for corps (at
| least in first party auth or B2B -- I don't get into the
| B2C space). We found, for the apps we used, AAD as of ~4
| years ago had better SCIM support (!) than Okta.
|
| On top of getting O365 E5 + Ent Sec (I think they're just
| now called M365 E5) which gave us AAD P2 licenses, overall
| it was much cheaper than Okta. The goal was to just get
| MFA, which Microsoft gives away for free (with limited
| toggles) or in P1 licenses (with more toggles) whereas
| Okta wanted $6/user/month _just for_ MFA.
|
| Microsoft puts on a terrible sales pitch, though. We were
| fortunate enough to have an _awesome_ Principal Program
| Manager spend days with us in-person answering all of our
| questions and explaining AAD to our IT management.
| abruzzi wrote:
| I don't know the specific setup, but the app passes you to
| AAD which passes you to a SAML source (Okta in this
| instance, but we use Cisco Duo). The SAML provider
| authenticates you, sets a cookie, then sends you back to
| AAD, which sets its own cookie, then passes you back to the
| App. (Or something like that.) if the next app you sign
| into is an AAD app, you pass through quickly, but if the
| next app you sign into uses SAML directly you have a cookie
| set for that as well.
|
| We use AAD for O365 and the few apps that won't use generic
| SAML, but everything else uses Duo directly. The reason for
| this is at our O365 license level we don't get the ability
| to restrict access to applications by AD group--everyone or
| we have to manually manage access account by account.
| cratermoon wrote:
| Identity federation can be pretty complex to set up and
| administer, but once the trust relationship is configured
| and the identity mapping set up, it's pretty transparent to
| use. Source: I do this for a living.
| RajT88 wrote:
| Confirmed. I work with clients who use Ping and Okta for 2FA
| on top of AAD.
| pid-1 wrote:
| > also having Okta or any other 2FA provider for 2 factor
| authentication
|
| Why would you do that?
| scarface74 wrote:
| Will this meme ever die?
|
| Absolutely nothing came of Microsoft bundling IE with Windows
| in the 90s in the US. There was never a day since IE came
| bundled with Windows that it wasn't bundled with Windows.
| There was never a browser choice initiative - nothing.
|
| Out of all of the anti trust allegations, bundling was the
| nothingburger. MS was forced to stop making OEMs pay for
| licenses for all of their PCs whether or not they came with
| Windows and they were forcing OEMs to not include Netscape,
| share APIs, and document file formats.
|
| Microsoft Office (bundling) has been a thing since 1990 and
| today, every single major company bundles products together -
| Apple, Amazon (Prime), Microsoft, Google, Adobe, Salesforce
| (SFDC and Concur), etc.
|
| Next up: no, "cable was not ad free when it was introduced"
| yardie wrote:
| Yes, there was a version of Windows that did come unbundled,
| Windows N <level> that was targeted for EU users to comply
| with EU antitrust agreements. And there was a browser choice
| selection during OOTB configuration with the top 4 or 5
| browsers in the marketplace.
| scarface74 wrote:
| That's why I was careful to repeatedly say "in the US".
| jonhohle wrote:
| The nuance that you're missing is that Microsoft was a
| monopoly found guilty of antitrust violations. Bundling has
| different consequence for them than non-monopolies or
| monopolies that have not had antitrust convictions.
| scarface74 wrote:
| "Bundling" had no consequences for them in the US, that's
| just the point.
|
| The consent decree never required them to change anything
| about IE in the US.
| ghaff wrote:
| The whole Windows/IE bundling fracas has to be looked at in
| the context of Microsoft not only having a lot of unsavory
| business practices--as did its welded-together-at-the-hip
| partner Intel--but also it was seen in the eyes of a lot of
| people as on the way to utterly dominate computing once Unix
| got pushed out of the way.
|
| Add in the dominance of Office and Microsoft's presumed
| dominance of mobile once that became ubiquitous and a lot of
| people were looking for _any_ lever to use against the
| company. All this activity probably made Microsoft back off a
| bit in some areas and likely tarnished its aura of
| inevitability a bit--but it's not entirely clear that it
| made much difference in the end. (And there were certainly
| people at the time arguing that the Microsoft winning over
| all narrative was deeply flawed.)
| [deleted]
| rejectfinite wrote:
| Signing up for Office 365 gets the company in AzureAD as it is
| used for logging into 365 on the back end. And all the user
| accounts etc. You can have another identity solution and also
| Azure AD. It's just, why would you when everyone needs an email
| and they are already in AAD.
| kn8 wrote:
| What is Azure AD used for?
| pid-1 wrote:
| Active Directory is Microsoft's LDAP[1] server offering.
| Eventually it got more features and is used by firms to enforce
| company wide (or group wide) rules like "Every computer must
| lock after 5min of inactivity" or "Adobe Acrobat must be
| installed on all computers".
|
| Azure Active Directory is the cloud version of Active Directory.
| It has some extra features compared to on prem AD (MFA, SSO
| with 3rd party apps...) but the whole endpoint management part
| was moved to another product (Microsoft Endpoint Manager).
|
| The reason so many companies have an AAD tenant is it is set up
| automatically when you configure Microsoft 365.
|
| [1]
| https://en.wikipedia.org/wiki/Lightweight_Directory_Access_P...
| cratermoon wrote:
| on-prem AD has SSO, it's called Active Directory Federation
| Services. Compared to Azure AD, the on-prem Federation
| Services has more features. To give one example, Azure AD
| does SAML, but it's not fully compliant. We ran into an issue
| with this at my last employer when a partner moved from AD-FS to
| Azure Active Directory and broke the SAML integration. It
| required us to go back and re-do the federation model from
| scratch.
| mooreds wrote:
| It is a directory with a lot of functionality.
|
| There are actually a number of products under the Azure AD name,
| including:
|
| * Azure AD, their employee/workforce solution. It's a
| directory, authentication and authorization system. Think Okta
| or AWS SSO. I imagine this is mostly what the survey was
| tracking.
|
| * Azure AD B2C, their CIAM solution. Think Auth0, Cognito or
| FusionAuth (disclosure, I'm a FusionAuth employee).
|
| * Azure AD EI, external identity management (users outside your
| org).
|
| * Azure AD DS, domain services (older Windows focused
| services). This subsumes a lot of what Active Directory
| provided.
|
| And they say AWS has a hard time with naming :).
|
| You can learn more about each of these here:
| https://azure.microsoft.com/en-us/products/active-directory/
| (click on the "AAD" dropdown).
| abledon wrote:
| > And they say AWS has a hard time with naming :)
|
| honestly though, Azure's naming strategies do exactly what
| they say. AWS uses names that are adjacent or completely
| random (fargate?). I don't even think cognito is a word in the
| English language[0]
|
| [0] https://www.merriam-webster.com/dictionary/cognito
| technion wrote:
| Well if you're familiar with Google Workspace... you know once
| you've got email accounts in there then there's a whole lot of
| user admin you can do?
|
| Azure AD is just Microsoft's version of that directory. The
| thing is if you use for example Exchange Online, or even just
| like Microsoft Office licensing, you've now got Azure AD where
| the users have accounts. Then I see businesses spend a fortune
| to integrate Okta or similar products that don't actually add
| anything given how feature-full Azure AD is at this point.
| mrweasel wrote:
| Authorization and authentication. Like it or not Microsoft
| Active Directory or Azure AD (basically the cloud version)
| works with everything and it's kinda the only single
| sign-on/shared login solution for enterprises. You can build
| something yourself with LDAP, Kerberos and maybe Keycloak, but
| why bother when you more or less need AD for Windows and
| Exchange anyway.
| Eduard wrote:
| Self-hosted GitLab instances can also act as authentication
| services.
|
| Connecting git with an internal AD/LDAP allows for not
| requiring Azure AD.
| pdimitar wrote:
| I'd love to read more about it. Got any links?
| mutt2016 wrote:
| If it's just SSO, I have many good things to say about
| keycloak.
| guoqi wrote:
| Here is one related post: API Security with OIDC by
| using Apache APISIX and Microsoft Azure AD
|
| https://dev.to/apisix/api-security-with-oidc-by-using-
| apache...
| jmathai wrote:
| This isn't a solution for enterprises, however.
| eastbound wrote:
| For juniors: Enterprises and even small startups need to
| comply with their industry's security certification (PCI,
| ISO, whatever) which requires traceability of logins (and
| central revocation when employees quit and provably
| complex passwords and inability to retry 100 times, etc.)
| aaronharnly wrote:
| We use Okta, currently with on-prem AD, but are whittling
| away at the use cases for the latter and hope to be AD-free
| once we solve for RADIUS (suggestions welcome :)
| discordance wrote:
| Identity management for companies - SSO for office 365 and your
| apps/services, multifactor auth, RBAC for whatever company
| resources etc
| SOLAR_FIELDS wrote:
| It does a lot of things, but broadly the thing people know it
| most for is handling roles, permissions and groups for your
| organization. It's often the source of truth for things like
| access and provisioning. Pretty core part of the organization.
| dan000892 wrote:
| Presumably this is the same thing whatismytenantid.com does under
| the hood.
|
| Interesting (to me) is that the OpenID configuration endpoint
| provides the tenant ID for not only Commercial tenants but US
| Government (GCC & GCC-High) as well because the Azure AD portal
| has relatively new functionality to configure cross-tenant access
| settings by tenant ID or domain name but Gov tenants require you
| to obtain the tenant ID from the organization which is either
| security through obscurity or due to use of some Commercial-only
| Graph API call.
| tyingq wrote:
| >Presumably this is the same thing whatismytenantid.com does
| under the hood.
|
| Which is just something like (using slack.com as an example):
|
| https://login.microsoftonline.com/slack.com/.well-known/open...
|
| More urls here: https://o365blog.com/post/just-looking/
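The check tyingq describes, as an added example (not code from the thread, from the linked article, or from whatismytenantid.com): it parses the document that the login.microsoftonline.com OpenID-configuration URL returns and pulls the tenant GUID out of the endpoint URLs, returning None when the domain has no tenant. The "invalid_tenant" error shape is an assumption, the sample bodies are constructed, and has_aad_tenant is the live variant, which the offline samples do not exercise.

```python
import json
import re
import urllib.error
import urllib.request
from typing import Optional

# Azure AD tenant IDs are GUIDs; they appear inside the endpoint URLs of the
# OpenID configuration document when the queried domain belongs to a tenant.
GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")
DOMAIN = re.compile(r"[A-Za-z0-9.-]+")


def tenant_id_from_config(body: str) -> Optional[str]:
    """Return the tenant GUID from a successful OpenID config body, else None."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return None
    # Unknown domains get an error document instead (assumed shape:
    # {"error": "invalid_tenant", "error_description": "AADSTS90002: ..."}).
    if not isinstance(doc, dict) or "error" in doc:
        return None
    for key in ("token_endpoint", "issuer", "authorization_endpoint"):
        match = GUID.search(str(doc.get(key, "")))
        if match:
            return match.group(0)
    return None


def has_aad_tenant(domain: str, timeout: float = 10.0) -> Optional[str]:
    """Live check: fetch the config for `domain` and return its tenant ID or None."""
    if not DOMAIN.fullmatch(domain):
        raise ValueError(f"not a plain DNS name: {domain!r}")
    url = f"https://login.microsoftonline.com/{domain}/.well-known/openid-configuration"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return tenant_id_from_config(resp.read().decode())
    except urllib.error.HTTPError as err:  # a 400 carries the error document
        return tenant_id_from_config(err.read().decode())


# Constructed sample responses for offline use; the GUID is a placeholder.
SAMPLE_FOUND = json.dumps({
    "token_endpoint": "https://login.microsoftonline.com/"
                      "00000000-1111-2222-3333-444444444444/oauth2/token",
    "issuer": "https://sts.windows.net/00000000-1111-2222-3333-444444444444/",
})
SAMPLE_MISSING = json.dumps({
    "error": "invalid_tenant",
    "error_description": "AADSTS90002: Tenant 'nosuchdomain.example' not found.",
})
```

Run it against your own verified domain first; a tenant ID found for a domain you do not own is only a signal that the domain is registered in some tenant, not that the company is actively using it.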
| not_enoch_wise wrote:
| This is the answer to the question "why can't we get rid of
| passwords?"
| psanford wrote:
| Nah. Azure AD is one of the few IdPs that already supports
| FIDO2 Discoverable Credentials. You can use Passkeys with it
| today. You can go passwordless with it today.
| tialaramex wrote:
| Unfortunately, unless this changed too recently for me to
| know about it, that feature is default off and labelled
| "Experimental" or something.
|
| So it's difficult (ask me how I know) for someone who knows
| _way_ too much about this stuff and has implemented it
| themselves, to explain to "leadership" why they should
| change that default.
| wil421 wrote:
| Or you could do the opposite and be like the company I work
| for. Force everyone to enter an RSA token on every SSO login.
| Aperocky wrote:
| It doesn't have to be that manual, yubikey etc can just plug
| and press.
| wil421 wrote:
| The company I work for has around 250k employees. I'm sure
| software RSA is going to be drastically less expensive than
| yubikey.
|
| The people making the policies don't care at all. They are
| just dotting i's and crossing t's.
| cratermoon wrote:
| Unless your company is in a high-risk security-sensitive
| business, they shouldn't. Most companies can accept the low
| risk of only requiring a second factor sometimes. Usually
| time-based, but also looking at location and device
| fingerprint. For example, if you normally log in from your
| laptop at work in one state and then it sees you trying to
| log in from a computer in another state (maybe you're
| visiting family?) it should definitely challenge you.
| Terretta wrote:
| For the HN B2B startups here supporting Google Workspace SSO and
| not Microsoft Azure SSO, or offering Sign in with Google and not
| Sign in with Microsoft... why?
|
| 85% of big businesses are on the one you don't support.
|
| _" Results for the Fortune 500 [to see who's on Azure AD using
| a] CSV with a list of all the Company Names for all 500
| companies. Running it through this script, I find that 417, or
| 83.4% of companies have AAD, which is just a little off from
| Microsoft's public claim of 85%."_
|
| https://www.shawntabrizi.com/aad/does-company-x-have-an-azur...
|
| See also this top comment:
| https://news.ycombinator.com/item?id=33046968
| matthewaveryusa wrote:
| Azure AD presence does not imply they use MSFT SSO as their
| SSO.
| pid-1 wrote:
| Which products are used by large companies that don't have an AAD
| / AD structure?
| kube-system wrote:
| On prem AD?
| jeffmcjunkin wrote:
| In contrast, the vast majority of companies with Azure AD
| also have on-prem AD (full name: "Active Directory: Domain
| Services") with some type of synchronization between them.
| Usually this amounts to having an on-prem service that schleps
| password hashes (technically salted, stretched hashed
| versions of the on-prem hashes) to Azure.
| chayesfss wrote:
| I'd bet 100% have tenants but only some with names you know? Why
| wouldn't they have a tenant, assess the technology and decide how
| to incorporate?
| rlv-dan wrote:
| Exactly. I know one myself, one of the biggest companies in the
| world, whose tenant name has no resemblance to their company
| name. Security by obscurity is not a security feature but it is
| a barrier...
| ZiiS wrote:
| Bet nearly 100% have a fax machine too.
| bbarnett wrote:
| Indeed. And a large corp can be using Azure AD, in one little
| tiny department, spending 100 bucks a month, and it is on the list.
|
| I bet some of this use is free promo credits.
| tluyben2 wrote:
| I thought it would be 100%; everyone switched to AD after Novell.
| What the 16.6% are using is the interesting part.
| detaro wrote:
| _Azure Active Directory_. On-prem isn't counted. (Also
| assumptions about the domain used, which might not hold for
| all)
| jeffmcjunkin wrote:
| Nearly 100% have on-prem AD (full name: "Active Directory:
| Domain Services"). Azure AD is a separate identity provider --
| to a first approximation it's HTTPS and cookies, not Kerberos,
| LDAP, and Ticket-Granting Tickets that we see on-prem.
| trevorishere wrote:
| > not Kerberos
|
| Well... https://techcommunity.microsoft.com/t5/azure-storage-
| blog/pu... :-)
| Spooky23 wrote:
| Everyone with O365 has Azure AD. But a smaller number has Azure
| AD Premium.
|
| That's growing as salespeople get canned if they don't sell it.
| roflyear wrote:
| MS is so bad with this stuff. It's difficult to determine
| what value you get from premium. If I knew maybe I'd buy it!
| Spooky23 wrote:
| The service is good, but really expensive and the sales
| tactics are sleazy. They want you paying $40/mo/head.
| m348e912 wrote:
| Azure AD Premium is $480/year per user???? What in the
| world do you get for that price point?
| realityking wrote:
| It's not. Azure AD P1 is $6/user/month, P2 is
| $9/user/month. Cheaper than Okta.
|
| OP was probably thinking of Microsoft 365 E3 which does
| cost $36/user/month. That however includes a bunch of
| other stuff besides Azure AD P1.
| pid-1 wrote:
| You get Intune (which is called Microsoft Endpoint Manager
| now) and AAD P1 for all users.
|
| The base use cases are "I want my users to be able to log in
| to MS 365 from company managed devices" and "I want to
| manage my company's devices".
| gw99 wrote:
| NetIQ eDirectory tends to be the other big one. Although I am
| seeing a rise in companies not having an SSO solution recently
| at all. In fact some of the SMEs I've seen recently are running
| most of their stuff entirely via basic Microsoft O365 accounts
| or iCloud.
| roflyear wrote:
| I wouldn't think SSO is the primary use for AD. Definitely
| one big use, though!
| connordoner wrote:
| What do you think the primary use is?
| mooreds wrote:
| A lot of startups or smaller companies I've worked with are
| entirely on the Google stack (gmail, google drive). I imagine
| there's a scale when that option breaks, but I think it'd be
| fine until 50-100 employees.
| gw99 wrote:
| I've seen it working for schools with 5000+ accounts, so
| it'll go well past 100 users. Not sure I'd want to depend
| on Google though.
| flatiron wrote:
| Good question. I've worked at Apple and Google and both like to
| cook their own implementation. It was AD there.
| connordoner wrote:
| Where?
___________________________________________________________________
(page generated 2022-10-01 23:00 UTC)