Office 365 – Software as a Service (SaaS):
Office 365 Service is basically a SaaS (Software as a Service) as explained here in the Wikipedia Page. This Service helps user to utilize the features provided by Microsoft Office – Word, PowerPoint, Excel and many more when they are even connected to Internet through a Browser which makes it call a “Service” (unlike using Software installed) and thus making it available anywhere/anywhere. A Service like this would generally be hosted in large datacenters with high availability as well. This process of making the Software utilities as a Service enables the SaaS Service Provider to come up with Subscription plans to which user could Subscribe or buy licenses to use the Services Online. A Subset of Office 365 Subscriptions/Licenses are listed here.
Now, when a Software Service is available over Internet and if it is Subscription/Licensing based, the database of “who” purchased the license, “which” license to assign to a user, how to “login” a user to an application and many more requirements around how a user is managed comes up thereby leaving a space to think about Identity Management. This Identity Management for a SaaS application is generally maintained by a database which may/may not be hidden from the End User. This “database” used in Identity Management for Office 365 SaaS is Azure Active Directory.
Azure Active Directory (Azure AD) – Identity as a Service (IDaaS):
Azure Active Directory is basically a limited Active Directory Service available over Internet/in Cloud. It can also be referred as the Identity Management Service. The features of Azure Active Directory which are released right now are described here but there are many other features which may come up later. Again Azure Active Directory is also a Service – thus making it available in a Subscription based model.
Now, this Azure Active Directory is made extremely significant for the Identity Management of Office 365 SaaS. The users using Office 365 are always stored in Azure Active Directory. The Login/Logout and most of Identity Management functionalities for Office 365 is handled by Azure Active Directory Service. Thus Azure Active Directory acts as a “Backend Database” for Office 365 SaaS Service. Now to think about this with more insight we can consider the two statements –
(1) when we subscribe to an Office 365 Service, a corresponding Azure Active Directory Service should be created for Identity Management.
(2) Also, the reverse is true! Whenever we create an Azure Active Directory Service, Office 365 SaaS also gets registered to it by default.
Interesting? Let’s try these out:
(1) So, how to exactly see the Azure Active Directory Service after we create an Office 365 Service?
Basically to Sign-up for Office 365, we have to definitely sign-up for any trial license “Office 365 Enterprise E3 Trial” or any other trial. You could sign-up here. For this demo, I have created an Office 365 trial with the tenant name – ballance3.onmicrosoft.com. My first user that I created is firstname.lastname@example.org. I can login to the Office 365 Service with this ID created by going anytime to https://portal.office.com.
Now, how to see the “back-end” Azure Active Directory associated with my Office 365 Service “ballance3.onmicrosoft.com”? Here is the way – The trick is that we can see the Azure Active Directory feature in Azure Portal either Classic or New Portal (preview). The feature of viewing our Office 365 directory is available by default in New Portal without any Azure Subscriptions and not in Classic Portal where an active Azure Subscription is required.
Seeing our Azure Active Directory through New Azure Portal (also called “Ibiza” portal):
Just Sign-in to Office 365 portal with Global Administrator User and then just open a new tab, navigate to https://portal.azure.com, you will be able to manage the Azure AD for your Office 365 Tenant.
The key thing to notice here is your Tenant Name – Default Domain name – in my case its ballance3.onmicrosoft.com. This is the unique identifier of a tenant and this data/value helps in various scenarios.
Since the New Azure Portal is in preview, we will also work this through the Classic Portal which we would discuss in the next Post.
(2) Whenever we create an Azure Active Directory Service, Office 365 SaaS also gets registered to it by default.
(For trying this, we need an account which could login to Azure Classic Portal since we can create an Azure Active Directory only through Classic portal and not through New Azure portal as of now)
- Login to the Azure Classic Portal with an account. Navigate to Active Directory section.
- Click on New -> App Services -> Directory -> Custom Create.
- Choose “Create New Directory” and type in the available domain name of your choice. Click on OK.
- A New Azure AD will be created.
- As mentioned a domain name is like the identifier for an Azure AD Service or an Office 365 Tenant. In this case, our default domain was ballance4.onmicrosoft.com which we can find it in “Domains” section:
- You can click on the Directory and go to “Applications” section.
- This is where we find the Office 365 SaaS pre-integrated. This is by default and always gets registered once when we create an Azure Active Directory.
- Now create a user in Azure AD (with local domain name) and make it a Global Administrator. Create a Temporary Password too.
- Confirm that the user is created.
- Then open an In-private Browsing Window and navigate to https://portal.office.com . Use the newly created account to login. Update the password as well.
- After login, you will find out your “Admin” Tile. Click on it. You will be redirected to Office 365 Admin Center from where you can see and manage the users/objects of the same Azure AD.
- Click on Users -> Active Users
- You will be able to see the same list as you saw in your Azure Active Directory
- Also, since domain names are like unique identifiers, we could easily use this information to confirm that its the same tenant that we are operating on. Its in Settings -> Domains. You will find our test tenant – ballance4.onmicrosoft.com!
Hence we are able to see our Tenant or our Azure Active Directory Service at our Office 365 Portal as well. By this, we can conclude the below statements:
- If we have an Office 365 Subscription, there is definitely an Azure Active Directory Service linked to it.
- If we have an Azure Active Directory, we could also use Office 365 Portal to manage the Users/Identity to a certain extent.
The above two statements are extremely important as they help in solving some common and weird issues which we will discuss in subsequent posts.