This articles describes “What you need to know before integrating on-premise AD with Azure Active Directory and MFA”. Azure Active Directory (AAD) is a Cloud Identity and Access Management solution that provides directory services, application access management, and advanced identity protection. Its single sign-on (SSO) and Multi-Factor Authentication (MFA) capability help protect employees from cyberattacks. Please see the following guide Azure Active Directory integration with on-Premise AD using PTA, and Microsoft Azure Multi-Factor Authentication (MFA).

There is a slight difference as Windows Active Directory is focused on securing Windows desktops and servers on-premise. While AAD is all about web-based authentication standards such as OpenID and OAuth.

For more information and also this guide for reasons to deploy AAD, how to set up Azure AD Tenant, and how to add or delete users, and set permissions in Azure Active Directory. Also, see why do I need to deploy Azure Active Directory and how to use the built-in AAD Connect troubleshooting tool.

Integrating On-Premise AD with Azure AD and MFA Tips

Prices (License) – Editions of AAD: See the following link for pricing. As of this time, this comes in four editions, which are as follows;

Free Edition
Office 365 apps edition
Premium 1
Premium 2

Free Edition

This edition has a 12-month free subscription (Azure AD) is not included. But it has an option to test Azure AD for one month which is regarded as AAD Premium Free. See the following link for more information. see the following article on how to add a custom domain in the Azure Active directory.

Office Apps Edition

This licensing edition does not include lots of basic identity and access management functionalities such as MFA with Conditional Access. Also does not provide Identity Protection / Governance functionalities such as Risk-based conditional access policies and permission management. Also does not include Hybrid Identities, Advanced Management of Group Access, etc.

Premium Editions:

These license options are available through the Open Program / Volume License Program (Integrating On-Premise AD with Azure AD and MFA Tips). This is a simple and cost-effective way to acquire the latest Microsoft technology, sub-divided into Premium 1 and Premium 2.

Premium 1:

This option also does not include some advanced functionalities of Identity Protection and Governance in determining risks and vulnerable accounts and Privileged Identity Management (PIM) etc.

Premium 2

This license model is recommended as it has all the advanced functionalities such as Identity and Access Management on-premise, cloud, and hybrid environments. It also offers adds reports as shown below.

Sign in from IP addresses and suspicious activities
Irregular sign-in devices used and show users that most actively use an application.
Alerts in the form of emails to Azure AD administrators when anomalous behaviors are detected.

It might interest you to know that, Microsoft offers open programs to Government Organization and Educational Institution which allows the initial purchase of 5 or more licenses and this depends on your eligibility. Here are the different license programs available for the open program.

Open Value: This program is basically for small and medium-scale companies with relatively few desktops. It also has software assurance, technology training courses, and product support, etc. The license is valid over the total years of agreement. Meaning the total cost of the license can be spread through the entire subscription period.
Open Value Subscription: It provides the lowest budget upfront of the open program options. With the flexibility to reduce the total licensing cost in the future if the need decreases. Here the software is not purchased but subscribed to and the monthly costs are lower.
Open License: One-time payment but grants unlimited use of software (i.e., upfront payment in a large sum). In this program, the five license minimum initial purchase is waived. This is not ideal as it is difficult to tell, how many licenses and updates would be needed in the coming years. This has technical support included.

I hope you found this blog post on what you need to know before integrating on-premise AD with Azure Active Directory and MFA helpful. Please let me know in the comment session if you have any questions.