Microsoft Windows Azure Active Directory (Azure AD or AAD) is a cloud service that lets administrators manage end-user identities and access privileges. When you use Office 365, Microsoft Azure, or Intune, you are indirectly interacting with AAD, which they use to manage all of their identities, authentication and permissions. There are massive dependencies on Azure AD, and its uptime and performance are hyper-critical to everyone using Office 365 or Azure.
It's a shock that Microsoft guarantees only 3-nines (99.9%) of availability for the service according to this document. You would think that something this mission-critical would have a better SLA. That seems like it needs updating.
Knowing whether Azure AD is up and running well is where Exoprise CloudReady can help. You want to ensure that it's highly available from all of your locations, that it's fast and that it's doing the right thing. That's what our new sensor does and more:
- Continuously tests Azure AD availability and access, end-to-end from locations wherever you have end-users
- Monitors the ability to perform OAuth authentication and token generation
- Crowd-sourced performance and availability statistics for AAD in real-time and long-term trending
Read on for how easy it is to set up the sensor so that you can detect, diagnose, and recover service credits when Azure AD experiences outages. It doesn't matter if you are using a different Single Sign-on solution; Azure Active Directory is still relied upon for authentication when accessing Office 365.
How to Monitor Microsoft Azure AD Performance
Azure AD Monitoring and Testing
Setting up an Azure AD sensor against your tenant takes only a few minutes. You can monitor from public clouds without having to deploy anything on your machines or easily monitor from your own networks with an Exoprise Private Site.
OAuth Make It Magical
OAuth authentication makes for magical and secure access to your AAD tenant, and the new Azure AD sensor leverages it to test operations and functionality. OAuth is an open-standard authorization protocol that gives applications the ability to perform secure impersonation and delegated access. For example, you can tell Exoprise that it's OK to access the profile and information on behalf of a user. OAuth doesn't share password data but instead uses authorization tokens to prove an identity between consumers (Microsoft) and service providers (us). In short, it allows you to approve one application interacting with another on your behalf without giving away your password.
There are pros and cons to using OAuth authorization versus the real credentials that other CloudReady sensors require:
Pros of OAuth Authorization for Testing and Monitoring
- Don’t have to share passwords for the account
- Can leverage multi-factor authentication for the account
- If the account password changes, it doesn’t affect the OAuth registration
Cons of OAuth Authorization for Testing and Monitoring
- OAuth authorizations are only used for API access
- You can’t use OAuth registrations to log in interactively. In the case of CloudReady sensors, when using OAuth credentials, you’re only testing portions of the system you are targeting
- Caution should be exercised when accepting the permissions of an OAuth registration. Exoprise leverages least privilege principles when setting up the different OAuth registrations for each sensor
If you want to test an entire system including user interactivity, which is more than an API test can provide, then we would recommend any of the Office 365 sensors that we offer, such as OWA, Portal, SharePoint or OneDrive.
What’s Tested With the Azure AD Sensor
The Azure AD monitoring sensor tests a number of properties and access paths to proactively monitor your AAD tenant from any location. The sensor sets up in minutes and provides the following insight:
- Sign-in access, performance and availability
Azure AD is the identity model for all of Office 365, Azure and Intune. Regardless of the Single Sign-on provider (SSO), AAD is relied upon for identity, access, delegation and permissions.
- OAuth registration, token serving, refresh and availability
More and more apps require OAuth registration and authentication to function properly. Ensuring that AAD is serving and refreshing tokens efficiently is critical for your user applications. The CloudReady Azure AD sensor can test and monitor as frequently as every 2 minutes.
- Azure Graph functionality, performance and uptime for your tenant
Since AAD is the identity model within SharePoint, OneDrive, Exchange and all things Office 365, you want to ensure that the API is performant. Whether you’re using SharePoint Online or Exchange Online, they are relying on the same Microsoft Graph calls.
The Azure AD sensor utilizes the Microsoft Graph API to perform queries on behalf of the registered user. You can safely use any account, even your own, to configure the sensor. The more realistic the account, the more representative the queries will be in terms of accessing your tenant. The API queries include:
- Basic AAD profile and tenant information for the supplied user
- Organization information for the supplied user
- Performs a search and lists users against your Azure AD tenant
- Queries recent files and contacts for the supplied user
- End-to-end Network Path Performance to data-center that returned the results
- Token refresh access and performance
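The caution about accepting OAuth permissions, applied to the queries listed above: this added example (not Exoprise code) compares the `scope` field of a token response with the delegated Microsoft Graph scopes those queries would need. The scope-to-query mapping, the `audit_consent` helper and the sample response are assumptions made for illustration; the page does not show the sensor's actual registration.

```python
import json

GRAPH_PREFIX = "https://graph.microsoft.com/"
# Assumption: delegated Graph scopes that would cover the queries the article
# lists. The vendor's real registration is not shown on the page.
EXPECTED = {
    "User.Read",           # profile and organization info for the signed-in user
    "User.ReadBasic.All",  # search and list users
    "Files.Read",          # recent files
    "Contacts.Read",       # contacts
}
# Sign-in and refresh scopes that expose no tenant data by themselves
NEUTRAL = {"openid", "profile", "email", "offline_access"}

def normalize(scope_field):
    """Split a space-delimited scope string and drop the Graph resource prefix."""
    names = set()
    for raw in scope_field.split():
        if raw.lower().startswith(GRAPH_PREFIX):
            raw = raw[len(GRAPH_PREFIX):]
        names.add(raw)
    return names

def audit_consent(token_response_json, expected=EXPECTED):
    """Classify the granted scopes as missing, excess or broad."""
    resp = json.loads(token_response_json)
    if "scope" not in resp:
        # RFC 6749 makes the field optional; without it nothing can be concluded.
        return {"status": "unknown", "missing": set(), "excess": set(), "broad": set()}
    canon = {s.lower(): s for s in expected | NEUTRAL}  # case-insensitive match
    granted = {canon.get(s.lower(), s) for s in normalize(resp["scope"])}
    excess = granted - expected - NEUTRAL
    # Heuristic: write access or tenant-wide (.All) reach beyond the expected set
    broad = {s for s in excess if "write" in s.lower() or s.lower().endswith(".all")}
    missing = expected - granted
    status = "over-privileged" if excess else ("incomplete" if missing else "ok")
    return {"status": status, "missing": missing, "excess": excess, "broad": broad}

# Constructed token response for illustration; not captured from a real tenant.
SAMPLE = json.dumps({
    "token_type": "Bearer",
    "scope": "https://graph.microsoft.com/User.Read "
             "https://graph.microsoft.com/User.ReadBasic.All files.read "
             "Directory.ReadWrite.All Mail.Read openid profile",
    "access_token": "<placeholder>",
})

if __name__ == "__main__":
    print(audit_consent(SAMPLE))
```

Anything reported under `broad` is worth questioning before consent is granted, since a monitoring account needs read access only.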
For each query, high-level timings, server query performance (how long it took the server to perform the query) and low-level metrics such as TCP/IP connect time, Time-to-first-byte, and SSL Negotiation time are captured. The low-level metrics are invaluable for diagnosing a problem or slowdown when something goes wrong. The high-level timings give you advance warning when something is slowing down with Azure AD.
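How the low-level timings separate a network problem from a slow server, as an added example that is not CloudReady code: it measures TCP connect time and time-to-first-byte against a local stand-in server with a constructed 0.2 second processing delay. The `SlowHandler`, `measure` and `demo` names are hypothetical, and TLS negotiation time is left out because the stand-in serves plain HTTP.

```python
import socket
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

SERVER_DELAY = 0.2  # constructed: seconds the stand-in server spends per query

class SlowHandler(BaseHTTPRequestHandler):
    """Local stand-in for a slow API endpoint (not a real Graph endpoint)."""
    def do_GET(self):
        time.sleep(SERVER_DELAY)
        body = b'{"value": []}'
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def measure(host, port, path="/"):
    """Return connect time, time-to-first-byte and total time in seconds."""
    start = time.perf_counter()
    sock = socket.create_connection((host, port), timeout=5)
    connected = time.perf_counter()
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n"
    sock.sendall(request.encode("ascii"))
    sock.recv(1)                      # blocks until the first response byte
    first_byte = time.perf_counter()
    while sock.recv(4096):            # drain the rest of the response
        pass
    done = time.perf_counter()
    sock.close()
    return {"connect": connected - start,
            "ttfb": first_byte - connected,
            "total": done - start}

def demo():
    """Start the stand-in server on a free loopback port and time one query."""
    server = HTTPServer(("127.0.0.1", 0), SlowHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return measure("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

A small `connect` value next to a large `ttfb` points at server-side processing rather than the network path.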
Get Started Proactively Monitoring Azure AD
You can easily get started with CloudReady and deploy an Azure AD sensor in less than five minutes. Give it a try.