What’s the Difference Between Azure AD Premium P1 vs P2?
Azure Active Directory
Microsoft offers its domain management software, Active Directory, as a product in Azure services which provides all the same security features as an on-premise implementation. The Azure product can be used on its own or as a hybrid implementation with an on-premise AD structure, making it a highly valuable feature of Azure.
Azure AD is present with all kinds of virtual and cloud services since security is an important feature in Azure. Since AAD is already functional in Azure and can be extended into an existing Active Directory structure, it’s important to understand the compatibility of additional versions which may already be in use. Either as a stand-alone product or an extension to the cloud, AAD is very important for organizational security, especially with integration into Office 365 and remote user sign-on.
The variation of tools in Azure AD replaced Dirsync and Azure AD Sync so that cloud and on-premise implementations mesh with each other seamlessly. Synchronization between the two is a key component for security as is AD Connect which is another integration tool that provides development and management of services for the use of single-user identities and single sign-on access including on-premise applications, cloud-based applications and Office 365.
With the Azure AD services, items in Active Directory are kept synchronized so that information about resource and identity security is up-to-date. Additionally, authentication methods in a wide variation are equally available in AAD including cloud authentication with Hash Synchronization, pass-through authentication and ADFS (federated authentication). Azure AD Connect Health monitors AD resources from the Azure portal for centralized management.
The premium additions of Azure AD are important to understand as these provide enterprise level tools for organizations in need of higher security measures, especially in Azure. While subscription services like Office 365 and Azure are automatically provided in Azure AD, these premium editions include important additional features for security and resource management. The premium versions are P1 and P2 and include these additional features to those basic in Azure AD.
- Azure AD Premium P1 – is an enterprise level edition which provides identity management for on-premise users, remote users and hybrid users accessing applications both locally and over the cloud. This edition includes support for self-service identity, access management, administration of dynamic groups including self-service group management, as well as Microsoft Identity Manager which is a suite of on-premise identity and access management tools.
- Azure AD Premium P2 – is an edition includes all of the features of Azure AD Premium P1 with the addition of Identity Protection and Privileged Identity Management (PIM). Identity Protection provided management of conditional access to apps and critical data. PIM enhances management of privileged accounts tied to administrative access to resources.
A deeper dive into these editions is necessary for better understanding of available features offered in each one.
One of the important factors in using a premium edition of AAD is dynamic group administration. IT administrators can receive many security group membership requests but the use of dynamic groups in premium editions provides for management with policies. Assigning policies to user ID’s means that group memberships are included based on assigned criteria and no additional requests are necessary.
The Premium P2 tier differs from the alternate P1 tier with added Identity Protection and Privileged Identity Management (PIM) which increase security measures to meet the toughest of expectations. Azure AD Identity Protection adds improved reporting of risk events so organizations can further assess potential vulnerabilities for all identities with the function of blocking or remediating these security risks with adaptive actions. PIM provides additional information about administrative accounts which allows for higher protection and lower risk of security breaches with this level of accounts. The Privileged Identity Management package clearly identifies Azure AD Administrators, adds a just-in-time administrative access for Office 365, provides reports about administrative access history and changes to admin assignments and sends alerts about access to privileged accounts.
Azure AD Premium P2 is especially important in environments where a shift has occurred to mobile-based applications. In these computing environments, traditional security measures such as firewalls are ineffective for the protection of a cloud domain since there is no perimeter.
Considering the roles individuals possess in organizations coupled with mobile factors, higher levels of security for identities becomes paramount. Regular users often access data from multiple devices on a variety of networks while making decisions about storage and sharing. Organizational IT retains less and less control of how data is protected. Additionally, privileged access can be assigned based on job title and little else while working outside specific network boundaries so that security audits are much harder to achieve with SaaS-based applications and systems. Access often is retained by users even after job changes occur.
Both of the additional functions of Privileged Identity Management and Identity Protection included in Azure AD Premium P2 perform the necessary functions to manage the changing roles present in cloud-based environments. Identity Protection alone gathers information from the internet which offers trend material for security concerns regarding vulnerabilities and role history. Based on this information remediation recommendations are provided based on user trends which can be assessed for adjustments. Risk severity calculations are obtained for determining events such as:
- Leaked credentials
- Sign-ons from infected devices or suspicious activity via unknown IP addresses and unfamiliar locations
- The nature of user lock-out events
Suspicious log-ons can be assessed and risk-based policies applied in reaction to security breaches of credentials in addition to changing bad credentials or blocking identified attacks.
PIM creates a workflow automated for user requests for elevated access. MFA (multi-factor authentication) is required for additional privileges after which the new access will time-out within a pre-determined time. Microsoft uses the same method with customer Office 365 subscriptions.
PIM and Identity Protection provide additional security for IT teams to manage and account for risks with improved effectiveness, making it a step up for enterprise-class customers in need of these features. The additional protection keeps Azure customers ahead of the curve for avoiding costly, damaging intrusions while managing access with less overhead.