Yesterday, Microsoft released Azure Active Directory Basic to general availability. This subscription is positioned as a new middle tier between the free version and Azure AD Premium. The free version offers basic IDaaS (identity management as a service) capabilities such as single sign-on for up to 10 SaaS apps per user, self-service password change for Azure AD cloud users, and basic user and group management. At the other end of the spectrum, Azure AD Premium has Microsoft's most sophisticated on-premises integration tools and security reporting.
The new Basic subscription adds four more capabilities to the free version:
- Group-based access management and provisioning
- Self-service password reset for cloud users only (it doesn't provide writeback to change Windows Server Active Directory passwords)
- Company branding of the logon page and access portal
- An enterprise SLA of 99.9%
Why a new subscription tier?
The Basic subscription is designed to provide better account management than the free version, and is focused on cloud accounts (though Basic does support sourcing Azure AD accounts from on-premises Windows Server AD). According to Azure AD director of program management Alex Simons, Azure AD Basic was created to satisfy the needs of large employers with "deskless employees" who wished to take advantage of the cloud service's ability to provide single sign-on to SaaS applications.
These companies, often in retail, food service, or hospitality, have large numbers of employees who don't fit the profile of a knowledge worker. A defining characteristic is that they don't have a desk, or indeed even a company-provided computer. Nonetheless, they need access to employee-related services such as payroll, benefits, corporate portals, and task-related applications. These users have traditionally been supported by adding them to HR systems and Windows Server Active Directory, which then grants them access to internal applications. In this on-premises scenario, these employees often use shared computers to access these resources; during my time at Intel, fab (microprocessor and assembly / test factories) employees used Windows clients configured as kiosks which were shared by all employees on the shift. Higher education is another potential user of this service, serving large numbers of students who may need to access a limited number of institution-related websites (if the sites are browser- or app-based and externally accessible).
What's changed as cloud services grow in maturity is that the internal applications these employees access can largely be replaced by SaaS applications that don't require corporate network access. As a result, they also don't require full Windows clients; a simple browser or perhaps a mobile device app will do the job. And most employees already own a device that can do this. What remains the same, regardless of the technology, is the provisioning process: you must create an account for a new employee, grant them access to resources, add and remove resource access as their job changes, and revoke access when the employee leaves the company. Azure AD needs very robust and automated tools to manage the CRUD (create, read, update, and delete) of large numbers of user accounts that change status often, which this scenario requires. Azure AD Basic's effectiveness will depend on it.
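The joiner/mover/leaver provisioning loop described above, as an added Python example that is not from the article or from Microsoft: it diffs a constructed HR feed against a constructed directory state and emits the create/enable/disable and group add/remove actions a group-based provisioning tool would have to perform (the names, groups and role-to-group table are assumptions). It also handles the case the text implies but doesn't spell out: accounts the directory still holds for people HR no longer knows about.

```python
from collections import namedtuple

# Constructed sample data (hypothetical names): access for a "deskless"
# workforce is granted through role-based groups, never per user.
ROLE_GROUPS = {
    "cashier": {"Payroll", "Benefits", "StorePortal"},
    "shift-lead": {"Payroll", "Benefits", "StorePortal", "Scheduling"},
}
HrRecord = namedtuple("HrRecord", "upn role status")   # HR feed: status is "active"/"terminated"
DirUser = namedtuple("DirUser", "upn enabled groups")  # account as it exists in the directory

def reconcile(hr_feed, directory):
    """Return the directory actions that make `directory` match `hr_feed`:
    joiners created, movers re-grouped, leavers disabled and stripped of every
    group; an account with no HR record at all is treated as a leaver too."""
    actions, remaining = [], {u.upn: u for u in directory}
    for rec in hr_feed:
        active = rec.status == "active"
        # Unknown role -> no groups: least privilege until the HR data is fixed.
        desired = ROLE_GROUPS.get(rec.role, set()) if active else set()
        user = remaining.pop(rec.upn, None)
        if user is None:
            if not active:
                continue  # never create an account for a terminated employee
            actions.append(("create", rec.upn))
            current = set()
        else:
            current = user.groups
            if active and not user.enabled:
                actions.append(("enable", rec.upn))
            elif not active and user.enabled:
                actions.append(("disable", rec.upn))
        actions += [("add", rec.upn, g) for g in sorted(desired - current)]
        actions += [("remove", rec.upn, g) for g in sorted(current - desired)]
    for upn, user in remaining.items():  # in the directory but unknown to HR
        if user.enabled:
            actions.append(("disable", upn))
        actions += [("remove", upn, g) for g in sorted(user.groups)]
    return actions

HR_FEED = [
    HrRecord("alice@example.com", "cashier", "active"),      # joiner: no account yet
    HrRecord("bob@example.com", "shift-lead", "active"),     # mover: promoted
    HrRecord("carol@example.com", "cashier", "terminated"),  # leaver
]
DIRECTORY = [
    DirUser("bob@example.com", True, {"Payroll", "Benefits", "StorePortal"}),
    DirUser("carol@example.com", True, {"Payroll", "Benefits", "StorePortal", "Scheduling"}),
    DirUser("dave@example.com", True, {"StorePortal"}),  # orphan: no HR record
]
```

Running `reconcile(HR_FEED, DIRECTORY)` on this data yields one create, one group addition for the promotion, and disable-plus-remove actions for both the terminated employee and the orphaned account; a real tool would apply these through the directory's API and log each one for audit.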
Azure Active Directory subscription levels (Microsoft)
Pricing for Azure Active Directory Basic is $1 per user per month for companies with an Enterprise Agreement (EA) license, though discounts may apply. Multi-factor authentication can be added for another $2 per user per month. (In contrast, Azure Active Directory Premium is $4 per user per month.) The Azure AD team is working on making Basic available for purchase outside of an EA soon.