Understanding Microsoft Azure vs Azure AD (AAD)

Questions often come up about the difference between the Microsoft Azure and Azure AD adapters within Axonius. This is an understandable question, as there is some overlap for these services and how they are configured to integrate with Axonius. Let's talk about what each service is responsible for and what you can get out of each within the Axonius platform.

What is Microsoft Azure

Azure is Microsoft's Public cloud and hosts a wide variety of different IaaS/PaaS/SaaS components. All of these different components can be grouped into Management Groups, Azure Subscriptions, and Resource Groups, which act as varying levels of logical grouping of Azure resources for billing and administration purposes. All Azure subscriptions will be tied to one Tenant, which is the Azure AD Organization associated with these resources. Subscriptions may only be associated with a single AAD tenant.

The most common resource types ingested into Axonius for Microsoft Azure are Virtual Machines, Load Balancers, SQL Servers, and Storage Accounts. However, Axonius is constantly adding support for new resource types. Each Azure resource fetched will have their full Azure Resource Manager ID, Subscription/Resource Group details, and configuration details. The configuration details may vary depending on the resource type. For instance, a virtual machine will contain details about its network security groups, disks, OS, and other important details.

The Azure adapter utilizes the Azure Management API for all fetch operations.

What is Azure AD

Azure AD is Microsoft's Azure hosted Identity and Access Management service. It provides a lot of the same functionality as traditional on-premises AD deployments, but it was also designed with usage of the Azure public cloud in mind.

As mentioned in the previous section, Azure AD utilizes tenants as the primary grouping for different Azure AD organizations. Usually these tenants are associated with a custom domain name. Some organizations may have several different tenants. Within each of these tenants you can register devices, create users, groups, applications, and manage their permissions.

Due to the similarity in functionality between AD and AAD, you will see a lot of the same information fetched by the Axonius adapter, i.e. users, groups, and registered devices. The Axonius Azure AD adapter also fetches information regarding mobile device management through MS Intune through this adapter as well. One of the most important parts about the AAD adapter and the data it collects is that the referenced devices are not necessarily within Azure itself, they are simply registered or referenced by the AAD tenant. This means it will include many registered on premises, or devices that exist outside of Azure itself.

The Azure AD adapter utilizes the Microsoft Graph API for all fetch operations.

Integrating Axonius with Azure and Azure AD

Enabling your Axonius adapters for Azure and Azure AD to fetch their respective resources involves some overlapping steps. In both cases, Axonius integrates through the use of an Application Registration. Registering an application in Azure AD allows you to create a service principal that Axonius can use to interact with both the Management API (Azure) and Graph API (Azure AD), provided that the application is given the correct permissions.

You can find more documentation for the Azure and Azure AD adapters within the Axonius public documentation.