Windows Azure AD terminology
Published: February 7, 2013
Updated: February 28, 2013
Applies To: Office 365, Windows Azure, Windows Intune
Windows Azure Active Directory (Windows Azure AD) has a unique set of terminology that reaches into the cloud, hybrid, and on-premises scenarios. The following table defines these terms to give you a basic understanding of how they are used throughout the topics in this guide.

| Term | Definition |
|---|---|
| Additional security verification | A security setting that a global admin can set on a user account in their organization's tenant to require that both the user's password and a response from the user's phone are used to verify that identity to the Windows Azure Active Directory authentication system. |
| Directory integration | A feature of Windows Azure Active Directory that you can set up to improve the administrative experience of maintaining identities in both your on-premises directory and your cloud directory. Directory integration scenarios include directory synchronization, and directory synchronization with single sign-on. |
| Directory synchronization | Used to synchronize on-premises directory objects (users, groups, contacts) to the cloud to help reduce administrative overhead. Directory synchronization is also referred to as directory sync in the Windows Azure AD portal and the Windows Azure Management portal. Once directory synchronization has been set up, administrators can provision directory objects from your on-premises Active Directory into your tenant. |
| Microsoft Online Services Sign-In Assistant | The Sign-In Assistant is an application installed on a client computer that makes it possible for a user to sign in once on that computer and then access services any number of times during the sign-in session. Without the Sign-In Assistant, end users must provide a name and password each time they attempt to access a service. The Sign-In Assistant should not be confused with single sign-on, which is a directory integration feature of Windows Azure Active Directory that can be deployed to let users access Microsoft cloud services seamlessly with their existing on-premises corporate credentials. |
| Multi-factor authentication (also known as two-factor authentication or 2FA) | Multi-factor authentication adds a critical second layer of security to user sign-ins and transactions. When you enable multi-factor authentication for a user account in Windows Azure AD, that user must then use their phone, in addition to their standard password credentials, as their additional security verification method each time they sign in to and use any of the Microsoft cloud services that your organization subscribes to. |
| Organizational account | A user account assigned by an organization (work, school, non-profit) to one of its constituents (an employee, student, customer) that provides sign-in access to one or more of the organization's Microsoft cloud service subscriptions, such as Office 365 or Windows Azure. These accounts are stored in an organization's cloud directory (also known as Windows Azure Active Directory), and are typically deleted when the user leaves the organization. Organizational accounts differ from Microsoft accounts in that they are created and managed by admins in the organization, not by the user. |
| Single sign on | Used to provide users with a more seamless authentication experience as they access Microsoft cloud services while logged on to the corporate network. In order to set up single sign-on, organizations need to deploy a security token service on premises. Once single sign-on has been set up, users can use their Active Directory corporate credentials (user name and password) to access both the services in the cloud and their existing on-premises resources. |
| User ID | A user ID is a unique identifier for an organizational account stored in Windows Azure Active Directory that a user provides on the Sign In page to access the Microsoft cloud services that your organization has subscribed to. Each user ID is a user principal name (UPN) constructed from the account's User Name attribute value (which must be unique), the @ symbol, and the Internet domain name that is assigned to it in Windows Azure AD. For example, the initial user ID specified by the person who created your tenant might look similar to admin@contoso.onmicrosoft.com. |
| Windows Azure Active Directory | The identity service in Windows Azure that provides identity management and access control capabilities through a REST-based API. |
| Windows Azure Active Directory Access Control | The Windows Azure service that provides federated authentication and rules-driven, claims-based authorization for REST web services. |
| Windows Azure Active Directory authentication system | Microsoft's identity service in the cloud used to authenticate and authorize organizational accounts. |
| Windows Azure Active Directory Graph | A capability of Windows Azure Active Directory that accesses user, group, and role objects within a social enterprise graph to easily surface user information and relationships. |
| Windows Azure Active Directory Module for Windows PowerShell | A group of cmdlets used to administer Windows Azure Active Directory. You can use these cmdlets to manage users, groups, domains, cloud service subscriptions, licenses, directory sync, single sign-on, and more. |
| Windows Azure Active Directory portal | The Windows Azure AD portal is a web services front-end that reads from and writes to a single shared instance of your organization's Windows Azure AD tenant. |
| Windows Azure Active Directory Rights Management | A capability of Windows Azure Active Directory that lets organizations that subscribe to Microsoft cloud services encrypt content and assign usage restrictions to it. Rights Management helps protect content created and exchanged using Microsoft Office as well as other applications or services that have been updated to integrate with the Rights Management service. |
| Windows Azure Active Directory Sync Tool | The application that provides one-way synchronization of directory objects from a company's on-premises Active Directory service to Windows Azure Active Directory. |
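The cmdlet-based administration described under the Windows Azure Active Directory Module for Windows PowerShell entry, applied to the additional security verification and directory synchronization entries, as an added example that is not from the original page: it reports which organizational accounts in the tenant have multi-factor authentication enforced and whether each account was provisioned by directory sync. It assumes the module is installed under the name MSOnline and that the account used to connect is a global admin of the tenant.

```powershell
# Added example, not part of the Microsoft glossary page.
# Assumes the Windows Azure AD Module for Windows PowerShell (MSOnline) is installed
# and that Connect-MsolService is run with global admin credentials for the tenant.
Import-Module MSOnline
Connect-MsolService   # prompts for the global admin's organizational account

function Get-MfaStatusReport {
    # One object per user in the tenant: UPN (the user ID), whether additional
    # security verification is Enabled/Enforced/Disabled, licensing, and whether
    # the object came from on-premises AD via directory sync or was created in the cloud.
    Get-MsolUser -All | ForEach-Object {
        $req = $_.StrongAuthenticationRequirements | Select-Object -First 1
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            MfaState          = if ($req) { $req.State } else { 'Disabled' }
            IsLicensed        = $_.IsLicensed
            AccountSource     = if ($_.LastDirSyncTime) { 'DirectorySync' } else { 'CloudOnly' }
        }
    }
}

$report = Get-MfaStatusReport

# Licensed accounts that can still sign in with a password alone; these are the
# candidates for enabling additional security verification.
$report | Where-Object { $_.IsLicensed -and $_.MfaState -eq 'Disabled' } |
    Sort-Object UserPrincipalName |
    Format-Table UserPrincipalName, MfaState, AccountSource -AutoSize

# Summary counts by MFA state, useful for tracking rollout over time.
$report | Group-Object MfaState | Select-Object Name, Count
```

An account whose MfaState is Enabled has been asked to register a phone but has not yet completed it, whereas Enforced means the second factor is required at every sign-in; only Enforced gives the protection the glossary describes.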