At first glance, on-prem Active Directory Domain Services (AD DS) and Azure Active Directory (AAD) may seem like two versions of the same service. Although they both provide directory services and sound quite similar, AD DS and Azure AD are definitely not the same thing.
This article looks at the differences between on-prem Active Directory and Azure AD. We’ll also discuss the features of each service and their ideal use cases.
What Is Azure AD?
Azure AD is a cloud-based directory service deployed by Microsoft’s Azure platform. A directory service is a customizable information store that maps the identities and characteristics of objects in a network, such as user accounts and resources. It functions as a single point from which to locate network resources and services. Directory services also manage the relationships between users and other network components. Azure AD is a universal PaaS-based identity and access management (IAM) system. Organizations use the platform to store critical user information such as names, emails, IDs, and addresses, which can then be used to identify users and permit them to access various resources across a corporate intranet.
Key Functions of AD
Active Directory Domain Services is part of the Windows Server operating system. AD DS basically authenticates users signing in to the corporate network. It keeps a record of all the users and network components in a database and cross-checks access requests against identities and permissions. AD also allows admins to control servers and PC workstations to some degree. For instance, admins can prevent certain users from installing software or altering configurations on their PCs. Below are AD’s main functions:
- Domain Services: Secure object store for AD components such as users, groups, computers, and servers.
- Lightweight Directory Access Protocol (LDAP), Kerberos, and NTLM: Provide secure authentication between trusted devices and domains. They also support cross-platform domain services for non-Windows components.
- Rights Management: Determines permissions and rights for data access and other actions, such as sending email, installing software, and changing device settings through Group Policy.
- Active Directory Federation Services (ADFS): Allows sharing of identity information outside the company’s network so that users only have to log in once.
- Certificate Services: Enables an organization to establish an on-premises Public Key Infrastructure (PKI) and to create, validate, and revoke public key certificates. These certificates have various uses, such as encrypting files, email, and network traffic.
How Does Azure AD Work?
Think of Azure AD as the cloud version of on-prem or Windows Active Directory. The service is geared toward web-based services. It supports single sign-on (SSO) for Microsoft cloud applications as well as third-party services such as Google Apps, Salesforce, SAP, and ServiceNow. Single sign-on means that a user only has to log in once to access all the permitted apps, services, and resources on a network. AAD supports external web services through RESTful APIs.
Unlike Windows Server AD, which uses NTLM and Kerberos to authenticate access to network services, Azure AD does this using HTTP requests. It handles authentication between client and server through protocols and standards such as Open Authorization (OAuth), Security Assertion Markup Language (SAML), and OpenID.
How Does On-Prem Active Directory Work?
Azure AD runs on the cloud, while AD DS runs on an on-prem server called a domain controller (DC). Large networks may have multiple DCs managed by a Global Catalog that updates and synchronizes directory copies across all DCs.
AD DS is structured into three main tiers: domains, trees, and forests. A domain is a group of closely related AD objects (users, computers, accounts, etc.). Multiple domains can be grouped into a tree, and multiple trees combined into a forest. Each domain is a management boundary, and all objects in a domain are stored and managed in a single database. Trees sharing the same Global Catalog are said to be in the same forest. A forest is a security boundary, meaning that objects in different forests can’t interact unless the administrator explicitly allows it by establishing a trust relationship.
This structure allows IT administrators to organize the network into hierarchical sub-units through Organizational Units (OUs) and Group Policy Objects (GPOs).
Identity Management with On-Premises AD
On-prem AD uses Domain Name Service (DNS) and LDAP to locate and identify objects and resources on a network. AD DS primarily uses Kerberos and NTLM for user authentication.
The DNS name resolution service stores zones and zone data, making it possible for network clients to locate Active Directory domain controllers and for the DCs themselves to communicate with each other. DNS is used to locate a domain controller every time an Active Directory operation is performed, such as a search, request, or update. LDAP ensures that the distributed directory information is organized and ready to query. LDAP stores records containing the identities and attributes of all objects in a particular domain, and queries in AD DS are also made through this protocol.
Kerberos is a network authentication protocol that enables objects to prove their identity through a trusted third-party service. In this case, the domain controller serves as the trusted third party, or Key Distribution Center (KDC). Windows NT LAN Manager (NTLM) acts as a challenge-response authentication provider for resources on an AD domain.
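The DC-locator and LDAP-query steps described above, as an added example that is not part of the original article: a client builds the SRV names AD DS publishes in DNS, picks a DC from the answers by RFC 2782 priority and weight, and then builds an LDAP filter for the user lookup with the value escaped per RFC 4515 so that user-supplied input cannot alter the query. The domain corp.example.com, the SRV answer set and the DC names are constructed for the example.

```python
import random

# Constructed SRV answers for the DC locator records AD DS registers in DNS
# (hypothetical domain corp.example.com): (priority, weight, port, target).
SRV_ANSWERS = {
    "_ldap._tcp.dc._msdcs.corp.example.com": [
        (0, 100, 389, "dc1.corp.example.com"),
        (0, 100, 389, "dc2.corp.example.com"),
        (10, 0, 389, "dc-dr.corp.example.com"),   # lower-preference DR-site DC
    ],
    "_kerberos._tcp.dc._msdcs.corp.example.com": [
        (0, 100, 88, "dc1.corp.example.com"),
        (0, 100, 88, "dc2.corp.example.com"),
    ],
}

def dc_locator_names(domain: str, site: str = "") -> dict:
    """SRV names a client queries to find DCs; site-specific names are tried first."""
    suffix = (f"{site}._sites." if site else "") + f"dc._msdcs.{domain}"
    return {"ldap": f"_ldap._tcp.{suffix}", "kerberos": f"_kerberos._tcp.{suffix}"}

def select_srv(records, rng=random.random):
    """Pick (target, port) per RFC 2782: lowest priority, then weighted random."""
    best = min(r[0] for r in records)
    candidates = [r for r in records if r[0] == best]
    total = sum(r[1] for r in candidates)
    if total == 0:                      # all weights zero: any candidate is fine
        return candidates[0][3], candidates[0][2]
    pick = rng() * total
    running = 0
    for _prio, weight, port, target in candidates:
        running += weight
        if pick < running:
            return target, port
    return candidates[-1][3], candidates[-1][2]

def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def user_filter(sam_account_name: str) -> str:
    """LDAP filter that finds one user object by sAMAccountName."""
    return f"(&(objectClass=user)(sAMAccountName={ldap_escape(sam_account_name)}))"

if __name__ == "__main__":
    names = dc_locator_names("corp.example.com")
    print("DC for LDAP:", select_srv(SRV_ANSWERS[names["ldap"]]))
    print("Filter:", user_filter("jdoe"))
```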
Identity Management with Azure AD
The identity management processes and protocols in Azure AD are very different from those used in on-prem Active Directory. For starters, Azure AD has a flat structure rather than a hierarchical framework; indeed, Azure AD doesn’t support organizational units and group policy objects. Also, object identities and client queries are not handled by DNS or LDAP. Azure AD is more focused on managing identity and authentication over the internet. User identification and authentication are based on a number of protocols, including WS-Federation, SAML, OpenID, and OAuth. All these protocols work over HTTP (port 80) and HTTPS (port 443), which are used by all types of devices on a network. It is still possible to query Azure AD, but instead of LDAP the query goes through a REST interface called the AD Graph API.
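The OAuth/OpenID side of Azure AD authentication described here and in the earlier HTTP-based authentication section, as an added example that is not part of the original article: an application receiving a token from Azure AD must check the issuer, tenant, audience and validity window claims before trusting it. The tenant and application ids are hypothetical, the token is constructed with a placeholder signature, and the example covers only the claim checks, which run after the signature has been verified against the tenant's published signing keys.

```python
import base64
import json
import time

TENANT_ID = "00000000-0000-0000-0000-00000000aaaa"   # hypothetical tenant id
CLIENT_ID = "11111111-1111-1111-1111-11111111bbbb"   # hypothetical app (client) id

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(payload: dict) -> str:
    """Build a JWT-shaped string with a placeholder signature (constructed sample)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.placeholder-signature"

def validate_claims(token: str, tenant_id: str, client_id: str, now=None) -> list:
    """Return the problems found in the token's claims; an empty list means accepted.
    Assumes the RS256 signature was already verified against the tenant's JWKS."""
    now = time.time() if now is None else now
    problems = []
    try:
        _header, body, _sig = token.split(".")
        claims = json.loads(b64url_decode(body))
    except ValueError:                       # wrong segment count, bad base64/JSON
        return ["malformed token"]
    expected_iss = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
    if claims.get("iss") != expected_iss:
        problems.append("issuer mismatch")   # token minted by another tenant/IdP
    if claims.get("tid") != tenant_id:
        problems.append("tenant mismatch")
    if claims.get("aud") != client_id:
        problems.append("audience mismatch") # token issued for a different app
    exp, nbf = claims.get("exp"), claims.get("nbf")
    if not isinstance(exp, (int, float)) or now >= exp:
        problems.append("expired")
    if isinstance(nbf, (int, float)) and now < nbf:
        problems.append("not yet valid")
    return problems

if __name__ == "__main__":
    sample = make_token({"iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0",
                         "tid": TENANT_ID, "aud": CLIENT_ID,
                         "nbf": 1700000000, "exp": 1700000600})
    print(validate_claims(sample, TENANT_ID, CLIENT_ID, now=1700000300))
```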
Besides verifying user credentials, Azure provides additional security authentication features and capabilities such as:
- Self-service password reset
- Multi-factor authentication
- Passwordless authentication
- Password protection
- Conditional Access policies
- Privileged Identity Management (PIM)
- Azure AD Connect (enables Pass-through authentication, identity information synchronization, federation integration, and health monitoring)
Azure AD Pros and Cons
Azure AD is a popular Identity and Access Management (IAM) solution. It currently handles more than 1.2 billion identities and processes over 8 billion authentications daily. It’s safe to say that Azure AD is a generally trusted IAM system. So, how does it stack up against on-prem AD in terms of value and benefits?
The pros
- Azure AD is a PaaS product offered and managed by one of the most reputable brands in the IT industry — Microsoft. The platform is backed by Microsoft’s support, Azure cloud, security, and customer service.
- Since Azure AD runs on the cloud, it doesn’t require any dedicated or additional on-prem infrastructure.
- Microsoft handles all the system’s upgrades and updates, eliminating the need to reserve resources for the directory’s maintenance.
- Azure Active Directory is incredibly reliable, with guaranteed 99.9 percent availability.
The cons
- Authentication and identity data is stored on the cloud, not locally. This might be a concern for some organizations.
- Failing to connect to Azure AD means that users cannot access any applications or services dependent on AAD authentication.
- Azure AD has less administration flexibility than on-prem AD, especially when it comes to low-level technical configurations.
Can I Replace Active Directory with Azure AD?
From what we’ve learned, Azure seems like a safer and more convenient alternative to Microsoft AD. So, is it possible to replace AD DS with Azure AD? The answer to this question is not that straightforward.
We mentioned earlier that Azure Active Directory is the cloud version of the Windows Server Active Directory. Well, that’s not strictly true. Technically speaking, Azure AD is more than a directory or domain controller, and it doesn’t have the same features as Active Directory. As an identity and access management solution, Azure AD has more capabilities, but they are different from those of on-prem AD.
In short, there is no direct migration path from on-prem AD to Azure AD. However, you can combine the two to get the best of both worlds. You can synchronize your on-prem directories with Azure AD and still preserve your GPOs and OUs. This is possible through the Azure AD Connect Sync Server that enables Azure AD to authenticate on-prem users.
Microsoft AD or Azure AD – What to Choose and When?
Microsoft Active Directory and Azure AD are not exactly interchangeable. Each is suited to a particular IT model. So, in which scenarios should you use either solution or a combination of both?
If you have an established on-prem intranet, then Microsoft AD is the way to go. You probably have AD installed if the network is large enough and runs Windows Server. Azure AD is designed for cloud authentication. This makes it the ideal IAM solution for organizations with a large cloud footprint. It also makes sense to consider Azure AD if you’re thinking about moving to the cloud. You could even implement Azure AD gradually with every stage of the transition. Combine both solutions for seamless authentication between on-prem and cloud resources.
In the end, it’s not really a matter of choice or preference; it’s more about what works for your authentication needs. For now, the seemingly superior Azure AD is yet to completely take over Microsoft AD. But with time, this may very well change as the business world leans more heavily toward cloud computing.
There is a lot more you should know about this topic than we could cover in one article. Get in touch with us to learn more about Azure AD and other Microsoft enterprise solutions.