Azure AD Active Directory

Join the cloud revolution! Between Microsoft 365, Azure AD and Cloud IAM – there’s a lot going on in the Microsoft universe at the moment. And to some, the imminent move to the cloud is a cause for uncertainty: can Azure AD really deliver the same functionalities as the on-prem Active Directory? The short answer is: no. While Azure Active Directory (Azure AD) and Active Directory Domain Services (AD DS) may look similar, they are most definitely not the same thing.

In this post, we are going to compare AD DS with Azure AD and examine in detail what our old friend, Active Directory, is capable of that our new friend, Azure AD, is not. We are also going to analyze how Microsoft goes about implementing hybrid solutions and why this approach might be a good one for some organizations.


What Is Azure AD?

Azure Active Directory (Azure AD or AAD) is a cloud-based directory service that is part of Microsoft’s cloud computing platform Azure. The main use of Azure AD is to manage access rights and identities, for example user access to Microsoft services such as Microsoft Dynamics, Microsoft Intune and the Microsoft 365 platform (which includes Office 365, as well as services such as Teams and Exchange Online). Azure AD is also used for managing external SaaS (Software as a Service) programs and other resources.

In contrast to on-premises Active Directory, Azure AD falls under the category of Platform as a Service (PaaS) and is managed entirely by Microsoft. This means you can use it without a local server infrastructure, though you can also combine it with your existing AD setup. More on that later.

How Does Azure AD Work?

Azure AD is a directory service primarily aimed at web-based services. It comes with REST interfaces to support APIs for external services and applications. Instead of LDAP (Lightweight Directory Access Protocol), AAD accesses resources via HTTP requests. For user authentication, it uses protocols and standards such as SAML (Security Assertion Markup Language), OpenID and OAuth 2.0 (Open Authorization). Azure AD can be managed through a graphical web interface or, alternatively, via PowerShell.

If you invest in one of Microsoft’s cloud services, your organization automatically becomes an Azure AD subscriber. You can then access Azure Active Directory via the Azure portal to manage users, passwords and permissions.

Azure Active Directory supports single sign-on (SSO), which means that users have to log on only once to start using different Microsoft 365 services.


Azure AD Pricing: Free, MS 365 and Premium

There are four different versions of Azure Active Directory currently available, each of which includes a different range of features. The first version is included for free when you subscribe to one of Microsoft’s cloud services, such as Dynamics 365, Microsoft 365 or Intune.

On top of the free version, there are Microsoft 365 apps that bundle a number of Azure AD features included in Microsoft 365 plans E1, E3, E5, F1 and F3. The two premium versions of Azure Active Directory (P1 Premium and P2 Premium) provide advanced security features, self-service features and multi-factor authentication (MFA).

The difference between P1 and P2 is that P2 includes additional features for identity protection and governance. For a complete overview of pricing and features for all four Azure AD versions, click here.

Azure AD vs AD

How Does On-Prem Active Directory Work?

On-prem Active Directory is designed for basic user and computer management in the network. Essentially, it is a combination of multiple services, among which Active Directory Domain Services (AD DS) represents the core as it provides the directory services.

AD DS is the central database without which user and resource management in your business network would not be possible. In contrast to Azure AD, which is a cloud service and thus does not require local infrastructure, on-premises Active Directory employs a hierarchical framework. To deploy Active Directory, one server computer takes on the role of domain controller and becomes the central hub for user authentication. More information on how to deploy AD.

Identity Management With On-Premises AD

AD uses services such as DNS (Domain Name System) and Lightweight Directory Access Protocol (LDAP) for identifying and managing organizations, people and other resources (e.g. files and end devices) in the network. LDAP allows you to manage not only local directories, but also internet-based directories. Kerberos and NT LAN Manager (NTLM) are commonly used for secure authentication.

Identity Management With Azure AD

Azure Active Directory uses the HTTP and HTTPS protocols to manage identities. Instead of Kerberos, Azure AD relies on usernames and passwords for authentication, as well as other security protocols (such as Security Assertion Markup Language/SAML and OAuth 2.0/Open Authorization).
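The HTTP/OAuth 2.0 path described above and in the "How Does Azure AD Work?" section, as an added example (not code from the original post): a Python sketch that builds the client-credentials token request to the tenant's token endpoint, the bearer-authenticated Microsoft Graph call that stands in for an LDAP search, and a check of the tenant and audience claims in the returned token. The tenant id, client id and the sample token response are constructed placeholders.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed placeholders (assumptions); a real app reads these from configuration.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
GRAPH_AUDIENCE = "https://graph.microsoft.com"

def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the OAuth 2.0 client-credentials grant.
    The '.default' scope asks for the app permissions already granted on Graph."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH_AUDIENCE}/.default",
    })
    return url, body

def graph_request(access_token):
    """The HTTPS call that replaces an LDAP search: GET /users with a bearer token."""
    return f"{GRAPH_AUDIENCE}/v1.0/users", {"Authorization": f"Bearer {access_token}"}

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(jwt):
    """Decode a JWT payload WITHOUT verifying the signature. Claims are only
    trustworthy after validation against the tenant's published signing keys."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))

def check_token(response_json, expected_tenant):
    """Parse a token response and confirm the token is for our tenant and for Graph."""
    claims = decode_claims(json.loads(response_json)["access_token"])
    ok = claims.get("tid") == expected_tenant and claims.get("aud") == GRAPH_AUDIENCE
    return claims, ok

def _sample_jwt(claims):
    # Constructed, unsigned sample token standing in for a real Azure AD response.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

SAMPLE_TOKEN_RESPONSE = json.dumps({"token_type": "Bearer", "expires_in": 3599,
    "access_token": _sample_jwt({"aud": GRAPH_AUDIENCE, "tid": TENANT_ID,
                                 "appid": CLIENT_ID, "roles": ["User.Read.All"]})})
```

Sending the request with any HTTP client and passing the real response to check_token gives the same tenant/audience check against a live token.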

Azure AD vs AD – Structural Differences

The biggest difference between on-premises Active Directory and Azure AD is in the way they are structured. While AD supports the use of organizational units (OUs) and group policy objects (GPOs) and allows admins to visualize and organize the enterprise in the entirety of its components and sub-units, Azure Active Directory does NOT support organizational units and group policy objects. For cloud-only users, this could lead to a number of problems:

  • Lack of organizational units: It is not possible to create the same domains, trees and forests in Azure AD as in the normal AD.

  • Greater administrative workload: As there are no organizational units, it is more difficult to delegate administrative tasks or to achieve a certain level of standardization and/or automation in Azure AD.

  • Less control: As Azure AD does not support group policies, there is no way of controlling device functions and settings in greater detail.

Fewer Features in AAD

Azure Active Directory was designed to integrate modern cloud programs. However, due to its flat structure, it lacks some features that have proven to be useful in an on-prem AD environment. The lack of support for GPOs and OUs is an issue especially for larger organizations with a large number of users and multiple offices. They need group policies and organizational units in order to handle the sheer number of identities and permissions correctly.

For this reason, many organizations choose to keep their on-premises AD for identity management purposes and only use Azure AD to control cloud services. This is one way of combining both solutions. In fact, there are a couple of ways to combine the two to achieve the best possible outcome.

Combining On-Prem AD and Azure AD

Azure AD Connect

Azure AD Connect allows you to connect Azure AD to your on-prem AD. Azure AD Connect uses an agent that is installed on a domain-joined server and automatically synchronizes data from AD to AAD. To learn how to set up and run Azure AD Connect, click here.


Azure AD Domain Services

The problem with Azure AD is that it treats organizations like “tenants” who access Azure AD through the Azure portal to manage their employees, passwords and permissions. Azure AD allows users to access various services once they have authenticated themselves, but you have no way of configuring access rights in detail, as Azure AD does not meet the necessary structural conditions for this.

Microsoft’s solution to this problem is Azure AD Domain Services (AAD DS). AAD DS is an Azure product that provides an Active Directory domain (managed by Microsoft) on two domain controllers. The domain controllers support LDAP, domain joining and authentication via Kerberos and NTLM. This version of Azure Active Directory also supports the use of organizational units and group policies.

Beware! While the upside is that Microsoft entirely takes care of managing Azure AD Domain Services, which means you don’t have to worry about implementing patches, the downside is that your options for managing the domain are very limited. For instance, you won’t get any domain admin rights. For more information on Azure AD Domain Services, click here.

Domain Controller in the Cloud (IaaS)

Another way of joining both services is to extend the on-prem AD DS to Azure. To do this, you have to migrate your current domain controller to a virtual machine in Azure. In other words, you are deploying an AD infrastructure in the Azure VM. This solution works well for organizations that use both on-premises and cloud-based resources which are connected through VPN or an Azure ExpressRoute.

This option best resembles an on-premises Active Directory, as merely the infrastructure is provided by Microsoft (in the form of Windows servers on Azure VMs). Unlike Azure AD DS, this model gives you full control over the domain. However, it also means you are responsible for keeping it clean and up to date (patches, updates, backups, etc.).

[FREE WHITE PAPER] Best practices for access management in Microsoft® environments.

Read our white paper to learn how best to treat access rights in Microsoft® environments.
