Azure AD vs. Active Directory: The Key Differences Explained

Between M365, Azure AD and new products like Microsoft Entra and Purview, a lot is happening in the Microsoft Cloud. But while Redmond’s platform-as-a-service offering continues to grow, for organizations that rely on their on-prem AD, there are still a lot of structural questions to address: Does Azure Active Directory really cover every feature and use case included in the local Active Directory?

In this article, we are going to compare Active Directory Domain Services (AD DS) with Azure Active Directory (Azure AD) and examine the most important differences. We’ll also look into how organizations can use Azure AD Connect, managed domain services or domain controllers hosted in Azure VMs to set up a hybrid environment.

What Is Azure AD?

Azure Active Directory (Azure AD or AAD) is a cloud-based directory service that is part of Microsoft’s cloud computing platform Azure. The main purpose of Azure AD is managing user identities for Microsoft’s various cloud services. Azure AD acts as the central hub that governs access to apps like Teams, SharePoint and OneDrive, Office 365, Exchange Online, Intune and many more. Azure AD can also be used to manage access to third-party business applications.

For end users, Azure AD’s role as the underlying platform for identity management across Microsoft’s different cloud applications has the advantage of providing them with a single sign-on (SSO) solution that supports multi-factor authentication and other security features like conditional access. For admins, it has the advantage of offering a central point of administration.

In contrast to on-premises Active Directory, Azure AD falls under the category of platform as a Service (PaaS) and is managed entirely by Microsoft. This means you can use it without a local server infrastructure, though you can also combine it with your existing AD setup. More on that later.

Note: Over the course of 2023, Azure AD will be renamed Entra ID to bring the cloud platform in line with the Entra product family. Although the name changes, the functionality of Azure AD remains the same and no action is required from users.

How Does Azure AD Work?

Azure AD is a cloud-based directory service aimed primarily at other web applications, though it is equipped with a REST API to connect with other services. Instead of LDAP, the Lightweight Directory Access Protocol used by on-prem AD, Azure AD accesses resources via HTTP requests. For user authentication and authorization, it uses protocols and standards such as SAML (Security Assertion Markup Language), WS-Federation (Web Services Federation), OpenID and OAuth 2.0.

By signing up for any of Microsoft’s cloud services, your organization automatically receives its own Azure AD tenant, which you can manage through the Microsoft Entra admin center (formerly the Azure AD admin center) or via PowerShell. Azure Active Directory acts as a single sign-on (SSO) platform for the Microsoft cloud, which means that users only have to sign in once to use different Microsoft 365 services like Teams, SharePoint and OneDrive.

Two figures with question-marked shaped clouds as heads representing identity management in Azure AD
Who is who in the cloud? Azure AD manages identities and privileges. Adobe Stock, (c) 1STunningART

Azure AD Pricing: Free, MS 365 and Premium

Azure Active Directory is available in four different versions that differ in terms of pricing per user and available features:

  • 1

    A free plan (included in subscriptions for Azure, Intune or Dynamics 365)

  • 2

    An Office 365 tier (bundled with a Microsoft 365 subscription)

  • 3

    Azure AD Premium P1

  • 4

    Azure AD Premium P2

The free version of Azure AD covers basic capabilities for managing online identities: secure authentication, identity federation, user provisioning and directory synchronization through Azure AD Connect. The Microsoft 365 version provides access to M365 apps included in your subscription, as well as any additional features that are part of the different Office/M365 plans: E1, E3, E5, F1 and F3. This includes features like sensitivity labels and Microsoft Defender for M365.

Premium P1 and Premium P2 include additional features for identity governance and administration, like dynamic groups, more self-service options and support for user access reviews. These tiers also offer enhanced security through conditional access policies, with some identity protection features like risk-based policies locked behind the P2 tier. Different tiers can also have an effect on the functionality of certain M365 services, such as a longer retention period for audit logs. For more information, please see the full comparison between Azure Active Directory plans.

White paper

Access Management in M365: Best Practice Guide

Everything you need to know to manage cloud privileges in Microsoft 365 – from built-in tools to essential best practices!

Azure Ad vs AD

How Does On-Prem Active Directory Work?

Active Directory is designed for basic device and user management in Windows networks. It consists of multiple services, with Active Directory Domain Services (AD DS) acting as the foundation for the local network. In essence, AD DS is a central database that stores information about users, groups and devices in the local domain. This information is then used to authenticate users, enforce group policy and govern access through NTFS permissions, share permissions and other settings. More specifically, AD DS checks a user’s security identifier (SID) against the access control list (ACL) of different directories and objects to determine access.

In contrast to Azure AD, which is a cloud service and thus does not need local infrastructure, on-premises Active Directory requires you to set up your own server infrastructure, which is based on a hierarchical framework. To deploy Active Directory, one computer on your network takes on the role of domain controller and becomes the central authority in your domain. However, to prevent outages and malfunctions, Microsoft generally recommends having a minimum of two domain controllers. Both store the same information and one can act as a backup. More information on how to deploy AD.

Identity Management With On-Premises AD

AD uses services such as DNS (Domain Name System) and Lightweight Directory Access Protocol (LDAP) to identify and manage users, groups and other resources (e.g. files and devices) in the network. Kerberos tickets are generally used to provide secure authentication. For the sake of backwards compatibility, Windows still supports the NT LAN Manager (NTLM), but this outdated method of authentication poses a significant threat to Active Directory security.

Identity Management With Azure AD

Instead of Kerberos, Azure AD relies on security protocols such as Security Assertion Markup Language/SAML and Open Authorization to authenticate users. For identity verification, there are a variety of MFA methods in Azure AD, including the Microsoft Authenticator app, OAUTH tokens and FIDO2 security keys. Similar to the local Active Directory, users can be managed through groups and roles.

Azure AD vs AD – Structural Differences

The biggest difference between on-premises Active Directory and Azure AD is in the way they can be structured: While the local AD can be split into multiple domains, trees and forests, Azure AD employs a flat hierarchy and does not support multiple domains on the same tenant. In other words, all users in your Azure AD are part of the same domain. For larger organizations, this can make it challenging to manage access across different locations or branches.

Azure AD vs AD – Missing Features

Unlike Active Directory, Azure AD does not include organizational units (OUs) and group policy objects (GPOs). To delegate user administration, AAD relies on administrative units (AUs). Similar to GPOs, device settings in Azure can be managed through Microsoft Intune and the Endpoint Manager. However, while these components offer most of the features admins are used to from regular AD, the fact that they are not identical can make it challenging to configure both correctly in hybrid environments.

Combined with Azure AD’s flat, single domain structure, this can lead to a number of problems:

  • Different structure: It is not possible to create the same domains, trees and forests in Azure AD as in the normal AD.

  • Greater administrative workload: Even though migration and sync options exist, managing administrative units alongside organizational units adds extra steps to user and device management.

  • Less control: Not all settings available through group policy objects are covered by Intune and cloud policy.

Watch Our Free WEbinar

Behind the Scenes of Teams & OneDrive: The Secret Life of Shared Data

Combining On-Prem AD and Azure AD

Azure AD Connect

Azure AD Connect is a utility that allows you to sync data from your local AD to Azure AD. You install the application on a domain-joined server and it automatically synchronizes users, devices, account attributes and groups to AAD. This enables you to extend your on-prem AD into the cloud without the need to manage both services independently. Thanks to pass-through authentication, your staff can even use the same password for their AD and AAD accounts. However, you still need to configure cloud-specific settings to grant users access to the right apps and resources.

Azure AD connect supports various use cases and topologies, including linking a single forest to a single AAD tenant, linking multiple forests to one tenant or one forest to multiple tenants. However, there are some restrictions. For example, only one Azure AD tenant can write back to your local Active Directory (with the exception of password writeback). More information on how to set up Azure AD Connect.

Azure AD Connect Cloud Sync

Like Azure AD Connect, Azure AD Connect cloud sync enables you to sync data between AD and AAD in hybrid setups. However, instead of a local application on your server, cloud sync uses AAD’s cloud provisioning agent. This makes the service easier to deploy and reduces hardware use on your end. Additionally, cloud sync works in some scenarios that are not normally supported by Azure AD Connect. For example, cloud sync can synchronize data from multiple disconnected forests. This can prove useful to organizations that have recently merged, but not integrated their IT landscape.

Sysadmin using Azure AD Connect to sync user accounts between AD and AAD.
You can sync Azure AD with your local AD using Azure AD Connect. Adobe Stock, (c) Blue Planet Studio

Azure AD Domain Services

Azure AD Domain Services (Azure AD DS) provides a managed Active Directory domain on virtual domain controllers hosted in Azure and provided, patched and maintained by Microsoft. Because Azure AD DS emulates Active Directory Domain Services in the cloud, it offers many features missing from Azure AD that organizations expect from their local AD: organizational units, group policy objects, domain join, LDAP support, Kerberos and NTLM authentication.

You can use Azure AD DS for a cloud-only deployment or as part of a hybrid setup where AD DS and Azure AD DS are synced through Azure AD Connect. The fact that AAD DS is managed by Microsoft has both advantages and disadvantages: You don’t have to worry about maintenance or security patches, but have limited control over the managed domain. For example, you won’t get any domain or enterprise admin rights.

Azure AD vs Azure AD DS

Despite their similar name, Azure AD and Azure AD DS are two very different products. While Azure AD acts as the directory service for Microsoft 365, it has a lot of structural differences that set it apart from your regular Active Directory: its flat, single-domain hierarchy, the lack of OUs and GPOs, different protocols and authentication methods.

By contrast, Azure AD DS has a lot more in common with on-premise AD. You can think of Azure AD DS as Active Directory in the cloud. However, as a managed cloud service, it is likewise limited to a single domain. There are a few additional restrictions to bear in mind: No support for AD certificate services, forest trust or schema extensions.

Azure AD DSAzure AD
Identity provider for your own domainIdentity provider for M365 apps
Virtual domain controllers in AzureTenant in Azure
Authentication through Kerberos, NTLMAuthentication through SAML, OAuth, OpenID
Supports LDAPNo LDAP support
Group Policy ObjectsIntune and Endpoint Manager for device settings
Organizational Units (OUs)Administrative Units (AUs)

Domain Controller in Azure Cloud VM

If you want to extend your local AD into the cloud in a way that offers even more control, another option is to host a domain controller on your own virtual machine in Azure. There are different ways to go about this method: You could deploy a new domain in the cloud, migrate your existing DC into the VM or use it to replicate an on-premise domain controller. This approach works well for organizations that use both local and cloud-based resources, which can be connected through a VPN or Azure ExpressRoute.

This option most closely resembles on-premises Active Directory, as merely the underlying infrastructure (in the form of Azure VMs) is provided by Microsoft. Unlike the managed service Azure AD DS, this model gives you full control over the domain. However, this also means you are responsible for maintenance and need to personally apply security updates, create your own backups and so on.


Best Practices for Access Management In Microsoft® Environments

Our in-depth guide explains how to manage access securely and efficiently from a technical and organizational standpoint, including tips for implementation, reporting and auditing.

About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.