Azure Active Directory (or Azure AD) is a cloud-based service used to authenticate and authorize users for Microsoft Office 365 services, as well as for a variety of other internal and external applications and services.
Risk of Confusion
The name choice is somewhat unfortunate due to its similarity to Microsoft's Active Directory. Choosing the same name was probably a marketing decision since, on a technical level, Active Directory (or its components, like domain services) and Azure Active Directory do not share any similarities. To avoid further confusion, we would like to make this clear at the outset: Azure Active Directory is NOT the same as Active Directory in the cloud.
With the latest Microsoft operating systems (Windows 10 or later), it is possible to join a device to Azure Active Directory without first making it a member of a classic, on-premises Active Directory Domain Services (AD DS) domain.
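The join state described above can be verified on the device itself with the built-in `dsregcmd /status` tool. The following PowerShell is an added example (not part of the original article) that parses that output and classifies the device as Azure AD joined, hybrid joined, AD DS domain joined or not joined at all; the `$sample` text is a constructed copy of the tool's output format with placeholder tenant and device names, so the parser can be exercised on a non-Windows host. The field names `AzureAdJoined`, `DomainJoined`, `TenantName`, `TenantId` and `MdmUrl` are the ones `dsregcmd` prints.

```powershell
# Added example: classify a Windows 10+ device's join state from `dsregcmd /status`.
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Status lines look like "   AzureAdJoined : YES"; table borders and
        # section headers (which start with '+' or '|') do not match and are skipped.
        # The lazy key match stops at the first colon, so URL values survive intact.
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9 ]*?)\s*:\s*(.*?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Get-DeviceJoinType {
    param([Parameter(Mandatory)][hashtable]$State)
    $aad = $State['AzureAdJoined'] -eq 'YES'
    $dom = $State['DomainJoined']  -eq 'YES'
    if ($aad -and $dom) { return 'Hybrid Azure AD joined' }
    if ($aad)           { return 'Azure AD joined' }
    if ($dom)           { return 'AD DS domain joined' }
    return 'Not joined'
}

# Constructed sample in the dsregcmd output format (placeholder tenant and device names).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
               Device Name : CONTOSO-LAPTOP-01

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Contoso
                  TenantId : 00000000-0000-0000-0000-000000000000
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
'@ -split "`r?`n"

# On a real Windows 10+ host, feed the live output instead of the sample:
#   $lines = dsregcmd /status
$state = ConvertFrom-DsregStatus -Lines $sample
"Join type: $(Get-DeviceJoinType -State $state)"
"Tenant:    $($state['TenantName']) ($($state['TenantId']))"
"MDM:       $(if ($state['MdmUrl']) { 'enrolled' } else { 'not enrolled' })"
```

Because an Azure AD-joined device receives no group policies, the `MdmUrl` check matters: a device that is joined but not MDM-enrolled has no channel through which settings can be enforced at all.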
Advantages and Disadvantages
One advantage of Azure AD is that it requires no complex, local Active Directory infrastructure to be set up and managed. It also makes it easier to handle BYOD policies or a userbase spread out across various locations. These advantages are absolutely in line with Microsoft’s strict cloud-only strategy. However, banking on Azure AD alone also brings some disadvantages:
- The objects in Azure AD are not managed in organizational units, which makes it more difficult to delegate administrative tasks.
- Azure AD is unaware of group policies, which means that device functions and settings cannot be controlled in the same detail. Mobile device management (MDM) can reproduce some of these options for Azure AD-joined devices.
- Azure AD does not support LDAP. Access to the user and group directory is provided only via REST API and PowerShell.
- Azure AD does not support traditional authentication protocols such as NTLM or Kerberos; only modern, web-based methods such as OAuth are supported.
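Because Azure AD exposes no LDAP endpoint, a lookup that an administrator would do with an LDAP query against AD DS (which groups is this user in, is this user in that group) has to go through the REST API or PowerShell. The block below is an added example, not code from the original article, that performs such a lookup with the Microsoft Graph PowerShell SDK. It assumes the `Microsoft.Graph` module is installed and an interactive sign-in to a tenant; the UPN `alice@contoso.example` and the group name `Finance-Readers` are constructed placeholders.

```powershell
# Added example: an LDAP-style "which groups is this user in" lookup against Azure AD,
# done through the Microsoft Graph PowerShell SDK because Azure AD exposes no LDAP.
# Assumes the Microsoft.Graph module and a tenant to sign in to; UPN and group name are placeholders.
function Get-AzureAdUserGroups {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    # Least-privilege delegated scopes: read users and group memberships, nothing writable.
    Connect-MgGraph -Scopes 'User.Read.All', 'GroupMember.Read.All' | Out-Null

    # Get-MgUser accepts the UPN as -UserId; request only the properties we need.
    $user = Get-MgUser -UserId $UserPrincipalName -Property Id, DisplayName, UserPrincipalName, AccountEnabled

    # Get-MgUserMemberOf returns generic directory objects (groups, roles, admin units);
    # the type and displayName live in AdditionalProperties, so filter to groups only.
    $groups = Get-MgUserMemberOf -UserId $user.Id -All |
        Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.group' } |
        ForEach-Object { $_.AdditionalProperties['displayName'] }

    [pscustomobject]@{
        User           = $user.UserPrincipalName
        AccountEnabled = $user.AccountEnabled
        Groups         = @($groups | Sort-Object)
    }
}

function Test-AzureAdGroupMember {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$GroupDisplayName
    )
    $info = Get-AzureAdUserGroups -UserPrincipalName $UserPrincipalName
    return [bool]($info.Groups -contains $GroupDisplayName)
}

# Usage with placeholder values (constructed, replace with real identities in your tenant):
Get-AzureAdUserGroups -UserPrincipalName 'alice@contoso.example'
Test-AzureAdGroupMember -UserPrincipalName 'alice@contoso.example' -GroupDisplayName 'Finance-Readers'
```

Note that the consent prompt on first sign-in lists exactly the two read-only scopes requested; any tooling that asks for `Directory.ReadWrite.All` to answer a membership question is over-privileged.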
Azure AD was created for the purpose of integrating modern cloud applications. However, it lacks many of the traditional elements found in Active Directory environments, which is why the following alternatives to Azure AD Join were developed:
Azure AD Connect
Azure AD Connect enables hybrid operation between the traditional Active Directory and Azure AD. To do so, Azure AD Connect automatically synchronizes the relevant data from the local Active Directory to Azure AD.
For further information please visit our wiki entry for Azure AD Connect.
Azure AD Domain Services
Azure AD Domain Services (AAD DS) is an Azure product that provides an Active Directory domain (managed by Microsoft) on two domain controllers. This domain makes it possible to use organizational units and group policies. It also allows LDAP as a mode of connection to the directory service.
The domain controllers are managed by Microsoft, which also means automatic patch management. On the other hand, the possibilities for domain management are limited; for example, domain administrator permissions are not granted.
Domain Controller to Azure (as IaaS)
Another alternative is to deploy your own Active Directory infrastructure on Azure VMs. This option gives you full control over the domain. The downside is that you are also entirely responsible for maintenance (patches, updates, backups, etc.). This option is most akin to a traditional, on-premises Active Directory; Microsoft provides only the infrastructure, i.e. the Windows servers running as Azure VMs.
For organizations that follow a cloud-first or cloud-only approach and are willing to accept the limitations compared to a local Active Directory (or hybrid operation), Azure Active Directory can present a good, future-oriented alternative.
If, however, your organization depends on the functionalities of a traditional Active Directory, Azure AD is not a suitable choice. In this case, the Azure platform still provides some cloud-based approaches that allow you to implement a similar environment (Domain Controller to Azure and Azure AD Domain Services).