AD vs AAD (Active Directory vs Azure Active Directory)
Comparing AD with AAD is a bit like comparing apples and oranges; they are two very different technologies used for different scenarios and needs.
As organizations move a great deal of their infrastructure to Azure, Active Directory ceases to be the right option, and Azure AD becomes the recommended solution.
This post is aimed at explaining the main reasons behind this statement.
On-Premise Active Directory
Windows Server AD offers five core services:
· Active Directory Domain Services (ADDS)
· Active Directory Certificate Services (ADCS)
· Active Directory Rights Management Services (ADRMS)
· Active Directory Lightweight Directory Services (ADLDS)
· Active Directory Federation Services (ADFS)
Those 5 services together make up the entirety of on-premises AD. When most of us talk about AD, we’re mostly talking about ADDS.
None of those 5 services are available in Azure AD.
When you talk about Active Directory you are talking about a true directory service: it has a hierarchical structure (based on X.500), uses DNS as its locator mechanism, and can be queried via LDAP. Active Directory primarily uses Kerberos for authentication. It provides organizational units (OUs) and Group Policy Objects (GPOs), machines can be joined to the domain, and trusts can be created between domains.
The fundamental component of Microsoft's identity management platform is Active Directory Domain Services (AD DS).
High-level Microsoft cloud identity management architecture.
Active Directory Domain Services provide secure, structured, hierarchical data storage for objects in a network such as users, computers, printers, and services. Active Directory Domain Services provide support for locating and working with these objects.
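As an added example (not code from the original post), the following script walks an AD DS distinguished name the way the directory is structured, X.500-style RDNs from most specific to least, derives the DNS domain from the DC components, and builds the SRV names the DC locator queries for that domain. The DN grammar handled is a subset of RFC 4514 (backslash escapes only, no quoted or hex-encoded values), the SRV record names are the standard AD DS locator records, and the sample DN and SRV answers are constructed for the example.

```python
# Added example (not code from the original post): parse an AD DS DN, map its
# DC components to the DNS domain, and build the DC locator SRV names.
#
# Assumptions: RFC 4514 subset (backslash escapes only); standard AD DS locator
# record names; the sample DN and SRV answers below are constructed.
from typing import Dict, List, Optional, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute type, value) RDNs, leftmost first.

    Honors '\\,' and '\\\\' escapes so a comma inside a CN value (for example a
    'Surname, Given' display name) does not split the RDN.
    """
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling escape character")
    rdns.append("".join(buf))

    parsed: List[Tuple[str, str]] = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        parsed.append((attr_type.strip().upper(), value))
    return parsed


def domain_from_dn(rdns: List[Tuple[str, str]]) -> str:
    """The DC components, read left to right, are the object's DNS domain."""
    dcs = [value for attr_type, value in rdns if attr_type == "DC"]
    if not dcs:
        raise ValueError("DN has no DC components, so it names no AD domain")
    return ".".join(dcs).lower()


def ou_path(rdns: List[Tuple[str, str]]) -> List[str]:
    """Container hierarchy from the domain root down to the object's parent."""
    return [value for attr_type, value in reversed(rdns) if attr_type == "OU"]


def dc_locator_records(domain: str, site: Optional[str] = None) -> Dict[str, str]:
    """SRV names a domain member resolves to find a domain controller.

    With a site name the site-specific records are returned, which a client
    tries first so that it binds to a nearby DC.
    """
    scope = f"{site}._sites.dc._msdcs.{domain}" if site else f"dc._msdcs.{domain}"
    return {
        "ldap": f"_ldap._tcp.{scope}",
        "kerberos": f"_kerberos._tcp.{scope}",
    }


def choose_dc(answers: List[Tuple[int, int, int, str]]) -> Tuple[str, int]:
    """Pick (host, port) from SRV answers given as (priority, weight, port, target).

    Lowest priority wins; ties go to the highest weight. RFC 2782 specifies a
    weighted random choice among equal priorities; a deterministic ordering is
    used here so the result is reproducible.
    """
    if not answers:
        raise ValueError("no SRV answers: the domain is unreachable or misnamed")
    _priority, _weight, port, target = sorted(answers, key=lambda a: (a[0], -a[1]))[0]
    return target.rstrip("."), port


if __name__ == "__main__":
    dn = r"CN=Doe\, Jane,OU=Engineering,OU=Corp Users,DC=corp,DC=example,DC=com"
    rdns = parse_dn(dn)
    domain = domain_from_dn(rdns)
    print("domain:", domain)
    print("OU path:", " / ".join(ou_path(rdns)))
    print("locator records:", dc_locator_records(domain, site="Default-First-Site-Name"))
    # Constructed SRV answers: (priority, weight, port, target)
    srv = [
        (0, 100, 389, "dc1.corp.example.com."),
        (0, 50, 389, "dc2.corp.example.com."),
        (10, 100, 389, "dc3.corp.example.com."),
    ]
    print("chosen DC:", choose_dc(srv))
```

The point of the walk is the coupling the paragraph above describes: the X.500 name tells you which OU subtree (and therefore which GPOs) applies to the object, and the DC components of that same name are what a client turns into DNS SRV lookups to find a controller to bind to; none of that machinery exists in Azure AD's flat tenant.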
Azure Active Directory
Azure AD, while having some aspects of a directory service, is an identity solution. It allows users and groups to be created, but in a flat structure without OUs or GPOs. You can't join a machine to Azure AD. There's no Kerberos authentication, and you can't query it via LDAP.
An Azure AD does have a domain name, and it does contain users and groups. It contains Service Principals, like on-premises AD, that represent applications. But there is no tree of domains and no trusts between domains or forests. Indeed, there are no forests.
Azure AD is focused around identity throughout the Internet, where the types of communication are typically limited to HTTP (port 80) and HTTPS (port 443) and are used by all types of devices, not just corporate assets. Authentication is performed through several protocols such as SAML, WS-Federation, and OAuth 2.0 (with OpenID Connect for sign-in).
It's possible to query Azure AD, but instead of using LDAP you use a REST API called the Azure AD Graph API. These all work over HTTP and HTTPS.
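As an added example (not code from the original post), here is the same "find this user" lookup expressed both ways: as an LDAP search filter for AD DS and as an Azure AD Graph API request. Each form gets the escaping its own query language needs, so that a caller-supplied UPN cannot alter the query. The Graph endpoint and api-version (graph.windows.net, 1.6) are the Azure AD Graph API conventions; the tenant and user names are constructed.

```python
# Added example (not code from the original post): one user lookup as an LDAP
# filter (AD DS) and as an Azure AD Graph API URL, each safely escaped.
#
# Assumptions: Azure AD Graph API at https://graph.windows.net with
# api-version 1.6; the tenant and user names are constructed.
from urllib.parse import quote, urlencode

# RFC 4515 filter metacharacters; backslash is listed first so the escaped
# output is not re-escaped by a later substitution.
_LDAP_ESCAPES = [
    ("\\", "\\5c"),
    ("*", "\\2a"),
    ("(", "\\28"),
    (")", "\\29"),
    ("\x00", "\\00"),
]


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter."""
    for raw, esc in _LDAP_ESCAPES:
        value = value.replace(raw, esc)
    return value


def ldap_user_filter(upn: str) -> str:
    """AD DS: an LDAP filter selecting one user by userPrincipalName."""
    return f"(&(objectClass=user)(userPrincipalName={ldap_escape(upn)}))"


def graph_user_url(tenant: str, upn: str, api_version: str = "1.6") -> str:
    """Azure AD: the equivalent lookup as an HTTPS GET against the Graph API.

    OData string literals use single quotes, so a quote inside the value is
    doubled; urlencode then percent-encodes the whole query string.
    """
    literal = upn.replace("'", "''")
    query = urlencode({
        "api-version": api_version,
        "$filter": f"userPrincipalName eq '{literal}'",
    })
    return f"https://graph.windows.net/{quote(tenant, safe='')}/users?{query}"


if __name__ == "__main__":
    print(ldap_user_filter("jane.doe@corp.example.com"))
    print(graph_user_url("contoso.onmicrosoft.com", "jane.doe@contoso.onmicrosoft.com"))
    # A hostile value: without escaping it would turn the filter into a
    # wildcard match on every user object in the directory.
    print(ldap_user_filter("*)(objectClass=*"))
```

The LDAP call would be sent on port 389/636 to a domain controller located through DNS; the Graph call is an HTTPS request carrying an OAuth bearer token, which is the only way in from the Internet and the reason the same lookup looks so different on the two platforms.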
Azure AD is a gargantuan multi-tenant service that is the identity and access management (IAM) system underpinning all of Windows Azure, including Microsoft Online Services (MOS).
The copy of Azure AD you can see and manage (your tenant) is a teeny little instantiation of a much larger whole, as the figure below shows.
You're Just One of More Than 1.5 million Azure Active Directory Tenants
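Because every one of those tenants is served by the same Azure AD, a token issued to a user in any tenant is structurally identical to one from yours. What scopes a token to your tenant is its claims, so a multi-tenant resource has to check them before trusting the caller. The following is an added example (not code from the original post) of those claim checks on an OAuth 2.0 bearer token. It assumes the Azure AD v1 issuer format https://sts.windows.net/<tid>/ and the claim names tid, aud, nbf and exp; the tenant id, audience and the token itself are constructed. Signature verification against the tenant's published signing keys is a separate step that this block does not perform.

```python
# Added example (not code from the original post): the claim checks a
# multi-tenant Azure AD resource makes on an OAuth 2.0 bearer token so that a
# token minted for another tenant, another resource, or another time window is
# refused.
#
# Assumptions: Azure AD v1 issuer format https://sts.windows.net/<tid>/ and the
# claim names tid, aud, nbf, exp. EXPECTED_TENANT, EXPECTED_AUDIENCE and the
# sample token are constructed. The signature is NOT verified here; that must be
# done against the tenant's published signing keys before these checks matter.
import base64
import json
import time
from typing import Any, Dict, Optional

EXPECTED_TENANT = "11111111-2222-3333-4444-555555555555"  # hypothetical tenant id
EXPECTED_AUDIENCE = "https://graph.windows.net"           # Azure AD Graph API resource


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_token(claims: Dict[str, Any], alg: str = "RS256") -> str:
    """Build a JWT-shaped token with a placeholder signature (constructed sample)."""
    header = {"typ": "JWT", "alg": alg}
    parts = [
        json.dumps(header, separators=(",", ":")).encode(),
        json.dumps(claims, separators=(",", ":")).encode(),
        b"placeholder-signature",
    ]
    return ".".join(_b64url_encode(p) for p in parts)


def validate_claims(token: str, expected_tid: str = EXPECTED_TENANT,
                    expected_aud: str = EXPECTED_AUDIENCE,
                    now: Optional[float] = None) -> Dict[str, Any]:
    """Return the claims if the token is for our tenant and resource and is current."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    if header.get("alg") != "RS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")  # rejects alg=none
    if claims.get("tid") != expected_tid:
        raise ValueError("token issued by another tenant")
    if claims.get("iss") != f"https://sts.windows.net/{expected_tid}/":
        raise ValueError("issuer does not match the tenant")
    if claims.get("aud") != expected_aud:
        raise ValueError("token was issued for a different resource")
    now = time.time() if now is None else now
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token not yet valid or expired")
    return claims


def is_trusted(token: str, now: Optional[float] = None) -> bool:
    """Boolean wrapper around validate_claims for callers that only need a verdict."""
    try:
        validate_claims(token, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    issued = 1_500_000_000
    good = {
        "iss": f"https://sts.windows.net/{EXPECTED_TENANT}/",
        "tid": EXPECTED_TENANT,
        "aud": EXPECTED_AUDIENCE,
        "nbf": issued,
        "exp": issued + 3600,
        "upn": "jane.doe@contoso.onmicrosoft.com",
    }
    other_tenant = "66666666-7777-8888-9999-000000000000"  # hypothetical
    foreign = dict(good, tid=other_tenant, iss=f"https://sts.windows.net/{other_tenant}/")
    print(is_trusted(make_sample_token(good), now=issued + 60))             # True
    print(is_trusted(make_sample_token(foreign), now=issued + 60))          # False
    print(is_trusted(make_sample_token(good, alg="none"), now=issued + 60)) # False
```

The tid and iss checks are the ones specific to Azure AD's multi-tenancy: an on-premises AD application trusts whatever the domain's KDC issues, whereas an Azure AD resource must itself decide which of the many tenants it is willing to accept tokens from.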
Functional Comparison of Active Directory Domain Services vs. Windows Azure Active Directory
This big difference in technologies can be bridged with a hybrid network that connects the on-premises AD to Azure AD, allowing you to use the best of both.
A video is available on Channel 9 to display these differences.
If an existing application supports only LDAP authentication, the application must be updated to support federation, and an instance of Active Directory (either on-premises or in an Azure Virtual Network) must be connected to Azure AD.
Microsoft Azure Active Directory Premium Features
The features that make Azure AD a competitive cloud identity management solution are licensed via the Premium edition.
The premium feature set of Azure Active Directory is focused around five areas:
· Branding and Customization – The Azure AD sign-in pages and Access Panel can be branded to match the organization's look-and-feel for corporate services and applications. This includes replacing the default Azure AD logos with custom logos.
· Group Based Access Control – Groups can be used to control access to applications federated with Azure AD. In addition, users can request to join groups that grant access to applications, and group owners can approve requests via the Azure AD Access Panel. Administrators can also delegate to end users the ability to create and manage their own groups.
· Self Service Password Management – Self-service password recovery for users whose password is stored solely in Azure AD. Users who log in via federated authentication (e.g. AD FS) or via a password synchronized with Azure AD Directory Synchronization cannot take advantage of this feature.
· Multi-Factor Authentication – Users can be required to register for and provide a second factor of authentication (SMS (text) message, voice call, or push notification to an app) at login time.
· Advanced Reporting – The advanced security reports available in the premium version of Azure AD provide common IT security reports centered on application and device usage, and security analytics that detect irregular and suspicious activity.
CONCLUSIONS
Microsoft advertises the free edition of Microsoft Azure Active Directory, and the free edition is a very capable platform for federation with cloud applications. The hidden costs often lie with AD FS, the need for the Azure AD Premium edition, and in translating existing identity management processes to function in the age of the cloud.
References
Choosing the Right Active Directory Framework for Cloud Apps
http://resources.onelogin.com/WP-Choosing-the-Right-Active-Direcetory-Framework-for-Cloud-Apps.pdf
Windows Azure Active Directory vs. Windows Server Active Directory
http://windowsitpro.com/identity-management/windows-azure-active-directory-vs-windows-server-active-directory
Azure Active Directory vs. On-Premises Active Directory
http://windowsitpro.com/azure/azure-active-directory-vs-premises-active-directory
Differences Between Active Directory and Azure Active Directory
https://jumpcloud.com/blog/active-directory-azure-active-directory/
The difference/relationship between Azure Active Directory and “Normal” Active Directory
https://blogs.msdn.microsoft.com/plankytronixx/2014/05/09/the-differencerelationship-between-azure-active-directory-and-normal-active-directory/
How Azure AD Different Then Active Directory and Azure ADDS (Azure Active Directory Domain Services) and AWS Directory Service
https://www.linkedin.com/pulse/how-azure-ad-different-active-directory-domain-services-eray-altili
Azure Active Directory Pricing
https://azure.microsoft.com/en-us/pricing/details/active-directory/