Active Directory (AD) is Microsoft's proprietary directory service. It runs on Windows Server and enables administrators to manage permissions and access to network resources. Active Directory stores data as objects. An object is a single element, such as a user, group, application or device such as a printer. Objects are normally defined as either resources, such as printers or computers, or security principals, such as users or groups.
Active Directory Domain Services run on the Domain Controller and have the following key functions:
Secure Object store, including Users, Computers and Groups
Object organization – Organisational Units (OU), Domains and Forests
Common Authentication and Authorization provider
LDAP, NTLM, Kerberos (secure authentication between domain-joined devices)
Group Policy – for fine-grained control and management of PCs and Servers on the domain
Centralized Control & Monitoring: The AD service offers a central place for administrators to control almost all things related to user access and network permissions.
Seamless User Experience: Users get to enjoy smooth access once the AD infrastructure is set and all permission policies have been enforced. Even with cloud services, AD makes sure that users don’t fact lag in accessing resources.
A Different Type For Every Different Need: There are many alternative versions of AD available for different scenarios, like AD Federation Services, Azure AD Directory Application Proxy, etc.
Far-reaching Policies With Group Policy Objects: GPOs are policy objects that help enforce global policies like password limits and system behavior. Microsoft offers a dedicated Group Policy Editor to help easily set up the policies and what level they will be enforced on.
Can Prove Expensive: A global infrastructure like AD can get pretty pricey to set up and maintain. Apart from that, once set up, changing its configurations is also expensive.
Network Becomes Excessively Dependent on AD: With AD services handling the whole network and its capabilities, the network will also die if the AD shuts off for some reason.
Security Risks: AD has several security risks, like root domains exposing the whole structure to vulnerabilities, unwanted permission inheritance, vulnerabilities due to inactive accounts, etc.
Azure Active Directory (Azure AD) is Microsoft’s enterprise cloud-based identity and access management (IAM) solution. Azure AD is the backbone of the Office 365 system, and it can sync with on-premise Active Directory and provide authentication to other cloud-based systems via OAuth.
Azure AD is a multi-tenant cloud-based identity and access management solution for the Azure platform. Active Directory (AD) is great at managing traditional on-premise infrastructure and applications. Azure AD is great at managing user access to cloud applications. You can use both together, or if you want to have a purely cloud-based environment you can just use Azure AD.
Azure AD comes with the backing of one of the largest tech companies today. This means support, security, and computing power won’t be an immediate issue. Microsoft does take care of its clients.
Breaches, crashes, and data loss are all the worries of Microsoft. Of course, that is to a limit. The company will take care of the software and hardware they host and offer as services. And, for the main part, administrators won’t have to worry about the security of backend devices and solutions.
Also, there is no need to worry about updates and upgrades as Microsoft handles it all.
There is that 0.1% to worry about when Azure AD could be down and affect productivity. While it is highly improbable, it isn’t unheard of.
As if that weren’t enough, failure to connect to Azure AD would also mean that connection to other dependent solutions like Microsoft 365, SharePoint, Teams, and even the Azure Portal could be affected.
And then there is the matter of problems that could be caused by failures in the architecture between a network and the Azure AD services (think government Internet cuts), which is usually also out of the scope of both Microsoft and the local administrator’s reach.
Difference Between Active Directory and Azure Active Directory
Active Directory Azure AD
Organizations create internal users manually or use an in-house or automated provisioning system, such as the Microsoft Identity Manager, to integrate with an HR system.
Existing AD organizations use Azure AD Connect to sync identities to the cloud.
Azure AD adds support to automatically create users from cloud HR systems.
Azure AD can provision identities in SCIM enabled SaaS apps to automatically provide apps with the necessary details to allow access for users.
Provisioning external identities
Organizations create external users manually as regular users in a dedicated external AD forest, resulting in administration overhead to manage the lifecycle of external identities (guest users)
Azure AD provides a special class of identity to support external identities. Azure AD B2B will manage the link to the external user identity to make sure they are valid.
Entitlement Management and groups
Administrators make users members of groups. App and resource owners then give groups access to apps or resources.
Groups are also available in Azure AD and administrators can also use groups to grant permissions to resources. In Azure AD, administrators can assign membership to groups manually or use a query to dynamically include users to a group.
Administrators can use Entitlement management in Azure AD to give users access to a collection of apps and resources using workflows and, if necessary, time-based criteria.
Organizations will use a combination of domains, organizational units, and groups in AD to delegate administrative rights to manage the directory and resources it controls.
Azure AD provides built-in roles with its Azure AD role-based access control (Azure AD RBAC) system, with limited support for creating custom roles to delegate privileged access to the identity system, the apps, and resources it controls.
Managing roles can be enhanced with Privileged Identity Management (PIM) to provide just-in-time, time-restricted, or workflow-based access to privileged roles.
Credentials in Active Directory is based on passwords, certificate authentication, and smartcard authentication. Passwords are managed using password policies that are based on password length, expiry, and complexity.
Azure AD uses intelligent password protection for cloud and on-premises. Protection includes smart lockout plus blocking common and custom password phrases and substitutions.
Azure AD significantly boosts security through Multi-factor authentication and passwordless technologies, like FIDO2.
Azure AD reduces support costs by providing users a self-service password reset system.
Active Directory forms the basis for many infrastructure on-premises components, for example, DNS, DHCP, IPSec, WiFi, NPS, and VPN access
In a new cloud world, Azure AD is the new control plane for accessing apps versus relying on networking controls. When users authenticate, Conditional access (CA), will control which users, will have access to which apps under required conditions.
Traditional and Legacy apps
Most on-premises apps use LDAP, Windows-Integrated Authentication (NTLM and Kerberos), or Header-based authentication to control access to users.
Azure AD can provide access to these types of on-premises apps using Azure AD application proxy agents running on-premises. Using this method Azure AD can authenticate Active Directory users on-premises using Kerberos while you migrate or need to coexist with legacy apps.
Active Directory doesn't support SaaS apps natively and requires a federation system, such as AD FS.
SaaS apps supporting OAuth2, SAML, and WS-* authentication can be integrated to use Azure AD for authentication.
Line of business (LOB) apps with modern authentication
Organizations can use AD FS with Active Directory to support LOB apps requiring modern authentication.
LOB apps requiring modern authentication can be configured to use Azure AD for authentication.
Services running in on-premises environments normally use AD service accounts or group Managed Service Accounts (gMSA) to run. These apps will then inherit the permissions of the service account.
Azure AD provides managed identities to run other workloads in the cloud. The lifecycle of these identities is managed by Azure AD and is tied to the resource provider can't be used for other purposes to gain backdoor access.
Active Directory doesn't natively support mobile devices without third-party solutions.
Microsoft's mobile device management solution, Microsoft Intune, is integrated with Azure AD. Microsoft Intune provides device state information to the identity system to evaluate during authentication
Active Directory provides the ability to domain join Windows devices to manage them using Group Policy, System Center Configuration Manager, or other third-party solutions.
Windows devices can be joined to Azure AD. Conditional access can check if a device is Azure AD joined as part of the authentication process. Windows devices can also be managed with Microsoft Intune. In this case, conditional access will consider whether a device is compliant (for example, up-to-date security patches and virus signatures) before allowing access to the apps.
Active Directory provides strong management capabilities for on-premises Windows servers using Group Policy or other management solutions.
Windows servers virtual machines in Azure can be managed with Azure AD Domain Services. Managed identities can be used when VMs need access to the identity system directory or resources.
Active Directory doesn't natively support non-Windows without third-party solutions, although Linux machines can be configured to authenticate with Active Directory as a Kerberos realm.
Linux/Unix VMs can use managed identities to access the identity system or resources. Some organizations, migrate these workloads to cloud container technologies, which can also use managed identities.
The Tech Platform