Active Directory vs Azure Active Directory: Is there a difference?
There are many different paths that will lead you to Azure Active Directory (Azure AD). Maybe you’ve rolled out Office 365 in your organization. Maybe you’re moving some virtual machines into Azure. Or maybe you’re developing a cloud-native application that won’t touch your on-premises environment at all.
Whatever the reason, you might think that Azure Active Directory is just a Microsoft Azure Cloud version of the Active Directory Domain Services authentication platform running on your organization’s servers. It is . . . but then again, it isn’t.
So, what’s the difference between Active Directory and Azure Active Directory? Let’s take a look at the details.
Looking to sharpen your Azure Active Directory skills? Check out ACG’s new hands-on labs for Microsoft Azure AD.
Authentication and authorization platforms
To start with, both Active Directory and Azure Active Directory provide authentication and authorization services. They store information like usernames and passwords (technically, encrypted password hashes) that validate that the person logging in has correctly supplied the same credentials during a log-in attempt that match a valid, active user in the system.
They also act as an authorization service. Say you’re trying to access a resource that is configured to only allow members of the HR group to use it, these directory systems have an HR group and a list of its members. It gets a little broader than that with computer accounts and service accounts (neither of which are humans), but that authentication and authorization principle is a standard function of these systems.
Identity and Access Management (IAM)
While authentication and authorization are functions of both Active Directory and Azure AD, the systems themselves are also known as IAM or Identity and Access Management systems. This means that the directories are also used for . . . managing the identities of people and things and managing access to other things. Now we’re talking about adding, changing, or deleting user accounts, updating members of groups, and being used to add users or groups to the security controls of a thing (whether that’s file or folders, cloud resources, or applications).
And that’s where the similarities stop when comparing Active Directory vs Azure Active Directory. These IAM systems are very different under the covers.
Active Directory is a role of the Windows Server operating system, so you’ve now got an underlying OS to install, update, and manage the uptime and performance of (whether it’s a physical or virtual server). Windows clients go looking for a server running the Active Directory Domain Services role (known as a Domain Controller) within their reachable networks, so you set up servers in different locations that replicate all of that identity data (and any changes) between each other.
There are few important parts to how Active Directory data is structured: the directory schema, organizational units and domains, and forests.
- The directory schema is the “mapping” of what information is stored and what it relates to. For example, my schema might include “email address” and each person would have that populated as “firstname.lastname@example.org”. With Active Directory, you can extend this schema to add additional things. Maybe you want to add “birth month” so you can query and celebrate everyone who has a birthday in December, or maybe you have specific business attributes that are useful to store and use in a custom application.
- The organizational units allow you to prescribe a structure, like an organizational chart. Instead of having everyone in a “Users” OU, you might split into Head Office, Manufacturing, Retail, etc, so you can apply settings or access differently across the different OUs and you can restrict where that data replicates to to cut down on network traffic. For example, there may be no sense in having the Head Office data replicating to servers in the Manufacturing plants.
- Domains and forests are further ways to organize and segment authentication data at scale.
With Azure AD, there are no domain controllers for you to manage, no replication of data to worry about between locations, no organizational units (but you can manage groups), and no forests. One of the Azure AD services (Azure AD Domain Services) also doesn’t support the use of schema extensions – custom attributes you may have added to your on-premises Active Directory environment. That sounds like a lot less work (and it is) but it’s also less flexible for organizations who have a complicated on-premises environment with customized or third-party applications that might be relying on some of that configuration.
What do we get with Azure Active Directory then? In essence, you get to use an identity platform that’s delivered as a service (IDaaS), and that’s just the start. Microsoft manages the availability of the service and the replication of data across its global cloud regions. You don’t need to troubleshoot it.
You’ll also use Azure Active Directory to manage access to resources in Azure via the Azure Resource Manager (including tools like the Azure CLI and PowerShell). Role-based access control allows you to grant groups or individuals a very granular level of access to perform actions on types of Azure resources, or areas of your cloud environment like resource groups or subscriptions.
Extra cloud goodness
With Active Directory, the log-in process is kept within your corporate networks, which Microsoft has no visibility of.
With Azure Active Directory, its cloud location allows this directory service to benefit from advanced security features powered by Microsoft. These include:
- A “conditions-based” approach to challenging for another form of authentication (MFA) during login attempts that are evaluated as being risky — either by parameters the organization has set (such as coming from an unknown location where you don’t have staff) or behavior that Microsoft’s analysis has detected.
- The ability for users to reset their own passwords, because we can challenge for MFA before allowing it.
- Automatic provisioning of new users in third-party Software as a Service applications, like Salesforce and ServiceNow. There are pre-defined connectors and Azure AD supports applications that use the System for Cross-domain Identity Management (SCIM).
- A smart lockout system that can detect the difference between sign-ins that come from valid users versus ones that come from unknown sources and can treat them differently — locking out the bad actors while still letting users sign in.
Azure Active Directory comes in free, Premium 1, and Premium 2 tiers. Not all features are available in all tiers and some features are bundled with Microsoft 365 plans. In fact, if your organization uses Microsoft 365 at all, that runs on Azure Active Directory as the authentication platform.
Some of these features can be integrated with your on-premises Active Directory environment, like self-service password reset.
Azure Active Directory also allows for guest accounts, and you can trust accounts from other organizations or other identity systems with Azure AD B2B or Azure AD B2C. This is key for application developers who want users to log in with existing social or organizational accounts, based on OpenID Connect, OAuth 2.0, or SAML.
Active Directory and Azure Active Directory together
If already have an Active Directory environment, you can run that in conjunction with Azure Active Directory for cloud authentication. This is known as hybrid identity and is commonly used by organizations wanting a seamless single sign-on process for their users, so they can access both on-premises and cloud or Microsoft 365 resources. It also saves the admins from managing identities in two different systems.
How you architect that will depend on the specific requirements of your organization, including whether synchronizing your identities and password hashes to the cloud is allowable or not. To support various compliance scenarios, Microsoft supports password hash synchronization, pass-through authentication, and federation.
Cloud-native organizations jump into cloud-based identity services like Azure Active Directory without too much complication, but technologists that have to migrate from or continue to manage Windows Server environments will find Azure AD is a new thing to learn.
Any identity platform change requires careful planning and consideration, especially taking into account your current, specific uses. But you’ll find some great upside to the features in Azure Active Directory, including no overhead of managing the service infrastructure.
About the Author
Sonia Cuff connects with worldwide technical communities, as a Senior Cloud Advocate for Microsoft. With over 20 years of experience in tech, from large enterprises and government to small businesses and partners, Sonia is passionate about improving work and life for people in IT Operations roles.
Level up your Azure Active Directory skills
A Cloud Guru has new exclusive, hands-on labs for Microsoft Azure AD. With more than 1,600 scenario-based labs (and hundreds more on the way) A Cloud Guru is the hands-on way to learn cloud. Get started for free today!