Microsoft IT shops are all too familiar with Active Directory for on-premises workloads. There's also an Azure variant of the service available when you're ready to move to the cloud, though don't expect it to be a one-to-one replacement.
Active Directory and Azure Active Directory (Azure AD) are different, but they aren't necessarily competing offerings from Microsoft. Instead, Azure AD extends Active Directory to the cloud and brings existing users and groups into Office 365 and Azure. Some features, such as Azure Single Sign-On (SSO) and self-service password reset, come along for the ride.
Know the Azure AD basics
Azure AD is an identity and access management service that provides sign-in capabilities and access to resources, including Office 365, Azure and any number of registered applications developed internally at an organization. It connects to a company's on-premises Active Directory to synchronize users, groups and other data so login credentials are consistent across an enterprise. Depending on the SKU chosen for Azure AD, user passwords can be reset and pushed to an on-premises implementation of Active Directory, too.
Organizations can invite external users into Azure AD to access applications registered with the service. It also serves as an endpoint for SSO configurations for all of the applications the organization uses, which often simplifies the process.
Additional functionality depends on the level of Azure AD subscription you purchase:
- Basic: Provides hybrid connectivity for corporate users as well as group-based access management, password reset for cloud applications and a web proxy that can be used to securely publish internal web applications.
- Premium P1: Includes all the features of Basic, plus dynamic group membership and password writeback, which allows a password updated in the cloud to sync back to hybrid user accounts.
- Premium P2: All the features of Basic and P1, plus identity protection using risk-based conditional access restrictions for the corporate network. This feature assesses the risk of an action and determines whether more authentication steps are needed or whether the sign-in should be blocked outright. Privileged Identity Management is also available in P2; it provides a better logging and audit experience for accounts that hold privileged access rights within an environment.
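To make the risk-based decision described for P2 concrete, here is an added Python example that is not from the article and does not reproduce Microsoft's own Identity Protection logic. It models a small conditional access policy: each sign-in carries an assumed sign-in risk and user risk level plus two account attributes, and the evaluator returns allow, require MFA, or block. The threshold values, the signal names and the sample sign-ins are all constructed for illustration.

```python
"""Toy risk-based conditional access evaluator (constructed example, not Microsoft code)."""
from dataclasses import dataclass
from enum import Enum, IntEnum


class Risk(IntEnum):
    """Ordered risk levels so a policy can compare them with >=."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"
    BLOCK = "block"


@dataclass(frozen=True)
class SignIn:
    user: str
    sign_in_risk: Risk      # risk of this particular attempt (assumed signal, e.g. unfamiliar location)
    user_risk: Risk         # accumulated risk on the account (assumed signal, e.g. leaked credentials)
    privileged: bool        # holds an administrative role
    mfa_registered: bool    # has a second factor enrolled


@dataclass(frozen=True)
class Policy:
    """Assumed thresholds; a real tenant would set these in its own policy."""
    mfa_at_sign_in_risk: Risk = Risk.MEDIUM   # step up at or above this sign-in risk
    block_at_sign_in_risk: Risk = Risk.HIGH   # block at or above this sign-in risk
    block_at_user_risk: Risk = Risk.HIGH      # block compromised accounts outright
    mfa_for_privileged: bool = True           # admins always step up, whatever the risk


def parse_risk(label: str) -> Risk:
    """Map a risk label from a log or API payload to a Risk; unknown labels fail closed."""
    try:
        return Risk[label.strip().upper()]
    except KeyError:
        return Risk.HIGH


def evaluate(signin: SignIn, policy: Policy) -> Decision:
    """Apply the policy in order of severity: block, then step-up, then allow."""
    if (signin.sign_in_risk >= policy.block_at_sign_in_risk
            or signin.user_risk >= policy.block_at_user_risk):
        return Decision.BLOCK
    needs_step_up = (signin.sign_in_risk >= policy.mfa_at_sign_in_risk
                     or (policy.mfa_for_privileged and signin.privileged))
    if needs_step_up:
        # A step-up can only be satisfied if a second factor exists; otherwise fail closed.
        return Decision.REQUIRE_MFA if signin.mfa_registered else Decision.BLOCK
    return Decision.ALLOW


# Constructed sample sign-ins covering each branch of the policy.
SAMPLE_SIGN_INS = [
    SignIn("alice", Risk.LOW, Risk.NONE, privileged=False, mfa_registered=True),
    SignIn("bob", Risk.MEDIUM, Risk.NONE, privileged=False, mfa_registered=True),
    SignIn("carol", Risk.MEDIUM, Risk.NONE, privileged=False, mfa_registered=False),
    SignIn("dave", Risk.NONE, Risk.NONE, privileged=True, mfa_registered=True),
    SignIn("erin", Risk.HIGH, Risk.NONE, privileged=False, mfa_registered=True),
    SignIn("frank", Risk.NONE, Risk.HIGH, privileged=False, mfa_registered=True),
]


def evaluate_all(signins, policy: Policy = Policy()) -> dict:
    """Return {user: Decision} for a batch of sign-ins under one policy."""
    return {s.user: evaluate(s, policy) for s in signins}


if __name__ == "__main__":
    for user, decision in evaluate_all(SAMPLE_SIGN_INS).items():
        print(f"{user:<8} {decision.value}")
```

The ordering matters: block rules are checked before step-up rules so that a compromised account cannot satisfy MFA and proceed, and a step-up that the user cannot complete is treated as a block rather than silently downgraded to allow.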
Differences with Active Directory
Although Active Directory and Azure AD are intended to work together, it's important to know the differences between them -- as well as the limitations of the cloud-based version.
Microsoft Active Directory Domain Services (AD DS) uses a hierarchical structure to store information about objects on a Windows network. It has tools to authenticate users, grant access to resources on the network, and enforce rules and policies.
At a deeper level, Active Directory also controls an organization's internal DNS, making it simple to manage and highly available across multiple domain controllers.
These services and configurations are core to Windows operations, but most of them fall outside of Azure Active Directory's management purview as it exists today. Yes, users and groups can sync between an implementation of AD DS and Azure AD, which makes Azure Single Sign-On and Multi-Factor Authentication easier to configure for some services, but Microsoft's Group Policy and DNS are not managed as part of Azure AD.
Another potential downside is also one of the biggest positives about Azure AD: the cloud. If anything interrupts the connection to Microsoft's public cloud, Azure AD becomes unreachable, unlike an internal AD DS setup. Sure, a link between locations within your organization might be unavailable when the internet is down, but both sides of the environment can generally still process logon events.
Other cloud vendors get in on Active Directory services
Microsoft isn't the only IaaS vendor to offer a cloud-based version of Active Directory.
The AWS Directory Service is an implementation of Active Directory, but it's altogether different from Azure AD. AWS Directory Service is a managed service built on Active Directory Domain Services. Users don't need to sync any data to the Amazon service for it to function, and they can use the same management tools they're already familiar with, from Microsoft Active Directory Users and Computers to the Active Directory Administrative Center and PowerShell. Unlike Azure AD, AWS does support Group Policy for object management because it's a fully functional Active Directory service.
Google Cloud has its own hardened Active Directory service, though it's in preview as of publication. Given the preview status, it is more accurate to say that users will be able to hook into the service than to describe it as a subscription. They will be able to join Google Cloud workloads to an Active Directory domain and extend their on-premises directory to their Google Cloud Platform organization. In many ways, the service will act like a site within an enterprise directory environment.
Ultimately, however, it's misguided to stack Azure AD and AD DS against each other. Again, Azure Active Directory is not a complete replacement for traditional AD DS, but rather an extension of it. The fact that users and groups exist in both is about the only feature parity between the products.
Azure AD is a great way to bring on-premises Active Directory into the cloud and allow online services -- Office 365, SharePoint, Azure and even your next web app -- to authenticate with the same login used for Windows.
Get started with Azure AD
The easiest way to get an instance, or tenant, of Azure AD is to start using Office 365, which creates an Azure AD tenant if there is not one already. If your organization already uses Microsoft Azure for public cloud hosting, there is a good chance it has already configured Azure AD.
With the tenant configured, Azure AD helps streamline use of cloud resources compared to managing a cloud environment without it. Azure AD can provide a better management experience for IT admins and simplify the experience for an organization's employees. Azure AD synchronizes a copy of user and group objects to the cloud. This ensures a company's user accounts are already functional when cloud migration discussions start.