The Bullet Point differences between Active Directory and Azure AD
I came across a Blog that did a really good job at explaining the differences between Active Directory and Azure AD. There is quite a bit of confusion around what the “newer kids on the block” do, or won’t do compared to Active Directory as we know it.
I have put together some Bullet Points for each Service below.
AD DS – Active Directory Domain Services
- Secure Object store, including Users, Computers and Groups
- Object organization use OU’s, Domains and Forests
- Common Authentication and Authorization provider
- LDAP, NTLM, Kerberos
- Group Policy
- Customizable Schema
- Certificate Services
- Federated Services
AAD – Azure Active Directory
- AAD is a cloud-based identity management store for modern applications
- AAD is designed to allow you to create users, groups, and applications that work with modern authentication mechanisms like SAML and Oauth
- Provided as part of an Office 365 Tenancy
- You can’t join computers to an Azure AD domain in the way you would with AD DS. There is something called Azure AD Join, but this is a different animal that I’ll address below. This means there are no computer objects in your AAD to apply things like GPOs to, and no centralized control of user rights on those machines.
- There is no Group Policy. AAD has some policy tools like conditional access, but it is more focused on access to applications.
- No support for LDAP, directory queries all use the REST API, Graph or PowerShell/CLI
- There’s no support for NTLM or Kerberos. AAD is modern authentication protocols only
- There’s no schema you have access to or can modify
- Flat structure, no OU’s, Domains or Forests
AAD DS – Azure AD Domain Services
- AAD DS is an Azure product that you enable on your virtual network which deploys two domain controllers.
- DC’s are synchronized with your Azure AD tenant
- You can grant machine access to users, implement custom OU’s, group policy, LDAP queries, NTLM and Kerberos
- Domain is managed by MS: No domain admin rights, only enough rights to undertake the tasks Microsoft allows
Can you join your server to Azure AD? NO
But you can extend your on-premises Active Directory to Azure AD…
Active Directory + Azure AD – When you need both
- Create Virtual Network in Azure
- Connect Cloud and On-prem with site to site VPN’s
- Deploy VM’s in cloud and turn them into DC’s