Microsoft Active Directory and Azure Active Directory – both usually shortened to Microsoft AD and Azure AD, respectively – are probably the most recognized identity and access management (IAM) solutions in use today.
In this comparison post, we will have a look at each AD and see which solution performs what task, and who it would be an ideal solution for.
Active Directory and Azure AD are not the same
But, before we begin, this point should be made clear: the two solutions are not different versions of the same product.
Indeed, AD is Microsoft’s predecessor to Azure AD. The company first released AD with Windows 2000 Server, and it quickly became the standard enterprise identity management solution.
AD is installed and runs on-premises, on Domain Controllers (DCs). Each DC contains a catalog of users and computers that are authorized to access specific resources on a network. Two protocols – Kerberos and NTLM – are used in the DC authentication process.
Azure AD, on the other hand, organizes users and groups in each of its instances, which are known as “tenants.”
These tenants are where user authentication and identity management services are done to allow access to apps, data, and other resources using more modern protocols like OAuth 2.0.
Hardware devices like desktops and laptops can also join Azure AD with the help of Microsoft Intune, which, in turn, needs Azure AD Domain Services (Azure AD DS) to manage any servers that reside in the Azure cloud VM environment.
Now, many people think that Azure AD is just an Active Directory in the cloud. But, this assumption is wrong. Active Directory is a directory service dealing with the local authentication of user access to hardware and local software resources, while Azure AD is a cloud-based identity and access management service that can be used to sign in to thousands of internal and external services.
Other important points to consider include:
- Organizational Units (OUs) don’t exist in Azure AD, so grouping users and devices (by country, by business unit, etc.) isn’t done there. A similar grouping can be achieved by creating Azure AD Groups, but these are mainly used to group cloud-based apps or on-premises apps, rather than the physical assets themselves.
- Similarly, OUs are mostly used to define the scope of Group Policy Objects (GPOs) in on-premises network environments, and GPOs don’t exist in Azure AD either. Instead, Microsoft Intune can be used to control devices – albeit in a rather more limited way.
- With AD, at least one DC needs to remain in direct line-of-sight with each connected device. That is not necessary when it comes to Azure AD – an internet connection is all that is required to download the latest configuration policies or security settings, making it the ideal choice for networks catering to BYOD and remote devices.
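The line-of-sight point above can be checked directly on a Windows device. The following script is an added example, not code from the original post: it reads the join state reported by the built-in dsregcmd tool and uses the Netlogon DC locator (nltest) to see whether a Domain Controller is currently reachable. It assumes Windows 10/11 or Windows Server 2016 or later; the field names parsed from dsregcmd output are the ones that tool prints in its "Device State" section.

```powershell
# Added example (not from the original post): report whether this device is
# joined to on-premises AD, whether it is Azure AD joined, and whether a
# Domain Controller is reachable right now. Assumes Windows 10/11 or
# Windows Server 2016+ (both dsregcmd and nltest ship with the OS).

function Get-DirectoryJoinState {
    # dsregcmd /status prints "Key : Value" lines; pick out the three we need.
    $status = dsregcmd /status 2>$null
    $state = @{}
    foreach ($key in "AzureAdJoined", "DomainJoined", "DomainName") {
        $line = $status | Where-Object { $_ -match "^\s*$key\s*:\s*(\S+)" } | Select-Object -First 1
        $state[$key] = if ($line -match ":\s*(\S+)") { $Matches[1] } else { "UNKNOWN" }
    }
    [pscustomobject]$state
}

function Test-DomainControllerReachable {
    param([string]$Domain = $env:USERDNSDOMAIN)
    if (-not $Domain) { return $false }
    # nltest asks the Netlogon DC locator; a non-zero exit code means no DC was found.
    $null = nltest /dsgetdc:$Domain 2>$null
    return ($LASTEXITCODE -eq 0)
}

$state = Get-DirectoryJoinState
$state | Format-List

if ($state.DomainJoined -eq "YES") {
    # Without a reachable DC the device cannot refresh Group Policy or obtain
    # new Kerberos tickets; logons then depend on locally cached credentials.
    if (Test-DomainControllerReachable -Domain $state.DomainName) {
        "Domain Controller reachable: Group Policy and Kerberos authentication are available."
    } else {
        "No Domain Controller reachable: device is relying on cached logon credentials."
    }
}
if ($state.AzureAdJoined -eq "YES") {
    "Azure AD joined: policy arrives from Intune over the Internet; no DC line-of-sight is needed."
}
```

Run it on a laptop first on the corporate network and then from home to see the two cases the post describes side by side.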
Microsoft Active Directory
Microsoft AD stores data as objects – these objects can consist of users, groups, applications or devices.
When the objects include hardware devices like desktops and laptops, they are known as “resources” and when they consist of logical expressions of identity, like users and groups, they are called “security principals.”
The main defining characteristic of an AD is that it lives on-premises in DCs. Each DC contains a catalog of users and computers that are authorized to access resources on the network that the AD is responsible for.
It needs to be mentioned here that AD is the most popular IAM solution today, and in fact, it is estimated that “approximately 90% of the Global Fortune 1000 companies use it as a primary method to provide seamless authentication and authorization.”
With that in mind, let’s have a look at the pros and cons of using AD:
- With an AD, the system administrator is the authoritative figure. There is no need to go to Microsoft and raise tickets, make calls or connect to chats when issues arise. The administrator can simply do what they see fit.
- Any decisions to make configuration changes can be initiated within minutes – there is no need to wait for remote technicians to come onboard and do them. It is all a matter of informing the system administrator.
- All information is kept local – a point that could be critical when it comes to organizations that work with sensitive data and don’t want any “outsider” to be privy to their information.
- The burden of maintaining and administering the AD server remains the responsibility of the local administrators; this can become an issue in a crisis and when there isn’t enough in-house technical know-how to resolve it.
- The hardware and overhead for the upgrade of AD, and the servers they run on, also remain the responsibility of the organization – again, this requires a technology budget and investment in technical knowledge.
Microsoft Azure Active Directory
Microsoft Azure AD is a cloud-based identity and access management service, which helps users sign in and access resources like:
- Local software resources like native apps that are hosted on the intranet or corporate network as well as any cloud apps that belong to an organization.
- Microsoft services like Microsoft 365 and the Azure Portal as well as thousands of other third-party Software-as-a-Service (SaaS) applications like Slack and Salesforce.
Azure AD, being a Microsoft-managed service, has a high uptime rate of 99.9%. It currently manages over 1.2 billion identities and processes over 8 billion authentications per day.
And, the tech company’s robust computing power means that a business using this IAM not only secures their network using features like Multi-Factor Authentication (MFA) and Conditional Access but also gains access to over a thousand more products and services.
Here are the pros and cons of using this solution:
- Azure AD comes with the backing of one of the largest tech companies today. This means support, security, and computing power won’t be an immediate issue. Microsoft does take care of its clients.
- Breaches, crashes, and data loss are all the worries of Microsoft. Of course, that is to a limit. The company will take care of the software and hardware they host and offer as services. And, for the main part, administrators won’t have to worry about the security of backend devices and solutions.
- Also, there is no need to worry about updates and upgrades as Microsoft handles it all.
- There is that 0.1% to worry about when Azure AD could be down and affect productivity. While it is highly improbable, it isn’t unheard of.
- As if that weren’t enough, failure to connect to Azure AD would also mean that connection to other dependent solutions like Microsoft 365, SharePoint, Teams, and even the Azure Portal could be affected.
- And then there is the matter of problems that could be caused by failures in the architecture between a network and the Azure AD services (think government Internet cuts), which is usually also out of the scope of both Microsoft and the local administrator’s reach.
Here’s a table for comparison of features:
Microsoft AD or Azure AD – what to choose and when
OK, let’s now have a look at which of the two IAM solutions would be the ideal choice in various scenarios.
Choose Microsoft AD...
- If you are running an established enterprise network, you most likely already have AD installed. If things are running smoothly and there are no issues, then this should continue to be your IAM of choice.
- If you live in a country where Internet outages are a common occurrence, then it would make sense to keep access authentication and security accessible on a local level.
Choose Azure AD...
- If an organization with AD is thinking of making the move into cloud computing, then implementing Azure AD would make more sense. Gradual migration from AD to Azure can be done.
- If, on the other hand, an organization is new and building its cloud infrastructure from the ground up, it should adopt Azure AD fully as this would be the ideal solution to meet the requirements of such a network architecture.
Now, there are some that may argue that Azure AD is the future and that it will eventually take over AD. We leave that decision to you – it is up to the individual business to decide the right time to make the cross-over.
Remember to Hire Active Directory Professionals
An important thing to remember at this point is that the successful implementation of an IAM solution always comes down to the in-house tech know-how and support that can undertake the job.
While both IAMs are equally complicated (though not too complicated, as long as you know what you are doing), it makes sense to have a qualified technician handle the installation and configuration of either one. This ensures an optimal installation that helps avoid costly mistakes down the line.
Finally, and just to make sure it’s evident: Microsoft Azure AD is not a direct replacement for Microsoft AD. Their scopes are different: Microsoft AD is designed for on-premises administration, while Azure AD is intended for cloud or hybrid architectures.