Azure Active Directory? Windows AD vs Azure AD


Azure Active Directory (AAD)

Azure Active Directory (Azure AD) is Microsoft’s cloud-based identity and access management service, which lets your employees sign in and access resources. Azure AD is the identity backbone of Office 365. It can synchronise with on-premises Active Directory and provide authentication to other cloud-based systems and to internal resources such as apps and the intranet, using web protocols (OAuth 2.0, OpenID Connect and SAML) rather than Kerberos.

Windows Active Directory

Windows Active Directory lives on-premises on servers called Domain Controllers (DCs). Each DC holds a catalogue of the users and computers that are authorised to access resources on the network. Users authenticate to DCs via Kerberos or NTLM.

Azure AD and Windows AD are both created by Microsoft, and they are both IAM systems, but that’s pretty much where the comparisons stop. They are fundamentally different systems that exist in an interconnected enterprise environment.

Aspect                   Azure Active Directory                                   Windows Active Directory
Communication            REST (Microsoft Graph API)                               LDAP
Authentication           Cloud protocols: SAML, OAuth 2.0, OpenID Connect         Kerberos and NTLM
Network organisation     Flat structure: users organised into groups              OUs, domains and forests
Devices                  Mobile device management (MDM)                           No MDM
Entitlement management   Admins organise users into groups                        Admins or data owners assign users to groups
Desktops                 Windows desktops can join via endpoint management        Desktops are governed by GPOs
Servers                  Azure AD Domain Services manages servers                 Managed by GPOs or an on-premises server management system

Directories, Subscriptions and Users

It is important to understand that Azure offers several cloud-based services. All of those services can use Azure AD to identify users and control access.

When a company or organization signs up to use one of these offerings, they are assigned a default directory, which is an instance of Azure AD. This directory holds the users and groups that will have access to each of the services the company has signed up for. This default directory is sometimes referred to as a tenant. A tenant represents the organization and the default directory assigned to it.

An organization (tenant) always has one default Azure AD directory it’s associated with, however, owners can create additional directories to support development or testing purposes, or because they want to have separate directories to synchronize with their local Windows Server AD forests.

Subscriptions in Azure are both a billing entity and a security boundary: each subscription trusts exactly one Azure AD directory for authentication. Resources such as virtual machines, web apps, and databases are always associated with a single subscription. If you belong to multiple directories, you can switch the directory you are working in through the Directory + subscription button in the Azure portal header.

Every user who needs access to Azure resources needs an Azure AD user account. A user account contains all the information needed to authenticate the user during sign-in. Once the user is authenticated, Azure AD issues a token whose claims (tenant, user identity, audience, expiry) resources use to authorise the user and decide what they can do with those resources.
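The following is an added example, not code from the original article: it shows what a resource should check in the claims of an Azure AD v2.0 token before trusting it, in particular that the token belongs to the expected tenant (tid, iss) and was issued for this application (aud). The token is a constructed sample built in the script, the tenant and application IDs are placeholders, and signature verification against the tenant's published signing keys is deliberately left out; in production it must happen before these claim checks are trusted.

```python
"""Inspect the claims of an Azure AD v2.0 access token and check tenant,
issuer, audience and expiry.

Added example; not from the original article. Claim names (iss, tid, aud,
oid, preferred_username, exp) are the ones Azure AD v2.0 tokens carry.
The IDs below are placeholders and the token is constructed locally.
Signature verification is NOT performed here (assumption: done earlier
against the tenant's JWKS).
"""
import base64
import json
import time

EXPECTED_TENANT = "11111111-2222-3333-4444-555555555555"    # placeholder tenant (directory) id
EXPECTED_AUDIENCE = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # placeholder app (client) id
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{EXPECTED_TENANT}/v2.0"

# Constructed sample claims for a user in the expected tenant.
SAMPLE_CLAIMS = {
    "iss": EXPECTED_ISSUER,
    "tid": EXPECTED_TENANT,
    "aud": EXPECTED_AUDIENCE,
    "oid": "99999999-8888-7777-6666-555555555555",
    "preferred_username": "jdoe@contoso.com",
    "iat": 1700000000,
    "exp": 1700003600,
}


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(claims):
    """Build a JWT-shaped sample token (header.payload.signature); the
    signature segment is filler, since this example does not sign."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "sample-key"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"signature-not-verified-in-this-example"),
    ])


def decode_claims(token):
    """Split a JWT and return (header, claims) as dicts."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def check_token(token, now=None):
    """Return (ok, reason). Rejects tokens minted for another tenant,
    another application, or that have expired."""
    now = time.time() if now is None else now
    header, claims = decode_claims(token)
    if header.get("alg") != "RS256":          # Azure AD signs with RS256; never accept "none"
        return False, "unexpected alg"
    if claims.get("tid") != EXPECTED_TENANT:  # token from a different directory
        return False, "wrong tenant"
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "wrong issuer"
    if claims.get("aud") != EXPECTED_AUDIENCE:  # token issued for some other app
        return False, "wrong audience"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    token = make_sample_token(SAMPLE_CLAIMS)
    print(decode_claims(token)[1]["preferred_username"], check_token(token, now=1700001000))
    foreign = make_sample_token(dict(SAMPLE_CLAIMS, tid="ffffffff-0000-0000-0000-000000000000"))
    print(check_token(foreign, now=1700001000))
```

The tenant check matters because a multi-tenant app registration accepts sign-ins from any Azure AD directory; a token that is validly signed but carries another organisation's tid must still be rejected unless that tenant has been explicitly allowed.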

You use the Azure Active Directory dashboard in the Azure portal to work with user objects. Keep in mind that you can only work with a single directory at a time – but you can use the Directory + Subscription panel to switch directories. 

Typically, Azure AD defines users in three ways:

1. Cloud identities – These users exist only in Azure AD. Examples are administrator accounts and users that you manage yourself.

2. Directory-synchronized identities – These users exist in an on-premises Active Directory, and Azure AD Connect synchronises them into Azure AD.

3. Guest users – These users exist outside Azure. Examples are accounts from other cloud providers and Microsoft accounts such as an Xbox LIVE account. In the portal their source shows as "Invited user". This type of account is useful when external vendors or contractors need access to your Azure resources.
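The three identity types above can be told apart from the attributes of each user object. The following is an added example, not from the original article: it classifies Microsoft Graph user records as cloud-only, directory-synchronised or guest, and flags guests who were invited but never accepted. The attribute names (userType, onPremisesSyncEnabled, creationType, externalUserState) are those of the Graph user resource; the records themselves are constructed sample data, not output from a real tenant.

```python
"""Classify Azure AD users as cloud-only, directory-synced or guest.

Added example, not from the original article. Assumes the attribute names
of the Microsoft Graph `user` resource; the records below are constructed
sample data in the shape a `GET /users` call returns.
"""
import json

# Constructed sample tenant: one cloud admin, one synced user, two guests.
SAMPLE_USERS_JSON = """
[
  {"userPrincipalName": "admin@contoso.onmicrosoft.com", "userType": "Member",
   "onPremisesSyncEnabled": null, "creationType": null, "externalUserState": null},
  {"userPrincipalName": "jdoe@contoso.com", "userType": "Member",
   "onPremisesSyncEnabled": true, "creationType": null, "externalUserState": null},
  {"userPrincipalName": "vendor_fabrikam.com#EXT#@contoso.onmicrosoft.com",
   "userType": "Guest", "onPremisesSyncEnabled": null,
   "creationType": "Invitation", "externalUserState": "Accepted"},
  {"userPrincipalName": "contractor_outlook.com#EXT#@contoso.onmicrosoft.com",
   "userType": "Guest", "onPremisesSyncEnabled": null,
   "creationType": "Invitation", "externalUserState": "PendingAcceptance"}
]
"""


def classify_user(user):
    """Return 'guest', 'synced' or 'cloud' for one Graph user object."""
    # Invited (B2B) users carry userType Guest and creationType Invitation.
    if user.get("userType") == "Guest" or user.get("creationType") == "Invitation":
        return "guest"
    # Azure AD Connect sets onPremisesSyncEnabled on users it manages;
    # it is null for accounts that were created directly in the cloud.
    if user.get("onPremisesSyncEnabled"):
        return "synced"
    return "cloud"


def summarize(users_json):
    """Group user principal names by identity type; list guests whose
    invitation is still pending, since those are stale entries worth reviewing."""
    users = json.loads(users_json)
    summary = {"cloud": [], "synced": [], "guest": [], "pending_guests": []}
    for user in users:
        kind = classify_user(user)
        summary[kind].append(user["userPrincipalName"])
        if kind == "guest" and user.get("externalUserState") == "PendingAcceptance":
            summary["pending_guests"].append(user["userPrincipalName"])
    return summary


if __name__ == "__main__":
    for kind, names in summarize(SAMPLE_USERS_JSON).items():
        print(f"{kind}: {names}")
```

Against a real tenant the same logic runs over the JSON returned by Graph's users endpoint with those four properties selected; the classifier itself does not change.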