
The Difference between AD and Azure AD explained


Confused about the difference between AD and Azure AD? We get it – the distinction isn’t immediately clear.

In this guide, we’ll be exploring the key differences between these two terms and their relevance to you. 

What Is AD?

AD stands for Active Directory. In order to understand what Active Directory is, you’ll need to understand the basics of a Domain Controller.

A Domain Controller is a server on the network that centrally manages access for users, PCs and servers on the network. It does this using Active Directory (AD).

Active Directory is a database that organises your company’s users and computers. It provides authentication and authorization to applications, file services, printers, and other resources on the network. It uses protocols such as Kerberos and NTLM for authentication and LDAP to query and modify items in the Active Directory databases.

Active Directory Domain Services (to give it its full and proper name), or AD for short, runs on the Domain Controller and has the following key functions:

  • Secure Object store, including Users, Computers and Groups
  • Object organization – Organisational Units (OU), Domains and Forests
  • Common Authentication and Authorization provider
  • LDAP, NTLM, Kerberos (secure authentication between domain joined devices)
  • Group Policy – for fine grained control and management of PCs and Servers on the domain

So basically AD has a record of all your users, PCs and Servers and authenticates the users signing in (the network logon). Once signed in, AD also governs what the users are, and are not, allowed to do or access (authorisation). For example, it knows that John Smith is in the Sales Group and is not allowed to access the HR folder on the file server. It also allows control and management of PCs and Servers on the network via Group Policy (so for example you could set all users’ home page on their browser to be your intranet, or you can prevent users from installing other software etc).

Most established businesses will have Active Directory running on one or more Domain Controllers on their network.

What is Azure AD?

Azure AD is not simply a cloud version of AD as the name might suggest. Although it performs some of the same functions, it is quite different.

Azure Active Directory is a secure online authentication store, which can contain users and groups. Users have a username and a password which are used when you sign into an application that uses Azure AD for authentication. So for example all of the Microsoft Cloud services use Azure AD for authentication: Office 365, Dynamics 365 and Azure. If you have Office 365, you are already using Azure AD under the covers.

As well as managing users and groups, Azure AD manages access to applications that work with modern authentication mechanisms like SAML and OAuth. Applications are objects that exist in Azure AD, and this allows you to create an identity for your applications (or 3rd party ones) that you can grant access for users to. Besides seamlessly connecting to any Microsoft Online Services, Azure AD can connect to thousands of SaaS applications (e.g. Salesforce, Slack, ZenDesk etc) using a single sign-on.

When compared with AD, here is what Azure AD doesn’t do:

  • You can’t join a server to it
  • You can’t join a PC to it in the same way – there is Azure AD Join for Windows 10 only (see later)
  • There is no Group Policy
  • There is no support for LDAP, NTLM or Kerberos
  • It is a flat directory structure – no OUs or Forests

So Azure AD does not replace AD.

AD is great at managing traditional on-premise infrastructure and applications. Azure AD is great at managing user access to cloud applications. They do different things with the area of overlap being user management.

Should you use AD or Azure AD? Or should you use both?

If you have a traditional on-premise set up with AD and also want to use Azure AD to manage access to cloud applications (e.g. Office 365 or any of thousands of SaaS apps) then you can happily use both.

If you are using Office 365 then your users will have a username and password for that (managed by Azure AD), as well as a username and password for their network logon (managed by AD). These two sets of credentials are unrelated. This is fine; it just means that if you have a password change policy, users will have to change their password twice (and they could of course choose the same password for both).

Or you can synchronise AD with Azure AD so that the users only have one set of credentials which they use for both their network logon and access to O365. You use Azure AD Connect to do this; it is a small, free piece of Microsoft software that you install on a server to perform the synchronisation.

If you are a new business or one that is looking to transition away from having any traditional on-premise infrastructure and using purely cloud based applications, then you can operate purely using Azure AD.

In this case, although you will have all your applications in the cloud, you will of course still have physical devices – PCs and smart phones – that your team will use to access and work with these cloud applications.

So how do you secure and manage these devices? In the case of PCs (this applies to Windows 10 only) you can Azure AD Join them and log in to machines using Azure AD user accounts. You can apply conditional access policies that require machines to be Azure AD joined before accessing company resources or applications. However, Azure AD Join provides limited functionality compared to AD Join (as there is no Group Policy), and in order to gain fine grained control over the PCs you would then use a Mobile Device Management solution, such as Microsoft Intune, in addition to this.

Other devices (Windows 10, iOS, Android, and MacOS) can be Azure AD Registered (which means you sign into the device itself without requiring an Azure AD account, but can then access apps etc using the Azure AD account) and controlled using Microsoft Intune.
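To check which of these states a given Windows 10 PC is actually in, the output of the built-in `dsregcmd /status` command can be parsed. The following PowerShell is an added example (not from the original post): it assumes the `AzureAdJoined`, `DomainJoined` and `WorkplaceJoined` fields that `dsregcmd` prints, also recognises the combined AD-plus-Azure-AD (hybrid) state, and ships with a constructed sample so it can be run without a real device.

```powershell
# Added example: classify a Windows 10 device's join state from 'dsregcmd /status'.
# Assumes the AzureAdJoined / DomainJoined / WorkplaceJoined fields printed by dsregcmd.
function Get-DeviceJoinState {
    param(
        # Raw lines of 'dsregcmd /status'; defaults to running the command locally.
        [string[]]$StatusText = (& dsregcmd.exe /status)
    )
    $fields = @{}
    foreach ($line in $StatusText) {
        # Relevant lines look like "             AzureAdJoined : YES"
        if ($line -match '^\s*(\w+)\s*:\s*(YES|NO)\s*$') {
            $fields[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    # A missing field is treated as NO.
    $azureJoined  = [bool]$fields['AzureAdJoined']
    $domainJoined = [bool]$fields['DomainJoined']
    $registered   = [bool]$fields['WorkplaceJoined']

    if ($azureJoined -and $domainJoined) {
        $state = 'Hybrid Azure AD joined (AD + Azure AD; Group Policy still applies)'
    } elseif ($azureJoined) {
        $state = 'Azure AD joined (no Group Policy; manage with Intune)'
    } elseif ($domainJoined) {
        $state = 'Domain joined only (AD / Group Policy)'
    } elseif ($registered) {
        $state = 'Azure AD registered (sign in locally, Azure AD account for apps; Intune-manageable)'
    } else {
        $state = 'Not joined or registered'
    }

    [pscustomobject]@{
        AzureAdJoined   = $azureJoined
        DomainJoined    = $domainJoined
        WorkplaceJoined = $registered
        State           = $state
    }
}

# Constructed sample output (not captured from a real machine) for offline use.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
'@ -split "`r?`n"

Get-DeviceJoinState -StatusText $sample
```

Run `Get-DeviceJoinState` with no arguments on a real machine to classify that device; the sample above reports "Azure AD joined".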

If you can’t get all your applications as SaaS apps and have some that still need to run on your own servers, then you can migrate these to Virtual Machines (VMs) in Azure. If those VMs need to be domain joined, then you can either deploy a Domain Controller on another VM in Azure, or you can use Azure Active Directory Domain Services (Azure AD DS) which is a PaaS service (you don’t have to manage it) for domain joining Azure VMs. Azure AD DS automatically synchronises with Azure AD so all your users get the application access you want.

Summary

In summary, Azure AD is not simply a cloud version of AD; they do quite different things. AD is great at managing traditional on-premise infrastructure and applications. Azure AD is great at managing user access to cloud applications. You can use both together, or if you want to have a purely cloud based environment you can just use Azure AD.
