Thursday, 25 January 2024

Understanding the difference between Active Directory and Azure Active Directory

There has been an explicit sharing of ideas in regards to if Azure Active Directory and Active Directory are the same. It is one of the very common questions is: Is Azure AD the same as AD? Can I replace it? The short and simple answer is no. AD (Active Directory) can belong to multiple versions of various technologies. However, it is more complicated. Let's have a look at similarities, differences, and combinations.


                     (Image credit- Jumpcloud)


Active Directory Domain service is basically a database, where you can have all your computers, users and others organized. Active Directory not only organises centrally connected applications and users but integrate them in such an useful manner that they can talk to each other. It provides authentication and authorization to applications, file services, printers, and more on-premises resources. AD uses protocols such as NTLM and Kerberos for authentification and LDAP for resource discovery. With a great feature Group policy, you can distribute settings throughout a whole network. There are many security groups, user and admin accounts, passwords, identity and access rights, and that's why securing AD is the key. Nevertheless, the important point of view is that AD was not designed to cope with the world of web-based Internet services. As the world has shifted to cloud and web based portals, the synergy and dynamics of correlation has completely been taken over to cloud based networking.


Azure Active Directory is not Active Directory, unfortunately, its name leads to much confusion. However, AAD has a similar function with the authentification and authorization of applications. Compared with AD, Azure Active Directory was designed to support web-based services that use RESTful interfaces for Office 365, Google Apps, etc. It also uses different protocols for working with these services (SAML, OAuth 2.0.). You could say that AAD is an "AD service in the cloud". Another difference is that there is no such thing in AAD as forests and domains. Instead, you are a tenant representing your whole organization and you can manage all users with their passwords, permissions, etc. A user with one identity can sign on to thousands of SaaS applications and not just into Microsoft's Office 365, SharePoint or Exchange online. And he can do it without a repeated requirement to log in.


Nowadays, there are various models of using Active Directory services and every company has different needs and possibilities. In case your organization doesn't need the missing features of AD, you can move to Azure Active Directory and decommission the classic Active Directory. There are various scenarios containing Hybrid Azure AD, which means combinations of AD and AAD. This type of architecture offers a combination of both and thanks to Azure AD Connect your user/password data are synchronized. In the end, you can use just classic AD, however, you can hear every day more and more about the advantages of moving to the cloud.