In today’s Ask the Admin, I’ll explain what Azure Active Directory is and how it works compared to Windows Server Active Directory.
You’ve probably heard of Azure Active Directory (AAD) even if you don’t know how it differs from Active Directory in Windows Server. Azure AD is a multi-tenant, cloud-based directory and identity management service. It provides a subset of what Windows Server AD does, delivered as a service rather than as domain controllers you deploy and run yourself.
While AAD doesn’t support all the services provided by Windows Server AD, Microsoft is gradually expanding AAD’s capabilities. For example, Azure AD Domain Services was released in preview last October and provides features such as native domain join, Group Policy, Kerberos and NTLM authentication, and Lightweight Directory Access Protocol (LDAP) access to the directory. For more information, see What is Azure AD Domain Services? on the Petri IT Knowledgebase.
Cloud, Synchronized, and Federated Identities
While intended primarily for cloud-native apps (Office 365 uses AAD for identity management, for example), AAD can also be integrated with on-premises Active Directory to simplify identity management in hybrid cloud environments. As such, AAD supports several different types of identity.
Cloud identities exist only in AAD and require organizations to manage usernames and passwords separately from Windows Server Active Directory. Windows Server AD user accounts can be synchronized to AAD, and, optionally, their password hashes. Azure AD Connect replaces the DirSync tool that was previously the standard means of synchronizing Windows Server AD accounts with Office 365 and Azure AD. Note that password hash synchronization does not upload the NT hash itself: Azure AD Connect derives a salted SHA256/PBKDF2 value from the hash before sending it, so the on-premises hash is not recoverable from the cloud copy. Synchronized identities have the same password in the cloud as in Windows Server Active Directory, but this is not single sign-on: users are still prompted to sign in again when they access cloud services.
Federated identities use Windows Server Active Directory for user authentication, connecting the on-premises directory to AAD through Active Directory Federation Services (AD FS). Federated identities are the only option that provides true single sign-on. Other advantages are that you can continue using on-premises multifactor authentication, password hashes are never synchronized to the cloud, users can be blocked immediately, and logon restrictions set in AD (such as logon hours) are honored. The trade-off is that AD FS becomes a dependency for cloud sign-in: if the federation servers are unreachable, federated users cannot authenticate to cloud services, and the AD FS infrastructure itself must be protected like any other authentication server.
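The three identity types described above can be told apart from a couple of properties that the MSOnline PowerShell module exposes: a user with no ImmutableId has no on-premises counterpart (cloud identity), a user with an ImmutableId in a Managed domain is synchronized, and a user with an ImmutableId in a Federated domain is federated. The script below is an added example, not code from the original article or from Microsoft; the function name Get-AadIdentityType, the tenant domains and the user objects are hypothetical, constructed so the block runs offline without a tenant. In a real tenant you would replace the sample objects with the output of Get-MsolUser -All, Get-MsolDomain and Get-MsolCompanyInformation, whose property names the function relies on.

```powershell
# Added example (not from the original article): classify Azure AD users as
# Cloud, Synchronized or Federated identities. Sample data below is constructed
# so the block runs offline. In a tenant you would run:
#   Connect-MsolService
#   $users   = Get-MsolUser -All
#   $domains = Get-MsolDomain
#   $company = Get-MsolCompanyInformation   # .PasswordSynchronizationEnabled

function Get-AadIdentityType {
    param(
        [Parameter(Mandatory)] $User,      # needs UserPrincipalName, ImmutableId
        [Parameter(Mandatory)] $Domains,   # objects with Name, Authentication
        [bool] $PasswordHashSyncEnabled = $false
    )

    # The UPN suffix decides which verified domain (and therefore which
    # authentication mode, Managed or Federated) applies to this user.
    $suffix    = ($User.UserPrincipalName -split '@')[-1]
    $domain    = $Domains | Where-Object { $_.Name -eq $suffix }
    $federated = ($null -ne $domain) -and ($domain.Authentication -eq 'Federated')

    # ImmutableId is set by Azure AD Connect / DirSync from the on-premises
    # objectGUID; cloud-only accounts never have one.
    $linkedToOnPrem = -not [string]::IsNullOrEmpty($User.ImmutableId)

    $type = if (-not $linkedToOnPrem) { 'Cloud' }
            elseif ($federated)       { 'Federated' }
            else                      { 'Synchronized' }

    # Checks a practitioner would want flagged for review.
    $note = ''
    if (-not $linkedToOnPrem -and $federated) {
        # AD FS issues tokens keyed to the on-premises object; a cloud-only
        # account in a federated domain has nothing to be matched against.
        $note = 'cloud-only account in a federated domain'
    }
    elseif ($type -eq 'Synchronized' -and -not $PasswordHashSyncEnabled) {
        $note = 'synchronized without password hash sync: cloud password is managed separately'
    }

    [pscustomobject]@{
        UserPrincipalName = $User.UserPrincipalName
        IdentityType      = $type
        Note              = $note
    }
}

# Constructed sample data for a hypothetical tenant (not real identifiers).
$domains = @(
    [pscustomobject]@{ Name = 'contoso.com';   Authentication = 'Federated' },
    [pscustomobject]@{ Name = 'contoso.cloud'; Authentication = 'Managed'   }
)
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com';  ImmutableId = 'q1w2e3r4t5y6u7i8o9p0aA==' },
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.cloud';  ImmutableId = 'z9x8c7v6b5n4m3l2k1j0hH==' },
    [pscustomobject]@{ UserPrincipalName = 'svc@contoso.cloud';  ImmutableId = $null },
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.com';  ImmutableId = $null }
)

$users |
    ForEach-Object { Get-AadIdentityType -User $_ -Domains $domains -PasswordHashSyncEnabled $false } |
    Format-Table -AutoSize
```

With the sample data, alice is reported as Federated, bob as Synchronized (with the note that password hash sync is off), svc as Cloud, and carol as Cloud with the federated-domain warning. The password hash sync flag is a tenant-wide setting, which is why it is passed in rather than read from the user object.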
Identity Management for the Cloud
The ability to quickly provision AAD in the cloud allows developers to concentrate on the nitty-gritty of writing their applications, leaving AAD to provide identity management services. Multifactor authentication is also supported for additional security. It’s also worth noting that Windows 10 devices can be joined to AAD, giving users access to Windows Store for Business, Microsoft Passport, single sign-on to cloud apps, and Azure AD Enterprise State Roaming.
AAD comes in three editions: Free, Basic, and Premium. The Free edition is limited to 500,000 user objects, while the Basic edition adds support for group-based access management and branding of the login pages. The Premium edition includes features such as self-service password reset and group management. More detailed information and prices can be found at Microsoft’s website.