More and more businesses are migrating their workloads to the public cloud and that’s great news. The cloud is flexible, scalable, secure and cost effective (when done correctly) – only 4 of many buzzwords that makes people want to get rid of all their servers, including domain controllers. In real life it’s not that simple. In this post I’ll talk about the differences between Active Directory, Azure AD & Azure AD Domain Services.
Azure AD is not Active Directory!
A lot of people think that Azure AD is a hosted version of Active Directory. This is wrong. Active Directory is a directory service that supports (older) protocols like NTML and Kerberos. Azure AD is a cloud-based identity and access management service that can be used to sign in to thousands of internal and external services by using modern protocols like OAuth 2.0.
When replacing Active Directory with Azure AD you need to be aware of all the pros and cons of it. Have a look at the list below to fully understand the impact of migrating to Azure AD. This is not a full list but it highlights the major differences that are important for a lot of admins.
UPDATE DECEMBER 2021: Azure AD now supports Kerberos Authentication (preview): Azure AD Kerberos authentication (Preview) | Microsoft Docs
What are the main differences?
Organizational Units don’t exist in Azure AD. Therefore, grouping your users and devices (by country, by department, ..) isn’t a thing in Azure AD. The only way of doing this (sort of) is by creating Azure AD Groups. A group can contain both users and devices and they can be added manually or dynamically.
OU’s are often (most of the time) used to scope Group Policy Objects in your on-premises environment. In Azure AD, GPO’s don’t exist. If you need a way to controll your devices you need to use Microsoft Intune. Be aware that Intune is more limited than the classic GPO’s and that not everything is possible (yet).
Lightweight Directory Access Protocol (LDAP) is not supported. It’s very important to understand this because a lot of (legacy) applications make use of LDAP(S). It’s possible to enable LDAP(S) on your Azure AD tenant by enabling Azure AD Domain Services but this comes with a lot of limitations which i’ll discuss below.
With an Active Directory Domain you need line of sight to one of the domain controllers. With Azure AD, this is not the case. An internet connection is enough to download the latest configuration policies and security settings. This is a big advantage for BYOD devices and for workers that are on the road all the time.
Active Directory Federation Services is a service that can be replaced by features like pass-through authentication with seamless single sign-on. This set-up can enable SSO without the overhead of maintaining ADFS & ADFS proxy servers (you still need Azure AD Connect!).
Azure AD Domain Services
Azure AD Domain Services is Microsoft’s answers to cloud-only customers that need features like LDAP, Kerberos, GPO’s and more. It’s very simple to set-up and not that expensive. Azure AD DS is the solution to lift-and-shift your legacy application to the cloud without refactoring. Be aware that Azure AD Domain Services is not a managed Active Directory domain with full functionality.
- You can join clients/servers to AADDS but line-of-sight is required. You’ll lose the advantage of Azure AD that’s ‘available everywhere’. You shouldn’t use it as a replacement for your on-premises domain controllers.
- The AADDS domain is a read-only copy of your Azure AD tenant. Everything that is created/changed in the AADDS domain is not written to Azure AD. Things like Account Lockouts aren’t written back to Azure AD and can cause confusion.
- All users in the AADDS domain are completely different identies than the Azure AD users – they simple happen to have the same name because of the synchronization.
- You’ll have limited permissions on the AADDS domain, you’re not a domain administrator.
- Not all AD Attributes, like ProxyAddresses, are available in AADDS. This is a limitation since a lot of services (like anti-spam services) make use of these attributes.
- You can’t extend your on-premises domain to AADDS.
Should we move?
Azure AD is a managed service with an uptime of 99.9%. It can be used to manage access to thousands of services and is with more than 8 billion authentications a day it’s the by far the most used identity system in the world and can be made extremely secure by configuring features like multi-factor authentication and conditional access. Eventually all domains will be replaced by Azure AD tenants (in the far far future) but it’s your choice to decide if your environemnt is ready for it.
Already using Azure Active Directory? Have a look at my best practices guide: https://azurescene.com/azure-active-directory-best-practices/