Azure Active Directory

Active Directory Domain Services (AD DS)

AD DS is the traditional deployment of Windows Server-based Active Directory on a physical or virtual server. Although AD DS is commonly considered to be primarily a directory service, it is only one component of the Windows Active Directory suite of technologies, which also includes:

  • Active Directory Certificate Services (AD CS)
  • Active Directory Lightweight Directory Services (AD LDS)
  • Active Directory Federation Services (AD FS)
  • Active Directory Rights Management Services (AD RMS).

Although you can deploy and manage AD DS in Azure virtual machines, it is recommended you use Azure AD instead, unless you are targeting IaaS workloads that depend on AD DS specifically. AD DS has these characteristics:

  • True directory service with a hierarchical X.500-based structure
  • Uses Organizational Units (OUs) and Group Policies (GPOs)
  • Can be queried and managed through LDAP calls
  • Primarily uses Kerberos for authentication
  • Uses DNS for locating resources such as domain controllers.

Azure Active Directory Domain Services (Azure AD DS)

Azure AD Domain Services provides a managed AD domain in an Azure virtual network. You can join machines to this managed domain using traditional domain-join mechanisms.

  • Azure AD also enables you to manage the identity of devices used by your organization and control access to corporate resources from these devices.
  • Azure AD joined devices give you the following benefits:
    • Single-sign-on (SSO) to applications secured by Azure AD.
    • Enterprise policy-compliant roaming of user settings across devices.
    • Access to the Windows Store for Business using your corporate credentials.
    • Windows Hello for Business
    • Restricted access to apps and resources from devices compliant with corporate policy.
  • Authentication: Kerberos, NTLM protocols
  • Management: Group policy
  • Great for server virtual machines deployed in Azure

Azure Active Directory (Azure AD):

  • Azure AD is a multi-tenant cloud-based identity management system that runs within Azure.
  • It is a Platform as a Service (PaaS) offering and can integrate with on-premises Active Directory Domain Services (AD DS).
  • It provides authentication and authorization for cloud identity, synchronized identity and federated identity.
  • You only manage the users, groups, and policies.
  • One of the main differences between Azure AD and Azure AD DS is the way devices are registered and joined.
  • Great for end-user mobile or desktop devices
  • Azure AD for cloud applications:
    • Cloud services such as Office 365, Microsoft Dynamics CRM, and Intune require a directory
    • Each cloud service can have its own directory
    • Azure AD can serve as a single directory for multiple cloud services.
    • Azure AD can enable SSO
    • Azure AD can be integrated with custom apps.
  • Azure AD is different from AD DS:
    • Identity solution: Azure AD is primarily an identity solution, and it is designed for Internet-based applications by using HTTP and HTTPS communications.
    • REST API Querying: Because Azure AD is HTTP/HTTPS based, it cannot be queried through LDAP. Instead, Azure AD uses the REST API over HTTP and HTTPS.
    • Communication Protocols: Because Azure AD is HTTP/HTTPS based, it does not use Kerberos authentication. Instead, it uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID Connect for authentication (and OAuth for authorization).
    • Federation Services: Azure AD includes federation services and can federate with many third-party identity providers (such as Facebook).
    • Flat structure: Azure AD users and groups are created in a flat structure, and there are no Organizational Units (OUs) or Group Policy Objects (GPOs).
  • Benefits:
    • Seamless single sign-on (SSO)
    • Multi-factor authentication (MFA)
    • Device registration
    • Privileged account management
    • Privileged identity management
    • Self-service password and group management
    • Role-based access control (RBAC)
    • Application usage monitoring
    • Auditing and security alerts
    • Identity protection
  • Azure Active Directory Editions:
    • Free: Designed to introduce system administrators to Azure Active Directory.
      • This version includes common features such as directory objects, user/group management, single sign-on, self-service password change, on-premises connect, and security/usage reports.
    • Basic: Designed for task workers with cloud-first needs, this edition provides cloud centric application access and self-service identity management solutions.
      • With the Basic edition of Azure Active Directory, you get productivity enhancing and cost reducing features like group-based access management, self-service password reset for cloud applications, and Azure Active Directory Application Proxy (to publish on-premises web applications using Azure Active Directory), all backed by an enterprise-level SLA of 99.9 percent uptime.
    • Premium P1: Designed to empower organizations with more demanding identity and access management needs, Azure Active Directory Premium edition adds feature-rich enterprise-level identity management capabilities and enables hybrid users to seamlessly access on-premises and cloud capabilities.
      • This edition includes everything you need for information worker and identity administrators in hybrid environments across application access, self-service identity and access management (IAM), and security in the cloud.
    • Premium P2: Azure Active Directory Premium P2 includes every feature of all other Azure Active Directory editions enhanced with advanced identity protection and privileged identity management capabilities.
  • Azure Active Directory B2C: Azure Active Directory (Azure AD) B2C is an identity management service that enables you to customize and control how customers sign up, sign in, and manage their profiles when using your applications. This includes applications developed for iOS, Android, and .NET, among others. Azure AD B2C enables these actions while protecting your customer identities at the same time.
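The practical consequence of "OpenID Connect for authentication, no Kerberos" is that an application trusting Azure AD must validate a signed ID token itself: signature, issuer (which embeds the tenant), audience (the app's client id), tenant and validity window. The following is an added example, not code from the page or from Microsoft; the tenant id, client id and key are constructed placeholders, and it signs with HMAC-SHA256 so it runs offline, whereas real Azure AD tokens are RS256-signed with keys fetched from the tenant's JWKS endpoint.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values (placeholders, not real identifiers).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
DEMO_KEY = b"demo-shared-secret-not-a-real-key"
# Well-known v2.0 issuer format: the tenant id is part of the issuer string.
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWS (header.payload.signature) with HS256 (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_id_token(token: str, key: bytes = DEMO_KEY, now=None) -> dict:
    """Check signature, then the claims binding the token to our tenant and app.
    Raises ValueError on any failure and returns the claims on success."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a three-part JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":      # reject 'none' or any unexpected algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:       # must be minted by our tenant
        raise ValueError("wrong issuer")
    if claims.get("aud") != CLIENT_ID:    # and addressed to this application
        raise ValueError("wrong audience")
    if claims.get("tid") != TENANT_ID:
        raise ValueError("wrong tenant")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token not yet valid or expired")
    return claims
```

A token for another application in the same tenant, or from another tenant, passes the signature check but fails on `aud` or `iss`, which is why those claim checks are not optional.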

About Ishtiaque

I am IBM Certified Infrastructure Systems Architect, Linux Foundation Certified System Administrator, Oracle Certified Programmer in Java and Web Component Developer, and TOGAF 9 certified with over 10 years of support and development experience in IBM middleware software and Java. Additionally, I have a sound grip in databases and OpenStack administration. I hold the following certifications:

  • IBM Certified Infrastructure Systems Architect
  • Linux Foundation Certified System Administrator (LFCS)
  • TOGAF 9 Certified
  • Oracle Certified Expert, Java EE6 Web Component Developer
  • Oracle Certified Professional – Java 6 Programmer
  • ITIL v3 Foundation Certified
  • IBM Certified Solution Architect – Cloud Computing Infrastructure V1
  • IBM Certified System Administrator – WebSphere Portal V8, V7, V6.1, V6
  • IBM Certified System Administrator – WebSphere Application Server V7, V6.1
  • IBM Certified System Administrator – AIX V7
  • IBM Certified System Administrator – WebSphere MQ V7
  • IBM Certified Deployment Professional – Business Process Manager Advanced V7.5
  • IBM Certified Solution Advisor – Cloud Computing Architecture V3
  • IBM Certified Solution Developer – WebSphere Portal V5.1