Azure AD vs AD

Photo by Maro Luke on Unsplash


Microsoft's marketing department probably thought it was a bright idea to leverage the brand of AD during the launch of Azure's Identity and access management service. Many years later, it still confuses a lot of people.

In this article, I will describe, at a high level, the difference between the on-prem Microsoft Active Directory Domain Services (AD DS) and Azure Active Directory.

Active Directory DS

On-prem domain service

Microsoft's single source of truth on-prem is called Active Directory Domain Services, AD for short, or AD DS if you want to be accurate. It is based on LDAP (Lightweight Directory Access Protocol) and is used to serve information that should be accessible across an organization's entire on-prem domain.

AD can be used to manage employees' user accounts and the permissions those users have. The nice thing about AD is that it lets sysadmins manage a single user living in a centralized database of users instead of having to manage users and permissions on each individual system. Employees use that central account to access their computer, network shares, printers, wi-fi, and the other IT resources they have permission to access at the company. AD can also be used to manage computers with policies that define what is and is not allowed, and how the machines are configured.

In essence, AD is a fantastic tool for any organization to manage user accounts, privileges, and device configurations.

Azure AD

Cloud identity provider

Despite having a confusingly similar name to the on-prem Active Directory Domain Services, Azure Active Directory is only an identity and access management provider that Microsoft provides through their cloud platform Azure. It cannot be used like AD DS.

Azure AD can be used as the identity provider for any cloud service or web application that supports external identity providers, through OpenID Connect for authentication, OAuth2 for authorization, or SAML for both.

What's special about Azure AD is that it is used to manage the identities used to access resources in the Azure cloud, and to manage what sort of access permissions those users have. In other words, you can use an Azure AD identity to access VMs, storage, or any other type of resource in Azure.

Microsoft uses Azure AD for all its Cloud-based services. Because of this, you will even use an Azure AD identity to access PaaS services like Microsoft 365 (previously known as Office 365).
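When an application uses Azure AD as its identity provider over OpenID Connect, the part that actually matters for security is what the application does with the ID token it receives: it must verify the RS256 signature against the tenant's published signing keys and then pin the issuer, tenant and audience to its own registration. The following is an added example (not code from the article or from Microsoft) of that validation written against the Python standard library only. The tenant ID, client ID and the RSA key are constructed here; a real application fetches the key set from the tenant's OpenID Connect discovery document instead of generating one, and `mint_token` and `demo_keypair` exist only to build a token to validate offline.

```python
"""Offline validation of an Azure AD (OpenID Connect v2.0) ID token. Added example."""
import base64
import hashlib
import hmac
import json
import random
import time

# Hypothetical tenant and app registration values, constructed for this example.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"

# DER prefix of the SHA-256 DigestInfo used by PKCS#1 v1.5 signatures (RFC 8017, 9.2).
SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def emsa_pkcs1_v15_sha256(message: bytes, k: int) -> bytes:
    """Build the encoded message EM (0x00 0x01 PS 0x00 T) for a k-byte RSA modulus."""
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def rs256_verify(signing_input: bytes, signature: bytes, n: int, e: int) -> bool:
    """RSASSA-PKCS1-v1_5: recompute the expected EM and compare; never parse padding."""
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15_sha256(signing_input, k))


def validate_id_token(token: str, jwks: dict, tenant_id: str, client_id: str, now=None) -> dict:
    """Verify the signature and the Azure AD claims; return the claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("token is not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Only accept the algorithm we expect; the token must not get to choose (e.g. alg=none).
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")
    key = next((k for k in jwks.get("keys", [])
                if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    if not rs256_verify(signing_input, b64url_decode(sig_b64), n, e):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # The v2.0 issuer is tenant-specific: pin it so tokens from other tenants are rejected.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        raise ValueError("wrong issuer")
    if claims.get("tid") != tenant_id:
        raise ValueError("wrong tenant")
    if claims.get("aud") != client_id:  # the ID token must be meant for this app registration
        raise ValueError("wrong audience")
    now = int(time.time()) if now is None else now
    skew = 60  # tolerate small clock drift between Azure AD and this server
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"] + skew:
        raise ValueError("token expired")
    if claims.get("nbf", 0) > now + skew:
        raise ValueError("token not yet valid")
    return claims


def _probable_prime(bits: int) -> int:
    """Miller-Rabin search with fixed bases; demo-only key material, not for production."""
    while True:
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        d, r = n - 1, 0
        while d % 2 == 0:
            d, r = d // 2, r + 1
        for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
            x = pow(a, d, n)
            if x in (1, n - 1):
                continue
            for _ in range(r - 1):
                x = pow(x, 2, n)
                if x == n - 1:
                    break
            else:
                break  # composite witness found: try the next candidate
        else:
            return n


def demo_keypair(bits: int = 2048):
    """Constructed signing key standing in for Azure AD's; returns (public JWK, d, n)."""
    while True:
        p, q = _probable_prime(bits // 2), _probable_prime(bits // 2)
        n, phi, e = p * q, (p - 1) * (q - 1), 65537
        if p != q and phi % e:  # e is prime, so this guarantees gcd(e, phi) == 1
            break
    d = pow(e, -1, phi)
    jwk = {"kty": "RSA", "use": "sig", "kid": "demo-key-1",
           "n": b64url_encode(n.to_bytes((n.bit_length() + 7) // 8, "big")),
           "e": b64url_encode(e.to_bytes(3, "big"))}
    return jwk, d, n


def mint_token(claims: dict, kid: str, d: int, n: int) -> str:
    """Sign a token the way an issuer would; used only to construct demo input here."""
    header = {"typ": "JWT", "alg": "RS256", "kid": kid}
    signing_input = ".".join(b64url_encode(json.dumps(x).encode()) for x in (header, claims))
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15_sha256(signing_input.encode("ascii"), k), "big")
    return signing_input + "." + b64url_encode(pow(m, d, n).to_bytes(k, "big"))


if __name__ == "__main__":
    jwk, d, n = demo_keypair()
    t = int(time.time())
    good = {"iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0", "tid": TENANT_ID,
            "aud": CLIENT_ID, "sub": "user-object-id", "iat": t, "nbf": t, "exp": t + 3600}
    print("accepted:", validate_id_token(mint_token(good, "demo-key-1", d, n), {"keys": [jwk]},
                                         TENANT_ID, CLIENT_ID)["sub"])
    for bad in ({**good, "aud": "some-other-app"}, {**good, "exp": t - 7200}):
        try:
            validate_id_token(mint_token(bad, "demo-key-1", d, n), {"keys": [jwk]}, TENANT_ID, CLIENT_ID)
        except ValueError as err:
            print("rejected:", err)
```

Two design points are worth calling out. The signature check rebuilds the expected PKCS#1 v1.5 encoding and compares it in constant time instead of parsing the padding out of the decrypted value, which removes a whole class of verification bugs. And the issuer, `tid` and `aud` are all pinned to the app's own tenant and client ID; a multi-tenant application would relax only the tenant check, and deliberately. The issuer format shown is the one Azure AD uses for v2.0 tokens; tokens from the v1.0 endpoint carry an issuer of the form `https://sts.windows.net/{tenant-id}/`, so an application accepting those must pin that string instead.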

Azure AD Connect

Same sign-in

To add value for organizations that have an Active Directory domain running on-prem, it's possible to install an Azure AD Connect agent on the domain controllers on-prem. This agent syncs the users and groups belonging to selected organizational units (OUs) in AD DS to Azure AD.

Once the users are synced to Azure AD, it's possible to enable pass-through authentication and password hash synchronization. This makes it possible to use Azure AD as an identity provider, where users can use the same username and password in the cloud, as on-prem.

It's important to note that Azure AD Connect does not provide a "single sign-on", but rather a "same sign-in". You will not use the same session token to sign in to your on-prem AD user when you have signed in to Azure or the other way around. You will simply use the same credentials to authenticate on-prem and in Azure.

Pass-through authentication takes the authentication request coming from the cloud, passes it to the on-prem AD domain controller, and has the domain controller validate the credentials. With password hash synchronization, the password hash that is stored on-prem is synchronized to Azure AD. This enables Azure AD to validate the password itself instead of relying on the on-prem domain controller.

To make the synchronization of identities between Azure AD and AD DS complete, it's possible to activate password write-back. This feature lets users reset and change the password for their user account in Azure AD and then writes that password hash back to the on-prem domain controller. That way the user will always have the same username and password on-prem and in the cloud.