Microsoft's marketing department probably thought it was a bright idea to leverage the brand of AD during the launch of Azure's Identity and access management service. Many years later, it still confuses a lot of people.

In this article, I will describe on a high level the difference between the On-prem Microsoft Active Directory Domain Services (AD DS), and Azure Active Directory.

Microsoft's single source of truth on-prem is called Active Directory Domain Services. AD for short, or AD DS if you want to be accurate. It is based on LDAP (Lightweight Directory Access Protocol) and is used to serve information that should be accessed across the entire domain on-prem, for an organization.

AD can be used to manage employees' user accounts, and what permissions those users have. The nice thing about AD is that it enables sysadmins to manage a single user living in a centralized database of users instead of having to manage users and permission on each individual system. The employees use that central user to access their computer, network shares, printers, wi-fi, and other IT resources they have permission to access at the company. AD can also be used to manage computers with policies that define what is allowed and not allowed, and how they are configured.

In essence, AD is a fantastic tool for any organization to manage user accounts, privileges, and device configurations.

Despite having a confusingly similar name to the on-prem Active Directory Domain Services, Azure Active Directory is only an identity and access management provider that Microsoft provides through their cloud platform Azure. It cannot be used like AD DS.

Azure AD can be used for any cloud service or web application that supports external identity providers through OpenID Connect for authentication, OAuth2 for authorization, or SAML for a combination.

What's special about Azure AD is that it is used to manage the identities used to access resources in the Azure cloud, and to manage what sort of access permissions those users have. In other words, you can use an Azure AD identity to access VMs, storage, or any other type of resource in Azure.

Microsoft uses Azure AD for all its Cloud-based services. Because of this, you will even use an Azure AD identity to access PaaS services like Microsoft 365 (previously known as Office 365).

To add value for organizations that have an Active Directory domain running on-prem, it's possible to install an Azure connect agent on the domain controllers on-prem. This agent will sync users and groups belonging to select organizational units (OU's) in AD DS to Azure AD.

Once the users are synced to Azure AD, it's possible to enable pass-through authentication and password hash synchronization. This makes it possible to use Azure AD as an identity provider, where users can use the same username and password in the cloud, as on-prem.

Pass-through authentication takes the authentication request coming from the cloud, passes it to the on-prem AD domain controller, and makes it validates the authentication. With password hash synchronization the password hash that is stored on-prem is synchronized to Azure AD. This enables Azure AD to validate the password instead of the on-prem domain controller.

To make the synchronization of identities between Azure AD and AD DS complete it's possible to active password write-back. This feature makes it possible for users to reset and change passwords for their user account with Azure AD and then write that password hash back to the on-prem domain controller. That way the user will always have the same username and password on-prem and in the cloud.