Traditional AD vs. Azure AD Comparison Guide
September 16, 2021
By IANS Faculty
For most organizations, a hybrid strategy with both on-premises Active Directory (AD) and cloud-based Azure AD will make sense for some time, because each is best suited to different functions. On-prem AD is still more capable for systems management and control, while Azure AD is much more flexible for cloud-centric authentication and authorization. Azure AD also offers a wide variety of integration services that provide more parity than ever before with traditional AD capabilities. This piece details the main differences between the two tools and offers tips for deploying them successfully.
Differences Between Traditional AD and Azure AD
Azure AD differs from traditional on-prem AD in several ways:
- Azure AD is a cloud-oriented identity platform, designed primarily for internet-based cloud applications and services with HTTP/HTTPS access over Ports 80 and 443 for identity service communications.
- Azure AD users and groups are created in a flat structure, and Azure AD does not rely on organizational units (OUs) and group policy objects (GPOs).
- Most Azure AD queries use RESTful APIs over HTTPS, although LDAP is now supported with Azure AD Domain Services.
- Azure AD primarily uses web-enabled authentication protocols. It can use Kerberos authentication with the Azure AD Application Proxy, but it primarily uses Security Assertion Markup Language (SAML), System for Cross-domain Identity Management (SCIM) and OpenID Connect for authentication (and OAuth for authorization). Secure Shell Protocol (SSH), Remote Authentication Dial-In User Service (RADIUS) and other methods are supported, but often require significant architecture and/or application and service modifications.
- Azure AD is a leading single sign-on (SSO) and identity federation service, and many third-party services can integrate with and trust Azure AD.
Traditional AD vs. Azure AD Security Feature Comparison
Figure 1 lists the many security distinctions between Azure AD and traditional on-prem AD.
Figure 1: AD vs. Azure AD Feature Comparison

| Features/Capabilities | Traditional AD | Azure AD |
| --- | --- | --- |
| Provisioning | Users and groups are created manually or through central IT operational management platforms and applications | Most users are synchronized through SCIM or Azure AD Connect from on-prem or other identity stores |
| Entitlement and group membership allocation | Uses groups to allocate privileges to members and associate these with services and applications | Can use groups to allocate privileges as well, but it has an entirely separate entitlement engine that can create automation workflows and supports more time-based criteria for access |
| Administration and privilege management | Privileged groups and users are handled with domains, OUs and admin groups/roles, e.g. domain administrators | All administration and role-based control is handled through Azure role-based access control (RBAC) and privileged identity management (PIM) services. Credential management is also more flexible and cloud-ready. |
| Application access | Access is provisioned using Kerberos, NTLM and LDAP | Can support legacy access with the Azure AD Application Proxy, but also supports provisioning to cloud services and apps |
| Device access and management | Windows system management and controls are very mature and centrally manageable through group policy and tools like System Center Configuration Manager (SCCM) | Can manage systems through Azure AD Domain Services integration, use of the Microsoft Intune client, conditional access policies and managed identities |

Source: IANS, 2021
Migrating to Azure AD
When planning a move to Azure AD, organizations must keep several considerations in mind. To ensure success:
- Plan to employ both tools for the foreseeable future. On-prem AD is much better suited to management of legacy systems and applications (those primarily still in the data center), while Azure AD is best suited to cloud application access and enablement. User account synchronization is the primary area of overlap between them.
- Focus on what needs to be synchronized between the two. It’s important to plan the types of user attributes and elements you want/need to synchronize from your on-prem AD to Azure AD with Azure AD Connect. For example, there is some debate about whether organizations should sync password hashes to the Azure AD cloud. Microsoft offers an excellent primer with a decision flowchart.
- Plan to use Azure AD to provision access to cloud-based resources and services, not serve as the source of record for all services in a hybrid architecture. On-prem AD is still better for handling computer accounts, GPO-based security controls and group membership for internal applications, and user entity attributes should simply be synced to Azure AD for use in cloud-associated connectivity scenarios (at least to start).
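As an added example that is not part of the IANS article, the following read-only PowerShell inventories what an Azure AD Connect server is actually configured to send to the cloud (object classes, attributes and whether password hash sync is on), so the sync scope can be reviewed against the decisions made in the planning steps above. It assumes it runs on the Azure AD Connect server with the ADSync module installed, and the approved-attribute list is a constructed placeholder to be replaced with your own design.

```powershell
# Added example (not from the IANS article): review the sync scope configured
# in Azure AD Connect. Read-only: nothing in the sync configuration is changed.
Import-Module ADSync -ErrorAction Stop

# Assumed/constructed: the attribute set the organization approved for sync
# during its planning review. Replace with your own list.
$approvedAttributes = @(
    'sAMAccountName', 'userPrincipalName', 'displayName', 'givenName', 'sn',
    'mail', 'proxyAddresses', 'objectGUID', 'objectSid', 'userAccountControl'
)

# Tenant-wide feature flags and whether the scheduler is running at all.
$tenantFeatures = Get-ADSyncAADCompanyFeature
"Tenant-level password hash sync enabled : $($tenantFeatures.PasswordHashSync)"
"Sync scheduler cycle enabled            : $((Get-ADSyncScheduler).SyncCycleEnabled)"

# Only the on-prem AD connectors define what leaves the directory; the Azure AD
# connector is the destination. (Assumption: AD connectors report Type 'AD'.)
foreach ($connector in Get-ADSyncConnector | Where-Object { $_.Type -eq 'AD' }) {
    "`nConnector: $($connector.Name)"
    "  Object classes in scope : $($connector.ObjectInclusionList -join ', ')"

    # Per-forest password hash sync setting: this is where the "sync hashes or
    # not" decision from the planning step is actually enforced.
    $phs = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $connector.Name
    "  Password hash sync      : $($phs.Enabled)"

    # Attributes in the connector's inclusion list that are not on the approved
    # list. The default inclusion list is large, so expect a long first report;
    # narrowing it is done through sync rules, not by editing this list here.
    $unexpected = $connector.AttributeInclusionList |
        Where-Object { $approvedAttributes -notcontains $_ } | Sort-Object
    if ($unexpected) {
        "  Attributes synced but not on the approved list ($($unexpected.Count)):"
        $unexpected | ForEach-Object { "    - $_" }
    } else {
        "  All synced attributes are on the approved list."
    }
}
```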