On-Premises Active Directory vs. Azure Active Directory
Since the introduction of Windows 2000 Server some 22 years ago, managing an organization’s technology systems typically means purchasing Windows servers, configuring Active Directory and maintaining the corresponding domain. The advent and popularity of cloud services, however, is changing how many companies administer their technology environments. IT administrators now have choices when managing users and permissions and determining how identity management, authentication and authorization processes occur. Just because cloud services are growing in popularity, though, doesn’t mean companies can jump to using Microsoft’s cloud-based Azure Active Directory services and abandon on-premises Active Directory installations altogether.
Chances are, unless you’re an IT professional, you may not immediately appreciate the differences between on-premises Active Directory and Azure Active Directory, or even fully understand the role Active Directory fulfills within an organization. Whether you’re seeking to better understand your options or make sense of information and guidance you’re receiving from an in-house IT team or consultant, here’s what you need to know about on-premises Active Directory and Azure Active Directory, two Microsoft solutions that assist IT administrators in managing and securing their systems.
What is the difference?
Active Directory refers to the hierarchical database within Microsoft Windows servers that collects information about users, computers, security certificates, federation services, rights management services and similar elements. These objects are used in concert with permissions set by administrators to authenticate and authorize users and computers on the network and provide access to various files and information, applications and services.
In other words, Active Directory stores many objects within its database. That object information is used to confirm that a user or system is who it claims to be, and to grant or restrict permissions to resources. Thus, Active Directory is both a directory of information about users and systems and a collection of services that determine what those users and systems are permitted to do.
Typically, Active Directory lives on-premises on servers physically present on the customer site. Azure Active Directory, however, resides upon Microsoft servers within Microsoft’s cloud computing infrastructure. While performing some similar functions, Azure Active Directory is actually quite different from on-premises Active Directory.
With on-premises Active Directory, you’re responsible for purchasing the server hardware and Windows operating system and licenses, installing and configuring the environment, and administering and maintaining the services and software on what are typically called domain controllers, as controlling the “domain” is among the functions such servers fulfill. Often, multiple servers are maintained for a variety of purposes, including redundancy, powering other services, file sharing and application hosting. Each additional server compounds the work of purchasing hardware, installing and maintaining server operating systems and licenses, installing and configuring software, administering and maintaining the infrastructure, securing the systems (including physically) and backing up the servers.
But the differences between on-premises Active Directory and Azure Active Directory are not limited just to the location and who owns the servers upon which Active Directory services run. With on-premises Active Directory, objects are organized within a domain. Multiple domains can be collected within trees. And trees can be collected within a forest.
Azure Active Directory is a comparatively flat construct. With Azure Active Directory, the tenant is the dedicated instance created with Microsoft for your organization. It’s within this tenant that authentication and authorization services are fulfilled when working with Azure Active Directory and other Microsoft 365 services. Azure Active Directory also includes components specifically designed for the cloud environment.
The protocols, or communications mechanisms, the two Active Directory implementations use are different, too. On-premises Active Directory typically relies upon the older NT LAN Manager (NTLM) and Kerberos protocols, whereas Azure Active Directory uses newer technologies, including OAuth and OpenID Connect.
The authorization of access, a critical Active Directory service, occurs differently on the two platforms, too. On-premises Active Directory uses security groups. A security group is essentially a collection of user accounts to which permissions are assigned; permissions can also be assigned directly to individual accounts for more granular control. While security groups provide extensive security customization, they can become unwieldy in a larger organization or as a smaller organization grows.
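Why security groups become unwieldy is easiest to see when groups are nested inside other groups, which on-premises Active Directory allows. The following is an added example, not code from the original article, that resolves a user’s effective groups and permissions across nesting (including a nesting cycle) and explains the chain by which a permission was inherited. The directory contents, group names and permission strings are all constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample directory: each security group maps to its direct members,
# which may be user accounts or other (nested) groups. All names are hypothetical.
GROUP_MEMBERS = {
    "Domain Users": {"alice", "bob", "carol"},
    "Finance": {"alice", "Finance-Leads"},   # Finance nests Finance-Leads...
    "Finance-Leads": {"carol", "Finance"},   # ...and Finance-Leads nests Finance: a cycle
    "Payroll-RW": {"Finance-Leads"},         # only leads were meant to get payroll write access
    "Server-Admins": {"bob"},
}

# Permissions granted to each group (constructed resource names).
GROUP_PERMISSIONS = {
    "Domain Users": {"read:intranet"},
    "Finance": {"read:finance-share"},
    "Payroll-RW": {"write:payroll"},
    "Server-Admins": {"admin:servers"},
}


def build_parent_index(group_members):
    """Invert group -> members into member -> groups that list it directly."""
    parents = defaultdict(set)
    for group, members in group_members.items():
        for member in members:
            parents[member].add(group)
    return parents


def effective_groups(principal, group_members):
    """Every group the principal belongs to, directly or through nesting.
    The visited set makes the walk terminate even when groups nest each other."""
    parents = build_parent_index(group_members)
    seen, stack = set(), [principal]
    while stack:
        current = stack.pop()
        for group in parents.get(current, ()):
            if group not in seen:
                seen.add(group)
                stack.append(group)
    return seen


def effective_permissions(principal, group_members, group_permissions):
    """Union of the permissions of all effective groups."""
    perms = set()
    for group in effective_groups(principal, group_members):
        perms |= group_permissions.get(group, set())
    return perms


def membership_path(principal, target_group, group_members):
    """Shortest chain principal -> group -> ... -> target_group, or None if not a member.
    This answers the audit question 'why does this user have this access?'"""
    parents = build_parent_index(group_members)
    came_from = {principal: None}
    queue = deque([principal])
    while queue:
        current = queue.popleft()
        if current == target_group:
            path = []
            while current is not None:
                path.append(current)
                current = came_from[current]
            return path[::-1]
        for group in sorted(parents.get(current, ())):  # sorted for deterministic output
            if group not in came_from:
                came_from[group] = current
                queue.append(group)
    return None


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, sorted(effective_permissions(user, GROUP_MEMBERS, GROUP_PERMISSIONS)))
    # alice was never added to Payroll-RW, yet the nesting cycle grants it:
    print(membership_path("alice", "Payroll-RW", GROUP_MEMBERS))
```

In this constructed directory, alice is only a plain Finance member, but because Finance-Leads nests Finance and Payroll-RW nests Finance-Leads, she ends up with write access to payroll. Periodically computing effective permissions this way, rather than reading direct memberships, is how such least-privilege drift is caught.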
Group policy is another important on-premises Active Directory service. Group policies permit centralizing user management controls and applying a wide range of access settings and restrictions depending upon which user or device is attempting to access a resource.
Azure Active Directory, on the other hand, doesn’t include group policies. Devices are instead managed using another Microsoft 365 solution: Microsoft Intune. Azure Active Directory also offers Microsoft 365 groups, formerly Office 365 groups, which are similar to a security group in that they list members while also connecting to resources—such as Microsoft Azure, Exchange, Planner and SharePoint—and can include members outside your organization.
Azure Active Directory roles, meanwhile, enable setting specific permissions for different administrators. The feature proves especially helpful in larger organizations that need to control and manage many IT administrators working across different tenants, organizations, services and resources.
It might help to think of Azure Active Directory as geared toward administering cloud identity and access management, whereas on-premises Active Directory is a true, comprehensive directory service. It uses a hierarchical rather than flat structure that can be queried using LDAP (often used by other applications and services), and it provides numerous other services, including certificate, federation, rights management and traditional domain services roles, as well as enabling organizational units (OUs), group policy objects (GPOs) and trusts between domains.
Azure Active Directory supports federation services, too. Federation services are important, as they provide a mechanism whereby administrators can enable single sign-on (SSO) capabilities for users, thereby eliminating the need to remember numerous complex passwords for multiple applications and networks.
Fortunately, your organization need not choose one or the other. On-premises Active Directory can be supplemented with Azure Active Directory. And on-premises Active Directory federation services can be linked with Azure Active Directory to help ensure all authentication involves a local (on-premises) component, since some administrators prefer the more rigorous control this provides over what the cloud can offer by itself.
Microsoft 365 apps and services can also connect with an organization’s servers running Active Directory on-premises using Azure Active Directory Connect, a service that runs on the server locally and accesses local Active Directory information within the Windows domain. The Azure connector then synchronizes information between the local Active Directory database and Azure Active Directory information held in the cloud.
Benefits and Features
Among the reasons your organization might retain on-premises Active Directory is the continued use of older or proprietary programs that aren’t cloud friendly or cloud capable. Security concerns are another reason, as are compliance requirements and even business continuity and disaster planning priorities.
Azure Active Directory does offer several compelling benefits that warrant considering its use. For example, Azure Active Directory can alert IT administrators to credential hacking attempts. The Microsoft cloud solution also simplifies integration of single sign-on platforms and boasts enhanced self-service capabilities permitting business users to perform some basic Active Directory administration within preconfigured parameters—such as adjusting an existing user’s permissions—without requiring IT department intervention.
Using Azure Active Directory, administrators can also manage Microsoft service licenses directly from within Azure’s administrative portal. Other Azure Active Directory features include privileged identity management (PIM), an Azure Active Directory service that permits managing, controlling and monitoring access to resources—such as Microsoft Azure, Intune and Microsoft 365 resources—within your company. The capability can help prevent authorized users from mistakenly receiving access to sensitive information and helps protect against hackers gaining access to internal systems and information.
Tenant restriction capabilities are another Azure Active Directory feature. With tenant restrictions, administrators can limit the access users receive to different tenants, thereby better protecting against users (particularly other administrators) receiving access to other tenant organizations and software as a service (SaaS) applications.
Protecting identities—ensuring users and systems are indeed who they claim to be—is another important check that Azure Active Directory assists with in multiple ways. Azure Active Directory Identity Protection, for example, draws on large amounts of data to help your organization automate the detection and resolution of identity-based risks (such as an unauthorized user or hacker claiming to be a specific employee), investigate risks and export risk detection information—including audit logs, sign-in information and multifactor authentication (MFA) data—to other tools for additional follow-up and resolution.
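The credential-attack alerting mentioned under the benefits above and the exported sign-in information described here come together in the kind of detection logic a security team runs over sign-in logs. The following is an added example, not code from the original article or from Microsoft, that reads constructed sign-in records and raises two classic identity-risk alerts: impossible travel (one account succeeding from two places too far apart for the elapsed time) and a password spray (one source failing against many distinct accounts in a short window). The log lines, field names, thresholds and function names are all this example’s own assumptions; a real export has many more fields.

```python
import json
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records, one JSON object per line (hypothetical field names).
SAMPLE_SIGNIN_LOG = """\
{"time": "2024-03-01T08:00:00Z", "user": "alice@example.com", "ip": "203.0.113.10", "result": "success", "city": "Louisville", "lat": 38.25, "lon": -85.76}
{"time": "2024-03-01T08:40:00Z", "user": "alice@example.com", "ip": "198.51.100.7", "result": "success", "city": "Frankfurt", "lat": 50.11, "lon": 8.68}
{"time": "2024-03-01T09:00:00Z", "user": "bob@example.com", "ip": "203.0.113.10", "result": "success", "city": "Louisville", "lat": 38.25, "lon": -85.76}
{"time": "2024-03-01T09:10:00Z", "user": "bob@example.com", "ip": "203.0.113.10", "result": "success", "city": "Louisville", "lat": 38.25, "lon": -85.76}
{"time": "2024-03-01T09:12:00Z", "user": "carol@example.com", "ip": "192.0.2.55", "result": "failure", "city": "Unknown", "lat": null, "lon": null}
{"time": "2024-03-01T09:12:05Z", "user": "dave@example.com", "ip": "192.0.2.55", "result": "failure", "city": "Unknown", "lat": null, "lon": null}
{"time": "2024-03-01T09:12:09Z", "user": "erin@example.com", "ip": "192.0.2.55", "result": "failure", "city": "Unknown", "lat": null, "lon": null}
{"time": "2024-03-01T09:12:14Z", "user": "frank@example.com", "ip": "192.0.2.55", "result": "failure", "city": "Unknown", "lat": null, "lon": null}
{"time": "2024-03-01T09:12:20Z", "user": "grace@example.com", "ip": "192.0.2.55", "result": "failure", "city": "Unknown", "lat": null, "lon": null}
{"time": "2024-03-01T09:30:00Z", "user": "bob@example.com", "ip": "203.0.113.10", "result": "failure", "city": "Louisville", "lat": 38.25, "lon": -85.76}
"""


def parse_signins(text):
    """Parse JSON-lines sign-in records, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        record["time"] = datetime.strptime(record["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(record)
    return events


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def detect_impossible_travel(events, max_speed_kmh=900.0):
    """Flag consecutive successful sign-ins by one user whose implied speed exceeds an airliner's."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "success" and e["lat"] is not None:
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (cur["time"] - prev["time"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")  # same instant, different place
            if km > 0 and speed > max_speed_kmh:
                alerts.append({"user": user, "from": prev["city"], "to": cur["city"],
                               "km": round(km), "speed_kmh": round(speed)})
    return alerts


def detect_password_spray(events, min_users=5, window_minutes=10):
    """Flag a source IP that fails authentication against many distinct accounts within a window.
    A single user mistyping a password (few accounts, one source) does not trip this."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            by_ip[e["ip"]].append(e)
    window = timedelta(minutes=window_minutes)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(users) >= min_users:
                alerts.append({"ip": ip, "distinct_users": len(users),
                               "first_seen": start["time"].isoformat()})
                break  # one alert per source is enough
    return alerts


def analyze_signin_log(text):
    """Run both detections over a JSON-lines sign-in log and return the alerts."""
    events = parse_signins(text)
    return {"impossible_travel": detect_impossible_travel(events),
            "password_spray": detect_password_spray(events)}


if __name__ == "__main__":
    print(json.dumps(analyze_signin_log(SAMPLE_SIGNIN_LOG), indent=2))
```

In the constructed data alice succeeds in Louisville and, 40 minutes later, in Frankfurt, roughly 7,100 km away, which no legitimate session can explain; and one source address fails against five different accounts within 20 seconds, while bob’s lone failure from his usual address is correctly ignored. Both alerts are the sort of thing worth feeding back into the MFA and sign-in policy decisions the paragraph describes.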
Identity Secure Score is another Azure Active Directory security mechanism. Microsoft describes the Azure Active Directory identity secure score as the “percentage that functions as an indicator for how aligned you are with Microsoft’s best practice recommendations for security.” The score provides organizations an objective measure they can use to plan identity security improvements, measure the success of enhancements and further improve their security posture.
Azure Active Directory’s greater flexibility and its capacity to scale as quickly or slowly as an organization requires provide other benefits, too. With the cloud solution, organizations don’t need to build out and maintain additional servers now to prepare for future growth later. Costs improve as a result.
But it’s important to remember Azure Active Directory isn’t just a cloud version of on-premises Active Directory which, especially for small and medium-size businesses (SMBs), continues providing a cost-effective and granular method for administering systems, securing resources and planning for contingencies. As cloud trends continue, however, it’s likely inevitable that even SMBs will need to familiarize themselves with the Azure alternative and understand the differences.
If you have questions regarding which Active Directory solution is best for your organization, or if you’re curious how supplementing your on-premises Active Directory installation with the Azure cloud-based option can bolster your organization’s own security posture, reach out to a Louisville Geek expert today. Just call 502-897-7577 or email [email protected]