AD vs Azure AD – confused about the difference? We get it – the distinction isn’t immediately clear.
Note: Microsoft renamed Azure AD to Entra ID in 2024
In this guide, we’ll be exploring the key differences between Active Directory (AD), Azure Active Directory (Azure AD) and their relevance to you.
What Is Active Directory?
AD stands for Active Directory. In order to understand what Active Directory is, you’ll need to understand the basics of a Domain Controller.
A Domain Controller is a server on the network that centrally manages access for users, PCs and servers on the network. It does this using AD.
Active Directory is a database that organises your company’s users and computers. It provides authentication and authorization to applications, file services, printers, and other resources on the network. It uses protocols such as Kerberos and NTLM for authentication and LDAP to query and modify items in the Active Directory databases.
Key Functions of AD
Active Directory Domain Services (to give it is full and proper name) run on the Domain Controller and have the following key functions:
- Secure Object store, including Users, Computers and Groups
- Object organization – Organisational Units (OU), Domains and Forests
- Common Authentication and Authorization provider
- LDAP, NTLM, Kerberos (secure authentication between domain joined devices)
- Group Policy – for fine grained control and management of PCs and Servers on the domain
So basically AD has a record of all your users, PCs and Servers and authenticates the users signing in (the network logon). Once signed in, AD also governs what the users are, and are not, allowed to do or access (authorisation). For example, it knows that John Smith is in the Sales Group and is not allowed to access the HR folder on the file server. It also allows control and management of PCs and Servers on the network via Group Policy (so for example you could set all users’ home page on their browser to be your intranet, or you can prevent users from installing other software etc).
Most established businesses will have AD running on one or more Domain Controllers on their network.
What are the Azure Active Directory benefits?
Azure AD Benefit 1
Azure AD is not simply a cloud version of AD as the name might suggest. Although it performs some of the same functions, it is quite different.
Azure Active Directory is a secure online authentication store, which can contain users and groups. Users have a username and a password which are used when you sign into an application that uses Azure AD for authentication. So for example all of the Microsoft Cloud services use Azure AD for authentication: Office 365, Dynamics 365 and Azure. If you have Office 365, you are already using Azure AD under the covers.
Azure AD Benefit 2
As well as managing users and groups, Azure AD manages access to applications that work with modern authentication mechanisms like SAML and OAuth. Applications are an object that exist in Azure AD, and this allows you to create an identity for your applications (or 3rd party ones) that you can grant access for users to. Besides seamlessly connecting to any Microsoft Online Services, Azure AD can connect to thousands of SaaS applications (e.g. Salesforce, Slack, ZenDesk etc) using a single sign-on.
When compared with AD, here is what Azure AD doesn’t do:
- You can’t join a server to it
- You can’t join a PC to it in the same way – there is Azure AD Join for Windows 10 only (see later)
- There is no Group Policy
- There is no support for LDAP, NTLM or Kerberos
- It is a flat directory structure – no OU’s or Forests
So Azure AD does not replace AD.
AD is great at managing traditional on-premise infrastructure and applications. Azure AD is great at managing user access to cloud applications. They do different things with the area of overlap being user management.
AD vs Azure AD – should you use one, the other or both?
If you have a traditional on-premise set up with AD and also want to use Azure AD to manage access to cloud applications (e.g. Office 365 or any of thousands of SaaS apps) then you can happily use both.
If you are using Office 365 then your users will have a username and password for that (managed by Azure AD), as well as a username and password for their network logon (managed by AD). These two sets of credentials are un-related. This is fine, and just means that if you have a password change policy that users will have to do this twice (and they could of course choose the same password for both).
Or you can synchronise AD with Azure AD so that the users only have one set of credentials which they use for both their network logon, and access to O365. You use Azure AD Connect to do this, it is a small free piece of Microsoft software that you install on a server to perform the synchronisation.
If you are a new business or one that is looking to transition away from having any traditional on-premise infrastructure and using purely cloud based applications, then you can operate purely using Azure AD.
In this case, although you will have all your applications in the cloud, you will of course still have physical devices – PCs and smart phones – that your team will use to access and work with these cloud applications.
So how do you secure and manage these devices?
In the case of PCs (this applies to Windows 10 only) you can Azure AD Join them and login to machines using Azure AD user accounts. You can apply conditional access policies that require machines to be Azure AD joined before accessing company resources or applications. However Azure AD Join provides limited functionality compared to AD Join (as there is no Group Policy) and in order to gain fine grained control over the PCs you would then use a Mobile Device Management solution, such as Microsoft Intune, in addition to this.
Other devices (Windows 10, iOS, Android, and MacOS) can be Azure AD Registered (which means you sign into the device itself without requiring an Azure AD account, but can then access apps etc using the Azure AD account) and controlled using Microsoft Intune.
If you can’t get all your applications as SaaS apps and have some that still need to run on your own servers, then you can migrate these to Virtual Machines (VMs) in Azure. If those VMs need to be domain joined, then you can either deploy a Domain Controller on another VM in Azure, or you can use Azure Active Directory Domain Services (Azure AD DS) which is a PaaS service (you don’t have to manage it) for domain joining Azure VMs. Azure AD DS automatically synchronises with Azure AD so all your users get the application access you want.
AD vs Azure AD Summary
In Summary, Azure AD is not simply a cloud version of AD, they do quite different things. AD is great at managing traditional on-premise infrastructure and applications. Azure AD is great at managing user access to cloud applications. You can use both together, or if you want to have a purely cloud based environment you can just use Azure AD.
Want to know more?
If you want to know more about the difference between AD vs Azure AD, Compete366 is here to help.
Contact Compete366 for a free discussion with one of our Office 365 or Azure consultants on how to take advantage of Azure AD and Azure, as well as to learn more about how to reduce your IT spend with ideal pricing.
Contact us
Want to keep in touch?
If you’ve enjoyed reading this blog, then sign up to receive our monthly newsletter where we share new blogs, technical updates, product news, case studies, company updates, Microsoft and Cloud news.
We promise that we won’t share your email address with other business or parties, and will keep your details safe. You can choose to unsubscribe at any time.
