What is Active Directory
Once upon a time, IT pros believed that the risks of a data breach and compromised credentials were high enough to delay putting data on the cloud. After all, no organization wants to be a trending headline, announcing yet another data breach to the world. But over time with improved security, wider adoption and greater confidence, tech anxiety subsides and running cloud-based applications such as Microsoft’s subscription-based service Office 365 feels like a natural next step.
Once users are on Office 365, which directory do admins manage: Windows Server AD, Azure AD, or both? How are on-premises AD and Azure AD similar, and how are they different?
In this post, I will discuss the similarities, differences, and a few things in between.
Windows Active Directory: What We Know
Let’s start with what we know about Active Directory Domain Services.
First released with Windows 2000 Server edition, Active Directory is essentially a database that helps organize your company’s users, computers and more. It provides authentication and authorization to applications, file services, printers, and other on-premises resources. It uses protocols such as Kerberos and NTLM for authentication and LDAP to query and modify items in the AD databases.
There’s also that wonderful Group Policy feature to streamline user and computer settings throughout a network.
With so many security groups, user and admin accounts, and passwords stored in Active Directory, as well as identity and access rights managed there as well, securing AD is key to safeguarding an organization’s assets.
Now with emails, files, CRM systems and even applications stored in the cloud, can we be as confident they’re as safe as when they were in the company’s own servers?
Active Directory Service in the Cloud
As new startups and organizations build their companies, they most likely won’t have any on-premises data, and the huge shocker is that they also won’t be creating forests and domains in AD. I’ll get more into this later.
But organizations with existing infrastructure have already made a significant investment on premises and will have to work out a new way of operating their business.
Why? Azure AD is central to Microsoft’s direction. So if you’re already using any of Microsoft’s online services such as Office 365, SharePoint Online or Exchange Online, you’ll have to figure out how to navigate your way around it. And adoption is already well under way: organizations are rapidly taking up cloud-based apps and, by some counts, running them nearly 50% of the time.
Azure Active Directory: What’s Different
First, you should know that Windows Server Active Directory wasn’t designed to manage web-based services: Kerberos and NTLM assume clients that can reach a domain controller, and LDAP is not something a browser speaks.
Azure Active Directory, on the other hand, was built for web-based services. It is administered through REST APIs (Microsoft Graph) and provides identity to Office 365, Salesforce.com and other SaaS apps. Instead of Kerberos and NTLM it speaks the web’s identity protocols (SAML 2.0, OAuth 2.0 and OpenID Connect), with sign-in expressed as signed tokens rather than tickets. (If a cloud workload still needs Kerberos, NTLM or LDAP, that is what the separate Azure AD Domain Services offering provides; plain Azure AD does not.)
As I pointed out earlier, with Azure AD you won’t be creating forests and domains. Instead, you’ll have a tenant, which represents an entire organization. In fact, once you sign up for Office 365, SharePoint Online or Exchange Online, you automatically get an Azure AD tenant, where you manage all the users in the company as well as their passwords, permissions, user data, etc.
Besides connecting seamlessly to Microsoft Online Services, Azure AD can provide single sign-on to hundreds of SaaS applications, so employees reach the organization’s data without repeatedly logging in. After one interactive sign-in, Azure AD issues signed tokens that the employee’s device caches and presents to each application. A cached token is a bearer credential, so device security matters as much as the password did. Azure AD access tokens expire after about an hour by default, and token lifetimes and sign-in frequency are configurable, which bounds how long a stolen token stays useful.
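Because every application behind that single sign-on trusts a token rather than a password, the checks the application performs on the token are the security boundary. The following is an added example, not code from the original post or from Microsoft: it shows what a relying party must verify before accepting a token (signature under a pinned algorithm, issuer, audience, tenant, and the expiry window the post mentions). Azure AD signs tokens with RS256 and publishes its public keys at the tenant’s OpenID Connect discovery endpoint; this example uses HS256 with a shared secret purely so it runs offline with the standard library. The tenant ID, client ID and secret are made-up values.

```python
"""Validate a bearer token before trusting it, as a relying party should.

Added example, not code from the original post or from Microsoft. Azure AD
signs tokens with RS256 and publishes the keys at the tenant's OpenID Connect
discovery endpoint; HS256 with a shared secret is used here only so the code
runs offline. Claim names (iss, aud, tid, exp, nbf) are standard JWT /
Azure AD v2.0 claim names; the IDs and secret below are made-up values.
"""
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-shared-secret-not-a-real-key"   # made-up; never hard-code real keys
TENANT_ID = "11111111-2222-3333-4444-555555555555"     # made-up tenant GUID
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"     # made-up application (client) ID
ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
CLOCK_SKEW = 60  # seconds of leeway for clock drift between issuer and verifier


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Build a compact JWT. Stands in for the identity provider in this example."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return f"{signing_input}.{_b64url(sig)}"


def validate_token(token: str, now: float, secret: bytes = SECRET,
                   expected_aud: str = CLIENT_ID, expected_iss: str = ISSUER,
                   expected_tid: str = TENANT_ID) -> dict:
    """Return the claims if every check passes, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h_b64, p_b64, s_b64 = parts
    header = json.loads(_b64url_decode(h_b64))
    # Pin the algorithm: the token must never choose how it is verified ("alg": "none" attacks).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p_b64))
    # A valid signature proves who issued the token, not that it was meant for
    # this app, this tenant, or this moment; each of those is a separate check.
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    if claims.get("tid") != expected_tid:
        raise ValueError("wrong tenant")
    if "exp" not in claims or now > claims["exp"] + CLOCK_SKEW:
        raise ValueError("expired")
    if now < claims.get("nbf", 0) - CLOCK_SKEW:
        raise ValueError("not yet valid")
    return claims


def token_status(token: str, now: float) -> str:
    """Convenience wrapper: 'ok' or the reason the token was rejected."""
    try:
        validate_token(token, now)
        return "ok"
    except ValueError as exc:
        return str(exc)
```

The order of checks is deliberate: the algorithm is pinned before anything is decoded, the signature is checked before any claim is read, and only then are issuer, audience, tenant and time window compared against values the application configured, never against values taken from the token itself.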
Preparing for Azure AD Connect
For organizations ready to integrate their on-premises AD structure with Azure AD, Azure AD Connect provides an automatic synchronization mechanism.
By syncing accounts between your local Active Directory and Azure Active Directory, users get a single set of credentials for Office 365 and local network resources. Which side checks the password is a design choice: Azure AD Connect can synchronize password hashes to Azure AD, relay the check to on-premises domain controllers (pass-through authentication), or federate sign-in through AD FS.
By necessity, this project requires a deep understanding of the local Active Directory group and permissions configuration, which in many organizations has gradually become so entangled with overlapping permissions, stale user accounts and unnecessary roles that running Azure AD Connect against it as-is simply replicates the mess into the cloud, where every synced account becomes an internet-facing login. Clean up first: disable or delete stale accounts, collapse redundant groups, make sure every user has a routable UPN suffix that is verified in the tenant, and run Microsoft’s IdFix tool to catch duplicate or malformed attributes that would block synchronization.
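As an added example of the clean-up pass described above (not code from the original post, and not Microsoft’s IdFix tool, which remains the supported way to find sync-blocking attribute errors), the script below runs the checks a practitioner would want over an export of on-premises user and group records: enabled accounts that have gone stale, UPNs that will not sync as-is (an unverified suffix such as .local, or characters Azure AD rejects), duplicate proxyAddresses, and groups that are empty or duplicate another group’s membership. The records are constructed; in practice they would come from an export such as `Get-ADUser -Properties ... | Export-Csv`. `VERIFIED_DOMAINS`, the 90-day staleness threshold and the fixed `NOW` date are assumptions of this example.

```python
"""Pre-sync hygiene checks over an on-premises AD export, before Azure AD Connect.

Added example, not code from the original post or from Microsoft. The records
are constructed; VERIFIED_DOMAINS, STALE_AFTER and NOW are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2024, 6, 1)                     # fixed "today" so the example is reproducible
STALE_AFTER = timedelta(days=90)
VERIFIED_DOMAINS = {"contoso.example"}         # assumption: domains verified in the Azure AD tenant
UPN_LOCAL_PART = re.compile(r"^[A-Za-z0-9'._\-!#^~]+$")  # characters Azure AD accepts in a UPN prefix

# Constructed sample export (not real directory data).
USERS = [
    {"sam": "alice", "upn": "alice@contoso.example", "enabled": True,
     "last_logon": datetime(2024, 5, 28), "proxy": ["SMTP:alice@contoso.example"],
     "groups": ["Finance", "Finance-Old", "VPN-Users"]},
    {"sam": "bob", "upn": "bob@contoso.local", "enabled": True,
     "last_logon": datetime(2024, 5, 30), "proxy": ["SMTP:bob@contoso.example"],
     "groups": ["Finance", "Finance-Old"]},
    {"sam": "carol", "upn": "carol smith@contoso.example", "enabled": True,
     "last_logon": datetime(2024, 5, 29), "proxy": ["SMTP:alice@contoso.example"],
     "groups": ["VPN-Users"]},
    {"sam": "svc_backup", "upn": "svc_backup@contoso.example", "enabled": True,
     "last_logon": datetime(2023, 11, 2), "proxy": [], "groups": ["Domain Admins"]},
    {"sam": "dave", "upn": "dave@contoso.example", "enabled": False,
     "last_logon": None, "proxy": ["SMTP:dave@contoso.example"], "groups": []},
]
GROUPS = ["Finance", "Finance-Old", "VPN-Users", "Domain Admins", "Legacy-Printers"]


def stale_enabled_accounts(users, now=NOW, threshold=STALE_AFTER):
    """Enabled accounts that have not logged on within the threshold (or ever)."""
    return sorted(u["sam"] for u in users
                  if u["enabled"] and (u["last_logon"] is None or now - u["last_logon"] > threshold))


def upn_problems(users, verified=VERIFIED_DOMAINS):
    """UPNs that will not sync as-is: unverifiable suffix, or characters Azure AD rejects."""
    problems = {}
    for u in users:
        local, _, suffix = u["upn"].rpartition("@")
        if suffix.lower() not in verified:
            problems[u["sam"]] = f"suffix {suffix} not verified in tenant"
        elif not UPN_LOCAL_PART.match(local):
            problems[u["sam"]] = "invalid characters in UPN prefix"
    return problems


def duplicate_proxy_addresses(users):
    """proxyAddresses must be unique across the tenant; duplicates produce sync errors."""
    owners = defaultdict(list)
    for u in users:
        for addr in u["proxy"]:
            owners[addr.split(":", 1)[-1].lower()].append(u["sam"])
    return {addr: sorted(sams) for addr, sams in owners.items() if len(sams) > 1}


def group_review(users, groups=GROUPS):
    """Empty groups, and sets of groups with identical membership (all but one redundant)."""
    members = {g: frozenset(u["sam"] for u in users if g in u["groups"]) for g in groups}
    empty = sorted(g for g, m in members.items() if not m)
    by_members = defaultdict(list)
    for g, m in members.items():
        if m:
            by_members[m].append(g)
    duplicates = sorted(tuple(sorted(gs)) for gs in by_members.values() if len(gs) > 1)
    return {"empty": empty, "identical_membership": duplicates}


def presync_report(users=USERS, groups=GROUPS):
    """Everything to fix before the first synchronization run."""
    return {
        "stale_enabled": stale_enabled_accounts(users),
        "upn_problems": upn_problems(users),
        "duplicate_proxy": duplicate_proxy_addresses(users),
        "groups": group_review(users, groups),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(presync_report(), indent=2))
```

Each finding maps to a concrete action before sync: stale enabled accounts get disabled (they would otherwise become live cloud logins), unverified UPN suffixes are changed to a verified domain so users do not land on the tenant’s default onmicrosoft.com name, duplicate addresses are resolved on one side, and duplicate groups are merged so the permission model you carry into the cloud is the one you mean to have.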