This article describes the main differences between Active Directory and Azure Active Directory. One of the most common questions is: is Azure AD the same as AD? Can I replace one with the other? The short and simple answer is no, but the full answer is more complicated, which is why this article was written. Let's have a look at the similarities, the differences, and the ways the two can be combined.
Active Directory Domain Services
Active Directory Domain Services is basically a database in which all your computers, users and other objects are organized. It provides authentication and authorization for applications, file services, printers, and other on-premises resources. AD uses protocols such as NTLM and Kerberos for authentication and LDAP for resource discovery. With Group Policy, you can distribute settings throughout the whole network. AD holds security groups, user and admin accounts, passwords, identities and access rights, which is why securing AD is key. The important point, however, is that AD was not designed to cope with the world of web-based Internet services.
Azure Active Directory
First, Azure Active Directory is not Active Directory, and its name unfortunately causes a lot of confusion. AAD does serve a similar function: authentication and authorization for applications. Compared with AD, Azure Active Directory was designed to support web-based services that use RESTful interfaces, such as Office 365 and Google Apps, and it uses different protocols for working with these services (SAML, OAuth 2.0). You could say that AAD is "AD as a service in the cloud". Another difference is that AAD has no forests or domains. Instead, you have a tenant representing your whole organization, in which you manage all users with their passwords, permissions, and so on. A user with one identity can sign in to thousands of SaaS applications, not just Microsoft's Office 365, SharePoint or Exchange Online, and can do so without having to log in again for each one.
Hopefully, it is clearer now that AAD is different from AD. For example, AAD has no Group Policy and no LDAP support, but it offers many other new features. Nowadays, there are various models for using Active Directory services, and every company has different needs and possibilities. If your organization doesn't need the AD features that AAD lacks, you can move to Azure Active Directory and decommission classic Active Directory. There are also various Hybrid Azure AD scenarios, which combine AD and AAD: this architecture offers the features of both, and Azure AD Connect keeps your user and password data synchronized between them. Finally, you can keep using just classic AD, although you hear more and more every day about the advantages of moving to the cloud. For more detailed information, see Microsoft's official documentation.
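The protocol difference described above (LDAP for on-premises AD, OAuth 2.0 plus REST for Azure AD) and the Azure AD Connect synchronization in the hybrid scenario can be seen side by side in one script. The following PowerShell is an added example, not code from the article or from Microsoft: it queries enabled users from classic AD over LDAP with ADSI, obtains an OAuth 2.0 client-credentials token and lists Azure AD users through the Microsoft Graph REST API, and then reports which on-premises accounts have no synced cloud counterpart. The domain DN, tenant ID, client ID and client secret are placeholders, and it assumes an app registration that has been granted the Graph application permission User.Read.All.

```powershell
# Added example (not from the original article). Assumptions: an on-premises AD
# domain reachable over LDAP and an Azure AD app registration with the Microsoft
# Graph application permission User.Read.All. Placeholder values are marked <...>.

# --- 1. Classic AD: resource discovery over LDAP (ADSI, no extra module needed) ---
# LDAP filter: user objects that are not disabled (userAccountControl bit 2 = ACCOUNTDISABLE)
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://DC=corp,DC=example,DC=com"   # placeholder domain DN
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
$searcher.PageSize = 1000
[void]$searcher.PropertiesToLoad.AddRange(@("sAMAccountName", "userPrincipalName", "objectGUID"))
$adUsers = foreach ($r in $searcher.FindAll()) {
    [pscustomobject]@{
        sAMAccountName    = [string]$r.Properties["samaccountname"][0]
        userPrincipalName = [string]$r.Properties["userprincipalname"][0]
        # Azure AD Connect stores the base64-encoded objectGUID as the cloud ImmutableId
        ImmutableId       = [Convert]::ToBase64String([byte[]]$r.Properties["objectguid"][0])
    }
}

# --- 2. Azure AD: OAuth 2.0 client-credentials token, then a Graph REST call ---
$tenantId     = "<tenant-id>"          # placeholder
$clientId     = "<app-client-id>"      # placeholder
$clientSecret = "<app-client-secret>"  # placeholder; store in a vault, not in the script

$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = "https://graph.microsoft.com/.default"
        grant_type    = "client_credentials"
    }
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# Page through all users; $select limits the attributes returned per user
$uri = "https://graph.microsoft.com/v1.0/users?`$select=userPrincipalName,onPremisesSyncEnabled,onPremisesImmutableId&`$top=999"
$aadUsers = @()
while ($uri) {
    $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
    $aadUsers += $page.value
    $uri = $page.'@odata.nextLink'   # $null on the last page, which ends the loop
}

# --- 3. Hybrid check: which cloud identities were synced by Azure AD Connect ---
$synced    = $aadUsers | Where-Object { $_.onPremisesSyncEnabled -eq $true }
$cloudOnly = $aadUsers | Where-Object { -not $_.onPremisesSyncEnabled }

# On-prem accounts whose ImmutableId has no matching synced cloud object (sync gap)
$cloudIds = @{}
foreach ($u in $synced) { $cloudIds[$u.onPremisesImmutableId] = $true }
$notSynced = $adUsers | Where-Object { -not $cloudIds.ContainsKey($_.ImmutableId) }

"On-prem enabled users          : $($adUsers.Count)"
"Cloud users synced from on-prem: $($synced.Count)"
"Cloud-only users               : $($cloudOnly.Count)"
"On-prem users missing in cloud : $($notSynced.Count)"
$notSynced | Select-Object sAMAccountName, userPrincipalName | Format-Table
```

Section 1 needs only a domain-joined machine, since ADSI talks LDAP and authenticates with the caller's Kerberos ticket; section 2 never touches LDAP or Kerberos at all, which is the practical meaning of the "different protocols" point above. The cloud-only list is worth reviewing in a hybrid tenant, because those accounts are not governed by on-premises Group Policy or password policy.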