Traditional AD vs. Azure AD Comparison Guide

For most organizations, a hybrid strategy with both on-premises Active Directory (AD) and cloud-based Azure AD will make sense for some time, because each is suited best to different functions. On-prem AD is still more capable for systems management and control, while Azure AD is much more flexible for cloud-centric authentication and authorization. Azure AD also offers a wide variety of integration services that provide more parity than ever before with traditional AD capabilities. This piece details the main difference between the two tools and offers tips for deploying them successfully. 

Differences Between Traditional AD and Azure AD

Azure AD differs from traditional on-prem AD in several ways: 

• Azure AD is a cloud-oriented identity platform, designed primarily for internet-based cloud applications and services with HTTP/HTTPS access over Ports 80 and 443 for identity service communications. 
  
• Azure AD users and groups are created in a flat structure, and Azure AD does not rely on organizational units (OUs) and group policy objects (GPOs). 
  
• Most Azure AD queries use RESTful APIs over HTTPS, although LDAP is now supported with Azure AD Domain Services. 
  
• Azure AD primarily uses web-enabled authentication protocols. It can use Kerberos authentication with the Azure AD Application Proxy, but it primarily uses Security Assertion Markup Language (SAML), System for Cross-domain Identity Management (SCIM) and OpenID Connect for authentication (and OAuth for authorization). Secure Shell Protocol (SSH), Remote Authentication Dial-In User Service (RADIUS) and other methods are supported, but often require significant architecture and/or application and service modifications. 
  
• Azure AD is a leading single sign-on (SSO) and identity federation service, and many third-party services can integrate with and trust Azure AD. 
  

Traditional AD vs. Azure AD Security Feature Comparison  

Figure 1 lists the many security distinctions between Azure AD and traditional on-prem AD. 

Migrating to Azure AD 

When planning a move to Azure AD, organizations must keep several considerations in mind. To ensure success: 

• Plan to employ both tools for the foreseeable future. On-prem AD is much better suited to management of legacy systems and applications (those primarily still in the data center), while Azure AD is best suited to cloud application access and enablement. User account synchronization is the primary area of overlap between them. 
  
• Focus on what needs to be synchronized between the two. It’s important to plan the types of user attributes and elements you want/need to synchronize from your on-prem AD to Azure AD with Azure AD Connect. For example, there is some debate about whether organizations should sync password hashes to the Azure AD cloud. Microsoft offers an excellent primer with a decision flowchart. 
  
• Plan to use Azure AD to provision access to cloud-based resources and services, not serve as the source of record for all services in a hybrid architecture. On-prem AD is still better for handling computer accounts, GPO-based security controls and group membership for internal applications, and user entity attributes should simply be synced to Azure AD for use in cloud-associated connectivity scenarios (at least to start). 
  

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.