AD On-Prem and Azure AD

Most often, people think Azure AD is just another copy of Active Directory in the cloud. Despite the similarity in names, this is actually not the case.

  • Active Directory:
    • is a true directory service with a hierarchical structure.
    • the hierarchy is built from organizational units (OUs) and Group Policy Objects (GPOs).
    • on-premises you connect to a domain by accessing a domain controller.
    • stores network objects such as users, computers, printers, and services in that hierarchy.
    • uses Kerberos for authentication.
    • uses LDAP for querying.
    • doesn’t use claims natively; claims-based authentication can be added via ADFS, which is a security token service.
    • the fundamental component is Active Directory Domain Services (AD DS).
  • Azure AD:
    • is an identity solution focused on the modern Internet-centric, BYOD, mobile style of work environment.
    • is the Identity and Access Management (IAM) system for Azure.
    • allows users and groups to be created in a flat structure without OUs or GPOs.
    • lets you define applications to federate with.
    • cannot be used to join machines to a network domain.
    • uses OAuth, SAML and WS-Federation for authentication.
    • uses the REST Graph API for querying.
    • is claims aware by nature.

The features that make Azure AD a competitive cloud identity management solution are licensed via the Premium Edition. The premium feature set of Azure Active Directory is focused around four areas:

  • Branding and Customization – The Azure AD sign-in pages and Access Panel can be branded to resemble the organization’s look-and-feel.
  • Group Based Access Control – Groups can be used to control access to applications federated with Azure AD. In addition, users can request to join groups that grant access to applications and group owners can approve requests via the Azure AD Access Panel.
  • Self Service Password Management – Self-service password recovery for users whose password is stored solely in Azure AD. Users who log in via federated authentication (e.g. ADFS) or via a password synchronized with Azure AD Directory Synchronization cannot use this feature.
  • Multi-Factor Authentication – Users can be required to register for and provide a second factor of authentication (SMS (text) message, voice call, or push notification to an app) at login time.
  • Advanced Reporting – Provides common IT security reports centered on application and device usage, plus security analytics that detect irregular and suspicious activity.

Today, businesses typically use a mixture of on-premises and cloud applications. Users require access to those applications both on-premises and in the cloud. For that reason they need a hybrid identity. To achieve hybrid identity, one of three authentication methods can be used:

  • Password Hash Synchronization (PHS). The accounts in AD and AAD are two different user objects (no true SSO), but to the user it feels like one account. The user authenticates against AAD, so no communication with on-premises AD is needed at sign-in time. Note that AD stores a password hash, and AAD stores a hash of that password hash; the hash in AAD can never be reversed back to the password hash in AD. This makes it a very safe method.
  • Federation via ADFS. Typically used by larger organizations that already have ADFS. The idea is that I want to be able to access cloud applications or Office365 with my on-prem credentials instead of having different accounts for all these cloud applications. I can federate directly from ADFS to all of these cloud applications or I can federate from ADFS to AAD and then use the federation capabilities of AAD (which is a key value proposition of AAD). Authentication is performed against on-premise AD through ADFS.
  • Pass-Through Authentication (PTA). The user authenticates against AAD, without the fairly extensive ADFS infrastructure and without having to maintain ADFS. The authentication request is placed in a PTA queue in AAD (Azure Service Bus is used behind the scenes). One or more PTA agents installed on-premises pick the request up from the queue over an outbound connection, authenticate against AD, and send a yes/no back to AAD.
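As an added illustration of the "hash of the password hash" idea in the PHS bullet (example code, not part of the original notes): the derivation details used here (widening the 16-byte on-prem hash to hex text in UTF-16LE, a 10-byte per-user salt, PBKDF2-HMAC-SHA256 with 1000 iterations) follow Microsoft's public description of password hash sync and are assumptions, since the page itself only states that AAD holds a hash of the on-prem hash.

```python
import hashlib
import hmac
import os

# Assumed parameters modelled on Microsoft's published PHS description.
PBKDF2_ITERATIONS = 1000
SALT_LEN = 10


def onprem_hash(password: str) -> bytes:
    """The value on-prem AD keeps: an unsalted 16-byte NT hash (MD4 over UTF-16LE).
    MD4 is disabled in many OpenSSL builds, so a 16-byte stand-in is used when
    it is unavailable; the sync step below is the same either way."""
    data = password.encode("utf-16-le")
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        return hashlib.blake2b(data, digest_size=16).digest()  # stand-in only


def sync_hash(nt: bytes, salt: bytes) -> bytes:
    """What Azure AD Connect sends to AAD: a salted, iterated PBKDF2 of the on-prem
    hash, never the on-prem hash itself. The 16 hash bytes are widened to hex text
    encoded as UTF-16LE before being used as the PBKDF2 password input."""
    widened = nt.hex().encode("utf-16-le")
    return hashlib.pbkdf2_hmac("sha256", widened, salt, PBKDF2_ITERATIONS, dklen=32)


def provision(password: str) -> dict:
    """Constructed: the record the cloud side ends up holding for one user.
    A fresh per-user salt means identical on-prem hashes give different AAD hashes."""
    salt = os.urandom(SALT_LEN)
    return {"salt": salt, "hash": sync_hash(onprem_hash(password), salt)}


def verify(password: str, record: dict) -> bool:
    """AAD-side sign-in check: recompute from the submitted password and compare
    in constant time. Nothing here ever recovers the on-prem hash from the record."""
    candidate = sync_hash(onprem_hash(password), record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    rec = provision("Winter2024!")  # constructed sample password
    print("stored AAD hash:", rec["hash"].hex())
    print("correct password accepted:", verify("Winter2024!", rec))
    print("wrong password accepted:", verify("winter2024!", rec))
```

Running it twice prints two different stored hashes for the same password because of the per-user salt, which is why the AAD record cannot be lined up against the on-prem hash.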