While Active Directory Domain Services and Microsoft Azure Active Directory appear similar, they are not interchangeable.
Administrators exploring whether to move to Azure Active Directory for enterprise authentication and authorization should understand how the cloud-based platform differs from the traditional on-premises Active Directory.
Distinguish on-premises AD from Azure AD
Active Directory (AD) is a combination of services to help manage users and systems, including Active Directory Domain Services (AD DS) and Active Directory Federation Services (AD FS). AD DS is the database that provides the directory service, which is essentially the foundation of AD.
AD uses an X.500-based hierarchical framework and traditional tools such as the Domain Name System (DNS) to locate assets, Lightweight Directory Access Protocol (LDAP) to work with directories both on premises and on the internet, and Kerberos and NT LAN Manager (NTLM) for secure authentication. AD also supports organizational units (OUs) and group policy objects (GPOs) to organize and present assets.
Microsoft Azure Active Directory is a directory service from Microsoft's cloud that handles identity management across the internet using the HTTP and HTTPS protocols. Azure AD's flat structure has no OUs or GPOs, so the organizational structure of on-premises AD cannot be carried over to it.
Instead of Kerberos, Azure AD uses authentication and authorization protocols such as Security Assertion Markup Language (SAML) and Open Authorization (OAuth). In addition, queries against Azure AD go through the AD Graph API rather than LDAP.
Structural differences between Azure AD and AD DS
Microsoft Azure Active Directory cannot create domains, trees and forests as AD DS does. Instead, Azure AD treats each organization as a tenant that uses the Azure portal to manage its users, passwords and permissions.
Organizations that subscribe to a Microsoft cloud service, such as Office 365 or Exchange Online, are Azure AD tenants. Azure AD supports single sign-on to give users access to multiple services after logging in.
Microsoft Azure Active Directory is different from Azure Active Directory Domain Services. Where Azure AD provides fewer features than on-premises AD, Azure AD DS serves as a more full-featured domain controller that uses LDAP, domain joining, Kerberos and NTLM authentication. Azure AD DS is a complete version of AD in the Azure cloud.
When to consider a combination of AD DS and Azure AD
Administrators can use AD DS and Microsoft Azure Active Directory separately or use both for a single AD entity. For example, an application hosted in the cloud could authenticate against on-premises AD, but it might suffer latency from authentication requests that travel from Azure to the on-premises AD DS and back.
Organizations have several options to implement AD in Azure. For example, an organization can build an AD domain in Azure that integrates with the local AD domain via Azure AD Connect. This creates a trust relationship between the domains.
Alternatively, an organization can extend its on-premises AD DS to Azure by running AD DS as a domain controller in an Azure VM. This is a common method for enterprises that have local and Azure resources connected via a virtual private network or dedicated connectivity, such as an ExpressRoute connection.
There are several other ways to use a combination of the cloud and on-premises directory services. Admins can create a domain in Azure and join it to the local AD forest. A company can build a separate forest in Azure that is trusted by the on-premises AD forest. Admins can use AD FS to replicate a local AD DS deployment to Azure.
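Once an organization mixes on-premises AD DS with Azure AD, an administrator often needs to tell which directory a given Windows device actually belongs to: on-premises domain only, Azure AD only, or both (hybrid). The following script is an added example, not code from the original article or from Microsoft. It assumes the text was captured from `dsregcmd /status` on a Windows 10/11 device and parses the `AzureAdJoined`, `DomainJoined`, `WorkplaceJoined` and `DomainName` fields that command prints; the sample output embedded below is constructed to illustrate a hybrid-joined machine, not taken from a real host.

```python
"""Classify a Windows device's directory join state from dsregcmd output."""
import re
from typing import Dict

# Constructed sample modelled on the "Device State" section that
# `dsregcmd /status` prints. It is not captured from a real machine.
SAMPLE_DSREGCMD_OUTPUT = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                  NgcSet : NO
         WorkplaceJoined : NO
"""


def parse_dsregcmd(text: str) -> Dict[str, str]:
    """Turn 'Key : Value' lines into a dict, skipping the box-drawing banners."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        match = re.match(r"^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$", line)
        if match:
            fields[match.group(1)] = match.group(2)
    return fields


def _is_yes(fields: Dict[str, str], key: str) -> bool:
    # dsregcmd prints YES/NO; treat a missing key as NO.
    return fields.get(key, "NO").strip().upper() == "YES"


def join_state(fields: Dict[str, str]) -> str:
    """Map the parsed flags onto the join models described in the article."""
    aad_joined = _is_yes(fields, "AzureAdJoined")
    domain_joined = _is_yes(fields, "DomainJoined")
    workplace_joined = _is_yes(fields, "WorkplaceJoined")

    if aad_joined and domain_joined:
        return "hybrid Azure AD joined"          # on-prem AD DS + Azure AD
    if aad_joined:
        return "Azure AD joined"                  # cloud-only device identity
    if domain_joined:
        return "on-premises AD joined"            # classic AD DS domain member
    if workplace_joined:
        return "Azure AD registered"              # user added a work account only
    return "not joined (workgroup)"


def describe(text: str) -> str:
    """One-line summary suitable for an inventory or audit report."""
    fields = parse_dsregcmd(text)
    state = join_state(fields)
    domain = fields.get("DomainName", "")
    return f"{state}" + (f" (domain {domain})" if domain else "")


if __name__ == "__main__":
    # On a real host, replace SAMPLE_DSREGCMD_OUTPUT with the captured output
    # of: dsregcmd /status
    print(describe(SAMPLE_DSREGCMD_OUTPUT))
```

Running the classification across a fleet gives a quick inventory of which devices still depend on the on-premises domain controllers and which already authenticate only against Azure AD, which is the first thing to know before changing trust or synchronization settings.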