In this video, learn the difference between Azure Active Directory and Windows Server Active Directory, and explore Azure Active Directory Domain Services.
- [Instructor] Let's start this course by looking at the difference between Azure Active Directory and Windows Server Active Directory. Even though the names sound the same, they are definitely not the same thing. Windows Server Active Directory was introduced in Microsoft Windows 2000 Server. Active Directory is a domain service, and really all it is is just a list of objects that are in your network. It authenticates and handles communication between our users and the domain. Typically we think about this being on-premises, but you could also build this entire infrastructure in Azure if you wish.
Now, let's take a look at Azure Active Directory. Azure Active Directory is a cloud-based service that manages the identities both in the cloud and on-premises. In the cloud it could be Office 365, Intune, or your custom line-of-business apps. Azure Active Directory will also authenticate other SaaS apps, including LinkedIn, Box, Salesforce, Citrix, and Workday, just to name a few. I like to think of Azure Active Directory as a pivot point not only for Azure, but for Office 365, Windows Intune, Dynamics, and other Microsoft cloud-based services.
Azure Active Directory is not just for single sign-on for those SaaS apps, but it also includes several identity management functions, including multi-factor authentication, or MFA. You can use Azure Active Directory for device registration and self-service password management, as well as self-service group management. Azure Active Directory includes privileged account management, and you can control access to your resources using RBAC, or role-based access control. And finally, Azure Active Directory will also provide application usage and monitoring.
Server Active Directory structure is a hierarchy, whereas in Azure Active Directory it is a flat structure. In Azure Active Directory we manage users in groups, whereas in Server Active Directory we can use GPOs or OUs, GPOs being Group Policy Objects and OUs being Organizational Units. Server Active Directory can have trust between domains and authentication is done using Kerberos, whereas in Azure Active Directory we can actually sync to that Server Active Directory and our authentication is done using SAML, WS-Fed, and OAuth, and we'll talk about these a little bit later in the course.
You may be thinking, "I already have an on-premises infrastructure, but I'd like to connect it to Azure Active Directory." And you can definitely do so, and we refer to this as a hybrid environment. In the hybrid model we can provide a common identity for Office 365 and your other SaaS apps as well as your on-premises infrastructure, and we do this using Azure Active Directory Connect, which will link Server Active Directory and Azure Active Directory. Let's go ahead and see what that looks like. As we can see here on the left, we have our on-premises environment: we have a Windows Server, some apps, and a domain controller, which is hosting our Active Directory.
On the right, we have our cloud infrastructure, and Azure Active Directory is kind of sitting in the middle right now. We can also add our users and devices into Azure Active Directory to provide access to those cloud-based applications, and to tie it to our on-premises environment, we are using Azure Active Directory Connect. We'll be looking at Azure Active Directory Connect in more detail in an upcoming lesson, but for now, just understand that Azure Active Directory Connect synchronizes Server Active Directory with Azure Active Directory.
And finally, I want to touch on Azure Active Directory Domain Services. This service only became generally available in late 2016, and it takes domain services as we traditionally think about them on-premises and converts them into an actual service, which is perfect for cloud-only implementations. It's incredibly simple to deploy, we can domain join our virtual machines within the network, and it does allow for a single group policy in which we can push out our security policies for our users in domain-joined virtual machines.
We can create custom OUs within it, it provides LDAP and NTLM authentication, so we can still use apps that use Windows integrated authentication, and it integrates with Azure Active Directory. Accounts that are in Azure Active Directory are automatically available in Azure Active Directory Domain Services. We can use groups to manage access to our resources, and we can create custom domain names. Now, before you get all excited and go, "Yes, I'm going to go and use Azure Active Directory Domain Services!" there are a few things you need to know about.
First, you do not have domain or enterprise admin privilege. If you need this, Azure Active Directory Domain Services is not the service for you at this time. You cannot update schema extensions. It does not support Active Directory domain or forest trusts, there is no LDAP write, and as I've already mentioned, it only allows for one single simple group policy to be pushed out to your users in virtual machines. But if you can live within these considerations, Azure Active Directory Domain Services may be a great solution replacing your traditional Azure Active Directory.
To quickly recap this lesson, we explored the differences between Azure Active Directory, which is our cloud identity solution, we looked at Server Active Directory which is our Windows Server identity solution, and we briefly touched on the new Azure Active Directory Domain Services offering, which provides managed domain services in your Azure environment.
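As an added example that is not part of the course material above, the following PowerShell checks the one thing the hybrid lesson hinges on: that Azure AD Connect is really synchronizing an on-premises account into Azure AD. It is meant to run on the Azure AD Connect server with the ADSync and MSOnline modules installed; the user principal name `jdoe@contoso.com` is an assumed sample value, not one from the course.

```powershell
# Added example (not from the course): verify that Azure AD Connect is
# synchronizing an on-premises user into Azure Active Directory.
# Assumptions: runs on the Azure AD Connect server, ADSync and MSOnline
# modules are installed, and jdoe@contoso.com (hypothetical) exists on-premises.

Import-Module ADSync
Import-Module MSOnline

$upn = 'jdoe@contoso.com'   # assumed sample user

# 1. Confirm the sync scheduler is enabled. A disabled scheduler means cloud
#    identities silently go stale, which is an easy thing to miss.
$sched = Get-ADSyncScheduler
if (-not $sched.SyncCycleEnabled) {
    throw 'Sync cycle is disabled; re-enable with Set-ADSyncScheduler -SyncCycleEnabled $true'
}
"Next scheduled cycle (UTC): $($sched.NextSyncCycleStartTimeInUTC)"

# 2. Trigger a delta sync now instead of waiting for the next scheduled cycle.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

# 3. Wait until no connector run is in progress.
do {
    Start-Sleep -Seconds 10
    $running = Get-ADSyncConnectorRunStatus
} while ($running)

# 4. Look at the cloud object. A populated ImmutableId is the link back to the
#    on-premises object; LastDirSyncTime shows when it was last updated.
Connect-MsolService   # prompts for an Azure AD administrator credential
$cloudUser = Get-MsolUser -UserPrincipalName $upn
[pscustomobject]@{
    UserPrincipalName = $cloudUser.UserPrincipalName
    ImmutableId       = $cloudUser.ImmutableId
    LastDirSyncTime   = $cloudUser.LastDirSyncTime
}
```

If `ImmutableId` is empty, the cloud account is a cloud-only object rather than a synchronized one, which is the situation the hybrid model is meant to avoid.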
Studying for Microsoft certification? Topics covered here map to objectives on exam 70-534, Architecting Microsoft Azure Solutions.