I have often been asked over the years how Active Directory differs from “Azure AD”. One benefit of Microsoft’s rename of Azure AD to Microsoft Entra ID is that people seem to grasp a little more easily that these products are not identical, but separate identity solutions used in different situations.
Active Directory Domain Services, introduced in Windows 2000, allowed organizations to manage on-premises systems with a single user identity. Expanding on this, Microsoft Entra ID offers Identity as a Service (IDaaS) for managing apps across both cloud and on-premises environments. IT administrators familiar with Active Directory will notice both similarities and differences in Microsoft Entra ID. Below we walk through the differences between the two services across various use cases.
Provisioning users
Windows Server Active Directory
Organizations can manually create internal user accounts or leverage an in-house solution or automated provisioning tools like Microsoft Identity Manager to integrate with their HR systems.
Microsoft Entra ID
Organizations with existing Microsoft Windows Server Active Directory can use Microsoft Entra Connect to synchronize their identities to the cloud.
Microsoft Entra ID enhances this by enabling the automatic creation of users from cloud-based HR systems. Additionally, it can provision identities in software-as-a-service (SaaS) applications that support the System for Cross-Domain Identity Management (SCIM) standard, ensuring these apps receive the required user details for access.
Provisioning external identities
Windows Server Active Directory
Organizations often manually create external users as standard accounts within a separate Microsoft Windows Server Active Directory forest. This approach adds administrative complexity, as managing the lifecycle of external identities (guest users) requires additional effort.
Microsoft Entra ID
Microsoft Entra ID offers a dedicated type of identity specifically designed for managing external users. With Microsoft Entra B2B, the system maintains and validates the connection to external user identities.
Management and groups
Windows Server Active Directory
Administrators assign users to groups, and app or resource owners grant those groups access to specific applications or resources.
Microsoft Entra ID
Microsoft Entra ID also supports groups, which administrators can use to manage access to resources. In Microsoft Entra ID, group memberships can be assigned manually or dynamically through queries that automatically include users based on specified criteria.
Additionally, administrators can leverage Entitlement Management in Microsoft Entra ID to provide users with access to multiple applications and resources through workflows, with the option to apply time-based conditions if needed.
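As an added example (not from the original article), the dynamic membership described above, created with the Microsoft Graph PowerShell SDK. It assumes the SDK is installed, the signed-in account can consent to Group.ReadWrite.All, and the group name, mail nickname and department value are placeholders.

```powershell
# Added example: create a dynamic security group in Microsoft Entra ID whose
# membership is computed from user attributes, then read the rule back.
# Assumes the Microsoft.Graph PowerShell SDK; names and values are placeholders.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Membership rule: only enabled users in the Finance department. Disabled
# accounts drop out automatically, so access does not linger after offboarding.
$rule = '(user.department -eq "Finance") -and (user.accountEnabled -eq true)'

$group = New-MgGroup `
    -DisplayName "Finance-Users-Dynamic" `
    -MailNickname "finance-users-dynamic" `
    -MailEnabled:$false `
    -SecurityEnabled `
    -GroupTypes @("DynamicMembership") `
    -MembershipRule $rule `
    -MembershipRuleProcessingState "On"

# Confirm the rule was stored and processing is enabled before assigning
# application or resource access to the group.
Get-MgGroup -GroupId $group.Id `
    -Property "displayName,membershipRule,membershipRuleProcessingState" |
    Select-Object DisplayName, MembershipRule, MembershipRuleProcessingState
```

Membership evaluation runs asynchronously, so the member list may take several minutes to populate after creation.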
Admin management
Windows Server Active Directory
Organizations utilize a mix of domains, organizational units, and groups in Microsoft Windows Server Active Directory to delegate administrative responsibilities for managing the directory and its associated resources.
Microsoft Entra ID
Microsoft Entra ID includes predefined roles within its role-based access control (RBAC) system, along with limited options for creating custom roles to delegate privileged access to the identity system, applications, and managed resources.
Role management can be further streamlined using Privileged Identity Management (PIM), which enables just-in-time, time-limited, or workflow-based access to privileged roles.
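The just-in-time, time-limited access described above, as an added example that is not part of the original article: it makes a user eligible for a directory role through PIM rather than assigning it permanently. It assumes the Microsoft.Graph PowerShell SDK, a Microsoft Entra ID P2 licence, and placeholder user and role names.

```powershell
# Added example: grant PIM *eligibility* (not an active assignment) for the
# Security Reader role, lapsing after 180 days. Assumes the Microsoft.Graph
# PowerShell SDK and a tenant licensed for PIM; the UPN is a placeholder.
Connect-MgGraph -Scopes "RoleEligibilitySchedule.ReadWrite.Directory",
                        "RoleManagement.Read.Directory", "User.Read.All"

$user = Get-MgUser -UserId "alice@contoso.example"   # placeholder UPN
$role = Get-MgRoleManagementDirectoryRoleDefinition `
            -Filter "displayName eq 'Security Reader'"

$params = @{
    action           = "adminAssign"   # an administrator grants the eligibility
    justification    = "Security team reviewer; eligibility reviewed each quarter"
    roleDefinitionId = $role.Id
    directoryScopeId = "/"             # scope: the whole tenant
    principalId      = $user.Id
    scheduleInfo     = @{
        startDateTime = (Get-Date).ToUniversalTime()
        expiration    = @{
            type     = "afterDuration"
            duration = "P180D"         # ISO 8601 duration: 180 days
        }
    }
}

# The user can now activate the role on demand; activation still has to pass
# whatever MFA, approval and justification requirements the role's PIM
# settings impose, and the activation is logged in the audit log.
New-MgRoleManagementDirectoryRoleEligibilityScheduleRequest -BodyParameter $params
```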
Credential management
Windows Server Active Directory
Active Directory credentials rely on methods such as passwords, certificate authentication, and smart card authentication. Passwords are governed by policies that define requirements for length, expiration, and complexity.
Microsoft Entra ID
Microsoft Entra ID incorporates advanced password protection for both cloud and on-premises environments. Features include smart lockout and the ability to block commonly used or customized password phrases and variations.
Security is further enhanced with multifactor authentication and passwordless options such as FIDO2. Additionally, Microsoft Entra ID helps lower support costs by offering a self-service password reset feature for users.
Infrastructure apps
Windows Server Active Directory
Active Directory serves as the foundation for various on-premises infrastructure components, including DNS, Dynamic Host Configuration Protocol (DHCP), Internet Protocol Security (IPsec), Wi-Fi, Network Policy Server (NPS), and VPN access.
Microsoft Entra ID
In the modern cloud environment, Microsoft Entra ID serves as the central control plane for app access, shifting away from traditional network-based controls. Through Conditional Access, user authentication determines which users can access specific applications based on defined conditions.
Traditional and legacy apps
Windows Server Active Directory
Legacy on-premises applications commonly use LDAP, Integrated Windows Authentication (NTLM and Kerberos), or header-based authentication to manage user access.
Microsoft Entra ID
Microsoft Entra ID enables access to on-premises applications through Microsoft Entra application proxy agents deployed within the on-premises environment. This approach allows Microsoft Entra ID to authenticate Active Directory users via Kerberos, supporting scenarios where legacy applications need to coexist or be migrated.
SaaS apps
Windows Server Active Directory
Active Directory does not have native support for SaaS applications and requires a federation system like AD FS to enable integration.
Microsoft Entra ID
SaaS applications that support OAuth2, Security Assertion Markup Language (SAML), or WS-* authentication protocols can be integrated with Microsoft Entra ID for authentication purposes.
Line of business (LOB) apps with modern authentication
Windows Server Active Directory
Organizations can utilize AD FS in conjunction with Active Directory to enable modern authentication for line-of-business (LOB) applications.
Microsoft Entra ID
Line-of-business (LOB) applications that require modern authentication can be set up to use Microsoft Entra ID for authentication.
Mid-tier/Daemon services
Windows Server Active Directory
On-premises services typically operate using service accounts or group Managed Service Accounts (gMSA) provided by Microsoft Windows Server Active Directory. These applications then assume the permissions associated with the service account.
Microsoft Entra ID
Microsoft Entra ID offers managed identities to support cloud workloads. These identities are automatically managed by Microsoft Entra ID, with their lifecycle linked to the associated resource provider. They are purpose-specific and cannot be repurposed for unauthorized access or backdoor entry.
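To show what "no credential to manage" means in practice, here is an added example (not from the original article) of how a daemon running on an Azure VM obtains a token with its system-assigned managed identity. It assumes the VM has a system-assigned managed identity enabled and that the identity has been granted a role on the resource it calls.

```powershell
# Added example: token acquisition via the Azure Instance Metadata Service
# (IMDS). No secret is stored in the code or on disk; the token is issued on a
# link-local address reachable only from inside the VM. Assumes a VM with a
# system-assigned managed identity that has a role on the target resource.
$resource = "https://management.azure.com/"   # audience: Azure Resource Manager
$uri = "http://169.254.169.254/metadata/identity/oauth2/token" +
       "?api-version=2018-02-01&resource=" + [uri]::EscapeDataString($resource)

# The Metadata header is mandatory. IMDS rejects requests without it, which
# blocks token theft via HTTP redirects, since a redirect cannot add headers.
$token = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Metadata = "true" }

# Sanity-check the lifetime before use; expires_on is a Unix timestamp string.
$expires = [DateTimeOffset]::FromUnixTimeSeconds([int64]$token.expires_on)
if ($expires -lt [DateTimeOffset]::UtcNow) { throw "IMDS returned an expired token" }

# Use the bearer token against ARM: list the subscriptions the identity can see.
# The token is scoped to this identity's role assignments and cannot be
# repurposed beyond them.
Invoke-RestMethod -Uri "https://management.azure.com/subscriptions?api-version=2020-01-01" `
    -Headers @{ Authorization = "Bearer $($token.access_token)" }
```

Because the token is bound to the VM's identity and the role assignments on that identity, removing the role assignment or deleting the VM revokes the access; there is no password to rotate.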
Mobile Devices
Windows Server Active Directory
Active Directory lacks native support for mobile devices and requires third-party solutions to enable this functionality.
Microsoft Entra ID
Microsoft Intune, Microsoft’s mobile device management solution, integrates seamlessly with Microsoft Entra ID. Intune supplies device state information to the identity system, which is used during the authentication process.
Windows desktops
Windows Server Active Directory
Active Directory allows Windows devices to be domain-joined, enabling management through Group Policy, System Center Configuration Manager, or other third-party tools.
Microsoft Entra ID
Windows devices can be joined to Microsoft Entra ID, enabling Conditional Access to verify their enrollment as part of the authentication process. These devices can also be managed through Microsoft Intune, where Conditional Access evaluates compliance factors, such as up-to-date security patches and antivirus definitions, before granting access to applications.
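The device-based Conditional Access described here and in the "Infrastructure apps" section above, as an added example that is not part of the original article: a policy that requires a compliant (Intune) or Microsoft Entra hybrid joined device for all cloud apps, created in report-only mode so the sign-in logs show the impact before it is enforced. It assumes the Microsoft.Graph PowerShell SDK and a placeholder group ID for emergency-access accounts.

```powershell
# Added example: Conditional Access policy requiring a compliant or hybrid
# joined device, deployed report-only first. Assumes the Microsoft.Graph
# PowerShell SDK; the break-glass group ID is a placeholder.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$breakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder

$policy = @{
    displayName = "Require compliant or hybrid joined device for all apps"
    state       = "enabledForReportingButNotEnforced"   # report-only: log, do not block
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($breakGlassGroupId)   # emergency-access accounts stay reachable
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        # compliantDevice = Intune reports the device compliant;
        # domainJoinedDevice = Microsoft Entra hybrid joined
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# After reviewing the report-only results in the sign-in logs, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Report-only evaluations appear under each sign-in's Conditional Access tab, which is where to check for unexpected "would block" results such as unmanaged devices used by service staff.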
Windows servers
Windows Server Active Directory
Active Directory offers robust management tools for on-premises Windows servers, utilizing Group Policy and other management solutions.
Microsoft Entra ID
Windows Server virtual machines in Azure can be managed using Microsoft Entra Domain Services. When these VMs require access to the identity system or other resources, managed identities can be utilized.
Linux/Unix workloads
Windows Server Active Directory
Active Directory lacks native support for non-Windows systems without third-party tools. However, Linux machines can be configured to authenticate with Active Directory by treating it as a Kerberos realm.
Microsoft Entra ID
Linux/Unix virtual machines can utilize managed identities to access the identity system or other resources. Many organizations also migrate these workloads to cloud container technologies, which similarly support the use of managed identities.