Azure AD vs. ADFS

Written by David Worthington on February 14, 2023


Microsoft has had a strong presence in the IT identity management space for decades by virtue of Active Directory (AD). It extended AD with local and hybrid cloud solutions in response to the growing popularity of web apps and remote work. However, those solutions intersect and serve different requirements. Below, we’ll compare Azure® Active Directory® (AD) versus Active Directory Federation Services (AD FS) to see how these Microsoft offerings overlap and where they differ.

What Is Azure AD?

Azure is Microsoft’s cloud computing offering, akin to AWS® or GCP™. Azure AD is the cloud identity management solution for managing users in the Azure Cloud. IT admins use Azure AD (AAD) to authenticate access to Azure, Microsoft 365™ (M365), and a select group of other cloud applications through single sign-on (SSO). At its most basic level, Azure AD is free, included with a subscription to M365. However, IT admins need to purchase the higher “Premium” tiers of the product (as well as additional add-ons) in order to fully leverage its capabilities.

Add-on services may include:

  • Intune to manage Android, Apple, Linux, and Windows devices. Microsoft has also partitioned remote assist off as a premium add-on to Intune.
  • Entra to consume, authenticate, and govern external (non-Microsoft) identities

AAD is primarily a user management tool for Azure and M365, and doesn’t manage on-prem IT infrastructure such as Windows PCs, networks, file servers, and other resources. Microsoft Intune partially serves that function for cloud-first organizations; otherwise, AD is usually needed to complete the solution. That’s accomplished through middleware called Azure AD Connect. Standalone AAD is not a cloud-based replacement for AD and exclusively serves Microsoft systems. Deployments can be complex and often involve setting aside a budget for consultants.

Microsoft-centric organizations rely on AAD in tandem with on-prem AD to manage their environment. Microsoft offers Active Directory Federation Services (AD FS) as an alternative approach that’s not cloud-native; IT organizations must be capable of setting up and managing a server farm for a successful deployment. This increases management overhead and potential attack surface, and may increase your licensing costs as sizing and specification requirements rise.


What Is AD FS?

IT organizations leveraging Active Directory often need a tool that federates their on-prem identities to cloud applications. While a number of dedicated third-party SSO solutions exist to fill this void, Microsoft also offers its own tool: AD FS. AD FS is an add-on charge to Windows Server purchases and has dependencies on multiple standalone Windows Server Roles.

AD FS is a companion tool to Active Directory that extends on-prem identities to cloud applications. It’s akin to a web application SSO tool, but it’s deployed on-prem rather than in the cloud. AD FS uses SAML XML certificates as web app SSO services do, but it can also authenticate using cookies or other security tokens. It also supports OpenID Connect/OAuth flows and application scenarios for internal applications that aren’t intended for cloud hosting.

Ultimately, this means that AD FS is focused on web applications, and organizations that need identity management for non-Windows systems, networks, and domain-bound applications elsewhere will have to turn to Active Directory or other options. Knowing that, let’s compare Azure AD with AD FS and see which is the best fit for your organization’s unique requirements.

Azure AD vs. AD FS

Azure AD and AD FS share similar roles in an IT environment. Both Microsoft tools share SSO-like properties, and they each need to work in tandem with on-prem Active Directory (although Azure AD could possibly be used without it). The key difference is that AAD is an identity and access management (IAM) solution while AD FS is a security token service (STS).

As such, they each have their own distinctions. Azure AD has wider control over user identities outside of applications than AD FS, which makes it a widely used solution for IT organizations. It also has advanced access control and identity management capabilities.

For example:

  • AAD provides multi-factor authentication (MFA) at all its tiers, from AAD’s Security Defaults to more granular conditional access rules for privileged users.
  • AAD has options to restrict legacy authentication methods and can enforce password health and quality.
  • AAD’s Premium tiers also offer a range of risk-based rules/conditions and behavioral monitoring to protect identities. Which of these are available depends on the tier you’re using.
  • AAD’s Premium tiers include self-service password reset and more.
  • AAD’s Premium tiers include Azure Active Directory (Azure AD) Connect Health to monitor on-premises identity infrastructure.
  • AAD has role-based access controls, but dynamic groups that make and suggest user lifecycle changes via attributes are available for an extra cost.
  • AAD integrates with Intune for device management and application protection rules.
  • AAD can scale out and provide geo-redundancy.

AD FS is better suited to manage access to in-house applications or to extend AD to your third-party applications. For example, it offers more robust support for SAML’s claims-based authentication workflow (token claims) than AAD. It also has the capacity to consume external identities and can federate with SAML or WS-Fed identity providers using in-house IT infrastructure. AAD requires Entra to achieve similar functionality. The determination comes down to your level of in-house resources, cloud adoption, compliance needs, and budgeting.

As noted above, neither is a true directory service nor a standalone service. That means that IT organizations using Azure AD or AD FS usually require a directory service like Active Directory, as well as any other add-on solutions AD requires. For instance, Network Policy Server (NPS) is necessary for RADIUS authentication into network resources. Intune and Entra are necessary for interoperability outside of the Microsoft ecosystem to manage your entire IT infrastructure.

IT organizations that need the adaptability to support any resources their end users require, regardless of protocol, platform, provider, or location, may benefit from evaluating non-Microsoft alternatives before settling on either of Microsoft’s SSO solutions. Cost and complexity may also be considerations: Microsoft is focused on delivering solutions that fit the requirements of large enterprises, not small- to medium-sized enterprises (SMEs).

Holistic Identity Management from the Cloud

JumpCloud is an open directory platform that unifies identity, access, and device management capabilities, regardless of the underlying authentication method or device ecosystem. It can extend both AD and the free tier of AAD to accomplish more, with a lower TCO. JumpCloud authenticates users whether they use biometrics, digital certificates, passwords, or SSH keys. JumpCloud ensures that every resource has a “best method” to connect to it, for example LDAP, OIDC, RADIUS, or SAML. The result is that users can employ a single set of credentials to access systems, applications, networks, infrastructure, file servers, and more.

Access is secured by environment-wide MFA with optional conditional rules for privileged users. A password manager is available to support non-SSO applications. Your users receive secure, frictionless access from managed (or trusted) devices running any platform. JumpCloud treats identities as the new perimeter. This is made possible by positioning every device as a gateway to your resources through identities. There are no add-ons for device management or consuming external identities: JumpCloud produces value lock-in versus vendor lock-in.

Cloud delivery reduces infrastructure costs, simplifies deployment, and maximizes what you already have. Additionally, attribute-based access control and HR system integrations can enable advanced user lifecycle management scenarios to lower overall management overhead. These capabilities are driven by your workflows rather than being parceled off as premium features.

Learn More

Interested in unifying your resources and identity management in the cloud? You can start a trial of JumpCloud today.

David Worthington

I'm the JumpCloud Champion for Product, Security. JumpCloud and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.
