In Active Directory, Azure, Blog

There is some belief that perhaps Microsoft Azure Active Directory® is a replacement to the on-premises, legacy Active Directory. It would make sense to most people since both names have AD in them and the cloud is the next-generation platform for Microsoft. However, if you actually replace on-premise AD with Azure AD you won’t be getting the same functionality in the cloud.

Extend or Replace On-Premise AD with Azure AD?

Azure Active Directory isn’t a replacement for Active Directory. Rather, it’s a complement to the legacy AD. Think of Azure AD as an extension of your on-prem identities out to the Azure cloud.

You can read more about the perspective on Spiceworks where Microsoft representatives share further details about the AD and Azure AD strategy:

“Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller or a directory in the cloud that will provide the exact same capabilities with AD. It actually provides many more capabilities in a different way.

“That’s why there is no actual “migration” path from Active Directory to Azure Active Directory. You can synchronize your on-premises directories (Active Directory or other) to Azure Active Directory but not migrate your computer accounts, group policies, OU etc.

“As you can see here Azure Active Directory is an identity and access management solution for hybrid or cloud-only implementations. It can extend the reach of your on-premises identities to any SaaS application hosted in any cloud. It can provide secure remote access to on-premises applications that you want to publish to external users. It can be the center of your cross-organization collaboration by providing access for your partners to your resources. It provides identity management to your consumer-facing application by using social identity providers. Cloud app discovery, Multi-Factor Authentication, protection of your identities in the cloud, reporting of Sign-ins from possibly infected devices, leaked credentials report, user behavioral analysis are a few additional things that we couldn’t even imagine with the traditional Active Directory on-premises.

“Even the recently announced Azure Active Directory Domain Services are not a usual DC as a service that you could use to replicate your existing Active Directory implementation to the cloud. It is a stand-alone service that can offer domain services to your Azure VMs and your directory-aware applications if you decide to move them to Azure infrastructure services. But with no replication to any other on-premises or cloud (in a VM) domain controller.  

“If you want to migrate your domain controllers in the cloud to use them for traditional task you could deploy domain controllers in Azure Virtual Machines and replicate via VPN.

“So to conclude, if you would like to extend the reach of your identities to the cloud you can start by synchronizing your Active Directory to Azure AD.” [Link]

The True Role of Azure AD

As you can see, the Azure AD platform is effectively a user management system for Azure. It provides access control to Azure cloud servers and ancillary services and can also help control user access to Office 365.

Another critical capability of Azure AD is that it is a web application single sign-on solution. That puts Azure in competition with major web SSO players Okta and Ping Identity. This too is a curious move.

Unfortunately, though, Azure AD isn’t able to authenticate on-prem devices and systems such as Windows desktops and laptops. And, of course, Mac and Linux machines hosted on-prem or elsewhere are out of bounds as well. On-prem applications will need to be managed by your on-prem AD, as would your WiFi network if you wanted single sign-on to the domain.

It’s all of these shortcomings that lead to one hard reality:  any strategy with Azure AD also needs to include AD.

JumpCloud® Provides the Alternative to AD and Azure AD

If you are a cloud-forward organization and trying to shift as much of your infrastructure to the cloud, this approach is clearly not what you’re looking for.

A better path may be to leverage a next-generation IDaaS platform that is exclusively from the cloud and for both cloud and on-prem resources. Called Directory-as-a-Service®, this virtual identity provider is the core, authoritative user database that securely manages and connects user identities to the IT resources they need, including systems, applications, and networks.

As an independent provider, a wide variety of IT resources can be integrated together. We’re talking Windows, Mac, Linux, G Suite, Office 365, AWS, and much more. IT admins can leverage cross-platform, GPO-like capabilities to manage policies on Mac and Linux systems as well as Windows.

Replace AD and Azure

If you would like to learn more about how to replace on premise AD with Azure AD, drop us a note. We’d be happy to walk you through the capabilities of each of those solutions as well as introduce you to Directory-as-a-Service, which is an alternative to both Active Directory and Azure Active Directory. You can also give our IDaaS platform a try for yourself. Your first 10 users are free forever.

Recent Posts