There is a belief among some in the IT industry that Azure® Active Directory® is a replacement for the on-prem, legacy identity provider Active Directory®. The confusion is understandable, given that the products share the Active Directory name. So, let's make this simple: if you actually replace on-prem AD with Azure AD, you won't get the same functionality from the cloud. Or, a bit more precisely, Azure AD DS is not a replacement for AD DS, and Azure AD itself is not a domain controller in the cloud: it does not offer the Kerberos/NTLM/LDAP domain services, OUs or Group Policy that AD DS provides.
Extend or Replace On-Prem AD with Azure AD?
Azure Active Directory is not an outright replacement for Active Directory. Rather, it is a complement to the legacy AD. Think of Azure AD as an extension of your on-prem identities out to the Azure cloud.
For more on this, you can read about the perspective on Spiceworks, where Microsoft representatives share further details about the AD and Azure AD strategy (emphasis ours):
“Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller or a directory in the cloud that will provide the exact same capabilities as AD. It actually provides many more capabilities in a different way.
“That’s why there is no actual “migration” path from Active Directory to Azure Active Directory. You can synchronize your on-premises directories (Active Directory or other) to Azure Active Directory but not migrate your computer accounts, group policies, OU etc.
“As you can see here Azure Active Directory is an identity and access management solution for hybrid or cloud-only implementations. It can extend the reach of your on-premises identities to any SaaS application hosted in any cloud. It can provide secure remote access to on-premises applications that you want to publish to external users. It can be the center of your cross-organization collaboration by providing access for your partners to your resources. It provides identity management to your consumer-facing application by using social identity providers. Cloud app discovery, Multi-Factor Authentication, protection of your identities in the cloud, reporting of Sign-ins from possibly infected devices, leaked credentials report, user behavioral analysis are a few additional things that we couldn’t even imagine with the traditional Active Directory on-premises.
“Even the recently announced Azure Active Directory Domain Services are not a usual DC as a service that you could use to replicate your existing Active Directory implementation to the cloud. It is a stand-alone service that can offer domain services to your Azure VMs and your directory-aware applications if you decide to move them to Azure infrastructure services. But with no replication to any other on-premises or cloud (in a VM) domain controller.
“If you want to migrate your domain controllers to the cloud to use them for traditional tasks, you could deploy domain controllers in Azure Virtual Machines and replicate via VPN.
“So to conclude, if you would like to extend the reach of your identities to the cloud you can start by synchronizing your Active Directory to Azure AD.”
Azure AD’s True Role
As you can see, Azure AD is first and foremost the identity and access management platform for Microsoft's own cloud. It controls who can sign in to and manage Azure resources, and it is the identity store behind user access to Office 365™.
Another critical capability of Azure AD is that it is a web application single sign-on solution. That puts Azure in competition with major web single sign-on (SSO) players like Okta® and Ping Identity®. This too is a curious move.
Like those SSO providers, Azure AD cannot act as the domain authority for on-prem devices. Windows® desktops and laptops can be Azure AD joined only on Windows 10 (Pro, Enterprise or Education), and macOS® and Linux® systems, whether hosted on-prem or elsewhere, cannot be joined at all. On-prem applications that rely on LDAP, Kerberos or NTLM still need to be managed by your on-prem AD instance, as does your WiFi network if you want RADIUS-based single sign-on against your domain. If you're looking to go all cloud, this clearly is not the method to pursue: any strategy built on Azure AD also needs to include on-prem AD, integrated through Azure AD Connect.
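The "synchronize, don't migrate" relationship has a concrete, checkable form. Azure AD Connect stamps every synced object with a sourceAnchor, exposed in the cloud as the user's ImmutableId: the on-prem objectGUID (newer Connect versions default to mS-DS-ConsistencyGuid, which they populate from objectGUID, so the bytes are the same), taken in Windows/.NET byte order and base64-encoded. A cloud-only user has no ImmutableId, and a synced user's ImmutableId decodes back to exactly one on-prem object, which is what makes the cloud identity an extension of the on-prem one rather than a copy. The following Python is an added example written for this page; it is not code from the original post, from Microsoft or from JumpCloud. The objectGUID it uses is a constructed sample, not a real identifier, and the function names are this example's own.

```python
import base64
import uuid

# Constructed sample objectGUID, as AD would display it in the user's
# attribute editor (not taken from any real directory).
SAMPLE_OBJECT_GUID = "01020304-0506-0708-090a-0b0c0d0e0f10"


def immutable_id_from_guid(object_guid: str) -> str:
    """Derive the Azure AD ImmutableId (sourceAnchor) from an on-prem objectGUID.

    Azure AD Connect base64-encodes the GUID's 16 bytes in the mixed-endian
    order that .NET's Guid.ToByteArray() produces. uuid.UUID.bytes_le gives
    exactly that order (first three fields little-endian, rest as-is).
    """
    guid = uuid.UUID(object_guid)
    return base64.b64encode(guid.bytes_le).decode("ascii")


def guid_from_immutable_id(immutable_id: str) -> str:
    """Reverse mapping: recover the on-prem objectGUID from a cloud ImmutableId.

    Raises ValueError if the value is not 16 bytes of base64. That happens
    for objects hard-matched on some other sourceAnchor, or for malformed
    input; cloud-only users carry an empty ImmutableId, handled by the caller.
    """
    raw = base64.b64decode(immutable_id, validate=True)
    if len(raw) != 16:
        raise ValueError(f"ImmutableId decodes to {len(raw)} bytes, expected 16")
    return str(uuid.UUID(bytes_le=raw))


def is_synced_from(cloud_immutable_id: str, onprem_object_guid: str) -> bool:
    """True if the cloud object carries the sourceAnchor of this on-prem object.

    An empty ImmutableId means a cloud-only account with no on-prem source,
    so it can never match; undecodable values are treated as 'not synced'.
    """
    if not cloud_immutable_id:
        return False
    try:
        return guid_from_immutable_id(cloud_immutable_id) == str(uuid.UUID(onprem_object_guid))
    except ValueError:
        return False


if __name__ == "__main__":
    iid = immutable_id_from_guid(SAMPLE_OBJECT_GUID)
    print(f"objectGUID {SAMPLE_OBJECT_GUID} -> ImmutableId {iid}")
    print(f"round trip -> {guid_from_immutable_id(iid)}")
    print("cloud-only user synced from AD?", is_synced_from("", SAMPLE_OBJECT_GUID))
```

On the Windows side the same conversion is the one-liner `[Convert]::ToBase64String(([guid]$objectGuid).ToByteArray())`; comparing its output with the ImmutableId reported by Azure AD tells you whether a cloud account is really sourced from your on-prem directory, which is the kind of check that matters when auditing who can reach Azure and Office 365 resources.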
JumpCloud Provides the Alternative to AD and Azure AD
If you are a cloud-forward organization trying to shift as much of your infrastructure to the cloud as you can, this Azure AD plus AD approach is clearly not what you’ve been looking for.
A better path forward may be to leverage a next generation Identity-as-a-Service (IDaaS) platform that is exclusively from the cloud and for both cloud and on-prem resources. Called Directory-as-a-Service®, this virtual identity provider is the core, authoritative identity provider that securely manages and connects user identities to the IT resources they need including systems, applications, files, and networks.
As an independent provider, a wide variety of IT resources can be integrated together. We’re talking Windows, Linux, G Suite™, Office 365™, AWS® and much more. Further, IT admins can leverage cross-platform, GPO-like capabilities to manage policies on Mac® and Linux systems as well as Windows®.
Replace AD and Azure AD
Ready to learn more about whether to extend or replace on-premises AD with Azure AD? Drop us a line. We'd be happy to walk you through the capabilities of each of those solutions as well as give you an introduction to Directory-as-a-Service, which is an alternative to both Active Directory and Azure Active Directory. Or, check out our in-depth Active Directory FAQ. Also, you can sign up for a JumpCloud account today and get to work managing up to 10 users for free. Once you've signed up, if you need some technical information, be sure to check out our Knowledge Base.