Active Directory (AD) is well understood. It’s been around for decades and Microsoft shops know what it does and how to work with it. A Windows admin who’s not familiar with cloud directory functions will naturally be hesitant to change. This “translation” guide is a resource for comparing familiar AD terminology with the cloud equivalents.
It’s not always a direct comparison. Cloud architecture, device, and resource management also solve modern problems. A Microsoft shop may feel as if the cloud is Venus and AD is Mars, but that’s because the terminology is different and a few of the concepts might be less familiar.
This guide is a Rosetta stone to help you understand the concepts and terms that are specific to AD and the cloud. The platforms aren’t as different as they might seem, and they’re interoperable. They fall under the umbrella of identity and access management (IAM), for both users and devices, which provides access control and management for your resources using trusted industry standards.
A cloud directory is based on LDAP, but also utilizes web protocols including OIDC, SAML, and modern authentication for secure single sign-on (SSO) across domains. A cloud directory also centrally manages IAM by extending to your complete infrastructure. This section illustrates the fundamental concepts for authentication and how cloud directories strengthen it.
Active Directory: Kerberos (ports 88, 464) is the primary authentication protocol for hosts to prove their identities in AD. Add-on components are necessary for web SSO. It’s vulnerable to several known methods of attack, including Kerberoasting, Golden Tickets, Pass the Ticket, et al.

Cloud directory: Cloud directories frequently utilize HTTPS/TLS (port 443), OpenID Connect (OIDC), and Security Assertion Markup Language (SAML). These provide SSO for web apps and more. Vendors may support networking protocols including LDAP, RADIUS, and SSH.
Active Directory: Windows New Technology LAN Manager (NTLM) protocols remain in use to provide authentication, integrity, and confidentiality to Windows users. Microsoft recommends using Kerberos but it still supports NTLM.

Cloud directory: NTLM authentication is possible through managed local users via a cloud directory. A cloud directory layers additional security onto authentications through managed devices and multi-factor authentication (MFA).
Active Directory: AD utilizes a proprietary implementation of LDAP (ports 389, 636) to store data about devices, users, and other objects for AD. LDAP can authenticate and authorize user access to IT resources.

Cloud directory: LDAP is an important component of a cloud directory, and it’s read-only for added security. A cloud directory may more closely mirror RFC specifications for LDAP using the currently supported OpenLDAP schema (version 3.0). An LDAP bind DN may be used to authenticate users to applications/devices when LDAP is enabled for a group of users. The key difference from AD is that MFA may also be configured for LDAP authentications as a conditional access policy for a single app or as a global policy for all LDAP apps.
Active Directory: Active Directory Certificate Services (AD CS) is a Windows Server role that must be set up and supported in order to issue and manage public key infrastructure (PKI) certificates (ports 2560, 9389).

Cloud directory: A cloud directory may include its own certificate authority, available without the requirement to manage additional infrastructure. This enables certificate-based authentication for RADIUS. Device trust certificates are used with conditional access.
Active Directory: SAML is not supported natively. AD FS or integration with web services is required.

Cloud directory: The SAML protocol authenticates users to web-based applications and is typically a standard capability in a cloud directory.
Active Directory: OIDC is not supported natively. AD FS or integration with web services is required.

Cloud directory: OIDC extends the OAuth protocol so that client services (your applications) verify user identities and exchange profile information through OpenID providers via RESTful APIs that dispatch JSON Web Tokens (JWTs) to share information during the authentication process. Not all cloud directories support OIDC for SSO.
Active Directory: AD can store public keys, but it’s necessary to create a Certificate Snap-in in Microsoft Management Console (MMC), port 9389.

Cloud directory: SSH key management is cloud native.
Active Directory: There is no native equivalent for WebAuthn. Add-on services and software components are required. Supply chain assurance is an important factor to consider when third-party software is installed on domain controllers.

Cloud directory: WebAuthn is a core component of the FIDO2 Project, which enables hardware security keys. It’s supported by some, but not all, cloud directories.
Active Directory: There is no native equivalent for device biometrics. Add-on services and software components are required. Supply chain assurance is an important factor to consider when third-party software is installed on domain controllers.

Cloud directory: Out-of-the-box support for device biometrics can secure logins into sensitive resources.
Active Directory: There is no native equivalent for phishing-resistant and passwordless authentication flows. Add-on services and software components are required. Supply chain assurance is an important factor to consider when third-party software is installed on domain controllers.

Cloud directory: Cloud directories may incorporate phishing-resistant modern authentication and more passwordless workflows.
Active Directory: There is no native equivalent to conditional access. Add-on services and software components are required. Supply chain assurance is an important factor to consider when third-party software is installed on domain controllers. This impedes Zero Trust security strategies.

Cloud directory: Conditional access uses signals and telemetry to restrict access to users who are in a specific location or within a defined IP range, and to devices that are in a trusted state when they reach resources. Conditional access policies can also be used to create global MFA policies.
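The policy logic described above, and the per-app versus global MFA distinction mentioned for LDAP apps earlier, as an added example that is not code from the original guide or from any directory product: it evaluates constructed login signals (location, source IP, device trust state, MFA) against a global policy and an app-scoped policy, with the strictest verdict winning. Policy and signal names are assumptions made for the demo.

```python
import ipaddress
from dataclasses import dataclass, field
RANK = {"allow": 0, "mfa": 1, "deny": 2}  # strictest verdict wins

@dataclass
class AccessSignals:          # constructed login telemetry as a cloud directory collects it
    user: str
    app: str
    country: str              # geolocation of the request
    source_ip: str
    device_trusted: bool      # managed device reporting a trusted state
    mfa_completed: bool

@dataclass
class Policy:
    name: str
    applies_to: set = field(default_factory=set)          # app names; empty = global
    allowed_countries: set = field(default_factory=set)
    trusted_networks: list = field(default_factory=list)  # CIDR strings
    require_trusted_device: bool = False
    require_mfa: bool = False

def _check(p: Policy, s: AccessSignals):
    if p.allowed_countries and s.country not in p.allowed_countries:
        return "deny", f"{p.name}: location {s.country} not permitted"
    if p.trusted_networks:
        ip = ipaddress.ip_address(s.source_ip)
        if not any(ip in ipaddress.ip_network(n) for n in p.trusted_networks):
            return "deny", f"{p.name}: {s.source_ip} outside trusted IP ranges"
    if p.require_trusted_device and not s.device_trusted:
        return "deny", f"{p.name}: device not in a trusted state"
    if p.require_mfa and not s.mfa_completed:
        return "mfa", f"{p.name}: MFA required"
    return "allow", f"{p.name}: satisfied"

def evaluate(policies, s: AccessSignals):
    """Apply every global policy plus those scoped to s.app; return (verdict, reason)."""
    verdict, reason = "allow", "no applicable policy"
    for p in policies:
        if p.applies_to and s.app not in p.applies_to:
            continue
        v, why = _check(p, s)
        if RANK[v] > RANK[verdict]:
            verdict, reason = v, why
    return verdict, reason
# Constructed sample: a global MFA policy plus a stricter one for an LDAP-bound VPN app.
POLICIES = [Policy("global-mfa", require_mfa=True),
            Policy("vpn-ldap", applies_to={"vpn"}, allowed_countries={"US", "CA"},
                   trusted_networks=["203.0.113.0/24"], require_trusted_device=True)]
```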