Azure Active Directory Domain Services (AAD DS) is a cloud directory service offering from Microsoft. A directory service is a database that stores object information used for Identity and Access Management (IAM). Administrators and users rely on this information to verify identity and the level of access to resources within the organization. IAM sources integrate with other applications and services, providing capabilities such as Single Sign-On (SSO). In this article, we will discuss the Identity and Access Management solutions from Microsoft and how these newer solutions can help an organization:
- Cut Costs, manage less infrastructure, and decrease overall footprint
- Increase Efficiency
- Run legacy applications in the Azure Cloud that can’t use modern authentication methods
- So much more!
Active Directory
Active Directory Domain Services (AD DS) was released in 1999 alongside Windows Server 2000 and changed the Identity and Access Management landscape for decades to come. The service is deployed by creating a domain namespace and promoting servers to be Domain Controllers. These Domain Controllers (DCs) replicate the directory of objects within the domain between each other. Active Directory depends on DNS (and commonly DHCP) for hostname resolution and on the Lightweight Directory Access Protocol (LDAP/LDAPS) for directory access and authentication. These Domain Controllers can run as either physical or virtualized servers. Group Policy manages servers and users by applying rules directly to users, security groups, or computers. Here is a typical reference architecture for Active Directory Domain Services (AD DS):
We can see from the diagram that Active Directory Domain Services requires a lot of infrastructure to run effectively. System administrators must manually manage the Domain Controllers themselves and perform updates. Active Directory does not provide services like SAML or OAuth out of the box; it requires Active Directory Federation Services (ADFS) to achieve Single Sign-On (SSO) and these other features. ADFS also requires additional server overhead and manual federation with applications and external services.
Here is an Active Directory Domain Services deployment with Active Directory Federation Services:
For more detailed information on Active Directory Domain Services, check out Active Directory Domain Services Overview
–
Azure Active Directory and Microsoft 365
A little less than a decade later, Microsoft released the Azure Cloud and Azure Active Directory on October 27th, 2008. Azure Active Directory (AAD) is a cloud-based identity and mobile device management service that provides user account and authentication services for applications and external services. Azure Active Directory can also provide SAML and OAuth authentication capabilities for an organization from the Azure Identity Provider (IdP). Though no servers are required to run Azure AD, it does have limitations: there is no Lightweight Directory Access Protocol (LDAP/LDAPS) endpoint and no traditional Group Policy. Instead, machines and users are managed with Conditional Access policies in the Azure Portal.
Here is a reference diagram on Azure Active Directory:
But would this mean an organization with Active Directory would have to start from scratch in Azure Active Directory?!
Of course not!!
–
Hybrid Identity with Azure AD Connect
With the popularity of cloud computing, most organizations find themselves in a situation where they have applications both on-premises and in the cloud. Managing users in multiple places is complicated and can easily cause issues. Hybrid Identity is the solution developed by Microsoft to handle these challenges; it creates a common user identity for authentication to all resources, regardless of location.
It is possible to keep the current Active Directory and sync it to Azure AD using Azure AD Connect. Azure AD Connect is an application that runs on an on-premises server and provides synchronization to Azure AD. This application also monitors the health of the synchronization through Azure AD Connect Health monitoring.
There are three main types of Hybrid Identity between Active Directory Domain Services and Azure Active Directory:
- Password Hash Synchronization: In this scenario, users’ password hashes are synced from Active Directory to Azure Active Directory, as in the example:
- Pass-Through Authentication: In this model, users authenticate with the use of a Pass-Through Authentication Agent in Azure, which then authenticates them against on-premises Active Directory Domain Services, as in this example:
- Federation with Azure Active Directory: A federation is a collection of domains that have established trust; in this case, trust is established with Azure Active Directory. This method uses Active Directory Federation Services (ADFS), and all user authentication occurs on-premises.
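Because the three models above look identical to end users, an administrator should be able to confirm which one a tenant actually relies on and that synchronization is still running. The following script is an added example, not part of the original article or of Microsoft's tooling; it is meant to be run on the Azure AD Connect server, assumes the ADSync module that ships with Azure AD Connect, and assumes an existing Connect-MsolService session for the final domain check. The PTA agent service name is an assumption on my part.

```powershell
# Added example: report the hybrid identity model in effect and the sync scheduler state.
# Run on the Azure AD Connect server. Assumes the ADSync module and, for step 4,
# an MSOnline session opened earlier with Connect-MsolService.
Import-Module ADSync

# 1. Sync scheduler. A disabled cycle (or an unnoticed staging-mode server) means
#    on-prem changes such as account disables and password resets stop reaching Azure AD.
$scheduler = Get-ADSyncScheduler
[pscustomobject]@{
    SyncCycleEnabled = $scheduler.SyncCycleEnabled
    StagingMode      = $scheduler.StagingModeEnabled
    NextSyncCycleUtc = $scheduler.NextSyncCycleStartTimeInUTC
}

# 2. Password Hash Synchronization: the tenant-level feature flag plus the
#    per-connector setting for every on-premises AD connector.
$features = Get-ADSyncAADCompanyFeature
"PasswordHashSync enabled at tenant level: $($features.PasswordHashSync)"

Get-ADSyncConnector |
    Where-Object { $_.ConnectorTypeName -eq 'AD' } |
    ForEach-Object {
        $cfg = Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $_.Name
        "Connector '$($_.Name)': PHS enabled = $($cfg.Enabled)"
    }

# 3. Pass-Through Authentication: the agent runs as a Windows service on each agent host.
#    The service name below is assumed; verify it against your own installation.
$pta = Get-Service -Name 'AzureADConnectAuthenticationAgent' -ErrorAction SilentlyContinue
if ($pta) { "PTA agent service state: $($pta.Status)" } else { "PTA agent not installed on this host" }

# 4. Federation: a verified domain whose Authentication is 'Federated' sends
#    sign-ins to ADFS instead of validating them in Azure AD.
Get-MsolDomain | Select-Object Name, Authentication, Status
```

A tenant where no domain is Federated, no PTA agent service exists, and PHS is enabled on every connector is running Password Hash Synchronization only.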
Azure Active Directory Domain Services:
Azure Active Directory Domain Services is a cloud-based Identity and Access Management solution from Microsoft. In this solution, the Domain Controllers are created, patched, etc., by Microsoft as part of a managed domain experience. Azure Active Directory Domain Services is synced one way from Azure Active Directory. Azure Active Directory Domain Services provides a subset of Active Directory features for organizations, which lowers management and design complexity.
These features include:
- LDAP/LDAPS Endpoint
- Domain Join
- Group Policy
- Kerberos/NTLM Authentication
Here’s an example of a Cloud-Only Infrastructure:
And here is one for a hybrid deployment:
Azure Active Directory Domain Services Pricing:
Azure Active Directory Domain Services is priced according to the table below; for more information, browse to Pricing.
Identity and Access Management in the Modern Age
In modern times, technology can provide an organization with the strategic advantages it needs to be successful. In recent years there has been a shift toward a much larger share of the workforce working remotely. Many organizations have expanded their resources to the cloud during this time and are looking for remote solutions that fit their use case. Users need essential features such as Single Sign-On (SSO) for their applications to work efficiently. It is also crucial to evaluate the management overhead of the Identity and Access solution for Information Technology teams within an organization, especially when moving to the cloud. Microsoft’s suite of Identity and Access tools can help an organization gain that competitive advantage in the marketplace in the modern age.
Awesome post! Thanks for sharing the knowledge and keeping up the good work.