Commit 4c4b00f

Merge pull request #106017 from MicrosoftDocs/master
2/28 AM Publish
2 parents 1f738a9 + 68ec94e commit 4c4b00f

267 files changed

+2554
-2315
lines changed

articles/active-directory/app-provisioning/provisioning-agent-release-version-history.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ ms.devlang: na
1212
ms.topic: reference
1313
ms.tgt_pltfrm: na
1414
ms.workload: identity
15-
ms.date: 02/04/2020
15+
ms.date: 02/26/2020
1616
ms.subservice: app-provisioning
1717
ms.author: chmutali
1818

@@ -21,7 +21,7 @@ ms.collection: M365-identity-device-management
2121
# Azure AD Connect Provisioning Agent: Version release history
2222
This article lists the versions and features of Azure Active Directory Connect Provisioning Agent that have been released. The Azure AD team regularly updates the Provisioning Agent with new features and functionality. The Provisioning Agent is updated automatically when a new version is released.
2323

24-
We recommend enabling auto update for your agents to ensure that you have the latest features and bug fixes. Microsoft provides direct support for the latest agent version and one version before.
24+
Microsoft provides direct support for the latest agent version and one version before.
2525

2626
## 1.1.96.0
2727
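
Review bot: with the auto-update recommendation dropped at line 24, the page states a support window (the latest agent version and one version before) but no longer tells the reader how to stay inside it. The unchanged line 22 still says the agent is updated automatically, so consider linking to the automatic upgrade article from this paragraph, or saying how an administrator confirms which agent version is installed.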

articles/active-directory/cloud-provisioning/how-to-automatic-upgrade.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,7 @@ ms.collection: M365-identity-device-management
1919
---
2020
# Azure AD Connect cloud provisioning agent: Automatic upgrade
2121

22-
Making sure your Azure Active Directory (Azure AD) Connect cloud provisioning agent installation is always up to date is easy with the automatic upgrade feature. This feature is enabled by default and can't be disabled.
22+
Making sure your Azure Active Directory (Azure AD) Connect cloud provisioning agent installation is always up to date is easy with the automatic upgrade feature.
2323

2424
The agent is installed here: "Program files\Azure AD Connect Provisioning Agent\AADConnectProvisioningAgent.exe"
2525
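
Review bot: line 22 now says nothing about whether automatic upgrade is on by default or whether it can be turned off, because "This feature is enabled by default and can't be disabled." was removed without a replacement. Administrators who control agent changes need that stated either way; if the behaviour changed, replace the sentence with the current default and the supported way to control it rather than deleting it.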

Lines changed: 49 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,49 @@
1+
---
2+
title: Compare Active Directory to Azure Active Directory
3+
description: This document compares Active Directory Domain Services (ADDS) to Azure Active Directory (AD). It outlines key concepts in both identity solutions and explains how it's different or similar.
4+
services: active-directory
5+
author: martincoetzer
6+
manager: daveba
7+
tags: azuread
8+
ms.service: active-directory
9+
ms.topic: conceptual
10+
ms.workload: identity
11+
ms.subservice: fundamentals
12+
ms.date: 02/26/2020
13+
ms.author: martinco
14+
---
15+
16+
# Compare Active Directory to Azure Active Directory
17+
18+
Azure Active Directory is the next evolution of identity and access management solutions for the cloud. Microsoft introduced Active Directory Domain Services in Windows 2000 to give organizations the ability to manage multiple on-premises infrastructure components and systems using a single identity per user.
19+
20+
Azure AD takes this approach to the next level by providing organizations with a new identity access solution for all their apps across cloud and on-premises.
21+
22+
Most IT administrators are familiar with Active Directory Domain Services concepts. The following table outlines the differences and similarities between Active Directory concepts and Azure Active Directory.
23+
24+
|Concept|Active Directory (AD)|Azure Active Directory |
25+
|:-|:-|:-|
26+
|**Users**|||
27+
|Provisioning: users | Organizations create internal users manually or use an in-house or automated provisioning system, such as the Microsoft Identity Manager, to integrate with an HR system.|Existing AD organizations use [Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-whatis) to sync identities to the cloud.</br> Azure AD adds support to automatically create users from [cloud HR systems](https://docs.microsoft.com/azure/active-directory/saas-apps/workday-tutorial). </br>Azure AD can provision identities in [SCIM enabled](https://docs.microsoft.com/azure/active-directory/manage-apps/use-scim-to-provision-users-and-groups) SaaS apps to automatically provide apps with the necessary details to allow access for users. |
28+
|Provisioning: external identities| Organizations create external users manually as regular users in a dedicated external AD forest, resulting in administration overhead to manage the lifecycle of external identities (guest users)| Azure AD provides a special class of identity to support external identities. [Azure AD B2B](https://docs.microsoft.com/azure/active-directory/b2b/) will manage the link to the external user identity to make sure they are valid. |
29+
| Entitlement management and groups| Administrators make users members of groups. App and resource owners then give groups access to apps or resources.| [Groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal) are also available in Azure AD and administrators can also use groups to grant permissions to resources. In Azure AD, administrators can assign membership to groups manually or use a query to dynamically include users to a group. </br> Administrators can use [Entitlement management](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-overview) in Azure AD to give users access to a collection of apps and resources using workflows and, if necessary, time-based criteria. |
30+
| Admin management|Organizations will use a combination of domains, organizational units, and groups in AD to delegate administrative rights to manage the directory and resources it controls.| Azure AD provides [built-in roles](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal) with its role-based access control (RBAC) system, as well as, the ability to [create custom roles](https://docs.microsoft.com/azure/active-directory/users-groups-roles/roles-custom-overview) to delegate privileged access to the identity system and the apps and resources it controls. </br>Managing roles can be enhanced with [Privileged Identity Management (PIM)](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure) to provide just-in-time, time-restricted, or workflow-based access to privileged roles. |
31+
| Credential management| Credentials in Active Directory is based on passwords, certificate authentication, and smartcard authentication. Passwords are managed using password policies that are based on password length, expiry, and complexity.|Azure AD uses intelligent [password protection](https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad) for cloud and on-premises. Protection includes smart lockout plus blocking common and custom password phrases and substitutions. </br>Azure AD significantly boosts security [through Multi-factor authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks) and [passwordless](https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless) technologies, like FIDO2. </br>Azure AD reduces support costs by providing users a [self-service password reset](https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-howitworks) system. |
32+
| **Apps**|||
33+
| Infrastructure apps|Active Directory forms the basis for many infrastructure on-premises components, for example, DNS, DHCP, IPSec, WiFi, NPS, and VPN access|In a new cloud world, Azure AD, is the new control plane for accessing apps versus relying on networking controls. When users authenticate[, Conditional access (CA)](https://docs.microsoft.com/azure/active-directory/conditional-access/overview), will control which users, will have access to which apps under required conditions.|
34+
| Traditional and legacy apps| Most on-premises apps use LDAP, Windows-Integrated Authentication (NTLM and Kerberos), or Header-based authentication to control access to users.| Azure AD can provide access to these types of on-premises apps using [Azure AD application proxy](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy) agents running on-premises. Using this method Azure AD can authenticate users using Kerberos while you migrate or need to coexist with legacy apps. |
35+
| SaaS apps|Active Directory doesn't support SaaS apps natively and requires federation system, such as AD FS.|SaaS apps supporting OAuth2, SAML, and WS-\* authentication can be integrated to use Azure AD for authentication. |
36+
| Line of business (LOB) apps with modern authentication|Organizations can use AD FS with Active Directory to support LOB apps requiring modern authentication.| LOB apps requiring modern authentication can be configured to use Azure AD for authentication. |
37+
| Mid-tier/Daemon services|Services running in on-premises environments normally use AD service accounts to run. These apps will then inherit the permissions of the service account.| Azure AD provides [managed identities](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/index) to run other workloads in the cloud. The lifecycle of these identities is managed by Azure AD and is tied to the resource provider can't be used for other purposes to gain backdoor access.|
38+
| **Devices**|||
39+
| Mobile|Active Directory doesn't natively support mobile devices without third-party solutions.| Microsoft’s mobile device management solution, Microsoft Intune, is integrated with Azure AD. Microsoft Intune provides device state information to the identity system to evaluate during authentication. |
40+
| Windows desktops|Active Directory provides the ability to domain join Windows devices to manage them using Group Policy, System Center Configuration Manager, or other third-party solutions.|Windows devices can be [joined to Azure AD](https://docs.microsoft.com/azure/active-directory/devices/). Conditional access can check if a device is Azure AD joined as part of the authentication process. Windows devices can also be managed with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune). In this case, conditional access, will consider whether a device is complaint (for example, up-to-date security patches and virus signatures) before allowing access to the apps.|
41+
| Windows servers| Active Directory provides strong management capabilities for on-premises Windows servers using Group Policy or other management solutions.| Windows servers virtual machines in Azure can be managed with [Azure AD Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/). [Managed identities](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/index) can be used when VMs need access to the identity system directory or resources.|
42+
| Linux/Unix workloads|Active Directory doesn't natively support non-Windows without third-party solutions.|Linux/Unix VMs can use [managed identities](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/index) to access the identity system or resources. Some organizations, migrate these workloads to cloud container technologies, which can also use managed identities.|
43+
44+
## Next steps
45+
46+
- [What is Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)
47+
- [Compare self-managed Active Directory Domain Services, Azure Active Directory, and managed Azure Active Directory Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/compare-identity-solutions)
48+
- [Frequently asked questions about Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-faq)
49+
- [What's new in Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/fundamentals/whats-new)
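
Review bot: two table cells garble the security point they are making. Line 37 reads "is tied to the resource provider can't be used for other purposes to gain backdoor access", which is missing a conjunction (suggest "is tied to the resource provider and can't be used for other purposes"), and line 40 says "whether a device is complaint" where "compliant" is meant. Smaller points: line 3 abbreviates Azure Active Directory as "(AD)", which collides with the Active Directory column of the table; line 31 should read "Credentials in Active Directory are based"; the cells use "</br>", which is not a valid tag, so use "<br>"; and lines 33, 40 and 42 have stray commas ("Azure AD, is the new control plane", "conditional access, will consider", "Some organizations, migrate").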

articles/active-directory/fundamentals/toc.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -43,6 +43,8 @@
4343
href: active-directory-data-storage-australia-newzealand.md
4444
- name: What's new in Microsoft 365 Government
4545
href: whats-new-microsoft-365-government.md
46+
- name: Compare Azure AD with ADDS
47+
href: active-directory-compare-azure-ad-to-ad.md
4648
- name: Azure AD Operations reference
4749
items:
4850
- name: Introduction
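
Review bot: the new TOC entry at line 46 is named "Compare Azure AD with ADDS", while the article added in this commit is titled "Compare Active Directory to Azure Active Directory". Suggest aligning the entry name with the article title so the TOC and the page heading use the same terms and the same order.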

articles/active-directory/hybrid/how-to-connect-install-prerequisites.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ ms.workload: identity
1212
ms.tgt_pltfrm: na
1313
ms.devlang: na
1414
ms.topic: conceptual
15-
ms.date: 05/08/2019
15+
ms.date: 02/27/2020
1616
ms.subservice: hybrid
1717
ms.author: billmath
1818

@@ -81,8 +81,8 @@ To learn more, see:
8181

8282
### Accounts
8383
* An Azure AD Global Administrator account for the Azure AD tenant you wish to integrate with. This account must be a **school or organization account** and cannot be a **Microsoft account**.
84-
* If you use express settings or upgrade from DirSync, then you must have an Enterprise Administrator account for your on-premises Active Directory.
85-
* [Accounts in Active Directory](reference-connect-accounts-permissions.md) if you use the custom settings installation path or an Enterprise Administrator account for your on-premises Active Directory.
84+
* If you use [express settings](reference-connect-accounts-permissions.md#express-settings-installation) or upgrade from DirSync, then you must have an Enterprise Administrator account for your on-premises Active Directory.
85+
* If you use the custom settings installation path then you have more options see [Accounts in Active Directory](reference-connect-accounts-permissions.md#custom-installation-settings)
8686

8787
### Connectivity
8888
* The Azure AD Connect server needs DNS resolution for both intranet and internet. The DNS server must be able to resolve names both to your on-premises Active Directory and the Azure AD endpoints.
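
Review bot: the new line 85 is a run-on with no closing punctuation ("then you have more options see [Accounts in Active Directory]"), and it no longer says that an Enterprise Administrator account is also accepted on the custom path, which the removed line did. Suggest "If you use the custom settings installation path, you have more options. For more information, see [Accounts in Active Directory](...)." and keep a short statement of which on-premises account is required in this bullet, since this is the prerequisites list.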

articles/active-directory/hybrid/how-to-connect-password-hash-synchronization.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ ms.assetid: 05f16c3e-9d23-45dc-afca-3d0fa9dbf501
99
ms.service: active-directory
1010
ms.workload: identity
1111
ms.topic: conceptual
12-
ms.date: 04/02/2019
12+
ms.date: 02/26/2020
1313
ms.subservice: hybrid
1414
ms.author: billmath
1515
search.appverid:
@@ -131,10 +131,10 @@ To support temporary passwords in Azure AD for synchronized users, you can enabl
131131
`Set-ADSyncAADCompanyFeature  -ForcePasswordChangeOnLogOn $true`
132132

133133
> [!NOTE]
134-
> Forcing a user to change their password on next logon requires a password change at the same time. AD Connect will not pick up the force password change flag by itself; it is supplemental to the detected password change that occurs during password hash sync.
134+
> Forcing a user to change their password on next logon requires a password change at the same time. Azure AD Connect will not pick up the force password change flag by itself; it is supplemental to the detected password change that occurs during password hash sync.
135135
136136
> [!CAUTION]
137-
> If you do not enable Self-service Password Reset (SSPR) in Azure AD users will have a confusing experience when they reset their password in Azure AD and then attempt to sign in in Active Directory with the new password, as the new password isn’t valid in Active Directory. You should only use this feature when SSPR and Password Writeback is enabled on the tenant.
137+
> You should only use this feature when SSPR and Password Writeback are enabled on the tenant. This is so that if a user changes their password via SSPR, it will be synchronized to Active Directory.
138138
139139
> [!NOTE]
140140
> This feature is in public preview right now.
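
Review bot: the rewritten CAUTION at line 137 drops the failure mode the old text described, namely that without SSPR a password reset in Azure AD leaves the user with a new password that is not valid in Active Directory. A caution should say what goes wrong, so keep one sentence on that consequence after the requirement. The second sentence would also be clearer as "so that a password changed through SSPR is written back to Active Directory", since "it will be synchronized" does not say in which direction.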
