Commit 928a353

Update active-directory-compare-azure-ad-to-ad.md
1 parent 192810a commit 928a353

1 file changed, +10 -10 lines changed
articles/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad.md

Lines changed: 10 additions & 10 deletions
@@ -1,6 +1,6 @@
11
---
2-
title: Compare Azure Active Directory to Active Directory
3-
description: This document compares Active Directory to Azure Active Directory (AD). It compares the key concepts in both identity solutions and how it's different or similar.
2+
title: Compare Active Directory to Azure Active Directory
3+
description: This document compares Active Directory (AD) to Azure Active Directory. It outlines key concepts in both identity solutions and explains how it's different or similar.
44
services: active-directory
55
author: martincoetzer
66
manager: daveba
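Review bot: In the added `description:` line, "explains how it's different or similar" keeps a singular "it" although the sentence is about two identity solutions, so the reader cannot tell which one is meant. Suggest "explains how they differ and where they are similar". The new title and description put Active Directory first while the file is still named active-directory-compare-azure-ad-to-ad.md; keeping the file name is reasonable for link stability, but confirm that the mismatch is intentional.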
@@ -13,19 +13,19 @@ ms.date: 02/26/2020
1313
ms.author: martinco
1414
---
1515

16-
# Compare Azure Active Directory to Active Directory
16+
# Compare Active Directory to Azure Active Directory
1717

1818
Azure Active Directory is the next evolution of identity and access management solutions for the cloud. Microsoft introduced Active Directory Domain Services in Windows 2000 to give organizations the ability to manage multiple on-premises infrastructure components and systems using a single identity per user.
1919

20-
Azure AD takes this approach to the next level by providing organizations with a new identity access solution to all their apps across cloud and on-premises offerings.
20+
Azure AD takes this approach to the next level by providing organizations with a new identity access solution for all their apps across cloud and on-premises.
2121

22-
Most IT administrators are familiar with Active Directory concepts and the purpose of the following table is to explain the differences and similarities between Azure AD and Active Directory.
22+
Most IT administrators are familiar with Active Directory concepts and the purpose of the following table is to explain the differences and similarities between it and Azure Active Directory.
2323

24-
| Concept| Active Directory (AD)|Azure Active Directory |
24+
|Concept|Active Directory (AD)|Azure Active Directory |
2525
|:-|:-|:-|
26-
| **Users** |||
27-
| Provisioning: users | Organizations create internal users manually or use an in-house or automated provisioning system, such as the Microsoft Identity Manager, to integrate with an HR system.|Existing AD organizations use [Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-whatis) to sync identities to the cloud.</br> Azure AD adds support to automatically create users from [cloud HR systems](https://docs.microsoft.com/azure/active-directory/saas-apps/workday-tutorial). </br>Azure AD can provision identities in [SCIM enabled](https://docs.microsoft.com/azure/active-directory/manage-apps/use-scim-to-provision-users-and-groups) SaaS apps to automatically provide apps with the necessary details to allow access for users. |
28-
| Provisioning: external identities| Organizations create external users manually as regular users in a dedicated external AD forest, resulting in administration overhead to manage the lifecycle of external identities (guest users)| Azure AD provides a special class of identity to support external identities. [Azure AD B2B](https://docs.microsoft.com/azure/active-directory/b2b/) will manage the link to the external user identity to make sure they are valid. |
26+
|**Users**|||
27+
|Provisioning: users | Organizations create internal users manually or use an in-house or automated provisioning system, such as the Microsoft Identity Manager, to integrate with an HR system.|Existing AD organizations use [Azure AD Connect](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-sync-whatis) to sync identities to the cloud.</br> Azure AD adds support to automatically create users from [cloud HR systems](https://docs.microsoft.com/azure/active-directory/saas-apps/workday-tutorial). </br>Azure AD can provision identities in [SCIM enabled](https://docs.microsoft.com/azure/active-directory/manage-apps/use-scim-to-provision-users-and-groups) SaaS apps to automatically provide apps with the necessary details to allow access for users. |
28+
|Provisioning: external identities| Organizations create external users manually as regular users in a dedicated external AD forest, resulting in administration overhead to manage the lifecycle of external identities (guest users)| Azure AD provides a special class of identity to support external identities. [Azure AD B2B](https://docs.microsoft.com/azure/active-directory/b2b/) will manage the link to the external user identity to make sure they are valid. |
2929
| Entitlement management and groups| Administrators make users members of groups. App and resource owners then give groups access to apps or resources.| [Groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal) are also available in Azure AD and administrators can also use groups to grant permissions to resources. In Azure AD, administrators can assign membership to groups manually or use a query to dynamically include users to a group. </br> Administrators can use [Entitlement management](https://docs.microsoft.com/azure/active-directory/governance/entitlement-management-overview) in Azure AD to give users access to a collection of apps and resources using workflows and, if necessary, time-based criteria. |
3030
| Admin management|Organizations will use a combination of domains, organizational units, and groups in AD to delegate administrative rights to manage the directory and resources it controls.| Azure AD provides [built-in roles](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal) with its role-based access control (RBAC) system, as well as, the ability to [create custom roles](https://docs.microsoft.com/azure/active-directory/users-groups-roles/roles-custom-overview) to delegate privileged access to the identity system and the apps and resources it controls. </br>Managing roles can be enhanced with [Privileged Identity Management (PIM)](https://docs.microsoft.com/azure/active-directory/privileged-identity-management/pim-configure) to provide just-in-time, time-restricted, or workflow-based access to privileged roles. |
3131
| Credential management| Credentials in Active Directory is based on passwords, certificate authentication, and smartcard authentication. Passwords are managed using password policies that are based on password length, expiry, and complexity.|Azure AD uses intelligent [password protection](https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad) for cloud and on-premises. Protection includes smart lockout plus blocking common and custom password phrases and substitutions. </br>Azure AD significantly boosts security [through Multi-factor authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks) and [passwordless](https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless) technologies, like FIDO2. </br>Azure AD reduces support costs by providing users a [self-service password reset](https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-howitworks) system. |
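Review bot: The edits to table rows 24 and 26 to 28 only strip the space after the leading pipe (`|Concept|`, `|**Users**|||`, `|Provisioning: users |`), while the unchanged rows 29 to 31 directly below still start with `| `, so the table source ends up less consistent than before and the diff is noisier than the wording changes warrant. Either normalize every row of the table or drop the whitespace-only edits. Since row 27 is touched anyway, its `</br>` tags are not valid HTML and `<br>` is what is meant. Row 28 also lacks a period after "(guest users)".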
@@ -34,7 +34,7 @@ Most IT administrators are familiar with Active Directory concepts and the purpo
3434
| Traditional and legacy apps| Most on-premises apps use LDAP, Windows-Integrated Authentication (NTLM and Kerberos), or Header-based authentication to control access to users.| Azure AD can provide access to these types of on-premises apps using [Azure AD application proxy](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy) agents running on-premises. Using this method Azure AD can authenticate users using Kerberos while you migrate or need to coexist with legacy apps. |
3535
| SaaS apps|Active Directory doesn't support SaaS apps natively and requires federation system, such as AD FS.|SaaS apps supporting OAuth2, SAML, and WS-\* authentication can be integrated to use Azure AD for authentication. |
3636
| Line of business (LOB) apps with modern authentication|Organizations can use AD FS with Active Directory to support LOB apps requiring modern authentication.| LOB apps requiring modern authentication can be configured to use Azure AD for authentication. |
37-
| Mid-tier/Daemon services|Services running in on-premises environments typically use AD service accounts to run. These apps will then inherit the permissions of the service account.| Azure AD provides [managed identities](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/index) to run other workloads in the cloud. The lifecycle of these identities is managed by Azure AD and is tied to the resource provider can't be used for other purposes to gain backdoor access.|
37+
| Mid-tier/Daemon services|Services running in on-premises environments normally use AD service accounts to run. These apps will then inherit the permissions of the service account.| Azure AD provides [managed identities](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/index) to run other workloads in the cloud. The lifecycle of these identities is managed by Azure AD and is tied to the resource provider can't be used for other purposes to gain backdoor access.|
3838
| **Devices**|||
3939
| Mobile|Active Directory doesn't natively support mobile devices without third-party solutions.| Microsoft’s mobile device management solution, Microsoft Intune, is integrated with Azure AD. Microsoft Intune provides device state information to the identity system to evaluate during authentication. |
4040
| Windows desktops|Active Directory provides the ability to domain join Windows devices to manage them using Group Policy, System Center Configuration Manager, or other third-party solutions.|Windows devices can be [joined to Azure AD](https://docs.microsoft.com/azure/active-directory/devices/). Conditional access can check if a device is Azure AD joined as part of the authentication process. Windows devices can also be managed with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune). In this case, conditional access, will consider whether a device is complaint (for example, up-to-date security patches and virus signatures) before allowing access to the apps.|
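Review bot: The changed row 37 swaps "typically" for "normally" but leaves the run-on in its last sentence, "is tied to the resource provider can't be used for other purposes to gain backdoor access", which is the sentence carrying the security claim about managed identities. Suggest "is tied to the resource provider, and it can't be used for other purposes to gain backdoor access." In the context row for Windows desktops, "complaint" should be "compliant" and the comma in "conditional access, will consider" should be dropped; both could be fixed in the same commit.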
