
Commit c0527fc

Merge pull request #106119 from martincoetzer/patch-2
Update active-directory-compare-azure-ad-to-ad.md
2 parents 99e3500 + 59f41b1 commit c0527fc

File tree: 1 file changed, +4 −4 lines changed


articles/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad.md

Lines changed: 4 additions & 4 deletions
Original file line number | Diff line number | Diff line change
@@ -17,7 +17,7 @@ ms.author: martinco
1717

1818
Azure Active Directory is the next evolution of identity and access management solutions for the cloud. Microsoft introduced Active Directory Domain Services in Windows 2000 to give organizations the ability to manage multiple on-premises infrastructure components and systems using a single identity per user.
1919

20-
Azure AD takes this approach to the next level by providing organizations with a new identity access solution for all their apps across cloud and on-premises.
20+
Azure AD takes this approach to the next level by providing organizations with an Identity as a Service (IDaaS) solution for all their apps across cloud and on-premises.
2121

2222
Most IT administrators are familiar with Active Directory Domain Services concepts. The following table outlines the differences and similarities between Active Directory concepts and Azure Active Directory.
2323

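Review bot: the unchanged context on line 18 says Microsoft "introduced Active Directory Domain Services in Windows 2000"; the product shipped under the name Active Directory, and the "Domain Services" role name only arrived with Windows Server 2008, so while this paragraph is being touched consider "introduced Active Directory (now Active Directory Domain Services) in Windows 2000 Server". On the new line 20, "across cloud and on-premises" leaves "on-premises" dangling as an adjective; "across cloud and on-premises environments" reads cleanly, and the IDaaS expansion itself is fine.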
@@ -31,15 +31,15 @@ Most IT administrators are familiar with Active Directory Domain Services concep
3131
| Credential management| Credentials in Active Directory is based on passwords, certificate authentication, and smartcard authentication. Passwords are managed using password policies that are based on password length, expiry, and complexity.|Azure AD uses intelligent [password protection](https://docs.microsoft.com/azure/active-directory/authentication/concept-password-ban-bad) for cloud and on-premises. Protection includes smart lockout plus blocking common and custom password phrases and substitutions. </br>Azure AD significantly boosts security [through Multi-factor authentication](https://docs.microsoft.com/azure/active-directory/authentication/concept-mfa-howitworks) and [passwordless](https://docs.microsoft.com/azure/active-directory/authentication/concept-authentication-passwordless) technologies, like FIDO2. </br>Azure AD reduces support costs by providing users a [self-service password reset](https://docs.microsoft.com/azure/active-directory/authentication/concept-sspr-howitworks) system. |
3232
| **Apps**|||
3333
| Infrastructure apps|Active Directory forms the basis for many infrastructure on-premises components, for example, DNS, DHCP, IPSec, WiFi, NPS, and VPN access|In a new cloud world, Azure AD, is the new control plane for accessing apps versus relying on networking controls. When users authenticate[, Conditional access (CA)](https://docs.microsoft.com/azure/active-directory/conditional-access/overview), will control which users, will have access to which apps under required conditions.|
34-
| Traditional and legacy apps| Most on-premises apps use LDAP, Windows-Integrated Authentication (NTLM and Kerberos), or Header-based authentication to control access to users.| Azure AD can provide access to these types of on-premises apps using [Azure AD application proxy](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy) agents running on-premises. Using this method Azure AD can authenticate users using Kerberos while you migrate or need to coexist with legacy apps. |
34+
| Traditional and legacy apps| Most on-premises apps use LDAP, Windows-Integrated Authentication (NTLM and Kerberos), or Header-based authentication to control access to users.| Azure AD can provide access to these types of on-premises apps using [Azure AD application proxy](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy) agents running on-premises. Using this method Azure AD can authenticate Active Directory users on-premises using Kerberos while you migrate or need to coexist with legacy apps. |
3535
| SaaS apps|Active Directory doesn't support SaaS apps natively and requires federation system, such as AD FS.|SaaS apps supporting OAuth2, SAML, and WS-\* authentication can be integrated to use Azure AD for authentication. |
3636
| Line of business (LOB) apps with modern authentication|Organizations can use AD FS with Active Directory to support LOB apps requiring modern authentication.| LOB apps requiring modern authentication can be configured to use Azure AD for authentication. |
37-
| Mid-tier/Daemon services|Services running in on-premises environments normally use AD service accounts to run. These apps will then inherit the permissions of the service account.| Azure AD provides [managed identities](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/index) to run other workloads in the cloud. The lifecycle of these identities is managed by Azure AD and is tied to the resource provider can't be used for other purposes to gain backdoor access.|
37+
| Mid-tier/Daemon services|Services running in on-premises environments normally use AD service accounts or group Managed Service Accounts (gMSA) to run. These apps will then inherit the permissions of the service account.| Azure AD provides [managed identities](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/index) to run other workloads in the cloud. The lifecycle of these identities is managed by Azure AD and is tied to the resource provider can't be used for other purposes to gain backdoor access.|
3838
| **Devices**|||
3939
| Mobile|Active Directory doesn't natively support mobile devices without third-party solutions.| Microsoft’s mobile device management solution, Microsoft Intune, is integrated with Azure AD. Microsoft Intune provides device state information to the identity system to evaluate during authentication. |
4040
| Windows desktops|Active Directory provides the ability to domain join Windows devices to manage them using Group Policy, System Center Configuration Manager, or other third-party solutions.|Windows devices can be [joined to Azure AD](https://docs.microsoft.com/azure/active-directory/devices/). Conditional access can check if a device is Azure AD joined as part of the authentication process. Windows devices can also be managed with [Microsoft Intune](https://docs.microsoft.com/intune/what-is-intune). In this case, conditional access, will consider whether a device is complaint (for example, up-to-date security patches and virus signatures) before allowing access to the apps.|
4141
| Windows servers| Active Directory provides strong management capabilities for on-premises Windows servers using Group Policy or other management solutions.| Windows servers virtual machines in Azure can be managed with [Azure AD Domain Services](https://docs.microsoft.com/azure/active-directory-domain-services/). [Managed identities](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/index) can be used when VMs need access to the identity system directory or resources.|
42-
| Linux/Unix workloads|Active Directory doesn't natively support non-Windows without third-party solutions.|Linux/Unix VMs can use [managed identities](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/index) to access the identity system or resources. Some organizations, migrate these workloads to cloud container technologies, which can also use managed identities.|
42+
| Linux/Unix workloads|Active Directory doesn't natively support non-Windows without third-party solutions, although Linux machines can be configured to authenticate with Active Directory as a Kerberos realm.|Linux/Unix VMs can use [managed identities](https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/index) to access the identity system or resources. Some organizations, migrate these workloads to cloud container technologies, which can also use managed identities.|
4343

4444
## Next steps
4545

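Review bot: the new line 37 still carries the run-on from the line it replaces, "is tied to the resource provider can't be used for other purposes to gain backdoor access"; since the row is being edited anyway, change it to "is tied to the resource provider, and they can't be used for other purposes to gain backdoor access". The gMSA addition on that line is accurate and worth keeping. The new line 42 keeps the stray comma in "Some organizations, migrate these workloads" and "doesn't natively support non-Windows" wants a noun, for example "non-Windows systems"; the added clause about Linux joining Active Directory as a Kerberos realm is correct. On the new line 34, "authenticate Active Directory users on-premises using Kerberos" is clearer than before, though it would help the reader to say the Application Proxy connector obtains the Kerberos ticket on the user's behalf (constrained delegation) rather than the user authenticating directly. Two typos in unchanged context could be swept in with this PR: line 31 "Credentials in Active Directory is based" should be "are based", and line 40 "complaint" should be "compliant".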