Difference Between Azure AD Vs Active Directory

Uploaded by hanuman sqlboy

Difference Between Azure AD vs Active Directory (AD) and AWS Directory Service


AZURE AD

Azure AD is a multi-tenant, cloud-based identity and access management solution for the Azure
platform. You can use it to provide secure access for organizations and individuals. You can
use Azure AD to:

1. Configure access to applications.
2. Configure SSO to cloud-based SaaS applications.
3. Manage users and groups.
4. Provision users.
5. Enable federation between organizations.
6. Provide an identity management solution.
7. Identify irregular sign-in activity.
8. Configure multi-factor authentication.
9. Extend existing on-premises Active Directory implementations to Azure AD.

The directory component of Azure AD is, by design, multi-tenant, and it provides a highly
scalable cloud-based directory service:

Multi-tenant: Microsoft hosts millions of users and directories within Azure AD. However,
because each Azure AD directory is distinct and separate from other Azure AD directories,
customer data and identity information is completely isolated from other tenants to prevent
users and administrators of one Azure AD directory from accidentally or maliciously
accessing data in another directory.

Scalable: The directory technologies that Azure AD uses are also used by Microsoft Office
365 and Microsoft Intune to support millions of users. The flexible, extensible data model of
Azure AD uses the REST-based Graph API, not Lightweight Directory Access Protocol
(LDAP).
Azure AD editions

To meet customers' different needs and expectations, Azure AD comes in three editions:

The Free edition provides user and group management, device registration, self-service
password change, and synchronization with on-premises directories. It is limited to 10
applications per user configured for SSO.

The Basic edition extends the Free edition's capabilities by adding group-based access
management, self-service password reset for cloud applications, and use of Application
Proxy. Additionally, this edition has a Microsoft high-availability service level agreement
(SLA) with 99.9% uptime.

The Premium edition is designed to accommodate organizations with more demanding
identity and access management needs. It supports dynamic groups and self-service group
management, self-service password reset with password writeback, self-service identity and
access management (IAM), and identity protection and security in the cloud. It includes
Microsoft Identity Manager and provides cloud write-back capabilities, Cloud App Discovery,
Azure Active Directory Connect Health, and advanced reports for security and usage information.

AD DS

AD DS is the traditional deployment of Windows Server-based Active Directory on a
physical or virtual server. Although AD DS is commonly considered to be primarily a
directory service, it is only one component of the Windows Active Directory suite of
technologies, which also includes Active Directory Certificate Services (AD CS), Active
Directory Lightweight Directory Services (AD LDS), Active Directory Federation Services
(AD FS), and Active Directory Rights Management Services (AD RMS).

When comparing AD DS with Azure AD, it is important to note the following characteristics
of AD DS:

You can deploy AD DS on an Azure virtual machine to enable scalability and availability for
an on-premises AD DS. However, deploying AD DS on an Azure virtual machine does not
make any use of Azure AD. Note that deploying AD DS on an Azure virtual machine
requires one or more additional Azure data disks because you should not use the C drive for
AD DS storage. These disks are needed to store the AD DS database, logs, and SYSVOL.
The Host Cache Preference setting for these disks must be set to None.
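As an added example (not part of the original document), the deployment just described in Azure PowerShell and the Windows Server AD DS cmdlets: a dedicated data disk with host caching set to None, a check that flags any data disk where it is not, and promotion of the VM as an additional domain controller of the on-premises domain. The resource group, VM name, domain name and drive letter are placeholders.

```powershell
# Added example; assumes the Az PowerShell module on the admin workstation and
# that the "inside the VM" part runs on the new VM. All names are placeholders.
$rg     = 'rg-identity'
$vmName = 'dc01-azure'
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName

# The AD DS database, logs and SYSVOL must not live on C:, so attach a dedicated
# data disk. Host caching is set to None, as required for AD DS data disks.
$vm = Add-AzVMDataDisk -VM $vm -Name "$vmName-adds" -Lun 0 -DiskSizeInGB 128 `
        -CreateOption Empty -Caching None
Update-AzVM -ResourceGroupName $rg -VM $vm

# Check: warn about any data disk on this VM whose caching is not None.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
$vm.StorageProfile.DataDisks | Where-Object { $_.Caching -ne 'None' } |
    ForEach-Object { Write-Warning "Data disk $($_.Name) has caching '$($_.Caching)'; set it to None" }

# --- Inside the VM: format the new disk as F: and promote the server -------------
Get-Disk | Where-Object PartitionStyle -eq 'RAW' |
    Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter F -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'ADDS' -Confirm:$false

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Join the existing on-premises domain as an additional domain controller, placing
# the database, logs and SYSVOL on the data disk. This extends AD DS into Azure and
# makes no use of Azure AD.
$domainCred = Get-Credential -Message 'Domain Admin credentials for the on-premises domain'
Install-ADDSDomainController -DomainName 'corp.example.com' `
    -Credential $domainCred `
    -DatabasePath 'F:\NTDS' -LogPath 'F:\NTDS' -SysvolPath 'F:\SYSVOL' `
    -InstallDns `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Force
```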

You can also use managed domain services on Azure (Azure AD Domain Services, described
below), which are similar to AWS Directory Service for Microsoft Active Directory.

Azure Active Directory Domain Services lets you join Azure virtual machines to a domain
without the need to deploy domain controllers. Users sign in to these virtual machines using
their corporate Active Directory credentials and access resources seamlessly. To more
securely administer domain-joined virtual machines, use Group Policy, an easy, familiar way
to apply and enforce security baselines on all of your Azure virtual machines.

Azure AD Domain Services provides managed domain services such as domain join, Group
Policy, LDAP, and Kerberos/NTLM authentication that are fully compatible with Windows
Server Active Directory. Azure AD Domain Services lets you consume these domain
services without the need to deploy, manage and patch domain controllers in the
cloud. Azure AD Domain Services integrates with your existing Azure AD tenant, thus
making it possible for users to log in using their corporate credentials. Additionally, you can
use existing groups and user accounts to secure access to resources, thus ensuring a smoother
'lift-and-shift' of on-premises resources to Azure Infrastructure Services.

Azure AD Domain Services works seamlessly regardless of whether your Azure AD tenant is
cloud-only or synced with your on-premises Active Directory.

Azure AD

Although Azure AD has many similarities to AD DS, there are also many differences. It is
important to realize that using Azure AD is not the same as deploying an Active Directory
domain controller on an Azure virtual machine and adding it to your on-premises domain.

When comparing Azure AD with AD DS, it is important to note the following characteristics
of Azure AD:

Azure AD is primarily an identity solution, and it is designed for Internet-based applications
by using HTTP (port 80) and HTTPS (port 443) communications.

Azure AD users and groups are created in a flat structure, and there are no organizational units (OUs) or Group Policy Objects (GPOs).

Azure AD cannot be queried through LDAP; instead, Azure AD uses the REST API over
HTTP and HTTPS.

Azure AD does not use Kerberos authentication; instead, it uses HTTP- and HTTPS-based protocols
such as SAML, WS-Federation, and OpenID Connect for authentication (and OAuth for
authorization).

Azure AD includes federation services, and many third-party services (such as Facebook) are
federated with and trust Azure AD.
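The protocol difference above has a practical consequence for anyone writing a relying party: because Azure AD is one multi-tenant service, an application that accepts its OpenID Connect tokens must pin the tenant it trusts, not just check that Microsoft signed the token. As an added example (not from the original document), a PowerShell claim check that runs after the token's signature has been verified against the tenant's published signing keys (that step is assumed to have happened already); the tenant ids, client id and token are constructed placeholders, and the v2.0 issuer format is assumed.

```powershell
# Added example: claim checks for an Azure AD v2.0 ID token after signature
# verification. Tenant ids, audience and the sample token are constructed values.
function ConvertFrom-Base64Url([string]$s) {
    $s = $s.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Test-AzureAdTokenClaims {
    param(
        [Parameter(Mandatory)] [string]$Token,
        [Parameter(Mandatory)] [string]$ExpectedTenantId,   # the one tenant the app trusts
        [Parameter(Mandatory)] [string]$ExpectedAudience,   # the app's own client id
        [DateTimeOffset]$Now = [DateTimeOffset]::UtcNow
    )
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { return @{ Valid = $false; Reason = 'not a compact JWT' } }
    $claims = ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json

    # Every tenant's tokens are signed by the same service, so tid and the
    # tenant-specific issuer are what keep another directory's users out.
    $expectedIssuer = "https://login.microsoftonline.com/$ExpectedTenantId/v2.0"
    if ($claims.tid -ne $ExpectedTenantId) { return @{ Valid = $false; Reason = 'tenant mismatch' } }
    if ($claims.iss -ne $expectedIssuer)   { return @{ Valid = $false; Reason = 'issuer mismatch' } }
    if ($claims.aud -ne $ExpectedAudience) { return @{ Valid = $false; Reason = 'audience mismatch' } }
    $exp = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp)
    if ($exp -le $Now) { return @{ Valid = $false; Reason = 'expired' } }
    return @{ Valid = $true; Reason = 'ok'; Subject = $claims.sub }
}

# Constructed sample: a well-formed token for the right audience, but issued by a
# different tenant than the one the application trusts, so the check rejects it.
$payload = @{
    iss = 'https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0'
    tid = '22222222-2222-2222-2222-222222222222'
    aud = 'app-client-id-placeholder'
    sub = 'user-placeholder'
    exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
} | ConvertTo-Json -Compress
$b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($payload)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
$token = "header-placeholder.$b64.signature-placeholder"
Test-AzureAdTokenClaims -Token $token -ExpectedTenantId '11111111-1111-1111-1111-111111111111' `
    -ExpectedAudience 'app-client-id-placeholder'
```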

AWS Directory Service

AWS Directory Service is a managed service that makes it easy to connect AWS services to
your existing on-premises Microsoft Active Directory (AD Connector), or to set up and
operate a new directory in the AWS cloud (Simple AD and AWS Directory Service for
Microsoft Active Directory). Your directory users and groups can access the AWS
Management Console and AWS applications, such as Amazon WorkSpaces and Amazon
WorkDocs, using their existing credentials, or join EC2 instances and AWS RDS SQL
instances to a domain.

AWS Directory Service provides three options for using a directory with other AWS
services. You can choose the directory service with the features you need at a cost that fits
your budget.

Use Simple AD if you need an inexpensive Active Directory–compatible service with the
common directory features. (Simple AD is a standalone managed directory that is powered by
Samba 4 Active Directory Compatible Server.) Simple AD does not support features such as
trust relationships with other domains, Active Directory Administrative Center, PowerShell
support, Active Directory recycle bin, group managed service accounts, and schema
extensions for POSIX and Microsoft applications.

Select AWS Directory Service for Microsoft Active Directory (Enterprise Edition) for a
feature-rich managed Microsoft Active Directory hosted in the AWS cloud (AD on
Windows 2012 R2 Enterprise Edition).

The third option, the AD Connector proxy service, lets you simply connect your existing
on-premises Active Directory to AWS.

AWS AD Connector is a directory gateway with which you can redirect directory requests to
your on-premises Microsoft Active Directory without caching any information in the cloud.
AD Connector comes in two sizes, small and large. A small AD Connector is designed for
smaller organizations of up to 500 users. A large AD Connector can support larger
organizations of up to 5,000 users.

With AD Connector you can connect AWS Directory Service to your existing enterprise
directory. When connected to your on-premises directory, all of your directory data remains
on your directory servers. AWS Directory Service does not replicate any of your directory
data.

In addition to these options, you can create your own Windows EC2 instance, install the
Active Directory Domain Services role, and manage your own Microsoft Active Directory or
extend your on-premises Active Directory. The difference is that you will have to deal with
high availability, connectivity to your VPC, host monitoring and recovery, data replication,
snapshots, and software updates yourself.
