In today's era, where everything is being digitised, cloud technology plays a large role in everyday computing. Organisations want to own fewer physical resources and want simpler management and troubleshooting of their digital assets, which drives the adoption of cloud services.
Since cloud technology offers an alternative to almost every physical or digital solution, this article is a comparative analysis of an on-site asset and its cloud alternative: on-premises Active Directory and Azure Active Directory.
First, a brief look at what Active Directory is and how it is secured, before exploring what the cloud identity service has on offer.
Microsoft Active Directory
Active Directory is a directory service developed by Microsoft that lets organisations manage Windows networks; Linux machines can also join an AD domain and authenticate to it over Kerberos and LDAP (for example with SSSD or realmd).
A directory service, in computing terms, organises, allocates and manages network resources and devices, holds user accounts, verifies authentication requests and defines access controls. This section covers the main elements of an Active Directory structure.
Active Directory stores and retrieves information about network resources such as user accounts, groups, computers and servers. These are stored as objects, arranged inside containers; the containers an administrator creates to group objects and delegate their administration are called organisational units (OUs). Access to objects is granted only to authorised users according to their permissions. The structure can be complex in an organisation with many OUs, so understand how your directory is laid out before making changes.
Active Directory Domain Services (AD DS): the core role that stores the directory database and performs authentication and authorisation. Domain controllers host the service for their domain; one or more domains sharing a common schema and configuration form a forest. Clients and member servers locate a domain controller for their domain and authenticate to it, normally with Kerberos and, as a fallback for legacy scenarios, NTLM. The entities being authenticated and authorised (users, computers and groups) are the directory's security principals, each identified by a security identifier (SID).
Active Directory Certificate Services (AD CS): a Windows Server role that runs an enterprise certification authority and issues and manages X.509 certificates for TLS, S/MIME, IPsec, smart-card logon and similar uses. It is administered through the Certification Authority console (certsrv.msc) or the ADCSAdministration PowerShell module. Because every domain member trusts the enterprise CA, certificate templates and their enrolment permissions deserve the same review as privileged group membership; an over-permissive template is an established route to domain privilege escalation.
Active Directory Federation Services (AD FS): a server role that implements claims-based identity federation using standards such as WS-Federation, SAML 2.0 and OAuth 2.0, so users can sign in to applications in other organisations or in the cloud with their on-premises credentials. Active Directory Lightweight Directory Services (AD LDS) and Active Directory Rights Management Services (AD RMS) are the other AD components.
What are Windows Server Active Directory Domain Services?
Now that we know what Microsoft Active Directory is and what its structure is, let’s move towards our comparison between a physical and a cloud Active Directory Domain Services.
The on-premises solution that Microsoft provides is Windows Server Active Directory, or simply Active Directory. It manages on-premises user accounts, devices, shared network resources and applications, with the structure described above.
What is Azure Active Directory Domain Services?
Microsoft's cloud platform is Azure, and the cloud counterpart of Windows Server Active Directory is Azure Active Directory (Azure AD; renamed Microsoft Entra ID in 2023). Azure AD is not a replacement for on-premises AD DS: it is a separate identity service that can be synchronised with an on-premises directory and offers some of the same functions (users, groups, authentication and authorisation) in a different form.
Azure AD is a cloud-based identity and access management (IAM) service. It gives an organisation's users:
- Single Sign-On (SSO) access to a variety of Software as a Service (SaaS) applications like Office 365, Dropbox, Salesforce etc.
- Access to internal resources, corporate applications and any cloud applications that have been developed by the organisation.
Azure AD Domain Services (Azure AD DS) is a different product: a managed domain hosted by Microsoft that receives a one-way synchronisation of users and groups from Azure AD. Applications, systems and VMs in Azure joined to the managed domain get traditional AD DS features (domain join, Group Policy, LDAP, Kerberos and NTLM authentication) without the organisation running its own domain controllers. Each Azure AD tenant can have only one managed domain, and that domain is deployed into a single virtual network; workloads in other virtual networks reach it through virtual network peering.
On-premises AD DS lets an organisation manage many infrastructure components and systems with a single identity per user; Azure AD extends that idea into an Identity-as-a-Service (IDaaS) offering that covers both cloud and on-premises applications.
What is the difference between Azure Active Directory and Active Directory?
Azure Active Directory vs Active Directory
The main architectural difference between on-premises AD and Azure AD is that Azure AD is a web service: clients and applications talk to it over HTTPS using the Microsoft Graph REST (Representational State Transfer) API and web authentication protocols, not LDAP and Kerberos. The following table compares the two:

| Aspect | Azure Active Directory (Azure AD) | Windows Server Active Directory (AD DS) |
|---|---|---|
| Protocol for clients and apps | REST API (Microsoft Graph) over HTTPS to communicate with web-based services. | LDAP to communicate with clients and servers. |
| Structure | Each instance is a tenant: a flat structure of users and groups. | Forests, domains, OUs and objects. |
| Authentication protocols | Cloud protocols: OpenID Connect, SAML and OAuth 2.0. | Windows Integrated Authentication: Kerberos and NTLM. |
| Credentials and password protection | Smart lockout and banned password lists that block common phrases and substitutions; MFA and passwordless options such as FIDO2 security keys and Windows Hello; self-service password reset. | Passwords, certificate authentication and smart-card authentication. Passwords are governed by domain or fine-grained password policies (expiry, length, complexity). |
| Group management | Admins organise users into groups; self-service group membership can be enabled. | Admins or data owners assign users to groups. |
| Administrative delegation | Built-in Azure AD roles through Azure AD role-based access control (RBAC), with limited support for custom roles. | Domains, OUs and groups are used to delegate administrative rights. |
| Software as a Service (SaaS) apps | SaaS apps supporting SAML, OAuth or OpenID Connect are integrated directly into Azure AD. | No native SaaS integration; requires a federation service such as AD FS. |
| Line-of-business (LoB) apps | LoB apps using modern authentication are configured to use Azure AD. | AD FS alongside AD DS is needed to support LoB apps that require modern authentication. |
| Workload identities | Managed identities for workloads running in Azure. | AD DS service accounts or group Managed Service Accounts (gMSA). |
| Mobile device management | Supported via Microsoft Intune. | None without a third-party solution. |
| Windows desktops | Devices can be Azure AD joined and managed by Microsoft Intune. | Governed by Group Policy Objects (GPOs). |
| Servers | Managed through an Azure AD DS managed domain. | Strong server management through GPOs and other on-premises tooling. |
| Linux/Unix | Linux VMs can use managed identities to reach Azure resources. | Linux systems can join the domain and authenticate via Kerberos/LDAP (SSSD, realmd), but there is no Group Policy for them; full management needs third-party tools. |
What are the benefits of Azure Active Directory (Azure AD) over an On-Premises Active Directory (AD)?
Reducing Administrative Overhead: The first benefit of Azure AD over an on-premises AD is reduced administrative overhead as organisations adopt cloud applications such as Office 365; there are no domain controllers to patch, back up or replicate.
Security: Azure AD Identity Protection (an Azure AD Premium P2 feature) surfaces risky sign-ins and likely account compromise to administrators. An on-premises AD DS needs a separate product, such as Microsoft Defender for Identity or a third-party tool, for comparable visibility.
Single Sign-On: Azure AD gives users single sign-on to a large catalogue of SaaS applications, and Azure AD joined devices authenticate users with OpenID Connect and OAuth 2.0. (Seamless SSO is the narrower Azure AD Connect feature that lets users on domain-joined corporate devices sign in to Azure AD without re-entering their password.)
Enhanced Self-Service for Group Memberships: business users can request or manage group memberships themselves, so routine group changes no longer have to go through IT support; the whole workflow runs through the Azure AD admin portal.
Easy License Management: Azure AD provides easy license management for several Microsoft services through the Azure AD admin portal.
Guest Collaboration: Azure AD allows you to invite guest users into your directory to assign access while their organisation manages their credentials.
Other Features: Additional features in Azure AD, such as Privileged Identity Management, tenant restrictions and the Identity Secure Score (based on Microsoft's security recommendations and best practices), make it a valuable tool to use alongside an on-premises AD.
Limitations of Azure AD: When compared to an on-premises Active Directory, Azure Active Directory has the following limitations:
Security: Azure AD's sign-in endpoints are reachable from the internet and cannot be placed behind the organisation's firewall, so compensating controls are needed, and those carry licensing costs: Conditional Access requires Azure AD Premium P1 (included in Enterprise Mobility + Security (EMS) E3) and Identity Protection requires Premium P2 (EMS E5).
No Support for Integrated Windows Authentication Protocols: Azure AD itself does not speak Kerberos or NTLM, so native or legacy applications that authenticate this way cannot point at Azure AD directly; they need Azure AD DS, a domain controller on an Azure VM, or re-engineering to modern authentication.
LoB Applications: an organisation's line-of-business applications must be delivered as SaaS-style applications using modern authentication, or hosted on domain-joined VMs as described in the migration section below.
No Active Directory Certificate Services: Azure AD does not include a certification authority. An organisation that relies on client certificates for wireless (802.1X) or VPN access needs another PKI source, such as an on-premises AD CS, Intune certificate profiles or a third-party CA.
Flat Structure: Azure AD is flat, with no Organisational Units or forests (administrative units exist for scoping admin roles but are not a hierarchy). Note that a managed Azure AD DS domain does contain OUs.
Integrating Azure Active Directory with an On-Premises Active Directory
There are three ways of integrating an On-Prem AD with an Azure AD:
- Password Hash Synchronization (PHS): Azure AD Connect synchronises a derived form of each user's password hash to Azure AD, in the same spirit as AD replication. It does not send the password or the raw NT hash: the connector takes the NT hash, adds a per-user salt and runs PBKDF2 with HMAC-SHA256 before uploading, so the stored value cannot be replayed against on-premises systems. The sync runs under a service account created during Azure AD Connect installation (the MSOL_ account), which holds directory replication rights so it can read hashes; that makes the Azure AD Connect server a Tier 0 asset to be protected like a domain controller.
- Pass-Through Authentication (PTA): credentials stay on-premises while users keep one password for Azure AD and on-premises AD. When a user signs in at the Azure AD sign-in page (for example to reach Outlook on the web), Azure AD encrypts the username and password with the public key of an on-premises Pass-through Authentication agent and places them in a queue; the agent, which keeps an outbound connection to Azure AD, retrieves and decrypts the credentials, validates them against a domain controller and returns the result. Because every password passes through the agent in clear form at that moment, the agent servers are also Tier 0.
- Active Directory Federation Services (AD FS): Azure AD is configured with a federation trust to the organisation's AD FS farm, so sign-ins for federated domains are redirected to AD FS and authenticated with on-premises credentials. In 2017 Microsoft added Seamless Single Sign-On to Azure AD Connect (usable with PHS and PTA), which gives domain-joined devices silent sign-in without the complexity of an AD FS deployment.
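To make concrete why PHS does not "send passwords to the cloud", the following Python (written for this article, not Azure AD Connect's own code) reproduces the derivation Microsoft documents for PHS: NT hash (MD4 of the UTF-16LE password), expansion of its 32-character hex form to 64 bytes of UTF-16LE, a 10-byte per-user salt and 1,000 rounds of PBKDF2-HMAC-SHA256. The lowercase hex rendering and the use of os.urandom for the salt are assumptions; MD4 is implemented inline because hashlib's md4 is frequently disabled under OpenSSL 3.

```python
"""Password Hash Synchronization (PHS) derivation, modelled on Microsoft's
public description. Added example, not Azure AD Connect code."""
import hashlib
import hmac
import os
import struct
from typing import Optional

PHS_ITERATIONS = 1000   # documented PBKDF2 iteration count
PHS_SALT_LEN = 10       # documented per-user salt length in bytes


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Needed for NT hashes; avoids hashlib.new('md4')."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for step in range(48):
            i = step % 16
            if step < 16:    # round 1: F, X[i], shifts 3/7/11/19
                f, k, s, add = (b & c) | (~b & d), i, (3, 7, 11, 19)[i % 4], 0
            elif step < 32:  # round 2: G, X[0,4,8,12,1,...], shifts 3/5/9/13
                f, k, s, add = (b & c) | (b & d) | (c & d), (i % 4) * 4 + i // 4, (3, 5, 9, 13)[i % 4], 0x5A827999
            else:            # round 3: H, X[0,8,4,12,...], shifts 3/9/11/15
                f, k, s, add = b ^ c ^ d, r3_order[i], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            t = _lrot((a + (f & 0xFFFFFFFF) + x[k] + add) & 0xFFFFFFFF, s)
            a, b, c, d = d, t, b, c      # rotate working variables
        a, b, c, d = ((a + aa) & 0xFFFFFFFF, (b + bb) & 0xFFFFFFFF,
                      (c + cc) & 0xFFFFFFFF, (d + dd) & 0xFFFFFFFF)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The NT hash as stored by AD DS: MD4 over the UTF-16LE password, unsalted."""
    return md4(password.encode("utf-16le"))


def phs_derive(nt: bytes, salt: bytes) -> bytes:
    """Expand the 16-byte NT hash to 64 bytes (hex text re-encoded as UTF-16LE),
    then PBKDF2-HMAC-SHA256 with the per-user salt. Lowercase hex is an assumption."""
    expanded = nt.hex().encode("utf-16le")
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, PHS_ITERATIONS, dklen=32)


def phs_sync_blob(password: str, salt: Optional[bytes] = None) -> dict:
    """What the connector uploads for one user: salt, iteration count and derived
    hash. Neither the password nor the raw NT hash leaves the premises."""
    salt = salt if salt is not None else os.urandom(PHS_SALT_LEN)
    return {"salt": salt, "iterations": PHS_ITERATIONS,
            "hash": phs_derive(nt_hash(password), salt)}


def phs_verify(blob: dict, candidate_password: str) -> bool:
    """Cloud-side check at sign-in: recompute with the stored salt and compare."""
    derived = phs_derive(nt_hash(candidate_password), blob["salt"])
    return hmac.compare_digest(derived, blob["hash"])


if __name__ == "__main__":
    blob = phs_sync_blob("password")
    print("NT hash  :", nt_hash("password").hex())
    print("PHS value:", blob["hash"].hex(), "salt:", blob["salt"].hex())
    print("verify   :", phs_verify(blob, "password"), phs_verify(blob, "Password"))
```

The synced value is a salted, iterated derivation of the NT hash, so an attacker who obtains it cannot pass-the-hash against on-premises services. The exposure is on the other side: the connector reads real NT hashes through directory replication, so a compromised Azure AD Connect server or MSOL_ account is equivalent to a DCSync of every synchronised user.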
What is ADFS in Azure AD?
AD FS is not a component of Azure AD; it is the on-premises federation service that Azure AD can be configured to trust. Once federated, it gives users web single sign-on to cloud resources using their on-premises AD DS credentials.
Is Azure AD the same as AD FS?
No. Azure AD is Microsoft's cloud identity service; AD FS is an on-premises Windows Server role. In a federated configuration Azure AD hands authentication to AD FS, which authenticates the user against on-premises AD DS and returns a token.
Does Azure AD use ADFS?
Azure AD can be configured to use AD FS when an organisation wants sign-ins to cloud services such as Office 365 and Outlook on the web to be authenticated by its on-premises AD DS. Azure AD DS (the managed domain) does not use AD FS; it receives its users and groups from Azure AD by one-way synchronisation.
Migration from an On-Premises Active Directory to Azure Active Directory
When a project involves moving from an on-premises AD to Azure AD, special consideration should be given to the authentication mechanisms in use on-premises, because Azure AD, as discussed above, does not support the Integrated Windows Authentication protocols (Kerberos and NTLM).
Line-of-business applications and file data also need a plan. Many organisations retire legacy file servers as part of the move, placing archives in Azure Files and active files in Microsoft Teams and SharePoint Online.
If you cannot obtain all your applications as SaaS apps and some still need to run on your own servers, you can migrate those to virtual machines in Azure. If the VMs need to be domain joined, you can either deploy a domain controller on another Azure VM or use Azure AD Domain Services, a PaaS offering (you do not manage the domain controllers) for domain joining Azure VMs. Azure AD DS synchronises automatically from Azure AD, so your users get the application access you intend.
A lift and shift of applications into Azure VMs is also possible, but the on-premises AD they depend on still has to be dealt with, either by extending it into Azure or by replacing it with Azure AD DS.
Does Azure AD replace Active Directory?
You cannot replace an on-premises Active Directory installation with Azure AD; Azure AD is not a replacement for AD DS. According to a Microsoft representative:
“Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller or a directory in the cloud that will provide the same AD capabilities. It actually provides many more capabilities differently.
That’s why there is no actual “migration” path from Active Directory to Azure Active Directory. You can synchronize your on-premises directories (Active Directory or other) to Azure Active Directory but not migrate your computer accounts, group policies, OU etc.
Azure Active Directory is an identity and access management solution for hybrid or cloud-only implementations. It can extend the reach of your on-premises identities to any SaaS application hosted in any cloud. It can provide secure remote access to on-premises applications that you want to publish to external users. It can be the center of your cross-organization collaboration by providing access for your partners to your resources. It provides identity management to your consumer-facing application by using social identity providers. Cloud app discovery, Multi-Factor Authentication, protection of your identities in the cloud, reporting of Sign-ins from possibly infected devices such as Windows 10, leaked credentials report, user behavioural analysis are a few additional things that we couldn’t even imagine with the traditional Active Directory on-premises.
Even the recently announced Azure Active Directory Domain Services are not a usual DC service that you could use to replicate your existing Active Directory implementation to the cloud. It is a stand-alone service that can offer domain services to your Azure VMs and your directory-aware applications if you decide to move them to Azure infrastructure services. But with no replication to any other on-premises or cloud (in a Virtual Machine) domain controller.
If you want to migrate your domain controllers in the cloud to use them for traditional tasks, you could deploy domain controllers in Azure VMs (virtual machines) and replicate via VPN.
So to conclude, if you would like to extend the reach of your identities to the cloud, you can start by synchronizing your Active Directory to Azure AD.”
Common Attacks against Azure AD
- Password attacks (credential stuffing, password spraying and brute-forcing): attackers collect usernames and passwords from breach dumps and replay them against Azure AD accounts, or spray one common password across many accounts to stay below lockout thresholds. Azure AD's smart lockout, banned password lists and multi-factor authentication are the main mitigations, together with monitoring the sign-in logs for the spray pattern (many users, few attempts each, one source).
- Phishing attacks: phishing is the most common attack in the corporate world and may lead to credential theft or malware infection, giving an attacker an initial foothold from which to compromise the wider infrastructure or exfiltrate data. Exchange Online and Outlook can tag mail from senders outside the organisation, which helps users spot phishing, but Azure AD itself does not inspect email; phishing-resistant MFA (FIDO2) and Conditional Access limit what a stolen password is worth.
- Azure AD Skeleton Key attack on PTA: when Azure AD Connect is configured for Pass-Through Authentication, an on-premises Pass-through Authentication agent validates cloud sign-ins against the domain. An attacker with administrative access to an agent server can tamper with the validation so that a password of their choosing is accepted for any synchronised user, and can capture the plaintext credentials of every user who signs in, giving a persistent backdoor into the tenant. Treat the agent servers as Tier 0: restrict and monitor administrative access to them and alert on unexpected processes or modules loaded into the agent.
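As an added example for the password-attack bullet above (not code from the original article), the Python below runs simple spray detection over constructed records shaped like Azure AD sign-in log entries. It uses the documented result codes 50126 (invalid username or password), 50076 (password accepted, MFA required) and 0 (success); the field names mirror the sign-in log schema, while the thresholds, IP addresses and user names are assumptions chosen for illustration.

```python
"""Password-spray detection over Azure AD sign-in log records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BAD_PASSWORD = 50126          # Azure AD: invalid username or password
PASSWORD_ACCEPTED = {0, 50076}  # success, or correct password stopped by MFA


def _signin(upn, ip, minute, code):
    """Build one constructed record in the shape of an Azure AD sign-in log entry."""
    ts = datetime(2024, 3, 1, 8, minute, 0, tzinfo=timezone.utc)
    return {"userPrincipalName": upn, "ipAddress": ip,
            "createdDateTime": ts.isoformat().replace("+00:00", "Z"),
            "status": {"errorCode": code}}


# Constructed sample: 203.0.113.45 tries one password against 12 users (a spray)
# and gets it right for alice (blocked by MFA) and bob (full success).
# 198.51.100.7 is carol mistyping her own password, which must not be flagged.
SPRAY_IP, TYPO_IP = "203.0.113.45", "198.51.100.7"
_users = [f"user{i:02d}@example.com" for i in range(10)] + ["alice@example.com", "bob@example.com"]
SAMPLE_SIGNINS = [_signin(u, SPRAY_IP, i * 2, BAD_PASSWORD) for i, u in enumerate(_users)]
SAMPLE_SIGNINS.append(_signin("alice@example.com", SPRAY_IP, 30, 50076))
SAMPLE_SIGNINS.append(_signin("bob@example.com", SPRAY_IP, 31, 0))
SAMPLE_SIGNINS += [_signin("carol@example.com", TYPO_IP, 40 + m, BAD_PASSWORD) for m in range(4)]
SAMPLE_SIGNINS.append(_signin("carol@example.com", TYPO_IP, 45, 0))


def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def detect_spray(records, window=timedelta(hours=1), min_users=8, max_per_user=3.0):
    """One finding per source IP whose failed logons look like a spray: at least
    `min_users` distinct accounts inside `window`, with few attempts per account
    (a brute force against one account has the opposite shape). Thresholds are
    assumptions; tune them to the tenant's normal failure rate."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ipAddress"]].append(rec)
    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=_ts)
        failures = [r for r in recs if r["status"]["errorCode"] == BAD_PASSWORD]
        best = None
        for i, start in enumerate(failures):       # sliding window over failures
            t0 = _ts(start)
            in_win = [r for r in failures[i:] if _ts(r) - t0 <= window]
            users = {r["userPrincipalName"] for r in in_win}
            if len(users) >= min_users and len(in_win) / len(users) <= max_per_user:
                if best is None or len(users) > best[0]:
                    best = (len(users), len(in_win), t0, _ts(in_win[-1]))
        if best is None:
            continue
        n_users, n_attempts, t_first, t_last = best
        # Any accepted password from the same source after the spray began is an
        # account that needs an immediate reset and session revocation.
        accepted = sorted({r["userPrincipalName"] for r in recs
                           if r["status"]["errorCode"] in PASSWORD_ACCEPTED and _ts(r) >= t_first})
        findings.append({"ip": ip, "distinct_users": n_users, "attempts": n_attempts,
                         "first_seen": t_first.isoformat(), "last_seen": t_last.isoformat(),
                         "accepted": accepted})
    return findings


if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_SIGNINS):
        print(finding)
```

The 50076 case is the one worth highlighting to responders: the attacker already has a valid password for that account, and only MFA stood in the way, so it belongs in the reset list alongside outright successes.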
AD DS is an LDAP- and Kerberos-based directory that provides identity, authentication, Group Policy, trusts and security settings for on-premises environments. Azure AD is a cloud identity and access management service (with mobile device management through Intune) providing authentication and authorisation for Office 365, the Azure portal and SaaS applications.
Azure AD DS provides a managed domain with traditional AD DS features (domain join, Group Policy, LDAP, Kerberos and NTLM authentication), which lets businesses move traditional applications into Azure as part of a lift-and-shift strategy without rewriting their authentication.
Get in touch to discuss your Microsoft security concerns.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Masters degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.