What are the differences between all the directory service offerings in Azure?

    Question

  • The terms are quite confusing:

    1. Azure Active Directory
    2. Azure Directory Service
    3. Azure Active Directory Domain Service
    4. Any others that I am missing?

    Can you help me understand all those use cases?

    I know one of those is for cloud application identity and the other one is for the good old on-premises AD migrated/synced to Azure and managed by Azure.  But... I am still kind of confused by the terms.

    Also, for on-premises directory sync, does that sync to Azure Active Directory or to Azure Active Directory Domain Services?



    Thanks.

    woohooter

    Thursday, April 20, 2017 8:27 PM

Answers

  • Good question. Let me give a short explanation of each of these and then point you to where you can go to learn more. 

    1. Azure AD is an Identity-as-a-Service offering that is the core directory for all Microsoft cloud services such as Office 365 and Azure. This is a multi-tenant service where each organization has one or more tenants. Users in Azure AD can be cloud-only or synchronized with on-premises AD. Authentication can be done with cloud-based credentials for cloud users; synchronized users can have their on-premises password hashes synchronized to Azure AD, or alternatively you can delegate authentication to on-premises AD. 

    This is the main offering and gives users self-service password reset, MFA, identity protection, conditional access and SSO to thousands of SaaS apps and other apps integrated with Azure AD.

    Read more: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-whatis

    2. Azure Directory Service - this is not a term that we use. I would think that you can find it in blog posts or descriptions, but most likely it is just referring to Azure AD.

    3. Azure AD Domain Services - Azure AD is a service that talks "modern" open standards such as OAuth, OpenID Connect and SAML, but organizations told us that they would like to have a way to lift their on-premises applications that rely on Kerberos and LDAP to be hosted in the cloud, in an IaaS service. One option for that would be for you to deploy a normal new AD domain controller in Azure IaaS, but with Azure AD DS you can leverage the directory/tenant that you have synchronized to Azure AD instead. When you turn on Azure AD DS you get a managed DC in your IaaS environment that allows apps to authenticate with LDAP and Kerberos. Azure AD DS allows Kerberos and LDAP to work with Azure AD.  

    Read more: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/

    This is a link to guidance on running your own internal Windows Server AD inside Azure IaaS - https://docs.microsoft.com/en-us/azure/active-directory/virtual-networks-windows-server-active-directory-virtual-machines  

    4. You might want to look at Azure AD B2C (Business-to-Consumer identities) as well if you are interested in building and offering consumer- or citizen-facing services. 

    Read More: https://docs.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-overview 

    Good overall starting point is http://microsoft.com/identity

    Brjann Brekkan

    Identity Division Customer Success team


    Twitter: @BBrekkan_MSFT
    This posting is provided AS IS with no warranties, and confers no rights

    Friday, April 21, 2017 5:28 PM
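As an added illustration of points 1 and 3 above (this is not part of Brjann's answer and not Microsoft sample code): the PowerShell below first reports, per verified domain, which sign-in path a tenant actually uses (cloud-only credentials, password hash sync, or authentication delegated to on-premises AD), reading the properties that the MSOnline cmdlets Get-MsolCompanyInformation and Get-MsolDomain expose; it then checks whether an Azure AD DS managed domain is really answering LDAP and Kerberos by resolving the domain's DC SRV records and probing the ports. The company and domain objects are constructed samples so the first part runs without a tenant connection; the function names, the contoso domains and 'aaddscontoso.com' are assumptions of this example, not names from the thread.

```powershell
# Added example (not from the original thread): reports, per verified domain, which
# of the authentication paths from point 1 a tenant uses, then checks that an
# Azure AD DS managed domain (point 3) is actually answering LDAP and Kerberos.
# Property names follow the MSOnline cmdlets Get-MsolCompanyInformation and
# Get-MsolDomain; the sample objects at the bottom are constructed so the first
# function runs without a tenant connection.

function Get-AzureAdAuthModel {
    param(
        [Parameter(Mandatory)] $CompanyInfo,   # Get-MsolCompanyInformation output
        [Parameter(Mandatory)] $Domains        # Get-MsolDomain output
    )
    $synced = [bool]$CompanyInfo.DirectorySynchronizationEnabled

    foreach ($d in ($Domains | Where-Object { $_.Status -eq 'Verified' })) {
        if ($d.Authentication -eq 'Federated') {
            # Sign-in is redirected to an on-premises STS (for example AD FS);
            # Azure AD holds no password material for these users.
            $model = 'Federated: authentication delegated to on-premises AD'
        }
        elseif ($synced -and $CompanyInfo.PasswordSynchronizationEnabled) {
            # Password hashes from on-premises AD are synchronized to Azure AD.
            $model = 'Managed: synchronized users, password hash sync'
        }
        elseif ($synced) {
            # Synchronized, but no hashes in the cloud: another on-premises
            # path (such as pass-through authentication) must be in use.
            $model = 'Managed: synchronized users, no password hash sync'
        }
        else {
            $model = 'Managed: cloud-only credentials'
        }
        [pscustomobject]@{
            Domain      = $d.Name
            Model       = $model
            LastDirSync = $CompanyInfo.LastDirSyncTime
            LastPwdSync = $CompanyInfo.LastPasswordSyncTime
        }
    }
}

function Test-ManagedDomainServices {
    # Run from a VM in the VNet the managed domain is deployed to. Domain
    # members locate DCs through these SRV records; if they do not resolve,
    # the VNet's DNS servers are not pointing at the managed domain.
    param([Parameter(Mandatory)][string]$DomainName)

    $srv = @{
        LDAP     = "_ldap._tcp.dc._msdcs.$DomainName"
        Kerberos = "_kerberos._tcp.dc._msdcs.$DomainName"
    }
    foreach ($svc in $srv.Keys) {
        $records = Resolve-DnsName -Name $srv[$svc] -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' }
        if (-not $records) {
            [pscustomobject]@{ Service = $svc; Target = $null; Port = $null; Reachable = $false }
            continue
        }
        foreach ($r in $records) {
            # LDAP on 389 is cleartext; only 636 (LDAPS) should ever be exposed beyond the VNet,
            # so probe both and make sure the secure port is the one you publish.
            $ports = if ($svc -eq 'LDAP') { @($r.Port, 636) } else { @($r.Port) }
            foreach ($p in $ports) {
                [pscustomobject]@{
                    Service   = $svc
                    Target    = $r.NameTarget
                    Port      = $p
                    Reachable = Test-NetConnection -ComputerName $r.NameTarget -Port $p -InformationLevel Quiet
                }
            }
        }
    }
}

# --- Constructed sample input (mirrors the shape of the MSOnline cmdlet output) ---
$sampleCompany = [pscustomobject]@{
    DisplayName                     = 'Contoso (constructed sample)'
    DirectorySynchronizationEnabled = $true
    LastDirSyncTime                 = (Get-Date).AddMinutes(-30)
    PasswordSynchronizationEnabled  = $true
    LastPasswordSyncTime            = (Get-Date).AddMinutes(-2)
}
$sampleDomains = @(
    [pscustomobject]@{ Name = 'contoso.onmicrosoft.com'; Status = 'Verified';   Authentication = 'Managed' }
    [pscustomobject]@{ Name = 'contoso.com';             Status = 'Verified';   Authentication = 'Managed' }
    [pscustomobject]@{ Name = 'emea.contoso.com';        Status = 'Verified';   Authentication = 'Federated' }
    [pscustomobject]@{ Name = 'new.contoso.com';         Status = 'Unverified'; Authentication = 'Managed' }
)
Get-AzureAdAuthModel -CompanyInfo $sampleCompany -Domains $sampleDomains | Format-Table -AutoSize

# Against a live tenant:
#   Connect-MsolService
#   Get-AzureAdAuthModel -CompanyInfo (Get-MsolCompanyInformation) -Domains (Get-MsolDomain)
# From a VM inside the managed domain's VNet (the domain name is a placeholder):
#   Test-ManagedDomainServices -DomainName 'aaddscontoso.com' | Format-Table -AutoSize
```

The sample output shows the point of the per-domain loop: one tenant can be password-hash-synced for contoso.com while emea.contoso.com is federated, so the sign-in path has to be read per domain, not per tenant. Run Test-ManagedDomainServices only from a VM in the virtual network the managed domain is deployed to, after that network's DNS has been pointed at the managed domain's IP addresses; a miss on the SRV lookup almost always means the DNS setting, not the managed domain itself.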

All replies

  • Thanks Brjann!  

    These are very thorough answers. 


    woohooter

    Saturday, April 22, 2017 11:53 PM