

Azure AD is a multi-tenant, cloud-based identity and access management solution for the Azure platform. You can use it to provide secure access for organizations and individuals. You can use Azure AD to:

Configure access to applications.

Configure SSO to cloud-based SaaS applications.

Manage users and groups.

Provision users.

Enable federation between organizations.

Provide an identity management solution.

Identify irregular sign-in activity.

Configure multi-factor authentication.

Extend existing on-premises Active Directory implementations to Azure AD.

The directory component of Azure AD is, by design, multi-tenant, and it provides a highly scalable cloud-based directory service:

Multi-tenant: Microsoft hosts millions of users and directories within Azure AD. However, because each Azure AD directory is distinct and separate from other Azure AD directories, customer data and identity information is completely isolated from other tenants to prevent users and administrators of one Azure AD directory from accidentally or maliciously accessing data in another directory.

Scalable: The directory technologies that Azure AD uses are also used by Microsoft Office 365 and Microsoft Intune to support millions of users. The flexible, extensible data model of Azure AD uses the REST-based Graph API, not Lightweight Directory Access Protocol (LDAP).

Azure AD editions

To meet customers' different needs and expectations, Azure AD comes in three editions:

The Free edition provides user and group management, device registration, self-service password change, and synchronization with on-premises directories. It is limited to 10 applications per user configured for SSO.

The Basic edition extends the free edition’s capabilities by combining group-based access management, self-service password reset for cloud applications, and usage of application proxy. Additionally, this edition has a Microsoft high availability service level agreement (SLA) uptime of 99.9%.

The Premium edition is designed to accommodate organizations with more demanding identity and access management needs. It supports dynamic groups and self-service group management, self-service password reset with password write-back, self-service identity and access management (IAM), and identity protection and security in the cloud. It includes Microsoft Identity Manager and provides cloud write-back capabilities, Cloud App Discovery, Azure Active Directory Connect Health, and advanced reports for security and usage information.


AD DS

AD DS is the traditional deployment of Windows Server-based Active Directory on a physical or virtual server. Although AD DS is commonly considered to be primarily a directory service, it is only one component of the Windows Active Directory suite of technologies, which also includes Active Directory Certificate Services (AD CS), Active Directory Lightweight Directory Services (AD LDS), Active Directory Federation Services (AD FS), and Active Directory Rights Management Services (AD RMS).

When comparing AD DS with Azure AD, it is important to note the following characteristics of AD DS:

You can deploy AD DS on an Azure virtual machine to enable scalability and availability for an on-premises AD DS. However, deploying AD DS on an Azure virtual machine does not make any use of Azure AD. Note that deploying AD DS on an Azure virtual machine requires one or more additional Azure data disks because you should not use the C drive for AD DS storage. These disks are needed to store the AD DS database, logs, and SYSVOL. The Host Cache Preference setting for these disks must be set to None.
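The disk layout described above, as an added PowerShell example that is not part of the original post: it attaches a data disk with host caching set to None and then places the AD DS database, logs and SYSVOL on that disk rather than on C:. It assumes the Az PowerShell module, and the resource group, VM name and domain name are placeholders; the first and last steps run from a management workstation, the middle steps inside the VM.

```powershell
# Added example, not from the original post. Placeholders below are assumptions.
$rg = 'rg-identity'   # placeholder resource group
$vm = 'dc01'          # placeholder VM name

# 1. (Management workstation) Attach an empty managed data disk with host
#    caching disabled. Host write caching can reorder or lose writes to
#    NTDS.dit on an unplanned shutdown, so AD DS storage must not be cached.
$vmObj = Get-AzVM -ResourceGroupName $rg -Name $vm
$vmObj = Add-AzVMDataDisk -VM $vmObj -Name "$vm-adds-data" -Lun 0 `
    -CreateOption Empty -DiskSizeInGB 64 -Caching None
Update-AzVM -ResourceGroupName $rg -VM $vmObj

# 2. (Inside the VM) Bring the raw disk online as F:, install the role and
#    point the database, logs and SYSVOL at F: instead of the OS disk.
$disk = Get-Disk | Where-Object PartitionStyle -eq 'RAW' | Select-Object -First 1
$disk | Initialize-Disk -PartitionStyle GPT -PassThru |
    New-Partition -DriveLetter F -UseMaximumSize |
    Format-Volume -FileSystem NTFS -NewFileSystemLabel 'ADDS' -Confirm:$false

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# Promote as an additional domain controller of the existing on-premises
# domain (placeholder name); domain admin credentials are prompted for.
Install-ADDSDomainController -DomainName 'corp.example.com' `
    -Credential (Get-Credential) `
    -DatabasePath 'F:\NTDS' -LogPath 'F:\NTDS' -SysvolPath 'F:\SYSVOL' `
    -InstallDns -Force

# 3. (Management workstation) Confirm the caching setting really is None,
#    since a disk attached through the portal defaults differently.
(Get-AzVM -ResourceGroupName $rg -Name $vm).StorageProfile.DataDisks |
    Select-Object Name, Lun, Caching
```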

You can also use Managed Domain Services on Azure, which is similar to AWS Directory Service for Microsoft Active Directory.

Azure Active Directory Domain Services lets you join Azure virtual machines to a domain without the need to deploy domain controllers. Users sign in to these virtual machines using their corporate Active Directory credentials and access resources seamlessly. To more securely administer domain-joined virtual machines, use Group Policy, an easy, familiar way to apply and enforce security baselines on all of your Azure virtual machines.

Azure AD Domain Services provide managed domain services, such as domain join, group policy, LDAP and Kerberos/NTLM authentication, that are fully compatible with Windows Server Active Directory. Azure AD Domain Services enable you to consume these domain services without the need for you to deploy, manage and patch domain controllers in the cloud. Azure AD Domain Services integrate with your existing Azure AD tenant, thus making it possible for users to log in using their corporate credentials. Additionally, you can use existing groups and user accounts to secure access to resources, thus ensuring a smoother ‘lift-and-shift’ of on-premises resources to Azure Infrastructure Services.

Azure AD Domain Services work seamlessly regardless of whether your Azure AD tenant is cloud-only or synced with your on-premises Active Directory.

Azure AD

Although Azure AD has many similarities to AD DS, there are also many differences. It is important to realize that using Azure AD is not the same as deploying an Active Directory domain controller on an Azure virtual machine and adding it to your on-premises domain.

When comparing Azure AD with AD DS, it is important to note the following characteristics of Azure AD:

Azure AD is primarily an identity solution, and it is designed for Internet-based applications by using HTTP (port 80) and HTTPS (port 443) communications.

Azure AD users and groups are created in a flat structure, and there are no organizational units (OUs) or Group Policy Objects (GPOs).

Azure AD cannot be queried through LDAP; instead, Azure AD uses the REST API over HTTP and HTTPS.

Azure AD does not use Kerberos authentication; instead, it uses HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID Connect for authentication (and OAuth for authorization).

Azure AD includes federation services, and many third-party services (such as Facebook) are federated with and trust Azure AD.

AWS Directory Service

AWS Directory Service is a managed service that makes it easy to connect AWS services to your existing on-premises Microsoft Active Directory (AD Connector), or to set up and operate a new directory in the AWS cloud (Simple AD and AWS Directory Service for Microsoft Active Directory). Your directory users and groups can access the AWS Management Console and AWS applications, such as Amazon WorkSpaces and Amazon WorkDocs, using their existing credentials or join EC2 instances and AWS RDS SQL instances to a domain.

If you want to know more about Active Directory on AWS, I have written Deep Dive on Active Directory on AWS.

AWS Directory Service provides three choices for using AWS Directory Service with other AWS services. You can choose the directory service with the features you need at a cost that fits your budget.

Use Simple AD if you need an inexpensive Active Directory–compatible service with the common directory features. (Simple AD is a standalone managed directory that is powered by Samba 4 Active Directory Compatible Server.) Simple AD does not support features such as trust relationships with other domains, Active Directory Administrative Center, PowerShell support, Active Directory recycle bin, group managed service accounts, and schema extensions for POSIX and Microsoft applications.

Select AWS Directory Service for Microsoft Active Directory (Enterprise Edition) for a feature-rich managed Microsoft Active Directory hosted on the AWS cloud. (AD on Windows 2012 R2 Enterprise Edition)

Our third option, AD Connector proxy service, lets you simply connect your existing on-premises Active Directory to AWS.

AWS AD Connector is a directory gateway with which you can redirect directory requests to your on-premises Microsoft Active Directory without caching any information in the cloud. AD Connector comes in two sizes, small and large. A small AD Connector is designed for smaller organizations of up to 500 users. A large AD Connector can support larger organizations of up to 5,000 users.

With AD Connector you can connect AWS Directory Service to your existing enterprise directory. When connected to your on-premises directory, all of your directory data remains on your directory servers. AWS Directory Service does not replicate any of your directory data.

In addition to the available options, you can simply create your own Windows EC2 instance, install the Active Directory role, and manage your own Microsoft Active Directory or extend your on-premises Active Directory. The difference is that you will have to deal with high availability, connection to your VPC, host monitoring and recovery, data replication, snapshots, and software updates yourself.

Originally published at on June 24, 2016.

Written by

I am passionate about Technology, Cloud Computing, Machine Learning and Blockchain
