Active Directory, Azure Active Directory and Azure Active Directory Domain Services

Three similarly named services, some real differences, and a lot of confusion. This post tries to clear up the differences between Active Directory Domain Services, Azure Active Directory and Azure Active Directory Domain Services. I'll keep it simple here and follow up later with screenshots once my lab deployment finishes.

Let's start with the one everybody is familiar with: Active Directory Domain Services (AD DS), more commonly known simply as Active Directory. This is the on-premises service, and it requires servers you run yourself, the domain controllers.

Typically you create a domain and authenticate to it using Kerberos or NTLM. You can extend the schema, create users, groups, OUs, GPOs and so on, and you can hold privileged roles such as Domain Admin and Enterprise Admin.

The similarly named Azure Active Directory (Azure AD) is NOT the on-premises AD in the cloud. Simply put, Azure AD is a cloud-based identity service: you create a user in Azure AD and that user signs in to cloud applications using modern authentication protocols such as SAML 2.0, OAuth 2.0 and OpenID Connect. There is no domain join, no LDAP directory to bind to and no Kerberos or NTLM.

But what if you want to use the same username and password from on-premises AD DS in the cloud?

Can you sync your users to Azure AD? Yes, with a tool called Azure AD Connect. It synchronises identities from AD DS to Azure AD and, with password hash synchronisation enabled, a hash of each user's password hash as well, so users sign in to cloud apps with the password they already know. Note that this is a one-way synchronisation of identities; it does not extend your domain into Azure.

So does that mean you'll be using Kerberos and NTLM against Azure AD? No. Azure AD still authenticates with the modern protocols above; the synced hash only lets users present their on-premises password.

If you really need Kerberos and NTLM in the cloud, this is where Azure AD DS comes in. Put simply, it is a traditional AD domain (with limited functionality) that Microsoft runs for you as a PaaS offering: managed domain controllers you can domain-join VMs to, with LDAP, Kerberos and NTLM.

Azure AD DS is managed by Microsoft, and it is a separate domain, NOT an extension of your on-premises one. It's not extendable (no schema extensions), Group Policy support is limited to what the managed domain exposes (it ships with default GPOs for its AADDC Users and AADDC Computers containers), and you're definitely not a domain admin or enterprise admin: administration is delegated through membership in the AAD DC Administrators group.

But it does let you use Kerberos and NTLM. To do that, Azure AD has to store password hashes in the Kerberos- and NTLM-compatible formats those protocols need, which it does not keep by default. This is why, when you enable it, you'll see a consent request like this. Two practical caveats follow from it: cloud-only users whose accounts predate the managed domain must change their password before those hashes exist, and for synchronised users Azure AD Connect must be configured to sync the legacy credential hashes as well, otherwise those users cannot authenticate to the managed domain at all.

So what's the point of Azure AD DS? Imagine you have a server, say an IIS host, running an application that only supports Windows (NTLM) authentication, and you want to move it to the cloud. Azure AD doesn't provide NTLM authentication, but Azure AD DS does. Domain-join the VM to the managed domain and the application keeps working, which is what makes a "lift and shift" of such servers possible without rewriting them for modern authentication.
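Before deciding between Azure AD and Azure AD DS for a migration, it helps to know which IIS sites actually depend on Windows authentication. The following PowerShell script is an added example, not part of the original post: it inventories the authentication schemes configured on each IIS site and flags the ones that need NTLM or Negotiate, i.e. the workloads Azure AD alone cannot serve. It assumes the WebAdministration module is available (IIS 7.5 or later) and is run in an elevated session on the IIS host; the function name `Get-IisAuthInventory` is my own.

```powershell
# Added example (not from the original post). Inventories IIS sites by
# authentication scheme so you can see which ones rely on Windows
# authentication (NTLM / Negotiate) and therefore need a domain to
# authenticate against, something Azure AD does not provide but Azure AD DS does.
# Assumes: WebAdministration module present, run elevated on the IIS host.
Import-Module WebAdministration

function Get-IisAuthInventory {
    $authBase = 'system.webServer/security/authentication'

    foreach ($site in Get-Website) {
        $psPath = "IIS:\Sites\$($site.Name)"

        # Each call returns a configuration attribute; .Value is the boolean.
        # -ErrorAction SilentlyContinue covers hosts where an auth feature is
        # not installed (the section then does not exist and reads as $null).
        $anon  = (Get-WebConfigurationProperty -PSPath $psPath -Filter "$authBase/anonymousAuthentication" -Name enabled -ErrorAction SilentlyContinue).Value
        $basic = (Get-WebConfigurationProperty -PSPath $psPath -Filter "$authBase/basicAuthentication"     -Name enabled -ErrorAction SilentlyContinue).Value
        $win   = (Get-WebConfigurationProperty -PSPath $psPath -Filter "$authBase/windowsAuthentication"   -Name enabled -ErrorAction SilentlyContinue).Value

        # The providers collection holds <add value="Negotiate"/> and/or <add value="NTLM"/>.
        $providers = @()
        if ($win) {
            $providers = @(Get-WebConfiguration -PSPath $psPath -Filter "$authBase/windowsAuthentication/providers/add" -ErrorAction SilentlyContinue | ForEach-Object { $_.value })
        }

        [pscustomobject]@{
            Site        = $site.Name
            Anonymous   = [bool]$anon
            Basic       = [bool]$basic
            WindowsAuth = [bool]$win
            Providers   = ($providers -join ',')
            # NTLM only: no Negotiate provider, so not even Kerberos is possible.
            NtlmOnly    = ([bool]$win -and ($providers -notcontains 'Negotiate'))
            # Any Windows auth at all means Azure AD alone cannot serve it.
            NeedsDomain = [bool]$win
        }
    }
}

Get-IisAuthInventory | Format-Table -AutoSize
```

Sites with `NeedsDomain` set are the lift-and-shift candidates the paragraph above describes: either they are domain-joined to an Azure AD DS managed domain, or the application is changed to use a modern protocol before it moves. `NtlmOnly` is worth a second look on its own, because an application that cannot even negotiate Kerberos is usually one that has hard-coded the NTLM provider.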

I hope this helps clarify the differences between on-premises AD DS, Azure AD and Azure AD DS.