Azure AD is a web-based identity management system, not a directory services instance.

Azure AD provides Identity for APPS – Claims Based Authentication

  • SAML Token for WS Federation
  • JWT Token for OAuth
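As an added example (not code from the original post): a parser and claim check for the JWT form of those tokens, exercised on a constructed Azure AD v2.0-style access token. The tenant and client IDs are placeholders, and the signature is assumed to have been verified against the tenant's published signing keys before the claims are trusted.

```python
import base64
import json
import time

# Constructed placeholders for the demo; real deployments use their own tenant and app (client) IDs.
TENANT_ID = "00000000-0000-0000-0000-000000000001"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLOCK_SKEW = 300  # seconds of tolerance when comparing exp/nbf with the current time

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def parse_jwt(token: str) -> tuple:
    """Split a compact JWT (header.payload.signature) into header, claims and raw signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWT must have exactly three segments")
    header, claims = (json.loads(b64url_decode(p)) for p in parts[:2])
    return header, claims, b64url_decode(parts[2])

def check_azure_ad_claims(header: dict, claims: dict, now=None) -> list:
    """Return the problems found; an empty list means the claims are acceptable.
    Assumes the signature was already verified against the tenant's published signing
    keys (JWKS); these claim checks never substitute for that step."""
    now = time.time() if now is None else now
    problems = []
    if header.get("alg") != "RS256":  # Azure AD signs with RS256; this also rejects alg=none
        problems.append("unexpected alg")
    if claims.get("iss") != f"https://login.microsoftonline.com/{TENANT_ID}/v2.0":
        problems.append("issuer mismatch")
    if claims.get("tid") != TENANT_ID:
        problems.append("tenant mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        problems.append("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + CLOCK_SKEW:
        problems.append("token expired or missing exp")
    if now < claims.get("nbf", 0) - CLOCK_SKEW:
        problems.append("token not yet valid")
    return problems

def build_sample_token(claims: dict, alg: str = "RS256") -> str:
    """Constructed sample token with a dummy signature, only to exercise the parser."""
    header = {"typ": "JWT", "alg": alg, "kid": "sample-kid"}
    segments = [json.dumps(header).encode(), json.dumps(claims).encode(), b"dummy-signature"]
    return ".".join(b64url_encode(s) for s in segments)
```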

Azure AD Domain Services provides a full-fledged Active Directory domain INSIDE an Azure VNET!

  • You can join machines to this managed domain using traditional domain-join mechanisms. Windows client (Windows 7, Windows 10) and Windows Server machines can be joined to the managed domain, and users can sign in to the machine using their corporate credentials.
  • The domain-joined machine needs to be on the same virtual network as the managed domain.
  • Alternately, the domain-joined machine can be connected to the managed domain over a peered virtual network or over a site-to-site VPN/ExpressRoute connection. Thus, this mechanism isn’t a great fit for devices that are mobile or connect to resources from outside the corporate network.

Identity for Devices

Device Joining – Mobile and Desktop – Azure AD versus AD Domain Services – Key differences

| Aspect | Azure AD Join | Azure AD Domain Services |
| --- | --- | --- |
| Device controlled by | Azure AD | Azure AD Domain Services managed domain |
| Representation in the directory | Device objects in the Azure AD directory | Computer objects in the AAD-DS managed domain |
| Authentication | OAuth/OpenID Connect based protocols | Kerberos, NTLM protocols |
| Management | Mobile Device Management (MDM) software like Intune | Group Policy |
| Networking | Works over the internet | Requires machines to be on the same virtual network as the managed domain |
| Great for … | End-user mobile or desktop devices | Server virtual machines deployed in Azure |


Azure AD and Kerberos

Active Directory synchronization mechanisms (AAD Connect)

Azure AD and certificates

Azure AD and Forms-based

Azure AD and Multi-Factor authentication etc.

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.


Author: Anuj Varma (Anuj Varma, Hands-On Technology Architect, Clean Air Activist).