Azure AD is not AD, Azure AD versus AD Domain Services

Anuj Varma — Fri, 02 Mar 2018 01:13:23 +0000

Azure AD is a Web based identity management system, not a directory services instance.

Azure AD Domain Services provides a full fledged Active Directory domain INSIDE an Azure VNET!

You can join machines to this managed domain using traditional domain-join mechanisms. Windows client (Windows 7, Windows 10) and Windows Server machines can be joined to the managed domain. Users can sign in to the machine using their corporate credentials.
Therefore, the domain joined machine needs to be on the same virtual network as the managed domain.
Alternately, the domain joined machine needs to be connected to the managed domain over a peered virtual network or over a site-to-site VPN/ExpressRoute connection. Thus, this mechanism isn’t a great fit for devices that are mobile or connect to resources from outside the corporate network.

Aspect	Azure AD Join	Azure AD Domain Services
Device controlled by	Azure AD	Azure AD Domain Services managed domain
Representation in the directory	Device objects in the Azure AD directory.	Computer objects in the AAD-DS managed domain.
Authentication	OAuth/OpenID Connect based protocols	Kerberos, NTLM protocols
Management	Mobile Device Management (MDM) software like Intune	Group Policy
Networking	Works over the internet	Requires machines to be on the same virtual network as the managed domain.
Great for …	End-user mobile or desktop devices	Server virtual machines deployed in Azure

Azure AD and Kerberos

Active Directory synchronization mechanisms (AAD Connect)

Azure AD and certificates

Azure AD and Forms-based

Azure AD and Multi-Factor authentication etc.

Azure AD Archives - Anuj Varma, Hands-On Technology Architect, Clean Air Activist