Active Directory (AD) is Microsoft’s directory service for Windows domain networks. Included as a set of processes in most Windows Server operating systems, AD has become an umbrella term for diverse identity-related services. As you can use it in different ways, here’s why a cloud-based version of Active Directory can be the best solution for your deployment.
Many apps migrated to the cloud continue using on-premise Active Directory as the source of truth for Identity and Access Management (IAM). AD enables performing both AuthN (Authentication) and AuthZ (Authorization). In some cases, legacy protocols such as LDAP and NTLM are in use.
Microsoft makes it possible to run Active Directory in several distinct ways. In this text, I will discuss the available approaches and outline why choosing AD’s cloud-based version can be a good choice for your team.
This is a part of CAST AI’s cloud migration series – feel welcome to check out our previous posts: Cloud Networking | Secure Cloud Migration | High Availability & Disaster Recovery |
Identity & Access Management | Cloud Backup Strategy
What is Identity and Access Management and why is it important?
Identity and Access Management is a security field that focuses on ensuring that only authorized users can use specific resources on their devices without interference.
IAM involves processes enabling administrators to assign a single identity to the user, authenticate them when they log in, and allow them to use the resources. It also includes monitoring and managing those identities throughout their lifecycle.
As an essential component of enterprise security, IAM helps to prevent compromising user credentials, which are common entry points for cyber attackers. Furthermore, when implemented properly, it enhances business productivity by allowing users to access the necessary assets seamlessly.
Here are five tips to help you guide your IAM efforts and streamline your cloud migration.
Why do you need Active Directory?
In a nutshell, by using AD, you provide your applications, services, or devices with access to a central identity.
Active Directory can also enhance your cloud deployment’s security by enabling a single point of user authentication and authorization and enforcing access policies across resources. This is particularly important in large organizations where managing user identities and permissions can be complex.
By integrating AD, cloud deployments can ensure consistency with existing on-prem systems, provide a seamless user experience and reduce the need for separate credentials. Additionally, AD simplifies access control by allowing administrators to assign permissions to groups rather than individual users.
The different Active Directory services give you the flexibility to use the most appropriate directory for your needs. Here’s what you need to know to make the right choice.
What are the available Active Directory solutions?
Despite sharing a common name and technology, the three types of AD-based services cater to very different demands. At a high level, these solutions include:
1. Active Directory Domain Services (AD DS)
AD DS is a lightweight directory access protocol (LDAP) server providing key features like identity and authentication, computer object management, group policy, and more.
Serving as a central component in organizations with on-prem IT environments, AD DS provides core user authentication and computer management features.
2. Azure Active Directory (Azure AD)
Azure AD is a cloud-based identity and mobile device management solution delivering user account and authentication services for Microsoft 365, Azure portal, and SaaS apps.
You can ensure a single identity that works natively in the cloud by synchronizing Azure AD with an on-prem AD DS environment.
3. Azure Active Directory Domain Services (Azure AD DS)
Azure AD DS provides managed domain services with a subset of fully compatible traditional AD DS features like domain join, group policy, LDAP, and NTLM authentication.
Azure AD DS integrates with Azure AD and on-prem AD DS, extending central identity use cases to traditional web apps running in Azure as part of lift-and-shift strategies.
How to choose the right version of Active Directory for your needs
When deploying AD DS – a self-managed Active Directory solution – you need to take care of all its required infrastructure and directory-related components. In turn, you gain greater control and access to additional features such as Schema Extensions, LDAP Write, and ADMX file editing for advanced group policy configuration.
All these functionalities are missing in managed services Azure AD DS, which also has certain limitations around custom OUs and group policy. This is the price for the convenience of Microsoft managing all components for you so that you don’t have to deploy, patch, or manage IaaS infrastructure.
Therefore, the first key question is: Does your cloud migration require these features or is a simpler managed experience sufficient for your needs?
Another critical step is identifying if Virtual Machines created in Azure need to join your main Active Directory. If this is a hard requirement, VMs will need local AD controllers rather than going across the ExpressRoute link to authenticate against and join the domain.
Answering these questions becomes easier when you go through the 6R application review process, focusing on discovering AD dependencies. Once you understand your app requirements better, you can revisit the question of which AD approach best suits your needs.
The following table outlines some of the features you may need for your organization, and the differences between different types of AD solutions:
| AD Domain Services | Azure AD Domain Services | Azure AD | |
| Platform | Windows Server | Azure | Azure |
| Managed service | ✖ | ✅ | ✅ |
| Secured and locked down deployment | Administrator secures deployment | ✅ | ✅ |
| DNS | ✅ | ✅ Managed service | ✅ Managed service |
| Domain or enterprise administrator privileges | ✅ | ✖ | ✖ |
| Domain join | ✅ | ✅ | ✖ |
| Domain authentication using NTLM and Kerberos | ✅ | ✅ | ✖ |
| Kerberos-constrained delegation | ✅ Resource-based & account-based | ✅ Resource-based | ✖ |
| Custom OU structure | ✅ | ✅ | ✖ |
| Schema extensions | ✅ | ✖ | ✖ |
| AD domain/forest trusts | ✅ | ✅ One-way outbound forest trusts only | ✖ |
| LDAP-read | ✅ | ✅ | ✖ |
| Secure LDAP | ✅ | ✅ | ✖ |
| LDAP-write | ✅ | ✅ Within the managed domain | ✖ |
| Group policy | ✅ | ✅ | ✖ |
| Geo-dispersed deployments | ✅ | ✅ | ✅ |
How about a managed PaaS offering for AD DS?
Let’s not forget about a managed PaaS offering for AD DS.
Azure takes care of the management overhead by using both Azure AD and Azure AD DS. As a result, your deployment gets access to legacy authentication services necessary for apps that can’t support modern SSO approaches like OAuth or OIDC.
If you choose this approach, you will need a synchronization strategy. The following image from Microsoft proposes the use of Azure AD and related services to synchronize user and authentication data from on-prem to the cloud:
Once you establish Azure AD and Azure AD DS, you need to synchronize data. Azure gives you two service options here:
- Azure AD Connect Sync is Microsoft’s original synchronization option, offered as an on-prem software package for synchronization.
- Azure AD Connect Cloud Sync is Microsoft’s newer offering that supports a lightweight agent and less management overhead.
As a rule of thumb, the cloud sync version is preferred unless you require any specific feature enabled by the legacy service. This choice will make its implementation more accessible and faster.
Summary
Active Directory is Microsoft’s flagship directory service, offering identity and access management. In cloud deployments, an AD integration can provide a centralized identity source and enhance security through unified authentication and authorization.
The three AD-based identity solutions include Active Directory Domain Services (AD DS), Azure Active Directory (Azure AD), and Azure Active Directory Domain Services (Azure AD DS).
Choosing the right version of AD services is vital for smooth cloud migration, so hopefully, the points raised above will support you in this process.
Leave a reply