Azure Active Directory (Azure AD) is Microsoft's cloud-based enterprise identity and access management (IAM) service. It is the identity backbone of Office 365 (Microsoft 365), it can synchronize identities from on-premises Active Directory (through Azure AD Connect), and it provides authentication to other cloud applications through OAuth 2.0, OpenID Connect and SAML.
What is Windows Active Directory?
Windows Active Directory (AD) is the on-premises predecessor of Azure AD. Microsoft released it with Windows 2000 Server, and it became the standard for enterprise identity management.
Active Directory runs on-premises on servers called Domain Controllers (DCs). Each DC holds a replica of the directory: the catalog of users, computers and groups that are authorized to access resources on the network. Users and computers authenticate to DCs with Kerberos or NTLM.
AD security is one of our favorite topics because many of the attacks the Varonis Incident Response team investigates involve AD at some point in the cyber kill chain, whether a brute-force attack to crack an old NTLM password hash or a privilege escalation that takes over an administrator account. AD security has been the subject of many conference talks, and we have written a comprehensive guide to pen testing your AD environment to check its resilience against common off-the-shelf attacks.
Difference Between Windows and Azure AD
Azure AD and Windows AD are both Microsoft products and both IAM systems, but that is roughly where the similarity ends. They are fundamentally different systems that coexist in an interconnected enterprise environment.
Azure Active Directory
- REST APIs: Azure AD exposes Representational State Transfer (REST) APIs (Microsoft Graph) for communication with other web-based services
- Authentication: Azure AD uses web-based authentication protocols, OAuth 2.0, OpenID Connect, SAML and WS-Federation, to authenticate users and applications
- Network Organization: Each Azure AD instance is called a "tenant", which is a flat structure of users and groups with no OUs, domains or forests
- Entitlement Management: Admins organize users into groups, and then grant groups access to apps and resources
- Devices: Azure AD provides mobile device management through Microsoft Intune
- Desktops: Windows desktops can be joined directly to Azure AD (Azure AD join) and then managed through Microsoft Intune
- Servers: Azure AD Domain Services provides a managed domain (LDAP, Kerberos/NTLM and Group Policy) for servers running as virtual machines in Azure
Windows Active Directory
- LDAP: Windows AD uses the Lightweight Directory Access Protocol (LDAP) for directory queries and updates between clients, member servers and DCs
- Authentication: Windows AD uses Kerberos and NTLM to validate user credentials
- Network Organization: Windows AD is organized into Organizational Units (OUs), domains and forests
- Entitlement Management: Admins or data owners assign users to groups, and those groups are granted access to resources on the network
- Devices: Windows AD does not manage mobile devices
- Desktops: Desktops joined to Windows AD are governed by Group Policy Objects (GPOs)
- Servers: Servers in Windows AD are managed and governed by GPOs or other on-premises server management tools
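The two lists above describe the same administrative question, "who is a member of this group?", answered through two different protocols: an LDAP search against a DC on the Windows AD side, and an OAuth 2.0-authenticated REST call to Microsoft Graph on the Azure AD side. The script below is an added example, not code from the original article, that does both. Assumptions: the on-premises function runs on a domain-joined Windows host and uses the built-in `[adsisearcher]` accelerator (no RSAT module needed); the group name `Finance-Readers`, the tenant ID, the app (client) ID and the client secret are placeholders, and the app registration is assumed to hold the `GroupMember.Read.All` application permission. The Graph endpoints, the OData cast `/members/microsoft.graph.user` and the `@odata.nextLink` paging are real Graph conventions.

```powershell
# Added example (not from the original article): list the members of one group
# the Windows AD way (LDAP) and the Azure AD way (REST / Microsoft Graph).

# --- Windows AD: LDAP search through ADSI against the current domain's DC ---
function Get-OnPremGroupMembers {
    param([Parameter(Mandatory)][string]$GroupName)

    # Escape the caller-supplied value before splicing it into the LDAP filter
    # (RFC 4515 reserved characters: \ * ( ) and NUL), otherwise a crafted
    # name can change the meaning of the query (LDAP injection).
    $escaped = $GroupName -replace '\\', '\5c' -replace '\*', '\2a' `
                          -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'

    $searcher = [adsisearcher]"(&(objectCategory=group)(sAMAccountName=$escaped))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('member', 'distinguishedName'))
    $group = $searcher.FindOne()
    if (-not $group) { throw "Group '$GroupName' not found in the domain" }

    # Caveat: for very large groups AD returns 'member' in ranges (member;range=0-1499);
    # range retrieval is not handled here.
    foreach ($dn in $group.Properties['member']) {
        $entry = [adsi]"LDAP://$dn"
        [pscustomobject]@{
            Source = 'WindowsAD'
            Name   = [string]$entry.sAMAccountName
            Id     = [string]$dn
        }
    }
}

# --- Azure AD: REST calls to Microsoft Graph with an OAuth 2.0 client-credentials token ---
function Get-AzureAdGroupMembers {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$TenantId,      # placeholder GUID
        [Parameter(Mandatory)][string]$ClientId,      # placeholder GUID
        [Parameter(Mandatory)][string]$ClientSecret   # placeholder; never commit a real one
    )

    # OAuth 2.0 client-credentials grant at the tenant's v2.0 token endpoint
    $token = Invoke-RestMethod -Method Post `
        -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" `
        -Body @{
            client_id     = $ClientId
            client_secret = $ClientSecret
            scope         = 'https://graph.microsoft.com/.default'
            grant_type    = 'client_credentials'
        }
    $headers = @{ Authorization = "Bearer $($token.access_token)" }

    # Resolve the group by displayName. OData string literals escape ' by doubling it,
    # and the whole filter is URL-encoded so the name cannot break the query.
    $safeName = $GroupName -replace "'", "''"
    $filter   = [uri]::EscapeDataString("displayName eq '$safeName'")
    $groups   = Invoke-RestMethod -Headers $headers `
        -Uri "https://graph.microsoft.com/v1.0/groups?`$filter=$filter&`$select=id,displayName"
    if (@($groups.value).Count -ne 1) {
        throw "Expected exactly one Azure AD group named '$GroupName', found $(@($groups.value).Count)"
    }
    $groupId = $groups.value[0].id

    # Enumerate user members only (OData cast) and follow @odata.nextLink until the
    # last page; Graph never returns the whole membership in one response.
    $uri = "https://graph.microsoft.com/v1.0/groups/$groupId/members/microsoft.graph.user?`$select=id,userPrincipalName"
    while ($uri) {
        $page = Invoke-RestMethod -Headers $headers -Uri $uri
        foreach ($m in $page.value) {
            [pscustomobject]@{
                Source = 'AzureAD'
                Name   = $m.userPrincipalName
                Id     = $m.id
            }
        }
        $uri = $page.'@odata.nextLink'
    }
}

# Usage (placeholders): the secret is read from an environment variable rather than
# typed into the script.
Get-OnPremGroupMembers -GroupName 'Finance-Readers' | Format-Table
Get-AzureAdGroupMembers -GroupName 'Finance-Readers' `
    -TenantId '00000000-0000-0000-0000-000000000000' `
    -ClientId '11111111-1111-1111-1111-111111111111' `
    -ClientSecret $env:GRAPH_CLIENT_SECRET | Format-Table
```

The contrast is the point of the page: the on-premises function never leaves the network and authenticates implicitly with the caller's Kerberos ticket, while the Azure AD function authenticates explicitly with a bearer token and is subject to Graph's permission model and paging. Both functions escape the group name before building their query, because an LDAP filter and an OData `$filter` are both injectable if a user-controlled string is concatenated in unescaped.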