What is Azure Active Directory (Azure AD) and how does it differ from on-premises Active Directory?
Azure Active Directory (Azure AD, now rebranded as Microsoft Entra ID) is Microsoft’s cloud-based identity and access management service. It handles authentication and authorization for Azure resources, Microsoft 365, and thousands of third-party SaaS applications.
Azure AD vs On-Premises Active Directory
On-premises AD DS uses the Kerberos and NTLM protocols, is structured around organizational units (OUs), domains, and forests, and uses LDAP for querying and Group Policy for management. It is designed for traditional Windows environments.
Azure AD uses OAuth2, OpenID Connect, and SAML. It has no OUs, forests, or Kerberos by default. It provides SSO across cloud apps and supports modern identity scenarios such as MFA, Conditional Access, and Identity Protection.
Key Azure AD Concepts
Tenants: A tenant is an isolated instance of Azure AD representing one organization. Each Azure subscription is associated with exactly one tenant.
App Registrations: Applications register with Azure AD to obtain the credentials they use in OAuth2 authentication flows.
Service Principals: The identities that applications and automation use to authenticate to Azure resources.
Managed Identities: Azure-managed identities for Azure resources such as VMs, App Service, and AKS that eliminate the need to store credentials in code. A system-assigned identity follows the lifecycle of its resource; a user-assigned identity has an independent lifecycle.
Conditional Access: Policy-based access controls evaluating sign-in risk, device compliance, location, and other signals to grant or block access.
Azure AD Connect: Synchronizes on-premises AD DS identities to Azure AD for hybrid identity scenarios.
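Because Azure AD speaks OAuth2 and OpenID Connect rather than Kerberos, an API that trusts it receives a JWT access token and must check that the token really came from its own tenant, was issued for this API, and is still valid, and it must know whether the caller is a user or an app-only identity such as a service principal or managed identity. The following is an added example, not code from the page or from Microsoft: it decodes a constructed token, performs those claim checks, and classifies the caller from the claims. The tenant id, client id and token contents are constructed placeholders, and the sample token carries a dummy signature; in a real API the claim checks below run only after the signature has been verified against the tenant's published signing keys (JWKS), which this offline example does not do.

```python
import base64
import json
import time

# Constructed placeholder ids for the demonstration (not real tenants or apps).
TENANT_ID = "00000000-0000-0000-0000-000000000001"
OTHER_TENANT_ID = "00000000-0000-0000-0000-000000000002"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"  # the API's own app (client) id


def expected_issuers(tenant_id):
    """Issuer values Azure AD uses for v1.0 and v2.0 tokens of one tenant."""
    return {
        f"https://sts.windows.net/{tenant_id}/",
        f"https://login.microsoftonline.com/{tenant_id}/v2.0",
    }


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt(token):
    """Split a compact JWT into (header, payload). This does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return header, payload


def validate_claims(payload, tenant_id, audience, now=None, skew=60):
    """Return the list of claim problems found; an empty list means the claims are acceptable.
    Run only after signature verification against the tenant's JWKS."""
    now = int(time.time()) if now is None else now
    problems = []
    if payload.get("iss") not in expected_issuers(tenant_id):
        problems.append("issuer")          # token minted by a different tenant or STS
    if payload.get("tid") != tenant_id:
        problems.append("tenant")
    aud = payload.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if audience not in auds:
        problems.append("audience")        # token issued for some other API
    if "exp" not in payload or now > payload["exp"] + skew:
        problems.append("expired")
    if "nbf" in payload and now < payload["nbf"] - skew:
        problems.append("not-yet-valid")
    return problems


def caller_kind(payload):
    """'app' for app-only tokens (service principal / managed identity), 'user' for delegated ones."""
    if payload.get("idtyp") == "app":       # optional claim, present when the app opts in
        return "app"
    # Without idtyp: delegated tokens carry scp and a user claim; app-only tokens carry roles only.
    if "scp" in payload or "upn" in payload or "preferred_username" in payload:
        return "user"
    return "app"


def make_unsigned_sample(payload):
    """Constructed sample token for offline use; the signature segment is a dummy."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


NOW = 1_700_000_000  # fixed "current time" so the checks are reproducible

# Constructed app-only token, shaped like one a managed identity presents to the API.
MI_TOKEN = make_unsigned_sample({
    "iss": f"https://login.microsoftonline.com/{TENANT_ID}/v2.0", "tid": TENANT_ID,
    "aud": CLIENT_ID, "iat": NOW - 60, "nbf": NOW - 60, "exp": NOW + 3600,
    "oid": "22222222-2222-2222-2222-222222222222", "idtyp": "app", "roles": ["Data.Read"],
})

# Constructed delegated token from another tenant: same audience, but the wrong issuer/tenant.
FOREIGN_USER_TOKEN = make_unsigned_sample({
    "iss": f"https://login.microsoftonline.com/{OTHER_TENANT_ID}/v2.0", "tid": OTHER_TENANT_ID,
    "aud": CLIENT_ID, "iat": NOW - 60, "nbf": NOW - 60, "exp": NOW + 3600,
    "oid": "33333333-3333-3333-3333-333333333333", "scp": "Data.Read",
    "preferred_username": "user@example.invalid",
})


def check(token, now=NOW):
    """Decode a token and return (caller kind, list of claim problems)."""
    _, payload = decode_jwt(token)
    return caller_kind(payload), validate_claims(payload, TENANT_ID, CLIENT_ID, now=now)


if __name__ == "__main__":
    for name, tok in [("managed identity", MI_TOKEN), ("foreign user", FOREIGN_USER_TOKEN)]:
        print(name, check(tok))
    print("managed identity, one hour later", check(MI_TOKEN, now=NOW + 4000))
```

The issuer and tenant checks are what keep a multi-tenant-capable app registration from accepting a token minted by someone else's tenant, the audience check stops a token issued for a different API from being replayed against this one, and the caller classification lets the API apply role-based checks to app-only callers and scope-based checks to delegated user callers.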