Admins have been looking for a cloud version of Active Directory® for a while. Many think of Azure® as just that. But is a virtual Azure Active Directory instance really a cloud-based version of AD? The short answer is no, a virtual AAD isn’t a replacement for Active Directory. In fact, Azure AD is really just an extension of the on-prem AD.
What Does AAD Actually Do?
Azure Active Directory is really meant to be a user management system for Azure, and to be a web application single sign-on solution. Identities are populated into the cloud version of Active Directory from the legacy Active Directory instance on-prem. The on-prem identities can then be leveraged for Office 365, Azure compute services, and web applications. However, it does not act as a replacement to AD. In fact, one of Microsoft’s representatives confirmed this himself in a Spiceworks post.
“Even the “Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller or a directory in the cloud that will provide exactly the same capabilities with AD. It actually provides many more capabilities in a different way.
“That’s why there is no actual “migration” path from Active Directory to Azure Active Directory. You can synchronize your on-premises directories (Active Directory or other) to Azure Active Directory but not migrate your computer accounts, group policies, OU, etc.
“As you can see here, Azure Active Directory is an identity and access management solution for hybrid or cloud-only implementations. It can extend the reach of your on-premises identities to any SaaS application hosted in any cloud. Azure AD can provide secure remote access to on-premises applications that you want to publish to external users. It can be the center of your cross-organization collaboration by providing your partners access to your resources. And it provides identity management to your consumer-facing application by using social identity providers. Cloud app discovery, multi-factor authentication, protection of your identities in the cloud, reporting of sign-ins from possibly infected devices, leaked credentials report, and user behavioral analysis are a few additional things that we couldn’t even imagine with the traditional Active Directory on-premises.
Recently announced Azure Active Directory Domain Services are not a usual DC-as-a-service that you could use to replicate your existing Active Directory implementation to the cloud. It is a stand-alone service that can offer domain services to your Azure VMs and your directory-aware applications if you decide to move them to Azure infrastructure services but with no replication to any other on-premises or cloud (in a VM) domain controller.
“If you want to migrate your domain controllers in the cloud to use them for traditional tasks, you could deploy domain controllers in Azure Virtual Machines and replicate via VPN.
“So to conclude, if you would like to extend the reach of your identities to the cloud, you can start by synchronizing your Active Directory to Azure AD.”
So as you can see, AAD really functions as an extension instead of a replacement. In many ways, Azure Active Directory is really not all that different from Google’s Cloud Identity approach with G Suite directory and Google Cloud platform. A Google Cloud Identity is really focused on being a way to access Google Apps and a few, select web applications. In both cases, their cloud identity management strategy is really to control user access to only their set of services.
Is there a True Cloud Replacement to AD?
While the virtual Azure Active Directory and GCP approach can help many IT organizations, it actually doesn’t solve the problem of shifting core IT services and management infrastructure to the cloud. The on-prem user management system for most organizations is Active Directory, so the real challenge we need to solve is figuring out how to shift it to the cloud. If a virtual Azure Active Directory isn’t a replacement to AD, then what is?
A new generation of IDaaS platforms is emerging, and the cloud-based directory called Directory-as-a-Service is leading the way. As a cloud alternative to Active Directory, this virtual identity provider is securely managing and connecting user identities to the IT resources they need including access to systems (Windows, Mac, Linux), cloud and on-prem servers (AWS, GCP, Azure, on-prem), physical and virtual storage platforms (Samba file servers, NAS appliances, Dropbox, etc.), web and on-prem applications (via LDAP and SAML), and wired and WiFi networks through RADIUS.
If you would like to learn more about how JumpCloud’s Directory-as-a-Service platform works, reach out to us. We would be happy to answer any questions you might have. Alternatively, you can also sign up for a free account of the virtual directory if you would like to see it for yourself. Your first 10 users are free forever, with no credit card required, so there’s no reason not to give it a shot. You don’t need to settle for a virtual Azure Active Directory that forces you to keep on-prem infrastructure. Check out JumpCloud today.
This is a Security Bloggers Network syndicated blog post authored by Jon Griffin. Read the original post at: JumpCloud