Microsoft® dominated the IT identity management space for decades, so it’s no surprise that some of their solutions intersect. Below, we’ll compare Azure® Active Directory® (AD) vs. Active Directory Federation Services (AD FS) to see how these Microsoft offerings overlap and where they differ.
What is Azure AD?
Azure is Microsoft’s cloud computing offering, akin to AWS® or GCP™. Azure AD is the cloud identity management solution for managing users in the Azure Cloud. IT admins use Azure AD to authenticate access to Azure, Office 365™, and a select group of other cloud applications through limited SAML single sign-on (SSO). At its most basic level, Azure AD is free, included with a subscription to Office 365. In order to fully leverage its capabilities, however, IT admins need to purchase higher tiers of the product.
It’s important to note that Azure AD is primarily a user management tool for Azure and O365, and doesn’t really focus on the on-prem IT infrastructure, which often includes systems, networks, file servers, and other resources. As such, it is not a cloud-based replacement for the on-prem Microsoft directory service, Active Directory. Regardless, many Microsoft-centric organizations rely on Azure AD in tandem with on-prem AD to manage the entirety of their environment. There are, of course, other tools that could be used to do so. AD FS is one such tool.
What is AD FS?
Since the SaaS boom of the early 2000s, IT organizations that rely on Active Directory have often needed a tool that federates their on-prem identities to cloud applications. While a number of dedicated third-party SSO solutions exist to fill this void, Microsoft also offers its own tool: Active Directory Federation Services (AD FS), which has traditionally been an add-on charge to Windows Server purchases.
AD FS is a companion tool to Active Directory that extends on-prem identities to cloud applications. It’s akin to a web application SSO tool, but it runs on-prem rather than in the cloud. Like web app SSO services, AD FS issues SAML XML tokens signed with its certificates, but it can also authenticate using cookies or other security tokens.
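As an added example that is not part of the original post, here are the checks a relying party (the cloud application) should apply to a SAML 2.0 assertion issued by AD FS before trusting it: issuer, presence of a signature, validity window, and audience. The issuer URL, audience and timestamps are constructed values, and cryptographic verification of the signature itself is left to an XML-DSig library.

```python
# Added example, not from the original post: relying-party checks on a
# SAML 2.0 assertion issued by AD FS. Verifying the ds:Signature bytes
# needs an XML-DSig library (e.g. python-xmlsec) and is not done here.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def _ts(value):
    # SAML timestamps are UTC ISO 8601 strings ending in 'Z'
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def validate_assertion(xml_text, expected_issuer, expected_audience, now=None):
    """Return a list of problems; an empty list means the assertion is acceptable."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"unexpected issuer {issuer!r}")
    if root.find("ds:Signature", NS) is None:
        problems.append("assertion is unsigned")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
        return problems
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not nb or now < _ts(nb):
        problems.append("NotBefore missing or in the future")
    if not na or now >= _ts(na):
        problems.append("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences} does not include this service")
    return problems

# Constructed sample assertion; the issuer follows the AD FS
# http://<fqdn>/adfs/services/trust convention and example.test is fictitious.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c1" Version="2.0">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:SignatureValue>constructed</ds:SignatureValue></ds:Signature>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://app.example.test/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    print(validate_assertion(SAMPLE, "http://adfs.example.test/adfs/services/trust",
                             "https://app.example.test/", now=_ts("2024-01-01T00:02:00Z")))
```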