Azure vs. Uplevel Active Directory

Portions of this article are taken from the blog post on our website: https://www.uplevelsystems.com/blog/uplevel-ad-vs-azure-ad-whats-the-difference

Introduction

On-premises Microsoft Active Directory, Uplevel's Active Directory compatible Directory Services, and cloud-based Azure Active Directory (rebranded Microsoft Entra ID) all provide a central identity that can be used to manage user access to applications, services, and devices. They give system administrators and Managed Service Providers the ability to centrally control large collections of user devices.

This choice of identity solutions offers the flexibility to use the most appropriate directory service for your organization's needs. For example, if you mostly manage cloud-only users who work on tablets or other mobile devices, Azure Active Directory (Microsoft Entra ID) might be sufficient. However, if your user population requires workstations or laptops with centrally administered policies, audited access to resources, and stricter security controls, on-premises Active Directory (AD) will most likely be required. This document describes the use cases for each of these solutions.

High-Level Capabilities

Active Directory-based identity management from Microsoft and Uplevel share some common technologies; however, the various solutions serve different purposes and therefore offer different capabilities.

Microsoft Active Directory Domain Services (AD)

Traditional Microsoft Active Directory Domain Services (AD) is built around an on-premises enterprise-class directory server. It provides identity verification (authentication via Kerberos, with NTLM as the legacy fallback), directory lookup via LDAP, computer object management, group policy administration (via GPOs and the SYSVOL share), and trust maintenance between domains and forests. AD is widely used in a huge range of organizations to provide core user authentication and computer management, as well as audited and controlled access to critical resources such as company data storage and applications.

Azure Active Directory (Microsoft Entra ID)

Azure Active Directory (Microsoft Entra ID) is not merely a cloud-based implementation of AD. It is primarily aimed at user account and authentication services for cloud and mobile access, and at mediating access to resources such as Office 365 and other SaaS applications. Microsoft Entra ID can be synchronized with an on-premises AD environment to provide users with a single identity that works in both cloud and on-premises situations. Microsoft provides a sync component, Azure AD Connect (now Microsoft Entra Connect), to perform this integration.

Core Functionalities of Azure AD (Microsoft Entra ID):

  • Provides a cloud-first approach to management, enabling single-sign-on (SSO) access to cloud applications.
  • Supports secure authentication with conditional access policies and multi-factor authentication.
  • Supports a unified identity across platforms and applications, streamlining user access.

Azure Active Directory Domain Services (AADDS)

A third alternative exists: Azure Active Directory Domain Services (AADDS, now Microsoft Entra Domain Services). It combines functions of an on-premises AD service with the cloud-based Microsoft Entra ID service: it provides a subset of traditional AD features such as domain join, group policy, LDAP, and Kerberos/NTLM authentication, delivered as a managed service that resides in Azure. It synchronizes identities from Microsoft Entra ID, which in turn can receive password hashes from on-premises AD through Entra Connect password hash synchronization (a one-way derivative of the NT hash is synced, never the password itself). However, configuring and managing such a layered environment is technically challenging.

Note that AADDS, once set up, is a continuously billable service: it cannot be paused, and turning it off means deleting the managed domain.
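To make concrete what "password hash synchronization" sends to the cloud, here is an added worked example (not Uplevel or Microsoft code). It follows Microsoft's published description of Entra Connect PHS: the NT hash (MD4 over the UTF-16LE password) is rendered as 32 hex characters, re-encoded as UTF-16LE to 64 bytes, combined with a 10-byte per-user salt, and run through PBKDF2-HMAC-SHA256 for 1,000 iterations to a 32-byte value. Feeding the salt as the PBKDF2 salt parameter, and the case of the hex string, are assumptions here; the exact byte layout is not published. MD4 is implemented inline because OpenSSL 3 builds of Python often do not ship it.

```python
"""Constructed demonstration of what Entra Connect password hash sync derives.

Added example for this article, not Uplevel or Microsoft code. Pipeline follows
Microsoft's published PHS description; salt placement and hex case are ASSUMED.
"""
import hashlib
import os
import struct

_MASK = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; the NT hash is MD4 over the UTF-16LE-encoded password."""
    msg = bytearray(data)
    bit_len = (8 * len(data)) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    f = lambda x, y, z: (x & y) | ((~x & _MASK) & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2_idx = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3_idx = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]

    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(48):
            if i < 16:
                fn, k, s, add = f, i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:
                fn, k, s, add = g, r2_idx[i - 16], (3, 5, 9, 13)[i % 4], 0x5A827999
            else:
                fn, k, s, add = h, r3_idx[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a = _lrot((a + fn(b, c, d) + X[k] + add) & _MASK, s)
            a, b, c, d = d, a, b, c          # rotate roles for the next step
        A, B, C, D = (A + a) & _MASK, (B + b) & _MASK, (C + c) & _MASK, (D + d) & _MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> bytes:
    """The 16-byte value a domain controller stores and Entra Connect reads."""
    return md4(password.encode("utf-16-le"))


def phs_sync_value(nt: bytes, salt: bytes) -> bytes:
    """The 32-byte value transmitted to Entra ID for a synced user.

    Assumption: the 10-byte per-user salt is passed as the PBKDF2 salt and the
    hex string is upper-case; Microsoft documents the steps, not the exact layout.
    """
    if len(nt) != 16 or len(salt) != 10:
        raise ValueError("expected a 16-byte NT hash and a 10-byte salt")
    expanded = nt.hex().upper().encode("utf-16-le")   # 32 hex chars -> 64 bytes
    return hashlib.pbkdf2_hmac("sha256", expanded, salt, 1000, dklen=32)


def demo(password: str = "password") -> dict:
    """Show both values side by side for one constructed user."""
    nt = nt_hash(password)
    salt = os.urandom(10)              # Entra Connect generates this per user
    return {"nt_hash": nt.hex(), "salt": salt.hex(),
            "synced": phs_sync_value(nt, salt).hex()}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:8s} {v}")
```

The point for a defender: what reaches Entra ID is a salted, iterated derivative that cannot be turned back into the NT hash, so a cloud compromise does not yield pass-the-hash material. The reverse is not true: the Entra Connect server reads NT hashes from every synced account using directory replication rights, so it must be protected like a domain controller.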

Uplevel Active Directory compatible Domain Services behaves very similarly to traditional Microsoft on-premises Active Directory (AD). It uses Kerberos as its authentication protocol and LDAP for directory services, and it supports the traditional GPOs and SYSVOL share for policy management. It gives small and midsize organizations most of the key capabilities of Microsoft Active Directory: control over on-premises devices and applications through authentication, company-wide policy management, and mediated access to company resources. At the same time, it avoids the need to install and maintain a heavyweight enterprise-class server, and greatly simplifies management.

Differences Between Azure AD (Microsoft Entra ID) and Traditional AD

Unlike traditional AD, AAD (Microsoft Entra ID) uses an entirely different software stack and an entirely different set of protocols. Rather than Kerberos/NTLM and LDAP, AAD (Microsoft Entra ID) uses OAuth 2.0 and OpenID Connect over HTTPS (plus SAML and WS-Federation for older federated applications) to support web-based APIs and cloud applications. OAuth 2.0 can be used for authorization in most application types, but it is mainly used by web apps and applications that expose REST APIs. Traditional Windows applications and services (SMB file shares, print servers, SQL Server with Windows authentication) expect Kerberos or NTLM credentials and do not speak OAuth 2.0.
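To show what "OAuth 2.0 over HTTPS" means in practice for an application that trusts Entra ID instead of a domain controller, here is an added example (not from the original article or from Uplevel). A Kerberos service simply decrypts a ticket with its own key; an OAuth 2.0 resource server instead receives a signed JSON Web Token and must itself check the signature, issuer, tenant, audience and validity window. The tokens are constructed and signed with HS256 and a demo secret so the block runs offline; real Entra ID tokens are RS256 and must be verified against the tenant's published JWKS, but the claim checks are identical. The tenant ID, client ID and issuer values are made up.

```python
"""Added example: claim validation for an Entra-style OAuth 2.0 bearer token.

Not code from the original article. Tokens here are constructed and HS256-signed
with a demo key so the example is self-contained; the IDs below are hypothetical.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

DEMO_KEY = b"demo-only-shared-secret"                    # constructed, never real
TENANT_ID = "11111111-2222-3333-4444-555555555555"        # hypothetical tenant
EXPECTED_ISSUER = f"https://login.microsoftonline.com/{TENANT_ID}/v2.0"
MY_API_CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee" # hypothetical app


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_demo_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact JWS (header.payload.signature) for the demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token: str, now: Optional[float] = None,
                   key: bytes = DEMO_KEY) -> dict:
    """Return the claims if the token is acceptable for MY_API_CLIENT_ID, else raise."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":              # pin the algorithm; never accept 'none'
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    # A valid signature only proves Entra ID issued the token; the relying party
    # must still check that it was issued by the right tenant, for this API, now.
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("tid") != TENANT_ID:
        raise ValueError("wrong tenant")
    if claims.get("aud") != MY_API_CLIENT_ID:      # blocks a Graph token replayed at us
        raise ValueError("token not intended for this API")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise ValueError("token not yet valid or expired")
    return claims


def demo() -> tuple:
    """Three constructed tokens: accepted, wrong audience, expired."""
    t0 = 1_700_000_000
    base = {"iss": EXPECTED_ISSUER, "tid": TENANT_ID, "sub": "user-123",
            "nbf": t0, "exp": t0 + 3600, "scp": "Files.Read"}
    good = mint_demo_token({**base, "aud": MY_API_CLIENT_ID})
    wrong_aud = mint_demo_token({**base, "aud": "https://graph.microsoft.com"})
    expired = mint_demo_token({**base, "aud": MY_API_CLIENT_ID, "exp": t0 - 1})

    def accepted(tok: str) -> bool:
        try:
            validate_token(tok, now=t0 + 60)
            return True
        except ValueError:
            return False

    return accepted(good), accepted(wrong_aud), accepted(expired)


if __name__ == "__main__":
    print("accepted / wrong aud / expired:", demo())
```

The audience check is the one most often missed: a token a user obtained for Microsoft Graph carries a perfectly good Entra ID signature, and an API that validates only the signature will accept it. In the Kerberos world the equivalent check is implicit, because a ticket for one SPN cannot be decrypted by a different service.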

Unlike Uplevel Active Directory, AAD (Microsoft Entra ID) is not Active Directory as we traditionally know it.

For example, AAD (Microsoft Entra ID):
  1. does not have the user and computer management functions expected from traditional AD; devices are registered or joined to Entra ID and managed through an MDM such as Intune, not as domain computer objects.
  2. cannot enforce group policies: it cannot push GPOs to computers joining the domain.
  3. does not support OUs. Without an OU hierarchy, policy and delegated administration cannot be scoped to containers of users and computers the way AD allows.
  4. is not intended to control and audit access to on-premises storage, or to control access to resources such as printers.
  5. does not support domain controller replication, and cannot be set up as a trusted domain in an AD forest trust.
  6. does not have Domain Admin / Enterprise Admin privilege (its highest role is Global Administrator), and does not support managed service accounts; cloud workloads use service principals and managed identities instead.

While AAD (Microsoft Entra ID) is great for virtual machines hosted in Azure (sign-in with Entra ID is simple to enable and works well within an Azure tenant), it does not replace a proper domain controller. AAD (Microsoft Entra ID) is mainly intended to support a cloud-only strategy where Single Sign-On (SSO) is the key focus.

Compliance

HIPAA

AAD (Microsoft Entra ID) does not, by itself, control which devices (workstations, servers) are permitted to join an on-premises network and reach its resources; that gating comes from AD machine accounts, domain join, and the policies and certificates a domain controller issues. Controlling and auditing which devices can access systems holding protected health information is essential for HIPAA compliance.

NOTE: Information about Azure Active Directory is drawn from Microsoft's comparison of identity solutions: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/compare-identity-solutions This is a useful reference document.
