In today’s digital landscape, it’s crucial to comprehend the various directory services Microsoft offers. These services are pivotal in managing user identities, securing data, and enabling seamless access to resources. In this blog post, we’ll dive into Microsoft directory services, shedding light on Entra ID (formerly known as Azure AD), Windows AD, and Entra Domain Services. By the end, you’ll better understand these services and their significance in the modern IT environment.
Azure AD to Microsoft Entra ID
We will start by addressing a recent change. Microsoft rebranded Azure AD as Microsoft Entra ID. This name change was implemented to reflect the product’s functionality better, reduce confusion with Windows AD, and align it with the broader Microsoft Entra product line. It’s important to note that this change is primarily cosmetic, and it doesn’t impact the features or functionality of the service in any way.
Understanding Microsoft’s Cloud Services
To put Microsoft directory services into context, it’s essential to grasp the larger Microsoft cloud ecosystem. Microsoft offers three primary categories of cloud services:
Software as a Service (SaaS): This category encompasses Microsoft 365 products like Teams, SharePoint, Power Platform, and Exchange Online. These services are licensed per user, making it cost-effective and user-centric.
Azure Services: Azure provides a platform for Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) products. These services are billed based on consumption, meaning you pay for what you use, regardless of the number of users.
Identity Service: The common thread between the Microsoft 365 SaaS services and the Azure IaaS and PaaS services is the identity service that manages users, groups, devices, and other security principals. Microsoft Entra ID (formerly Azure AD) is the service responsible for managing access to Microsoft 365 SaaS and Azure PaaS and IaaS services.
An Entra ID tenant represents an organization in Azure. Every organization using Microsoft’s cloud services has at least one Entra ID tenant, and an organization can end up with several, for example through mergers and acquisitions. The recent name change does not affect functionality and causes no service interruptions; APIs, URLs, and PowerShell commands remain the same.
Name Changes Across Azure AD
The name change isn’t limited to Azure AD but extends to other identity services. Azure AD Domain Services is now Microsoft Entra Domain Services, Azure AD Connect Sync is Microsoft Entra Connect Sync, and Azure AD Conditional Access is Microsoft Entra Conditional Access. This renaming ensures consistency across Microsoft’s directory services. Below is an example of several Entra ID name changes.
Exploring Microsoft Directory Services
With the name change clarified, let’s explore the three primary directory services offered by Microsoft.
1. Windows Server Active Directory (Windows AD): Windows AD is a well-established directory service with over 20 years of history. It features a hierarchical directory and an extendable schema, and it stores security principals such as users and computers. It also provides Group Policy and high availability through a multi-master configuration of domain controllers. However, Windows AD requires dedicated domain controllers. Windows AD uses standards like LDAP and DNS, along with authentication protocols like Kerberos and NTLM.
2. Entra ID: Formerly known as Azure AD, Entra ID is a cloud-based directory service hosted by Microsoft. It has a flat (non-hierarchical) directory structure and does not support Group Policy. Entra ID is offered in three tiers (Free, P1, and P2) and uses modern authentication protocols like OAuth 2, SAML, and OpenID Connect, which fit a zero trust model.
3. Entra Domain Services: Entra Domain Services is a Windows AD-compatible service managed by Microsoft. It eliminates the need for domain controllers, offers a unique namespace separate from Entra ID, and supports Kerberos, LDAP, and NTLM. While it integrates with Entra ID and allows for the application of group policies, it has some limitations to consider. You can learn more about these limitations here.
Protocol support for authentication is essential when choosing a directory service. Entra ID supports a modern set of protocols built for securing access to resources over the public internet. OAuth 2, SAML, and OpenID Connect support the zero-trust authentication model and do not rely on a private network.
Windows AD and Entra Domain Services use Kerberos and NTLM. These are legacy protocols introduced over 20 years ago. They assume a private network and are not exposed to the internet. These protocols were not designed to meet the demands of highly mobile users accessing cloud-based resources from various company- and employee-owned devices.
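The practical meaning of "does not rely on a private network" is that a modern-auth relying party trusts nothing about where a request came from; it trusts only a token whose signature checks out against the tenant's published keys and whose claims (issuer, tenant, audience, validity window) match what it expects. The following PowerShell script is an added example, not code from the original post or from Microsoft. It builds a locally generated RSA key as a stand-in for the tenant signing key, constructs a token in the shape an Entra ID v2.0 endpoint issues (the tenant id, audience and username are placeholders), and then validates it the way an API would. In production the key material comes from the `jwks_uri` published in `https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration` rather than from a key you generate.

```powershell
# Added example (not from the original post). Requires PowerShell 5.1+ / PowerShell 7.
# The signing key, tenant id, audience and user below are CONSTRUCTED so the script runs offline.

function ConvertTo-Base64Url([byte[]]$Bytes) {
    [Convert]::ToBase64String($Bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
function ConvertFrom-Base64Url([string]$Text) {
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    ,[Convert]::FromBase64String($s)   # leading comma keeps the byte[] intact through the pipeline
}

# --- Stand-in for the tenant signing key. Entra's real key is fetched from the jwks_uri (assumption: placeholders).
$tenantId = '00000000-0000-0000-0000-000000000000'     # placeholder tenant id
$rsa      = [System.Security.Cryptography.RSA]::Create(2048)
$pub      = $rsa.ExportParameters($false)
$jwk      = @{ kty = 'RSA'; kid = 'constructed-key-1'; n = (ConvertTo-Base64Url $pub.Modulus); e = (ConvertTo-Base64Url $pub.Exponent) }

# --- Constructed token with the claims an Entra ID v2.0 token carries: iss, tid, aud, nbf, exp.
$now     = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
$header  = @{ alg = 'RS256'; typ = 'JWT'; kid = $jwk.kid } | ConvertTo-Json -Compress
$payload = @{
    iss = "https://login.microsoftonline.com/$tenantId/v2.0"
    tid = $tenantId
    aud = 'api://example-app'                             # placeholder App ID URI of the relying party
    nbf = $now
    exp = $now + 3600
    preferred_username = 'alice@contoso.example'          # constructed user
} | ConvertTo-Json -Compress
$signingInput = (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($header))) + '.' +
                (ConvertTo-Base64Url ([Text.Encoding]::UTF8.GetBytes($payload)))
$sig   = $rsa.SignData([Text.Encoding]::UTF8.GetBytes($signingInput),
                       [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                       [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$token = "$signingInput." + (ConvertTo-Base64Url $sig)

# --- What a relying party must check before trusting anything in the token.
function Test-EntraToken {
    param([string]$Token, [hashtable[]]$Keys, [string]$ExpectedTenant, [string]$ExpectedAudience)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'malformed token' }
    $hdr = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[0])) | ConvertFrom-Json
    $cl  = [Text.Encoding]::UTF8.GetString((ConvertFrom-Base64Url $parts[1])) | ConvertFrom-Json

    # Pin the algorithm: accept only what the tenant actually uses, never whatever the header says.
    if ($hdr.alg -ne 'RS256') { throw "unexpected alg '$($hdr.alg)'" }
    $key = $Keys | Where-Object { $_.kid -eq $hdr.kid }
    if (-not $key) { throw "unknown signing key '$($hdr.kid)'" }

    # Rebuild the public key from the JWK (n, e) and verify the signature over header.payload.
    $params = [System.Security.Cryptography.RSAParameters]::new()
    $params.Modulus  = ConvertFrom-Base64Url $key.n
    $params.Exponent = ConvertFrom-Base64Url $key.e
    $verifier = [System.Security.Cryptography.RSA]::Create()
    $verifier.ImportParameters($params)
    $ok = $verifier.VerifyData([Text.Encoding]::UTF8.GetBytes("$($parts[0]).$($parts[1])"),
                               (ConvertFrom-Base64Url $parts[2]),
                               [System.Security.Cryptography.HashAlgorithmName]::SHA256,
                               [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    if (-not $ok) { throw 'signature invalid' }

    # Claims: our tenant, our audience, inside the validity window. Any other tenant's token
    # would also carry a valid Microsoft signature, so the issuer/tid check is not optional.
    $nowS = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    if ($cl.iss -ne "https://login.microsoftonline.com/$ExpectedTenant/v2.0") { throw "issuer '$($cl.iss)' is not our tenant" }
    if ($cl.tid -ne $ExpectedTenant)   { throw 'tid does not match our tenant' }
    if ($cl.aud -ne $ExpectedAudience) { throw "token was issued for '$($cl.aud)', not for us" }
    if ($cl.exp -le $nowS -or $cl.nbf -gt $nowS) { throw 'token is outside its validity window' }
    return $cl
}

$claims = Test-EntraToken -Token $token -Keys @($jwk) -ExpectedTenant $tenantId -ExpectedAudience 'api://example-app'
"Accepted token for $($claims.preferred_username) from tenant $($claims.tid)"
```

Note that every check in `Test-EntraToken` is local: no domain controller, no network location, and no shared secret between the client and the API are involved, which is exactly why these protocols work for users on arbitrary networks and devices. Kerberos, by contrast, needs the client to reach a domain controller for a ticket before it can talk to the service at all.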
Hybrid Identities with Entra Connect Sync
To bridge the gap between Windows AD and Entra ID, organizations can use Entra Connect Sync. This service synchronizes identities from Windows AD to Entra ID and enables single sign-on, simplifying access to on-premises and cloud resources.
Likewise, identities synchronize from Entra ID to Entra Domain Services. Users, groups, and other security objects can also be created directly in each directory service. Synchronization only flows in one direction, however: from Windows AD to Entra ID, and from Entra ID to Entra Domain Services.
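Because synchronization is one-way, it matters which accounts in a tenant are synced from Windows AD (and therefore governed by on-premises password, lifecycle and Group Policy controls) and which are cloud-only. The script below is an added example, not from the original post or from Microsoft. It assumes the Microsoft Graph PowerShell SDK (`Connect-MgGraph`, `Get-MgUser`) and the RSAT ActiveDirectory module are installed, that you have read access to both directories, and that Entra Connect Sync uses `ms-DS-ConsistencyGuid` as its source anchor (its default for new installs). It separates synced from cloud-only users and matches each synced user back to its Windows AD object through that anchor.

```powershell
# Added example (not from the original post). Assumes Microsoft.Graph and ActiveDirectory modules.
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome
Import-Module ActiveDirectory

# 1. Pull every Entra ID user with its sync attributes. OnPremisesImmutableId is the base64 form of
#    the source anchor Entra Connect Sync wrote when it first synchronized the object.
$cloudUsers = Get-MgUser -All -Property Id, UserPrincipalName, OnPremisesSyncEnabled,
    OnPremisesImmutableId, OnPremisesLastSyncDateTime, AccountEnabled

$synced    = @($cloudUsers | Where-Object { $_.OnPremisesSyncEnabled -eq $true })
$cloudOnly = @($cloudUsers | Where-Object { $_.OnPremisesSyncEnabled -ne $true })   # null for cloud-only
"Synced from Windows AD: $($synced.Count)   Cloud-only: $($cloudOnly.Count)"

# 2. Index Windows AD users by the same anchor. The anchor is stored as the raw GUID bytes, so
#    base64-encoding ms-DS-ConsistencyGuid reproduces OnPremisesImmutableId. Objects that have not
#    been synced yet have no ConsistencyGuid; Entra Connect would then take objectGUID.
$adByAnchor = @{}
Get-ADUser -Filter * -Properties 'ms-DS-ConsistencyGuid' | ForEach-Object {
    $anchorBytes = if ($_.'ms-DS-ConsistencyGuid') { [byte[]]$_.'ms-DS-ConsistencyGuid' }
                   else { $_.ObjectGUID.ToByteArray() }
    $adByAnchor[[Convert]::ToBase64String($anchorBytes)] = $_
}

# 3. Walk the synced cloud users. A synced user without an AD partner is an orphaned link: it will
#    no longer receive changes (disable, password, group membership) from the AD side.
$staleBefore = (Get-Date).AddDays(-1).ToUniversalTime()
$report = foreach ($u in $synced) {
    $ad = if ($u.OnPremisesImmutableId) { $adByAnchor[$u.OnPremisesImmutableId] }
    [pscustomobject]@{
        CloudUPN    = $u.UserPrincipalName
        AdAccount   = if ($ad) { $ad.SamAccountName } else { '<no matching AD object>' }
        LastSyncUtc = $u.OnPremisesLastSyncDateTime
        StaleSync   = ($null -eq $u.OnPremisesLastSyncDateTime) -or ($u.OnPremisesLastSyncDateTime -lt $staleBefore)
    }
}
$report | Sort-Object StaleSync -Descending | Format-Table -AutoSize

# Cloud-only accounts never touch Windows AD: no on-prem password policy, no Group Policy, no
# AD-side disablement. Review them separately (admins, service accounts, guests) so they are not
# missed by controls that only exist on the AD side.
$cloudOnly | Select-Object UserPrincipalName, AccountEnabled | Format-Table -AutoSize
```

The one-way direction is also why edits to a synced user must be made in Windows AD: a change made on the Entra ID side to an attribute that Entra Connect Sync owns is simply overwritten on the next synchronization cycle.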
Directory Services Feature Comparison
The choice between these directory services depends on your organization’s specific needs. Windows AD can be extended to Azure using IaaS servers, or a new domain could be created in Azure. The choice is influenced by the required authentication protocols, with Windows AD and Entra Domain Services primarily suited for legacy protocols (Kerberos and NTLM) and Entra ID supporting modern authentication protocols (OAuth 2, SAML, and OpenID Connect).
Many organizations want to move from Windows AD to cloud-native Entra ID to modernize their directory service and remove the need to deploy and manage domain controllers. However, many applications still depend on legacy authentication. Windows AD has a long history in most organizations, and removing it would remove support for Kerberos and NTLM, so applications must be migrated to modern authentication before an organization can retire Windows AD.
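Before Windows AD can be retired (or NTLM restricted), you need an inventory of who still depends on Kerberos and NTLM, which ties the protocol discussion above to the migration problem described here. The script below is an added example, not from the original post or from Microsoft. It reads Security event 4624 (successful logon) from one or more domain controllers, where the default audit policy records every domain logon, and reports which accounts and source hosts still authenticate with NTLM (and which NTLM version) versus Kerberos. Run it from an elevated session with rights to read the DCs' Security logs; the `-ComputerName` and `-Days` parameters are this script's own.

```powershell
# Added example (not from the original post). Reads 4624 logon events from domain controllers
# and groups them by authentication package so NTLM dependencies can be found before migration.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),   # DCs to query; defaults to the local machine
    [int]$Days = 7
)

$since = (Get-Date).AddDays(-$Days)
$rows = foreach ($dc in $ComputerName) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the named EventData fields from the event XML rather than by Properties[] position,
        # which is fragile across Windows versions.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Skip computer accounts (names ending in $) and the built-in identities that add noise here.
        if ($d.TargetUserName -like '*$' -or $d.TargetUserName -in 'ANONYMOUS LOGON', 'SYSTEM') { return }

        [pscustomobject]@{
            DC          = $dc
            Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
            Package     = $d.AuthenticationPackageName   # 'Kerberos' or 'NTLM'
            LmPackage   = $d.LmPackageName               # 'NTLM V1' / 'NTLM V2' when Package is NTLM, '-' otherwise
            LogonType   = $d.LogonType                   # 3 = network, 10 = remote interactive, 2 = interactive
            Workstation = $d.WorkstationName
            SourceIp    = $d.IpAddress
        }
    }
}

# Summary: how much of the environment still uses NTLM, and which NTLM version.
'--- Logons by authentication package ---'
$rows | Group-Object Package, LmPackage | Select-Object Count, Name | Sort-Object Count -Descending

# Detail: the accounts and source hosts that need a Kerberos or modern-auth path before Windows AD
# can be retired. NTLM V1 entries are the first to fix; they also indicate clients that will break
# if NTLM is restricted by Group Policy.
'--- Top NTLM users by account and source ---'
$rows | Where-Object Package -eq 'NTLM' |
    Group-Object Account, Workstation, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 25
```

Kerberos logons in this output are the applications and hosts that still need a domain (Windows AD or Entra Domain Services); NTLM logons are the ones that will be hardest to move, because NTLM is typically used where Kerberos cannot be (IP-address access, untrusted domains, older clients). Neither set can be served by Entra ID alone until the application is changed to OAuth 2, SAML, or OpenID Connect.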
In conclusion, understanding Microsoft’s directory services is crucial for modern IT management. Entra ID, Windows AD, and Entra Domain Services each serve specific purposes within the broader Microsoft ecosystem. By comprehending their differences and capabilities, organizations can make informed decisions about how to manage user identities, secure resources, and embrace the evolving landscape of cloud and hybrid environments.