Microsoft® Azure® Active Directory® (Azure AD or AAD) has become a useful tool for organizations looking to introduce cloud-based identity management to their current IT infrastructure. It has a variety of use cases, and can be combined with other Azure products to authenticate users to Windows® 10 Pro devices and certain web applications.
However, most organizations employ their AAD in conjunction with an existing on-prem Active Directory instance. Active Directory comes with Active Directory Federation Services (AD FS) as an add-on component of Windows Server, which can be a powerful tool as well. As a result, many of these organizations struggle to decide which is better for authenticating to web applications: Azure AD or AD FS?
Below, we’ll discuss what each provides for Windows-centric organizations, as well as the environments they’re best suited for.
What is AD FS?
AD FS is a software component developed by Microsoft that can be installed on Windows Server operating systems. It extends on-prem identities managed within AD to cloud applications through both SAML and OAuth.
AD FS is meant for on-prem environments and does not authenticate through Azure infrastructure; it only authenticates against Active Directory. Ultimately, AD FS is an add-on tool that provides SSO access to systems and applications, specifically those located outside organizational boundaries (i.e. the ‘domain’), through a claims-based access control authorization model: AD FS issues a signed token carrying claims about the user, and the relying application makes its authorization decision from those claims rather than by querying AD directly.
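To make the claims-based model concrete, here is an added example (not code from the original post or from Microsoft) of the checks a relying web application performs on an AD FS style SAML 2.0 assertion before trusting its claims: issuer, validity window and audience are validated, then a group claim drives the authorization decision. The assertion, issuer URL and application URL are constructed sample values; the claim type URIs are the ones AD FS commonly emits, and XML signature verification is assumed to have happened before this step.

```python
"""Relying-party checks on an AD FS style SAML 2.0 assertion (added example, not from the post)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UPN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"
GROUPS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
ISSUER = "http://sts.example.test/adfs/services/trust"   # constructed sample value
AUDIENCE = "https://app.example.test/"                    # constructed sample value

# Constructed sample assertion; a real one is signed and carries more elements.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>%s</saml:Issuer>
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T11:00:00Z">
    <saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="%s"><saml:AttributeValue>alice@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="%s"><saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>Staff</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>""" % (ISSUER, AUDIENCE, UPN, GROUPS)


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T10:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_claims(assertion_xml, expected_issuer, expected_audience, now_utc):
    """Validate issuer, validity window and audience, then return claims as {type: [values]}.
    Assumes the XML signature was already verified against the trusted AD FS token-signing cert."""
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("untrusted issuer")
    cond = root.find("saml:Conditions", NS)
    now = _ts(now_utc)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion was not issued for this application")
    claims = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        claims[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return claims


def authorize(claims, required_group):
    """Claims-based decision: the app checks the group claim, never the on-prem AD itself."""
    return required_group in claims.get(GROUPS, [])
```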
For organizations considering AD FS as their source of web application authentication, it is best suited to strictly on-prem AD environments. Organizations that use Active Directory as their sole core identity provider, yet also need to authenticate users to web applications, would find value in AD FS.
What is Azure AD?
Azure Active Directory serves as the underlying identity management solution that controls access to Azure in the cloud. Organizations typically use AAD to extend their AD identities to Microsoft (Azure) cloud infrastructure and select web applications (like Office 365™).
A common misconception is that AAD is a cloud-based replacement for on-prem Active Directory. Although some may be led to believe this, it is actually a complementary service. Organizations