Active Directory capabilities that are part of Windows Server actually include several different roles:
o Active Directory Certificate Services (AD CS),
o Active Directory Lightweight Directory Services (AD LDS),
o Active Directory Federation Services (AD FS),
o and Active Directory Rights Management Services (AD RMS).
When you think about Active Directory, you're talking about a true directory service that has a hierarchical structure (based on X.500), uses DNS as its locator mechanism, and can be interacted with via LDAP. In addition, Active Directory primarily uses Kerberos for authentication. Active Directory supports organizational units (OUs) and Group Policy Objects (GPOs), machines can actually be joined to the domain, and trusts can be created between domains.
Azure AD, while having some aspects of a directory service, is really an identity solution: it allows users and groups to be created, but in a flat structure without OUs or GPOs. You can't join a machine to Azure AD. Azure AD is focused on identity across the Internet, where communication is typically limited to HTTP (port 80) and HTTPS (port 443) and is used by all types of devices—not just corporate assets.
Authentication is performed through a number of protocols such as SAML, WS-Federation, and OAuth. It's possible to query Azure AD, but instead of using LDAP you use a REST API called the AD Graph API. These all work over HTTP and HTTPS.