Understanding Microsoft Entra ID
Microsoft Entra ID
Microsoft Entra ID is a cloud-based directory and identity service operated by Microsoft (delivered as PaaS); it is not part of the infrastructure that customers own and manage.
Microsoft Entra ID Features:
- Supports multi-factor authentication (MFA), identity protection, and self-service password reset.
- Used to configure access to applications, single sign-on (SSO), and Conditional Access.
- Can be used to manage users and groups, user provisioning, and cross-organization management.
AD DS (Active Directory Domain Services) is a directory service that provides methods to store directory data such as user accounts and passwords, and allows this data to be accessed by network users and administrators.
Unlike AD DS, Microsoft Entra ID is designed as multi-tenant and specifically implemented to ensure isolation between organizational/tenant directories.
Microsoft Entra Tenant:
- Created for multi-tenancy and provides isolation between tenant directories.
- Each Azure subscription trusts exactly one Microsoft Entra tenant; a single tenant can be trusted by many subscriptions.
- The identities in the tenant (users, groups, service principals) are what Azure RBAC role assignments grant access to resources.
Each Microsoft Entra tenant is assigned a default Domain Name System (DNS) domain name, which consists of a prefix derived from the Microsoft account name used to create the Azure subscription or explicitly provided when creating the Microsoft Entra tenant, followed by the suffix onmicrosoft.com.
Microsoft Entra Schema:
- The Microsoft Entra schema is simpler than the AD DS schema and has no computer class; registered or Entra-joined machines are represented as device objects instead.
- Does not support Group Policy Objects (GPOs) or organizational units (OUs).
- Microsoft Entra ID focuses more on identity management for web-based applications compared to AD DS which focuses on on-premises applications.
Comparison Between Microsoft Entra ID and Active Directory Domain Services
| Characteristic | Active Directory Domain Services (AD DS) | Microsoft Entra ID |
|---|---|---|
| Main Function | Traditional directory service for on-premises applications | Identity solution for cloud-based applications |
| Directory Structure | Hierarchical with X.500 | Flat structure (no OUs or GPOs) |
| Authentication Protocol | Kerberos (with NTLM as the legacy fallback) | Token-based protocols: SAML, WS-Federation, OpenID Connect |
| Access Protocol | Uses LDAP for queries and management | Uses REST API via HTTP/HTTPS |
| Domain Management | Uses OUs and GPOs for management | No OUs or GPOs |
| Directory Type | Single-tenant: each forest/domain has its own directory | Multi-tenant service: many organizations are hosted on shared infrastructure, but each organization gets its own isolated tenant directory |
| Authorization | Kerberos tickets and ACLs on directory/resource objects | OAuth 2.0 for authorization, with OpenID Connect for authentication |
| Federation Services | Requires a separate AD FS deployment; not built into AD DS itself | Supports federation with third-party identity providers (e.g., social identities such as Facebook) |
| Computer Objects | Computers are domain-joined and managed through GPOs | Devices are registered or Entra-joined (device objects), not domain-joined; no GPO-based management |
| Deployment | Can be deployed on Azure VM for scalability and availability | Cloud-based, no need for local VMs |
| DNS | Uses DNS to locate resources like domain controllers | Provides default DNS for the tenant, but custom domains can be added |
- AD DS focuses on identity management for on-premises applications, while Microsoft Entra ID is designed for cloud applications.
- AD DS uses Kerberos and LDAP, whereas Microsoft Entra ID uses HTTP-based protocols like SAML, OAuth, and OpenID Connect.
- Microsoft Entra ID is better suited for internet-based applications, while AD DS is more for on-premises applications.
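The token-based model in the table has one consequence that bites multi-tenant applications: any tenant in the shared service can mint a valid, correctly signed token, so the application itself has to enforce tenant isolation by checking the `tid`, `iss` and `aud` claims. The following Python is an added example, not code from the original notes or from Microsoft; it assumes the token's RS256 signature has already been verified against the tenant's published JWKS (which every OIDC library does) and shows only the claim checks. The tenant ID, client ID, issuer strings for tokens other than the v2.0 format, and the sample tokens are constructed for the example.

```python
"""Tenant-isolation claim checks on a Microsoft Entra ID v2.0 access token.

Added example (not from the original notes, not Microsoft code). Signature
verification against the tenant's JWKS is assumed to have happened already;
this code covers the claim checks that stop a multi-tenant app from accepting
a token minted by some other tenant. All IDs and tokens below are constructed.
"""
import base64
import json
import time

TRUSTED_TENANT = "11111111-1111-1111-1111-111111111111"  # constructed tenant id
APP_CLIENT_ID = "22222222-2222-2222-2222-222222222222"   # constructed app id (aud)
CLOCK_SKEW = 300                                         # seconds of tolerance
NOW = 1_700_000_000                                      # fixed "current time" for the samples


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(claims: dict) -> str:
    """Assemble a compact JWS-shaped string with a placeholder signature (constructed data)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "constructed-kid"}
    segments = [b64url_encode(json.dumps(part).encode()) for part in (header, claims)]
    segments.append(b64url_encode(b"signature-verified-before-this-step"))
    return ".".join(segments)


def decode_claims(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    return json.loads(b64url_decode(parts[1]))


def validate_claims(token: str, tenant: str, audience: str, now=None):
    """Return (ok, reason). Order matters: cheap, decisive checks first."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    # 1. aud: the token must have been issued for this application.
    if claims.get("aud") != audience:
        return False, "aud: token was not issued for this application"
    # 2. tid: pin the tenant. A token from any other tenant is signed just as validly.
    if claims.get("tid") != tenant:
        return False, "tid: token belongs to a different tenant"
    # 3. iss: the v2.0 issuer embeds the tenant id, so it must agree with tid.
    expected_iss = f"https://login.microsoftonline.com/{tenant}/v2.0"
    if claims.get("iss") != expected_iss:
        return False, "iss: issuer is not the trusted tenant's v2.0 endpoint"
    # 4. Lifetime, allowing a small clock skew in both directions.
    if claims.get("nbf", 0) > now + CLOCK_SKEW:
        return False, "nbf: token not yet valid"
    if claims.get("exp", 0) <= now - CLOCK_SKEW:
        return False, "exp: token expired"
    return True, "ok"


def _claims_for(tid: str) -> dict:
    return {
        "iss": f"https://login.microsoftonline.com/{tid}/v2.0",
        "tid": tid,
        "aud": APP_CLIENT_ID,
        "nbf": NOW - 60,
        "exp": NOW + 3600,
        "scp": "User.Read",
    }


# Constructed sample tokens: one good, one from a foreign tenant, one expired,
# one with the v1.0-style issuer (tid correct, iss in a different format).
GOOD = make_token(_claims_for(TRUSTED_TENANT))
FOREIGN = make_token(_claims_for("33333333-3333-3333-3333-333333333333"))
EXPIRED = make_token({**_claims_for(TRUSTED_TENANT), "exp": NOW - 3600})
V1_ISSUER = make_token({**_claims_for(TRUSTED_TENANT),
                        "iss": f"https://sts.windows.net/{TRUSTED_TENANT}/"})


def run_examples(now: float = NOW) -> dict:
    """Validate every sample token and return the reason string for each."""
    samples = {"good": GOOD, "foreign": FOREIGN, "expired": EXPIRED, "v1_issuer": V1_ISSUER}
    return {name: validate_claims(tok, TRUSTED_TENANT, APP_CLIENT_ID, now)[1]
            for name, tok in samples.items()}


if __name__ == "__main__":
    for name, reason in run_examples().items():
        print(f"{name:10s} -> {reason}")
```

The `tid` check is the one most often missing: an application that signs users in through the `common` or `organizations` endpoint receives tokens from every tenant, and the signature alone says nothing about which tenant the caller belongs to. If the app accepts several tenants, replace the single `tenant` argument with an allow-list and derive `expected_iss` from the token's own `tid` only after that list check passes.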
Comparison of Microsoft Entra ID P1 and P2
| Feature | Microsoft Entra ID P1 | Microsoft Entra ID P2 |
|---|---|---|
| Self-Service Group Management | Users can create & manage groups. | Same as P1, with additional advanced security. |
| Advanced Security Reports & Alerts | Detects anomalies and suspicious access. | Same as P1, with deeper analysis. |
| Multi-Factor Authentication (MFA) | Supports on-premises & cloud applications. | Same as P1, plus advanced policies. |
| Microsoft Identity Manager (MIM) License | Hybrid identity integration. | Same as P1. |
| SLA | 99.99% availability commitment (raised from 99.9% in 2021). | Same as P1. |
| Password Reset with Writeback | According to on-premises AD policies. | Same as P1. |
| Cloud App Discovery | Discover popular cloud apps. | Same as P1, with enhanced features. |
| Conditional Access | Policies based on user/group, device state, location, and application. | Same as P1, plus risk-based policies (sign-in and user risk from Identity Protection). |
| Entra Connect Health | Operational insights and sync performance. | Same as P1. |
| Entra ID Protection | - | Detects user and sign-in risk and can remediate automatically (e.g., force MFA or password change). |
| Privileged Identity Management | - | Just-in-time, time-bound, approval-based activation of privileged roles. |
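Conditional Access is where the P1/P2 split shows up in practice: device, group and location conditions are P1, while the sign-in risk condition depends on Identity Protection signals and therefore needs P2. The Python below is an added example written for these notes, not Microsoft code and not the real policy engine. The policy dictionaries loosely follow the shape of the Microsoft Graph `conditionalAccessPolicy` resource (`conditions`, `grantControls`, `state`), but the evaluator is a simplified model, and the groups, locations and sign-ins are constructed.

```python
"""Simplified Conditional Access evaluation against a few sample sign-ins.

Added example (not from the original notes, not Microsoft code). Policy dicts
are shaped loosely after the Graph conditionalAccessPolicy resource; the
evaluation rules are a deliberately small model of the real engine. Groups,
locations and sign-in records are constructed.
"""

POLICIES = [
    {
        "displayName": "Admins: MFA + compliant device outside HQ",
        "state": "enabled",
        "conditions": {
            "users": {"includeGroups": ["sg-admins"]},
            "locations": {"includeLocations": ["All"], "excludeLocations": ["loc-hq"]},
        },
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
    },
    {
        # Risk levels come from Identity Protection, so this policy needs P2.
        "displayName": "Block high sign-in risk",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"]}, "signInRiskLevels": ["high"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        # Report-only: evaluated and logged, never enforced.
        "displayName": "Pilot: MFA for everyone",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"]}},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def policy_applies(policy: dict, signin: dict) -> bool:
    """True when every configured condition matches the sign-in."""
    cond = policy["conditions"]
    users = cond.get("users", {})
    in_scope = (
        "All" in users.get("includeUsers", [])
        or signin["user"] in users.get("includeUsers", [])
        or bool(set(users.get("includeGroups", [])) & set(signin.get("groups", [])))
    )
    if not in_scope or signin["user"] in users.get("excludeUsers", []):
        return False
    loc = cond.get("locations")
    if loc:
        included = loc.get("includeLocations", [])
        if not ("All" in included or signin["location"] in included):
            return False
        if signin["location"] in loc.get("excludeLocations", []):
            return False
    risk_levels = cond.get("signInRiskLevels")
    if risk_levels and signin.get("sign_in_risk") not in risk_levels:
        return False
    return True


def evaluate(signin: dict, policies=POLICIES):
    """Return (decision, details): 'block' always wins, then 'require', then 'grant'."""
    satisfied = {"mfa": signin.get("mfa_done", False),
                 "compliantDevice": signin.get("device_compliant", False)}
    outstanding, report_only = set(), []
    for policy in policies:
        if policy["state"] == "disabled" or not policy_applies(policy, signin):
            continue
        if policy["state"] == "enabledForReportingButNotEnforced":
            report_only.append(policy["displayName"])
            continue
        grant = policy["grantControls"]
        controls = grant["builtInControls"]
        if "block" in controls:
            return "block", {"policy": policy["displayName"], "report_only": report_only}
        met = [satisfied.get(ctl, False) for ctl in controls]
        ok = all(met) if grant["operator"] == "AND" else any(met)
        if not ok:
            outstanding.update(ctl for ctl, done in zip(controls, met) if not done)
    if outstanding:
        return "require", {"controls": sorted(outstanding), "report_only": report_only}
    return "grant", {"report_only": report_only}


# Constructed sign-ins.
SIGNINS = {
    "admin_at_hq": {"user": "alice", "groups": ["sg-admins"], "location": "loc-hq",
                    "device_compliant": False, "mfa_done": False, "sign_in_risk": "low"},
    "admin_remote": {"user": "alice", "groups": ["sg-admins"], "location": "loc-cafe",
                     "device_compliant": False, "mfa_done": False, "sign_in_risk": "low"},
    "admin_remote_ok": {"user": "alice", "groups": ["sg-admins"], "location": "loc-cafe",
                        "device_compliant": True, "mfa_done": True, "sign_in_risk": "low"},
    "user_high_risk": {"user": "bob", "groups": [], "location": "loc-cafe",
                       "device_compliant": True, "mfa_done": True, "sign_in_risk": "high"},
}


if __name__ == "__main__":
    for name, signin in SIGNINS.items():
        print(name, "->", evaluate(signin))
```

Two behaviours worth checking in any evaluator like this: a block policy must win regardless of where it sits in the list (the early return above guarantees that), and a report-only policy must never change the decision, only appear in the details so its impact can be reviewed before it is switched to `enabled`.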
Microsoft Entra Domain Services
For workloads that still need classic domain services, Microsoft offers Microsoft Entra Domain Services, a managed domain attached to a Microsoft Entra tenant. It provides domain join, Group Policy, LDAP, and Kerberos/NTLM authentication compatible with on-premises AD DS, without the customer deploying or managing domain controllers in the cloud.
In a hybrid setup, Microsoft Entra Connect synchronizes on-premises AD DS identities into the tenant, and the managed domain is populated one-way from the tenant, so users sign in with the same organizational credentials in both. One caveat: because the managed domain authenticates with Kerberos and NTLM, the password hashes in the formats those protocols need must reach it. Hybrid tenants must enable synchronization of those legacy hashes in Entra Connect, and cloud-only users must change their password once after the managed domain is created so that compatible hashes are generated; until then they cannot sign in to the managed domain.
Integration with On-Premises AD DS
- Uses Microsoft Entra Connect.
- Users can use the same organizational credentials on-premises and in the cloud.
- Can also be used without on-premises AD DS (cloud-only tenant).
Benefits of Microsoft Entra Domain Services
- No need to manage domain controllers.
- No need to manage AD replication.
- No Domain Admins/Enterprise Admins membership is exposed to the customer; delegated administration is done through the AAD DC Administrators group, which limits the blast radius of an administrative compromise.
- Can migrate LDAP, NTLM, and Kerberos applications to the cloud.
- Can run SQL Server / SharePoint Server on Azure VMs without domain controllers or VPN.
Cost
- Charged hourly based on directory size.
- Enabled via the Azure Portal.