Azure Active Directory (Azure AD) and hybrid identity
A critical design decision for enterprise organizations adopting Azure is whether to extend current on-premises identity domains into Azure or to create new identity domains.
Most Azure environments use Azure Active Directory (Azure AD) for Azure fabric authentication. On-premises environments use Active Directory Domain Services (AD DS) for local host authentication and Group Policy management.
Azure AD, Azure AD DS, and AD DS on Windows Server
When evaluating which type of Active Directory solution to adopt, understand the capabilities and differences of Azure AD, Azure AD Domain Services (Azure AD DS), and AD DS on Windows Server.
Design considerations
Consider centralized and delegated responsibilities to manage resources deployed inside the landing zone. For more information, see Centralize management operations.
Applications that rely on domain services and use older protocols might be able to use Azure AD Domain Services (Azure AD DS).
Evaluate your application needs by understanding and documenting the authentication provider that each application uses. Use the reviews to help plan the type of Active Directory your organization should use. For more information, see Compare Active Directory to Azure Active Directory and Identity decision guide.
Evaluate scenarios that involve setting up external users, customers, or partners to secure access to resources. Determine whether these scenarios involve Azure AD B2B or Azure AD B2C configurations. For more information, see Azure AD External Identities.
If you use Azure AD Application Proxy, consider not routing intranet (internal network) access through it, because it could add latency to the user experience. For more information about Azure AD Application Proxy, see Azure AD Application Proxy planning and Azure AD Application Proxy security considerations.
Design recommendations
Use centralized and delegated responsibilities based on role and security requirements to manage resources inside the landing zone. For more information, see Establish operational management practices in the cloud.
The following types of privileged operations require special permissions. Consider which users will be handling such requests, and how to adequately secure and monitor their accounts.
- Creating service principal objects.
- Registering applications in Azure AD.
- Procuring and handling certificates or wildcard certificates.
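The three operations above all leave a trace in the Azure AD directory audit log, so monitoring the accounts that perform them is mostly a matter of filtering that log. The following script is an added example, not code from the page or from Microsoft: it parses constructed audit records in the shape of a JSON-lines export (the sample data is made up, as are the contoso.example accounts), flags the privileged operations, and reports actors who perform them repeatedly. The activityDisplayName strings in PRIVILEGED_OPERATIONS are assumed to match what your tenant emits; check them against a real export and adjust the set.

```python
import json
from collections import Counter

# Audit-log operation names that map to the privileged actions listed above.
# Assumption: these match the activityDisplayName values your tenant emits;
# verify against a real export before relying on them.
PRIVILEGED_OPERATIONS = {
    "Add service principal",
    "Add service principal credentials",
    "Add application",
    "Update application - Certificates and secrets management",
}

# Constructed sample export (JSON lines), not real tenant data.
SAMPLE_AUDIT_LOG = """\
{"activityDisplayName": "Add application", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}}, "targetResources": [{"displayName": "payroll-api"}]}
{"activityDisplayName": "Add service principal", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}}, "targetResources": [{"displayName": "payroll-api"}]}
{"activityDisplayName": "Add service principal credentials", "result": "success", "initiatedBy": {"app": {"displayName": "svc-automation"}}, "targetResources": [{"displayName": "payroll-api"}]}
{"activityDisplayName": "Update user", "result": "success", "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}}, "targetResources": [{"displayName": "dana@contoso.example"}]}
{"activityDisplayName": "Add application", "result": "failure", "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}}, "targetResources": [{"displayName": "test-app"}]}
"""


def parse_audit_lines(text):
    """Parse a JSON-lines export into a list of records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def actor_of(record):
    """Resolve who initiated the operation: a user UPN, an app display name, or 'unknown'."""
    initiated = record.get("initiatedBy") or {}
    user = (initiated.get("user") or {}).get("userPrincipalName")
    app = (initiated.get("app") or {}).get("displayName")
    return user or app or "unknown"


def flag_privileged_operations(records):
    """Return (actor, operation, targets) for every successful privileged operation."""
    findings = []
    for rec in records:
        op = rec.get("activityDisplayName", "")
        # Failed attempts are worth a separate alert, but here we track what actually changed.
        if op not in PRIVILEGED_OPERATIONS or rec.get("result") != "success":
            continue
        targets = ", ".join(t.get("displayName", "") for t in rec.get("targetResources", []))
        findings.append((actor_of(rec), op, targets))
    return findings


def actors_exceeding(records, threshold):
    """Actors whose number of successful privileged operations reaches the threshold."""
    counts = Counter(actor for actor, _, _ in flag_privileged_operations(records))
    return {actor: n for actor, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    records = parse_audit_lines(SAMPLE_AUDIT_LOG)
    for actor, op, targets in flag_privileged_operations(records):
        print(f"{actor:30} {op:50} {targets}")
    print("repeat actors:", actors_exceeding(records, 2))
```

On the sample data the script flags three operations (two by alice, one by the svc-automation app) and reports alice as a repeat actor; the failed attempt by carol and bob's non-privileged change are left out. In production, feed it the audit log from Azure Monitor or Microsoft Graph and route the findings to your SIEM.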
To access applications that use on-premises authentication remotely through Azure AD, use Azure AD Application Proxy.
Evaluate the compatibility of workloads for Azure AD DS and for AD DS on Windows Server.
Make sure to design your network so resources that require AD DS on Windows Server for local authentication and management can access their domain controllers. For AD DS on Windows Server, consider shared service environments that offer local authentication and host management in a larger enterprise-wide network context.
When you deploy Azure AD DS or integrate on-premises environments into Azure, use locations with Availability Zones for increased availability.
Deploy Azure AD DS within the primary region, because you can only project this service into one subscription. You can expand Azure AD DS to further regions with replica sets.
Use managed identities instead of service principals for authentication to Azure services. This approach reduces exposure to credential theft. For more information, see Managed identities for Azure resources.
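To make the credential-theft point concrete, the following Python script is an added example (not code from the page or from the Azure SDK): it builds the two token requests side by side using only the standard library. The managed-identity path asks the Azure instance metadata service (IMDS) endpoint for a token and carries no secret, while the service-principal path must ship a client secret in the request body, which means that secret has to live somewhere on the host. The tenant, client and secret values are placeholders; fetch_token only works when run on an Azure VM with a managed identity assigned.

```python
import json
import urllib.parse
import urllib.request

# Documented IMDS token endpoint, reachable only from inside an Azure VM.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def managed_identity_token_request(resource):
    """Build the GET request a VM workload sends to IMDS for a managed-identity token.

    No credential is embedded: the platform identifies the caller by the VM it runs on.
    The Metadata header is mandatory and stops the endpoint answering forwarded requests."""
    query = urllib.parse.urlencode({"api-version": IMDS_API_VERSION, "resource": resource})
    return urllib.request.Request(
        f"{IMDS_TOKEN_URL}?{query}", headers={"Metadata": "true"}, method="GET"
    )


def service_principal_token_request(tenant_id, client_id, client_secret, scope):
    """Build the client-credentials POST a service principal sends to Azure AD.

    The secret travels in the body, so the application must store, protect and rotate it."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    return urllib.request.Request(
        url, data=body, headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST"
    )


def request_carries_secret(req):
    """True when a token request embeds a client secret, i.e. a credential that can be stolen."""
    if req.data is None:
        return False
    return "client_secret" in urllib.parse.parse_qs(req.data.decode())


def parse_token_response(raw_json):
    """Extract (access_token, expiry) from either endpoint's JSON reply.

    IMDS returns expires_on (epoch seconds as a string); the v2.0 endpoint returns expires_in."""
    payload = json.loads(raw_json)
    expiry = payload.get("expires_on") or payload.get("expires_in")
    return payload["access_token"], int(expiry)


def fetch_token(req, timeout=5):
    """Send a prepared request and parse the token; only succeeds on an Azure VM for IMDS."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read().decode())


if __name__ == "__main__":
    mi = managed_identity_token_request("https://management.azure.com/")
    sp = service_principal_token_request(
        "TENANT-ID-PLACEHOLDER", "CLIENT-ID-PLACEHOLDER", "SECRET-PLACEHOLDER",
        "https://management.azure.com/.default",
    )
    print("managed identity carries secret:", request_carries_secret(mi))
    print("service principal carries secret:", request_carries_secret(sp))
```

The contrast is the whole point: with a managed identity there is no secret to leak through source control, configuration files or process memory, and the token can only be obtained from inside the resource the identity is assigned to. In real code you would use the azure-identity library (ManagedIdentityCredential or DefaultAzureCredential) rather than calling IMDS directly, but the request it makes is the one shown here.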
Azure and on-premises hybrid identity
For hosting infrastructure as a service (IaaS) hybrid identity solutions, evaluate the following considerations and recommendations:
Design considerations
For options to meet organizational requirements when integrating on-premises Active Directory with Azure, see Integrate on-premises AD with Azure.
Authentication can occur in the cloud and on-premises, or on-premises only. As part of your identity planning, explore the authentication methods Azure AD offers. For more information, see Authentication for Azure AD hybrid identity solutions.
If you have Active Directory Federation Services (AD FS) federation with Azure AD, you can use password hash synchronization as a backup. AD FS doesn't support seamless single sign-on (SSO).
Determine the right synchronization tool for your cloud identity. For more information, see Determine directory synchronization requirements.
Design recommendations
For applications that are hosted partly on-premises and partly in Azure, verify which integration makes sense based on your scenario. For more information, see Deploy AD DS in an Azure virtual network.
If you have AD FS, move to the cloud to centralize identity and reduce operational effort. If AD FS is still part of your identity solution, install and use Azure AD Connect.