Users

| Concept | Active Directory | Microsoft Entra ID |
|---|---|---|
| Provisioning: users | Organizations create internal users manually or use an in-house or automated provisioning system, such as Microsoft Identity Manager, to integrate with an HR system. | Existing Microsoft Windows Server Active Directory organizations use Microsoft Entra Connect to sync identities to the cloud. Microsoft Entra ID adds support for automatically creating users from cloud HR systems. Microsoft Entra ID can provision identities in System for Cross-Domain Identity Management (SCIM) enabled software as a service (SaaS) apps to automatically provide apps with the details they need to allow access for users. |
| Provisioning: external identities | Organizations create external users manually as regular users in a dedicated external Microsoft Windows Server Active Directory forest, resulting in administration overhead to manage the lifecycle of external identities (guest users). | Microsoft Entra ID provides a special class of identity to support external identities. Microsoft Entra B2B manages the link to the external user identity to make sure it remains valid. |
| Entitlement management and groups | Administrators make users members of groups. App and resource owners then give groups access to apps or resources. | Groups are also available in Microsoft Entra ID, and administrators can use them to grant permissions to resources. In Microsoft Entra ID, administrators can assign group membership manually or use a query to include users in a group dynamically. Administrators can use entitlement management in Microsoft Entra ID to give users access to a collection of apps and resources using workflows and, if necessary, time-based criteria. |
| Admin management | Organizations use a combination of domains, organizational units, and groups in Microsoft Windows Server Active Directory to delegate administrative rights to manage the directory and the resources it controls. | Microsoft Entra ID provides built-in roles with its Microsoft Entra role-based access control (RBAC) system, with limited support for creating custom roles to delegate privileged access to the identity system and the apps and resources it controls. Role management can be enhanced with Privileged Identity Management (PIM) to provide just-in-time, time-restricted, or workflow-based access to privileged roles. |
| Credential management | Credentials in Active Directory are based on passwords, certificate authentication, and smart card authentication. Passwords are managed using password policies based on password length, expiry, and complexity. | Microsoft Entra ID uses intelligent password protection for cloud and on-premises. Protection includes smart lockout plus blocking of common and custom password phrases and substitutions. Microsoft Entra ID significantly boosts security through multifactor authentication and passwordless technologies, like FIDO2. Microsoft Entra ID reduces support costs by providing users with a self-service password reset system. |
Apps

| Concept | Active Directory | Microsoft Entra ID |
|---|---|---|
| Infrastructure apps | Active Directory forms the basis for many on-premises infrastructure components, for example, DNS, Dynamic Host Configuration Protocol (DHCP), Internet Protocol Security (IPSec), WiFi, NPS, and VPN access. | In a new cloud world, Microsoft Entra ID is the new control plane for accessing apps, rather than relying on networking controls. When users authenticate, Conditional Access controls which users have access to which apps under the required conditions. |
| Traditional and legacy apps | Most on-premises apps use LDAP, Windows-Integrated Authentication (NTLM and Kerberos), or header-based authentication to control user access. | Microsoft Entra ID can provide access to these types of on-premises apps using Microsoft Entra application proxy agents running on-premises. Using this method, Microsoft Entra ID can authenticate Active Directory users on-premises using Kerberos while you migrate or need to coexist with legacy apps. |
| SaaS apps | Active Directory doesn't support SaaS apps natively and requires a federation system, such as AD FS. | SaaS apps supporting OAuth2, Security Assertion Markup Language (SAML), and WS-* authentication can be integrated to use Microsoft Entra ID for authentication. |
| Line of business (LOB) apps with modern authentication | Organizations can use AD FS with Active Directory to support LOB apps requiring modern authentication. | LOB apps requiring modern authentication can be configured to use Microsoft Entra ID for authentication. |
| Mid-tier/Daemon services | Services running in on-premises environments normally run as Microsoft Windows Server Active Directory service accounts or group Managed Service Accounts (gMSA). These apps then inherit the permissions of the service account. | Microsoft Entra ID provides managed identities to run other workloads in the cloud. The lifecycle of these identities is managed by Microsoft Entra ID and is tied to the resource provider, so they can't be used for other purposes to gain backdoor access. |
Devices

| Concept | Active Directory | Microsoft Entra ID |
|---|---|---|
| Mobile | Active Directory doesn't natively support mobile devices without third-party solutions. | Microsoft's mobile device management solution, Microsoft Intune, is integrated with Microsoft Entra ID. Microsoft Intune provides device state information to the identity system to evaluate during authentication. |
| Windows desktops | Active Directory provides the ability to domain join Windows devices to manage them using Group Policy, System Center Configuration Manager, or other third-party solutions. | Windows devices can be joined to Microsoft Entra ID. Conditional Access can check whether a device is Microsoft Entra joined as part of the authentication process. Windows devices can also be managed with Microsoft Intune. In this case, Conditional Access considers whether a device is compliant (for example, up-to-date security patches and virus signatures) before allowing access to the apps. |
| Windows servers | Active Directory provides strong management capabilities for on-premises Windows servers using Group Policy or other management solutions. | Windows Server virtual machines in Azure can be managed with Microsoft Entra Domain Services. Managed identities can be used when VMs need access to the identity system directory or resources. |
| Linux/Unix workloads | Active Directory doesn't natively support non-Windows systems without third-party solutions, although Linux machines can be configured to authenticate with Active Directory as a Kerberos realm. | Linux/Unix VMs can use managed identities to access the identity system or resources. Some organizations migrate these workloads to cloud container technologies, which can also use managed identities. |
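The device-based Conditional Access check described in the Windows desktops row, expressed as a policy created through the Microsoft Graph PowerShell SDK. This is an added example, not from the original page; it assumes the Microsoft.Graph.Identity.SignIns module is installed and a signed-in account that can write Conditional Access policies, and the break-glass group ID is a placeholder. Note that the `domainJoinedDevice` control is the "Require Microsoft Entra hybrid joined device" grant, while `compliantDevice` is the Intune compliance check the row mentions.

```powershell
# Added example: require an Intune-compliant OR Microsoft Entra hybrid joined device
# before granting access to any cloud app. Start in report-only mode so the
# sign-in logs show the impact before enforcement is switched on.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$policy = @{
    displayName = "Require compliant or hybrid joined device for all cloud apps"
    # enabledForReportingButNotEnforced = report-only; change to "enabled" after review.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            # Placeholder: always exclude an emergency-access (break-glass) group so
            # a device-compliance outage cannot lock administrators out of the tenant.
            excludeGroups = @("<break-glass-group-object-id>")
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # OR: either control satisfies the policy. compliantDevice is the Intune
        # compliance state; domainJoinedDevice is Microsoft Entra hybrid joined.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

# Creates the policy in the tenant and returns the new policy object (including its id).
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Review the report-only results in the Entra sign-in logs before setting `state` to `enabled`, since devices that are neither compliant nor hybrid joined will be blocked once enforced.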