Azure Active Directory a replacement for AD?

bigbear

I am curious as to whether or not you can deploy a domain using Azure Active Directory. Is it just a cloud version of ADAM (Active Directory Application Mode) which was more for apps/development or can it be used as a sort of "domain controller in the cloud".

We have lots of field computers deployed and I have used DirectConnect for AD authentication to get rid of the VPN. That has been much more reliable but it requires more licensing cost that I care for.

The deployed machines in question are in the field merely to control and monitor wireless equipment thatstay at sea for months. I would love to create a "cloud domain" for authentication (and group policies?) but I am about to setup a separate domain server on the cloud to move this off our network.

Its something I long assumed would happen but I am not sure that is its real purpose of the Azure AD service.

scottalanmiller

Azure AD is definitely a competitor to AD. The free version is limited, the paid for version has more options. It's not 100% AD yet, but in many ways it is so much better. We were on Azure AD before phasing out AD completely here.

bigbear

If you start from scratch with a new domain what are you missing vs migrating a domain? Are there group policies?

This is pretty exciting then. I believe I saw a cost of $1 or $2 per month per user or object, can't remember.

scottalanmiller

@bigbear said in Azure Active Directory a replacement for AD?:

If you start from scratch with a new domain what are you missing vs migrating a domain? Are there group policies?

This is pretty exciting then. I believe I saw a cost of $1 or $2 per month per user or object, can't remember.

No GP in the free version. GP is, I believe, available in the paid version.

JackCPickup

Been a few months since I was looking at this but it seemed like a hybrid setup with on-premises doing GP stuff was still ideal. Not sure how far the Azure GPO side has come yet.

scottalanmiller

@JackCPickup said in Azure Active Directory a replacement for AD?:

Been a few months since I was looking at this but it seemed like a hybrid setup with on-premises doing GP stuff was still ideal. Not sure how far the Azure GPO side has come yet.

What's the advantage of hybrid? Once you have on-premises, you normally want to avoid Azure AD completely . It's only value is in eliminating the on premises portion.

JackCPickup

I think it was more managing group policies still while being able to log into Azure AD from anywhere. Seeing as there wasn't (dunno about now) proper GPOs in a pure Azure AD setup.

scottalanmiller

@JackCPickup said in Azure Active Directory a replacement for AD?:

I think it was more managing group policies still while being able to log into Azure AD from anywhere. Seeing as there wasn't (dunno about now) proper GPOs in a pure Azure AD setup.

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-administer-group-policy

JackCPickup

Oh nice one. Can you have heirarchical OUs now too? I think initially you could only have flat OUs? Could be completely wrong and outdated info!

At the start of a project to convert 50-something school's on-premises to cloud so thanks for that link.

scottalanmiller

Don't know about that, have not played with it recently. It didn't have GP support yet when we were using it. It's growing fast, though.

Obsolesce

The mobile clients would have to be VPN connected (to Azure) wouldn't they? Maybe not before log-in because of cached credentials... but still, they aren't always cached.

JackCPickup

They'd be connected to Azure domain instead of a local one, so they log in to that.

coliver

@Tim_G said in Azure Active Directory a replacement for AD?:

The mobile clients would have to be VPN connected (to Azure) wouldn't they? Maybe not before log-in because of cached credentials... but still, they aren't always cached.

I don't think so. They join to an Azure domain which is available on the public internet.

scottalanmiller

@Tim_G said in Azure Active Directory a replacement for AD?:

The mobile clients would have to be VPN connected (to Azure) wouldn't they? Maybe not before log-in because of cached credentials... but still, they aren't always cached.

No VPN option even exists for Azure AD.

bigbear

@coliver said in Azure Active Directory a replacement for AD?:

@Tim_G said in Azure Active Directory a replacement for AD?:

The mobile clients would have to be VPN connected (to Azure) wouldn't they? Maybe not before log-in because of cached credentials... but still, they aren't always cached.

I don't think so. They join to an Azure domain which is available on the public internet.

I've tried this with Azure Connect but it was for a VPS running a domain controller. This Azure AD looks promising.

Obsolesce

@coliver said in Azure Active Directory a replacement for AD?:

@Tim_G said in Azure Active Directory a replacement for AD?:

The mobile clients would have to be VPN connected (to Azure) wouldn't they? Maybe not before log-in because of cached credentials... but still, they aren't always cached.

I don't think so. They join to an Azure domain which is available on the public internet.

Ah I see. That makes perfect sense.

I was thinking SSO from on-prem to Azure, got mixed up.

bigbear

@Tim_G said in Azure Active Directory a replacement for AD?:

@coliver said in Azure Active Directory a replacement for AD?:

@Tim_G said in Azure Active Directory a replacement for AD?:

The mobile clients would have to be VPN connected (to Azure) wouldn't they? Maybe not before log-in because of cached credentials... but still, they aren't always cached.

I don't think so. They join to an Azure domain which is available on the public internet.

Ah I see. That makes perfect sense.

I was thinking SSO from on-prem to Azure, got mixed up.

That is exactly how Microsoft pitched it a couple years ago. I thought maybe Azure AD would sync to my AD and Office 365 then desktops would login with 365 ID. This looks way better.

That is if it works well.

scottalanmiller

@Tim_G said in Azure Active Directory a replacement for AD?:

@coliver said in Azure Active Directory a replacement for AD?:

@Tim_G said in Azure Active Directory a replacement for AD?:

The mobile clients would have to be VPN connected (to Azure) wouldn't they? Maybe not before log-in because of cached credentials... but still, they aren't always cached.

I don't think so. They join to an Azure domain which is available on the public internet.

Ah I see. That makes perfect sense.

I was thinking SSO from on-prem to Azure, got mixed up.

That's AD Federation and still exists, but we've been warning people to run away from that for a long time.

JackCPickup

@scottalanmiller said in Azure Active Directory a replacement for AD?:

@Tim_G said in Azure Active Directory a replacement for AD?:

@coliver said in Azure Active Directory a replacement for AD?:

@Tim_G said in Azure Active Directory a replacement for AD?:

The mobile clients would have to be VPN connected (to Azure) wouldn't they? Maybe not before log-in because of cached credentials... but still, they aren't always cached.

I don't think so. They join to an Azure domain which is available on the public internet.

Ah I see. That makes perfect sense.

I was thinking SSO from on-prem to Azure, got mixed up.

That's AD Federation and still exists, but we've been warning people to run away from that for a long time.

Why do you warn against ADFS?

scottalanmiller

@JackCPickup said in Azure Active Directory a replacement for AD?:

@scottalanmiller said in Azure Active Directory a replacement for AD?:

@Tim_G said in Azure Active Directory a replacement for AD?:

@coliver said in Azure Active Directory a replacement for AD?:

@Tim_G said in Azure Active Directory a replacement for AD?:

The mobile clients would have to be VPN connected (to Azure) wouldn't they? Maybe not before log-in because of cached credentials... but still, they aren't always cached.

I don't think so. They join to an Azure domain which is available on the public internet.

Ah I see. That makes perfect sense.

I was thinking SSO from on-prem to Azure, got mixed up.

That's AD Federation and still exists, but we've been warning people to run away from that for a long time.

Why do you warn against ADFS?

Risks and cost. It means you have all of the cost of both systems and the cost of keeping them working (which is rather fragile) and risk that they depend on each other and either outage can cause the other to fail. It's an unnecessary coupling that should be avoided when possible. It really doesn't add value, but takes a lot away.