Azure AD vs ADFS: What You Should Know
Azure AD vs ADFS
ADFS works with both cloud-based and on-premises deployments. It is a self-managed solution that can be deployed on-premises or in Azure VMs. ADFS can operate without Azure identity management services. It creates endpoints with unique IDs for authentication, which can work across a hybrid environment.
Azure Active Directory is a centralized, cloud-based identity as a service (IDaaS) solution which creates multiple directories for each directory service. It can operate purely on the cloud without an on-premises deployment. Azure AD creates users, groups, and other entities.
A key difference between the two technologies is that Azure AD creates a Security Token Service (STS) instance that binds every Azure Active Directory to its users. An endpoint provided by Microsoft decides how to route requests between Azure Active Directory instances—this process is known as home realm discovery. The multi-tenancy of Azure AD makes it a more popular solution.
The main advantage of Azure AD vs ADFS is that it works to connect company-hosted resources to Azure AD, even when those on-premises infrastructures cannot access the cloud at all.
What Are the Primary Use Cases for ADFS?
Currently, the main use cases for using ADFS with Office 365 and Azure AD are:
- Using ADFS to enable SSO for third-party applications managed by other organizations.
- Using ADFS for on-premise applications when the organization does not use the cloud.
- Using ADFS with Windows Server to support OAuth 2.0 profiles and OpenID Connect (OIDC).
Related content: Read our guide to Azure AD SSO
What Are the Advantages of Deploying ADFS with Azure?
ADFS works better with Azure for several reasons:
- You can use Azure Availability Sets to increase the availability of your on-premises infrastructure.
- You can migrate ADFS to more powerful Azure Machines and scale your operations faster and easier.
- You can leverage Azure geo-redundancy to make ADFS globally available and highly performant.
- You can leverage simplified management options in the Azure portal to make ADFS easier to manage.
If You Don’t Rely on ADFS, How Can You Achieve SSO?
Microsoft provides an alternative SSO solution called Seamless SSO, which is part of Azure AD Connect (explained in more detail below). This solution automatically logs users in when they use a corporate device connected to the corporate network. When Seamless SSO is enabled, users can log in to Azure AD without entering a password. Sometimes users can even log in without a username.
What Is Azure AD Connect?
Azure AD Connect provides a connection between on-prem identity systems and Azure AD. It allows you to manage identities using a hybrid public cloud and on-premise infrastructure. When you integrate the on-premise directories with Azure AD, the service offers features that help you manage identity more easily, allowing the users of your on-premise systems to access cloud resources.
Azure AD Connect provides the following features:
- Seamless Single Sign On (SSO)—automatically signs in users from workstations connected to your corporate network, providing easy access to cloud-based applications without additional on-premises components.
- Synchronization—creates objects such as users and groups and ensures your on-prem identity information matches the cloud.
- Password hash synchronization—allows users to sign in by synchronizing a hash of their on-premise password with Azure AD.
- Pass-through authentication—allows users to sign in with a single password for both cloud and on-premise service without requiring additional federated environment infrastructure.
- Federation—allows you to integrate federation to configure hybrid environments using your on-premise ADFS infrastructure. It provides capabilities that help you manage ADFS, including certificate renewal and deployment of additional ADFS servers.
- Health monitoring—monitors activity and allows you to view health status in a single place via the Azure portal.
One advantage of integrating on-premises directories with Azure AD is its contribution to productivity. Integration ensures that users have a common identity to access cloud and on-premise resources. For example, it makes it easier for users to access cloud services like Microsoft 365.
Azure AD Connect allows you to leverage the latest capabilities for your hybrid environment. It replaces older identity integration solutions like Azure AD Sync and DirSync.
Azure AD Connect uses the following architecture to integrate between on-premise AD forests and Azure AD:
Forests are the largest units in Active Directory, containing one or more AD trees. The Azure AD Connect provisioning engine establishes a connection between Azure AD on one end and the forests on the other. It then imports (i.e., reads) the information from the directories. Exports initiate updates to the provisioning engine. Sync operations evaluate the rules governing how objects travel through the engine.
Azure AD Connect enables synchronization between Azure AD and the on-premise Active Directory using several rules, processes, and staging areas:
- Metaverse (MV)—this is where you create objects requiring synchronization based on your synchronization rules. An object cannot be populated with additional directories if it does not exist in the metaverse.
- Connector space (CS)—the provisioning engine prepares and processes the objects from all connection directories (CDs). A CD is a physical directory. There is a dedicated connector space in each forest and Azure AD.
- Synchronization rules—you set these rules to establish which objects Azure AD should create or connect to objects in the metaverse. They also determine the properties and values converted or copied between the directory and Azure AD.
- Run profiles—copy object properties and values based on synchronization rules between the directory and staging area.
Learn more in our detailed guide to Azure AD connect
Extend Azure AD to Business Critical Applications with Pathlock
Pathlock is the leader in Access Governance for business-critical applications. Staying compliant with Sarbanes-Oxley is a critical business requirement, and Pathlock Control helps to automate the compliance process. As a MISA member, Pathlock can bring these capabilities to users of Azure Active Directory, with tight integration between the solutions.
Customers rely on Pathlock to streamline critical processes like fine-grained provisioning, separation of duties, and detailed user access reviews. With Pathlock’s out-of-the-box integration to Azure Active Directory, customers can enjoy the best of both worlds, including:
- Coverage for 140+ applications and counting, with support for key applications like SAP, Oracle, Workday, Dynamics365, Salesforce, and more
- Perform compliant provisioning at a transaction code or function level into both cloud and on-premise applications
- Define Separation of Duties (SOD) rules, both within an application and across them, and enforce them to prevent access risks and stay compliant
- Enrich User Access Reviews (UARs) with fine-grained entitlement details and usage about transactions performed with specific access combinations
Interested to learn more about the winning combination of Pathlock and Azure Active Directory? Request a demo today to see the solution in action!