Azure Active Directory (AD) is a cloud-based identity and access management service. Azure Active Directory comprises a database (directory) that records things like what users there are and who’s allowed to do what, and set of services that enable your employees to sign in (authentication) and access only the IT resources they’re allowed to (authorization). That includes both internal resources, such as data and tools on your corporate intranet, and external resources like Microsoft 365 and SaaS applications.It’s equally important to understand what Azure Active Directory is not. It is not simply Active Directory running on Microsoft’s servers instead of servers in your own on-premises datacenter; it is a separate solution that is part of the Microsoft Azure public cloud computing platform.. However, on-prem Active Directory and Azure AD can — and often do — work together, in what’s known as a hybrid AD environment.
If your organization subscribes to any Microsoft Online business service such as Office 365, it has Azure Active Directory.
However, only some Azure Active Directory features are included for free. To get capabilities like self service, enhanced monitoring, security reporting and mobile device security, you need to upgrade to an Azure AD Basic, Premium P1 or Premium P2 license.
Three types of users interact with Azure Active Directory:
The basic building block of Azure AD is the tenant. An Azure AD tenant is just a dedicated instance of Azure AD for a particular company. To create a tenant, your organization simply signs up for a Microsoft cloud service like Office 365 and provides some details like your organization’s name and location. Your initial domain name will be the name you specify plus “.onmicrosoft.com” (domainname.onmicrosoft.com). You can't change or delete your initial domain name, but you can add custom domain names, such companyname.com, to your tenant.
Each Azure tenant has a dedicated and trusted Azure AD directory, which includes the tenant's users, groups and apps, and performs identity and access management functions for the tenant’s resources.
It’s vital to understand that here we’re using the word “domain” in the internet sense (a website domain name). It has nothing to do with an on-prem AD domain, which is a group of related users, computers and other AD objects that are managed together. Similarly, Azure AD does not have other AD structures like forests and organizational units (OUs).
Even though on-prem AD and Azure AD have similar names and share a common core purpose, they are quite different solutions. Here are the key facts to keep in mind:
Azure AD handles authorization very differently. The main components include:
While it’s possible to have a purely cloud-based environment, most organizations today have a hybrid AD environment. They use the free Microsoft tool Azure AD Connect to sync identity data from their on-prem AD to Azure AD; then users can use their on-premises credentials to authenticate to cloud resources such as SharePoint Online, Teams, and SaaS apps like Dropbox, Google apps and Amazon Web Services (AWS).
Behind the scenes, IT pros manage users, groups and permissions (primarily) in the on-prem AD, and any changes are automatically synced up to the cloud. This alleviates the need to try to manage two completely separate sets of identities and permissions, which would be very difficult and highly prone to error.
However, not everything can be stored and managed in the on-premises AD. You will also have cloud-only objects and attributes, such as these:
Check out these pages to learn more about Azure Active Directory and hybrid AD: