February 13, 2023

Azure AD versus ADFS

Microsoft has had a strong presence in the IT identity management space for decades thanks to Active Directory (AD). It expanded AD to include local and hybrid cloud solutions in response to the growing popularity of Web apps and remote working. However, these solutions intersect and meet different requirements. Below, we compare Azure® Active Directory® (AD) with Active Directory Federation Services (AD FS) to see how these Microsoft offerings overlap and where they differ.

What is Azure AD?

Azure is Microsoft’s cloud computing offering, similar to AWS® or GCP™. Azure AD is the cloud identity management solution for managing users in the Azure Cloud. IT administrators use Azure AD (AAD) to authenticate access to Azure, Microsoft 365™ (M365) and a select group of other cloud applications via single sign-on (SSO). At the most basic level, Azure AD is free, included with a subscription to M365. However, IT administrators must purchase the higher “Premium” tiers of the product (as well as additional add-ons) to fully utilize its capabilities.

Add-on services may include the following:

  • Intune for managing Android, Apple, Linux and Windows devices
  • Entra for using, verifying and managing external (non-Microsoft) identities

AAD is primarily a user management utility for Azure and M365 and does not manage on-prem IT infrastructure such as Windows PCs, networks, file servers and other resources. Microsoft Intune serves that function in part for cloud-first organizations; otherwise, AD is usually required to complete the solution. This is done through middleware called Azure AD Connect. Standalone AAD is not a cloud-based replacement for AD and only serves Microsoft systems. Implementations can be complex and often require setting aside a budget for consultants.

Microsoft-centric organizations rely on AAD combined with on-prem AD to manage their environment. Microsoft offers Active Directory Federation Services (AD FS) as an alternative approach that is not cloud-native; IT organizations must be able to set up and manage a server farm for a successful deployment. This increases management overhead and potential attack surface, and can increase licensing costs as size and specification requirements grow.

What is AD FS?

IT organizations using Active Directory often need a tool that bundles their on-prem identities with cloud applications. While there are a number of dedicated third-party SSO solutions to fill this void, Microsoft also offers its own tool: AD FS. AD FS is a surcharge for Windows Server purchases and depends on several standalone Windows Server functions.

AD FS is an Active Directory utility that extends on-prem identities to cloud applications. It is similar to an SSO tool for Web applications, but it runs on-prem rather than in the cloud. AD FS uses SAML XML certificates like Web app SSO services, but can also authenticate using cookies or other security tokens. It also supports OpenID Connect/OAuth flows and application scenarios for internal applications not intended for cloud hosting.

Ultimately, this means that AD FS is focused on Web applications; organizations that need identity management for non-Windows systems, networks and domain-based applications elsewhere must turn to Active Directory or other options. With that understood, let’s compare Azure AD to AD FS and see which one best fits your organization’s unique requirements.

Azure AD versus AD FS

Azure AD and AD FS share similar roles in an IT environment. Both Microsoft utilities share SSO-like features, and each must interoperate with on-prem Active Directory (although Azure AD can potentially be used without it). The main difference is that AAD is an identity and access management (IAM) solution, while AD FS is a security token service (STS).

Each therefore has its own distinctions. Azure AD has broader control over user identities outside of applications than AD FS, making it a widely used solution for IT organizations. It also has advanced access control and identity management capabilities.

For example:

  • AAD provides multi-factor authentication (MFA) at all its tiers, from AAD’s Security Standards to more granular conditional access rules for privileged users.
  • AAD has options to limit obsolete authentication methods and can enforce password status and quality.
  • AAD’s Premium tiers also provide a set of risk-based rules/conditions and behavioral monitoring to protect identities; which of these you get depends on the tier you use.
  • AAD’s Premium tiers include self-service password reset and more.
  • AAD’s Premium tiers include Azure AD Connect Health to monitor on-premises identity infrastructure.
  • AAD has role-based access controls, but dynamic groups that make and suggest user lifecycle changes via attributes are available at an additional cost.
  • AAD integrates with Intune for device management and application security rules.
  • AAD can scale out and provide geo-redundancy.

AD FS is better suited to managing access to internal applications or to extending AD to your third-party applications. For example, it provides more robust support for SAML’s claims-based authentication workflow (token claims) than AAD. It also has the capacity to consume perpetual identities and can work federatively with SAML or WS-Fed identity providers using internal IT infrastructure. AAD requires Entra to achieve similar functionality. The determination comes down to your level of internal resources, cloud adoption, compliance needs and budget.

As mentioned above, Azure AD and AD FS are not true directory services or independent services. That means IT organizations using Azure AD or AD FS typically need a directory service such as Active Directory, as well as any other add-on solutions that AD requires. NPS (Network Policy Server), for example, is required for RADIUS authentication to network resources. Intune and Entra are necessary for interoperability outside the Microsoft ecosystem to manage your entire IT infrastructure.

IT organizations that need the adaptability to support all of the resources their end users need, regardless of protocol, platform, provider or location, may benefit from evaluating non-Microsoft alternatives before settling on one of Microsoft’s SSO solutions. Cost and complexity may also be considerations: Microsoft is focused on providing solutions that meet the requirements of large enterprises, not small to medium-sized businesses (SMEs).

Holistic identity management from the cloud

JumpCloud is an open directory platform that unifies identity, access and device management capabilities regardless of the underlying authentication method or device ecosystem. It can extend both AD and the free layer of AAD to achieve more, with a lower TCO. JumpCloud verifies users whether they are using biometrics, digital certificates, passwords or SSH keys. JumpCloud ensures that each resource has a “best method” to connect to it. For example, LDAP, OIDC, RADIUS or SAML. As a result, users can use one set of credentials to access systems, applications, networks, infrastructure, file servers and more.

Access is protected by company-wide MFA with optional conditional rules for privileged users. A password manager is available to support non-SSO applications. Your users get secure, hassle-free access from managed (or trusted) devices on any platform. JumpCloud treats identities as the new perimeter. This is made possible by positioning each device as a gateway to your resources through identities. There are no add-ons for device management or consuming external identities: JumpCloud produces value lock-in rather than vendor lock-in.

Cloud delivery lowers infrastructure costs, simplifies deployment and maximizes what you already have. In addition, feature-based access control and HR system integrations can enable advanced user lifecycle management scenarios to reduce overall management overhead. These capabilities are driven by your workflows rather than parceled out as premium features.

Source: jumpcloud
