    Azure Active Directory a replacement for AD?

    IT Discussion
• scottalanmiller @bigbear

      @bigbear said in Azure Active Directory a replacement for AD?:

      If you start from scratch with a new domain what are you missing vs migrating a domain? Are there group policies?

      This is pretty exciting then. I believe I saw a cost of $1 or $2 per month per user or object, can't remember.

      No GP in the free version. GP is, I believe, available in the paid version.

• JackCPickup

        Been a few months since I was looking at this but it seemed like a hybrid setup with on-premises doing GP stuff was still ideal. Not sure how far the Azure GPO side has come yet.

• scottalanmiller @JackCPickup

          @JackCPickup said in Azure Active Directory a replacement for AD?:

          Been a few months since I was looking at this but it seemed like a hybrid setup with on-premises doing GP stuff was still ideal. Not sure how far the Azure GPO side has come yet.

What's the advantage of hybrid? Once you have on-premises, you normally want to avoid Azure AD completely. Its only value is in eliminating the on-premises portion.

• JackCPickup

            I think it was more managing group policies still while being able to log into Azure AD from anywhere. Seeing as there wasn't (dunno about now) proper GPOs in a pure Azure AD setup.

• scottalanmiller @JackCPickup

              @JackCPickup said in Azure Active Directory a replacement for AD?:

              I think it was more managing group policies still while being able to log into Azure AD from anywhere. Seeing as there wasn't (dunno about now) proper GPOs in a pure Azure AD setup.

              https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-admin-guide-administer-group-policy

• JackCPickup

Oh nice one. Can you have hierarchical OUs now too? I think initially you could only have flat OUs? Could be completely wrong and outdated info!

At the start of a project to convert 50-something schools' on-premises to cloud, so thanks for that link.

• scottalanmiller

                  Don't know about that, have not played with it recently. It didn't have GP support yet when we were using it. It's growing fast, though.

• Obsolesce

                    The mobile clients would have to be VPN connected (to Azure) wouldn't they? Maybe not before log-in because of cached credentials... but still, they aren't always cached.

• JackCPickup

They'd be connected to an Azure domain instead of a local one, so they log in to that.

• coliver @Obsolesce

                        @Tim_G said in Azure Active Directory a replacement for AD?:

                        The mobile clients would have to be VPN connected (to Azure) wouldn't they? Maybe not before log-in because of cached credentials... but still, they aren't always cached.

                        I don't think so. They join to an Azure domain which is available on the public internet.

• scottalanmiller @Obsolesce

                          @Tim_G said in Azure Active Directory a replacement for AD?:

                          The mobile clients would have to be VPN connected (to Azure) wouldn't they? Maybe not before log-in because of cached credentials... but still, they aren't always cached.

                          No VPN option even exists for Azure AD.

• bigbear @coliver

                            @coliver said in Azure Active Directory a replacement for AD?:

                            I don't think so. They join to an Azure domain which is available on the public internet.

                            I've tried this with Azure Connect but it was for a VPS running a domain controller. This Azure AD looks promising.

• Obsolesce @coliver

                              @coliver said in Azure Active Directory a replacement for AD?:

                              I don't think so. They join to an Azure domain which is available on the public internet.

                              Ah I see. That makes perfect sense.

                              I was thinking SSO from on-prem to Azure, got mixed up.

• bigbear @Obsolesce

                                @Tim_G said in Azure Active Directory a replacement for AD?:

                                Ah I see. That makes perfect sense.

                                I was thinking SSO from on-prem to Azure, got mixed up.

That is exactly how Microsoft pitched it a couple of years ago. I thought maybe Azure AD would sync to my AD and Office 365, and then desktops would log in with a 365 ID. This looks way better.

                                That is if it works well.

• scottalanmiller @Obsolesce

                                  @Tim_G said in Azure Active Directory a replacement for AD?:

                                  Ah I see. That makes perfect sense.

                                  I was thinking SSO from on-prem to Azure, got mixed up.

                                  That's AD Federation and still exists, but we've been warning people to run away from that for a long time.

• JackCPickup @scottalanmiller

                                    @scottalanmiller said in Azure Active Directory a replacement for AD?:

                                    That's AD Federation and still exists, but we've been warning people to run away from that for a long time.

                                    Why do you warn against ADFS?

• scottalanmiller @JackCPickup

                                      @JackCPickup said in Azure Active Directory a replacement for AD?:

                                      Why do you warn against ADFS?

                                      Risks and cost. It means you have all of the cost of both systems and the cost of keeping them working (which is rather fragile) and risk that they depend on each other and either outage can cause the other to fail. It's an unnecessary coupling that should be avoided when possible. It really doesn't add value, but takes a lot away.

• JackCPickup @scottalanmiller

                                        @scottalanmiller said in Azure Active Directory a replacement for AD?:

                                        Risks and cost. It means you have all of the cost of both systems and the cost of keeping them working (which is rather fragile) and risk that they depend on each other and either outage can cause the other to fail. It's an unnecessary coupling that should be avoided when possible. It really doesn't add value, but takes a lot away.

                                        Is that just in the context given above? Using it for SSO to an Azure VPS DC, or ADFS altogether?

• scottalanmiller @JackCPickup

                                          @JackCPickup said in Azure Active Directory a replacement for AD?:

                                          Is that just in the context given above? Using it for SSO to an Azure VPS DC, or ADFS altogether?

                                          ADFS in the context of Azure AD altogether. And I'm not saying not to have AD and Azure AD, just not to federate them. Microsoft has a simpler, safer method for keeping them in sync that doesn't involve federation.

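As an added example (not from this thread and not Microsoft's code), one way a tenant admin can inventory the coupling scottalanmiller describes: a Python script that reads the JSON shapes returned by the Microsoft Graph `/domains` and `/organization` endpoints (constructed sample responses with placeholder domain names here) and reports which verified domains still sign in through federation versus managed authentication, plus whether directory sync is on.

```python
"""Inventory which tenant domains still sign in through federation (ADFS)
versus managed (cloud-only or synced) authentication, using the JSON shapes
of the Microsoft Graph /domains and /organization responses.
Both responses below are constructed sample data, not a real tenant."""
from dataclasses import dataclass
from typing import Any

# Constructed stand-in for GET https://graph.microsoft.com/v1.0/domains
DOMAINS_RESPONSE: dict[str, Any] = {
    "value": [
        {"id": "contoso-example.onmicrosoft.com", "isVerified": True,
         "isDefault": False, "authenticationType": "Managed"},
        {"id": "corp.example.test", "isVerified": True,
         "isDefault": True, "authenticationType": "Federated"},
        {"id": "pending.example.test", "isVerified": False,
         "isDefault": False, "authenticationType": "Managed"},
    ]
}

# Constructed stand-in for GET https://graph.microsoft.com/v1.0/organization
ORGANIZATION_RESPONSE: dict[str, Any] = {
    "value": [{"displayName": "Example Tenant", "onPremisesSyncEnabled": True}]
}

@dataclass
class FederationReport:
    sync_enabled: bool     # on-premises directory sync switched on for the tenant
    managed: list[str]     # verified domains Azure AD authenticates itself
    federated: list[str]   # verified domains whose sign-in depends on an ADFS farm
    unverified: list[str]  # skipped: unverified domains cannot authenticate users

    @property
    def coupled(self) -> bool:
        """True while any sign-in path still depends on ADFS."""
        return bool(self.federated)

def build_report(domains: dict[str, Any], organization: dict[str, Any]) -> FederationReport:
    org = organization["value"][0]
    report = FederationReport(bool(org.get("onPremisesSyncEnabled")), [], [], [])
    for d in domains["value"]:
        if not d.get("isVerified"):
            report.unverified.append(d["id"])
        elif d.get("authenticationType") == "Federated":
            report.federated.append(d["id"])
        else:
            report.managed.append(d["id"])
    return report

def findings(report: FederationReport) -> list[str]:
    """One finding per federated domain; each is an ADFS dependency that can be removed."""
    notes = [f"{name}: Federated, so an ADFS outage blocks sign-in; convert to Managed"
             for name in report.federated]
    if report.federated and not report.sync_enabled:
        notes.append("directory sync is off: federated domains need a non-federated "
                     "password source (sync or cloud-only accounts) before conversion")
    return notes
```

`findings(build_report(DOMAINS_RESPONSE, ORGANIZATION_RESPONSE))` returns one line for the constructed federated domain; point the two constants at real Graph responses to run it against a tenant.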
• Obsolesce @scottalanmiller

                                            @scottalanmiller said in Azure Active Directory a replacement for AD?:

                                            Risks and cost. It means you have all of the cost of both systems and the cost of keeping them working (which is rather fragile) and risk that they depend on each other and either outage can cause the other to fail. It's an unnecessary coupling that should be avoided when possible. It really doesn't add value, but takes a lot away.

                                            Yeah, this is true.

                                            SSO between on-prem AD and Azure AD (Office 365 for example) is great, works great, and is super convenient. (when it works)

                                            But as you said, there's a cost.

                                            When dealing with O365 + On-prem AD, I prefer just the regular User/password/group sync over full SSO + all the infrastructure required for that.

                                            SSO is nice, though.
