AD FS vs Azure AD
As the complexity of IT infrastructure increases, organizations have had to adopt newer technologies for security and IT management. Microsoft is one of the leading players in both spaces. As one of the pioneers of the IT revolution, Microsoft has a range of products and services that cater to the requirements of different environments. Unsurprisingly, many of their solutions have intersections confusing customers who need to choose between two or more seemingly similar products or services or their combinations. In this blog on Active Directory Federation Services (AD FS) vs Azure Active Directory (Azure AD), we will compare and contrast the two Microsoft offerings and explore how AD FS can work with Azure.
What is Active Directory Federated Services?
Before we can differentiate the two offerings let us understand what Active Directory Federated Services and Azure Active Directory are. The answer to what is Azure AD? has been elaborated in a previous article. To summarize, it is an identity and access management solution built on the cloud computing technology to enable users to sign in and access internal resources applications on the corporate network, intranet, and the cloud, as well as external resources such as Office 365 applications and services.
AD FS, on the other hand, is a service that simplifies identity federation and introduces Web single sign-on (SSO) capabilities to enable users to access disparate systems using a single set of credentials. In other words, organizations can extend their existing identity management capabilities to the internet with Azure Active Directory Connect and federation server farms and proxies.
How Azure AD is Different from AD FS?
Azure AD and AD FS are fundamentally different from each other in terms of architecture. AD FS is built to work in tandem with on-premises deployments. It can work even without Azure services for identity management. AD FS creates dedicated endpoints with unique IDs for authentication.
Azure Active Directory is a multi-tenant cloud-based identity as a service (IDaaS) solution in which multiple directories are created for each directory service. It does not require on-premises infrastructure to work. Apart from identity management, Azure AD can be used to create objects for users, groups, and other entities. Unlike AD FS, there is a dedicated Security Token Service (STS) instance that binds every Azure Active Directory. A common endpoint provided by Microsoft decides where the request has to be routed to the appropriate instance of Azure Active Directory for multi-tenant applications by a process called home realm discovery. This capability is the reason why Azure AD is the more widely used solution. However, AD FS has its advantages especially when an identity management solution is required for on-premises infrastructure that for some reason cannot leverage cloud capabilities.
Advantages of Deploying AD FS in Azure
AD FS can even be deployed with Azure if required. Here are some advantages of doing that.
- You can enhance the availability of on-premises infrastructure with Azure Availability Sets.
- You can migrate to more powerful Azure machines for scaling operations faster and with greater ease.
- You can ensure that your infrastructure is available across the globe with Azure Geo Redundancy.
- You can manage your infrastructure with greater ease with simplified management options on the Azure portal.
How to Deploy AD FS with Azure?
Here is a summary of the steps for deploying AD FS on Azure.
- Deploy either a single virtual network and divide it into two subnets or create two different virtual networks (VNet).
- Create two separate storage accounts and assign machines to two groups to avoid dependence on a single storage account and maintain high availability.
- Create availability sets with at least 2 machines for each role. Ensure that there are at least 2 fault domains and 2 update domains.
- Deploy an appropriate number of virtual machines for hosting different roles in the infrastructure.
- Configure domain servers and AD FS servers.
- Configure the Internal Load Balancer (ILB) and Internet Facing (Public) Load Balancer on the Azure portal.
- Setup the Web Application Proxy server to reach AD FS servers.
- Ensure that the network has been secured.
- Test if AD FS sign-in works.
Apps4Rent Can Help You Implement the Right Identity Management Solution
If you found the last section to be too technical, we understand. Unfortunately, implementing these solutions is a challenging task. As a Tier 1 Microsoft Cloud Solution Provider, Apps4Rent supports customers 24/7 via phone, chat, and email for implementing Azure solutions. Contact us today for promotional prices on Azure solutions.