In my previous post, I made a subjective comparison between AWS Cognito and Azure AD. I took into consideration only the features that I was directly interested in.
In this post, I want to summarise the main differences between Azure AD and AWS Managed Microsoft AD. Why? Because on AWS, the documentation about which AD features are available inside AWS Managed Microsoft AD is limited, and you cannot find a clear statement. In some cases I had to spin up a service instance and check manually whether a feature is available or not.
First of all, remember that Azure AD is the latest version of AD that Microsoft has, full-featured. In comparison, AWS offers a ‘legacy’ instance, with the features that are available inside on-premises AD deployments. Because of this, the features available inside AWS Managed Microsoft AD are just a subset of the ones available inside Azure AD.
The question that we need to answer is WHICH ONES…
The table below covers the most important features of AD and some differences between the two services. You might notice that in some cases Azure AD does not support the full feature set. This happens because some legacy parts of on-premises AD were removed or are not suitable for an IAM solution hosted inside the cloud.
| Item | Azure AD | AWS Managed Microsoft AD |
|---|---|---|
| Price model | No. of DO (Directory Objects) | No. of DC (Domain Controllers) |
| Custom DNS | Yes | Yes |
| Snapshots | No, because it is a SaaS | Yes |
| No. of managed forests | 1 for each Azure AD tenant | 10 for each account |
| Trusts | No | Limited |
| Schema extensions | No | Limited |
| Log access to DC | No (because it is a SaaS) | Yes |
| Max no. of DC | SaaS – not relevant | 20 for each directory |
| Connection with on-premises | VNET only | Direct Connect or VPN |
| LDAPS support | Yes | Yes |
| Kerberos support | Yes | Yes |
| LDAPS | Read-only, write available only for managed domain | Read and write (~not easy) |
| LDAP CS | All (AES 128 & 256, RC4, 3DES) | All (AES 128 & 256, RC4, 3DES) |
| Kerberos encryption | All (AES 128 & 256, RC4, 3DES) | All (AES 128 & 256, RC4, 3DES) |
| LDAP protocol | TLS 1.0, TLS 1.2 (SSLv3 not supported anymore) | SSLv3, TLS 1.0, TLS 1.2 |
| Smart card | No, because of SaaS and limitation of integration with on-premises solutions | RADIUS only |
| Directory synchronization | Yes | No |
| Password policies | Yes | Yes |
| NTLM | Yes, NTLM v1 and v2 | Yes, NTLM v1 and v2 |
| Kerberos delegation | Resource-based | Resource and account-based |
| Managed service | Yes | No |
| Secure deployments | Yes | Partial |
| Domain administrator privileges | No | Partial |
| Domain join | No | Yes |
| Schema extensions | Not directly | Yes |
| Group policy | Yes | Yes |
| Graph API | Yes | No |
What is important to remember is that when you use Azure AD, you are using a full-featured managed service. In comparison, when using AWS Managed Microsoft AD you receive a service that has, behind the scenes, EC2 instances with Windows Server AD configured on them. The service is managed as a set of VMs, not as a fully managed service. Based on the documentation that I was able to find, it seems that AWS deploys the service using Microsoft Windows Server 2016.
AWS Managed Microsoft AD is a good option when your solution runs inside AWS and you have no plans to migrate to Office 365 or to use Azure. Even so, once you start using AWS Managed Microsoft AD, you can still migrate to Azure AD or federate with it.