The world of access management has changed in leaps and bounds in recent years. Novel solutions, new best practices, changing business models and the rise of hybrid working have upended what was once a relatively stable aspect of business information services.
Two of the most popular access management services have been Microsoft’s Active Directory Federation Services (ADFS) and Azure Active Directory (Azure AD). On the surface, they sound similar and can fill overlapping access management roles, but there are significant differences between the two.
If you’re a Microsoft partner or managed service provider (MSP) working with Microsoft Azure, you need to know which makes the most sense for your customers’ needs. The wrong choice will drag down performance for the customer and MSP alike. With that said, let’s explore ADFS vs. Azure AD and review the key differences between the two services.
What is ADFS?
Active Directory Federation Services is a feature of Windows servers that allows users to use their local network credentials to authenticate themselves to trusted resources—federates—on other networks. This is typically called single sign-on (SSO) service. Many third-party SSO solutions exist, but if you’re a Microsoft-based organization, ADFS is the natural choice to run SSO on native infrastructure.
ADFS is an add-on that extends your Active Directory service from managing purely on-premises identities to those in compatible cloud applications. It functions similarly to other SSO services, but instead of leveraging a third-party SSO tool, you’re using your own local Active Directory instance.
ADFS is especially well-suited for helping organizations manage access and identities for non-Windows systems, networks or applications using Windows credentials ↗. It can authenticate using SAML XML certificates, cookies, OAuth and other security tokens.
ADFS use case
Access management was simple before the advent of cloud technology. All business services were either on your network or discrete web applications accessed over the internet. Now, many business applications are hosted in the cloud natively. However, without federated credentials or some other SSO scheme, users are left memorizing long lists of passwords. This can lead to lost productivity and compromises, as users were incentivized to use simple, easy-to-remember passwords.
ADFS slots in perfectly into our current mode of hybrid working. Employees can use their AD credentials to authenticate to any federated service from your network or home. One set of credentials gets them access to all the business services they need no matter where they are in the world.
What is Azure AD?
Azure Active Directory is an AD access management service done natively in the cloud. It allows you to manage customers’ user accounts and their access to essential business services, including Microsoft 365, the Azure admin interface and many different cloud-based apps hosted in Azure tenants through an SSO portal.
It is important to stress that Azure AD is cloud-native and designed to manage access for other cloud services. It is not a replacement for Windows Active Directory and, on its own, cannot manage on-premises Windows services, like local file servers, Windows PCs or other legacy Microsoft network services. However, an add-on called Azure AD Connect ↗ can bridge this gap in many environments.
Deploying Azure AD has had proven advantages for many service providers and the clients they serve. Forrester Research found that switching to Azure AD generates an ROI of 123% ↗ over a rolling three-year period. Companies recouped labor costs through more streamlined operations.
Azure AD use cases
Like ADFS, Azure AD also offers SSO service for many different Azure-based cloud applications. In addition, it also works with popular affiliated business applications, like Dropbox and Salesforce.
Azure AD is also commonly used to provide multi-factor authentication (MFA), both directly to your Azure portal to protect critical MSP resources and for your customers to access different apps through SSO. Common MFA credentials include passwords, one-time codes sent via SMS or email and app authentication, such as in the Microsoft Authenticator app.
You can also configure self-service password reset portals using Azure AD. You’ll cut down on service requests for simple password resets, and your users will get back to work faster. They’re a win-win.
Finally, Azure AD also offers live application use monitoring. You can track problem trends, like failed sign-ins and application errors across your IT ecosystem. If Azure AD manages access to something, it can generate business insights about it.
ADFS vs. Azure AD: Which one should you use?
Let’s start by reiterating that ADFS is an on-premises service for managing access for credentials housed in your on-premises infrastructure. It’s designed to work in and alongside on-premises Windows deployments. Azure AD, meanwhile, is cloud native.
They fill overlapping roles in access management services, but each has been designed to work in a different network environment. For example, all Azure AD deployments connect to a dedicated security token service (STS), which is a common endpoint for all authentication requests. Requests go there and are then routed to the appropriate Azure AD instance. That capability is incredibly powerful, although obviously relies on a cloud-native environment to function. ADFS lacks this capability, but can still be the best solution for access management in environments where on-premises hosted AD service is required.
Since ADFS and Azure AD fill overlapping roles, deciding which makes the most sense for you and your customers frequently depends on the edge cases. Azure AD has a wider range of use cases beyond simply application access control; for multi-factor authentication and self-service resets, for example, as discussed above. It can also restrict legacy authentication methods that might be more vulnerable in a modern, cloud-centric business environment.
ADFS, on the other hand, has a more streamlined set of features for managing in-house applications that your customers host on their own on-premises infrastructure. Azure AD requires add-ons to have similar capabilities.
Looking for guidance on Microsoft Azure?
If you still have questions about ADFS vs. Azure AD, Sherweb can help! Our cloud experts help IT service providers and resellers navigate the Microsoft ecosystem and deliver maximum value for their clients. We also have resources and sales enablement tools available to support our MSP partners in deploying Microsoft Azure according to their customers’ specific needs.