Introduction to Microsoft Entra

Entra ID vs Active Directory Domain Services

20 mins

Understanding the Concept

Active Directory Domain Services (AD DS) is the traditional on-premises directory service that has been the backbone of Windows enterprise networks since Windows 2000. It uses LDAP for directory queries, Kerberos for authentication, and Group Policy for centralized management of domain-joined users and computers.

Microsoft Entra ID is a cloud-native identity service designed for modern applications and cloud resources. It uses modern protocols such as OAuth 2.0, OpenID Connect, and SAML for authentication and authorization, and manages access to SaaS apps, Azure resources, and Microsoft 365.

They serve different purposes and often coexist in hybrid environments. Entra Connect (formerly Azure AD Connect) synchronizes on-premises AD identities to Entra ID, enabling a unified identity experience across cloud and on-premises resources.

Key Points

  • AD DS: On-premises, LDAP/Kerberos, Group Policy, OUs, domain-joined devices
  • Entra ID: Cloud-native, OAuth/OIDC/SAML, Conditional Access, flat structure
  • Entra ID is NOT a cloud replacement for AD DS - they serve different roles
  • Entra Connect synchronizes identities between AD DS and Entra ID
  • Hybrid identity allows users to access both on-prem and cloud resources seamlessly

Hybrid Identity Architecture

Step 1 - AD DS (On-Prem): Domain controllers, GPOs, LDAP/Kerberos authentication
Step 2 - Entra Connect: Sync agent that replicates identities to the cloud
Step 3 - Entra ID (Cloud): Cloud directory, modern auth, SSO to SaaS apps
Step 4 - User Experience: Single identity for on-prem and cloud resources

Why This Matters in Real Organizations

Most enterprises operate in hybrid environments with both on-premises and cloud resources. Understanding the distinction between AD DS and Entra ID is critical for designing secure, efficient identity solutions that bridge both worlds without introducing security gaps.

Common Mistakes to Avoid

  • Trying to replicate AD DS structure (OUs, GPOs) directly in Entra ID
  • Assuming Entra ID can replace AD DS for domain-joined device management
  • Forgetting that Entra ID uses a flat structure - no OUs or forests
  • Not planning for Entra Connect sync filtering and attribute mapping
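To make the sync filtering, attribute mapping and flat-structure points concrete, here is an added Python model of what a sync pass does to a handful of on-premises user objects. It is example code written for this lesson, not the Entra Connect sync engine or its real sync rules, and it simplifies three behaviours: OU-based scoping (an excluded child OU wins over a selected parent), derivation of the sourceAnchor / ImmutableId from objectGUID, and replacement of an unverified UPN suffix with the tenant's default .onmicrosoft.com domain. The sample users, OU paths, verified domain and tenant default domain are all constructed placeholders.

```python
"""Simplified model of Entra Connect OU filtering and attribute mapping.

Added example for this lesson: this is NOT the Entra Connect sync engine or its
real sync rules. It models three behaviours so they can be inspected:
  * OU-based filtering (only objects under selected, non-excluded OUs export),
  * the sourceAnchor / ImmutableId derived from objectGUID,
  * replacement of an unverified UPN suffix with the tenant default domain.
All users, domains and OU paths below are constructed for illustration.
"""
import base64
import uuid

# Assumption: OUs selected for sync and OUs explicitly excluded (constructed DNs).
SYNCED_OUS = {"OU=Corp,DC=corp,DC=example,DC=com"}
EXCLUDED_OUS = {"OU=Service Accounts,OU=Corp,DC=corp,DC=example,DC=com"}

# Assumption: domains verified in the tenant; the default domain is a placeholder.
VERIFIED_DOMAINS = {"example.com"}
TENANT_DEFAULT_DOMAIN = "tenant-placeholder.onmicrosoft.com"

ACCOUNTDISABLE = 0x2  # userAccountControl bit meaning "account disabled"

# Constructed on-premises user objects (not real data).
ON_PREM_USERS = [
    {"objectGUID": uuid.UUID("01020304-0506-0708-090a-0b0c0d0e0f10"),
     "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@example.com",
     "distinguishedName": "CN=Jane Doe,OU=Staff,OU=Corp,DC=corp,DC=example,DC=com",
     "mail": "jane.doe@example.com", "displayName": "Jane Doe", "userAccountControl": 512},
    {"objectGUID": uuid.UUID("11111111-2222-3333-4444-555555555555"),
     "sAMAccountName": "bsmith", "userPrincipalName": "bsmith@corp.local",
     "distinguishedName": "CN=Bob Smith,OU=Staff,OU=Corp,DC=corp,DC=example,DC=com",
     "mail": None, "displayName": "Bob Smith", "userAccountControl": 514},
    {"objectGUID": uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"),
     "sAMAccountName": "svc-backup", "userPrincipalName": "svc-backup@example.com",
     "distinguishedName": "CN=svc-backup,OU=Service Accounts,OU=Corp,DC=corp,DC=example,DC=com",
     "mail": None, "displayName": "Backup Service", "userAccountControl": 512},
]


def container_of(dn: str) -> str:
    """Return the parent container of a DN (everything after the leaf RDN)."""
    return dn.split(",", 1)[1]


def _under(container: str, ou: str) -> bool:
    """True if container is the OU itself or sits anywhere beneath it."""
    return container == ou or container.endswith("," + ou)


def in_sync_scope(dn: str) -> bool:
    """OU filtering: an excluded OU wins, then the object must sit under a selected OU."""
    container = container_of(dn)
    if any(_under(container, ou) for ou in EXCLUDED_OUS):
        return False
    return any(_under(container, ou) for ou in SYNCED_OUS)


def source_anchor(object_guid: uuid.UUID) -> str:
    """ImmutableId / sourceAnchor: base64 of the GUID's 16 bytes in the mixed
    little-endian order AD stores (the same order .NET Guid.ToByteArray() yields)."""
    return base64.b64encode(object_guid.bytes_le).decode("ascii")


def cloud_upn(on_prem_upn: str) -> str:
    """An unverified UPN suffix cannot exist in the tenant, so the prefix is kept
    and the suffix replaced with the tenant's default .onmicrosoft.com domain."""
    prefix, suffix = on_prem_upn.rsplit("@", 1)
    if suffix.lower() in VERIFIED_DOMAINS:
        return on_prem_upn
    return f"{prefix}@{TENANT_DEFAULT_DOMAIN}"


def map_attributes(user: dict) -> dict:
    """Attribute mapping for one in-scope user to a simplified Entra ID user object."""
    return {
        "userPrincipalName": cloud_upn(user["userPrincipalName"]),
        "displayName": user["displayName"],
        "mail": user["mail"],
        "accountEnabled": not (user["userAccountControl"] & ACCOUNTDISABLE),
        "onPremisesImmutableId": source_anchor(user["objectGUID"]),
        "onPremisesSamAccountName": user["sAMAccountName"],
        # Reference only: Entra ID is flat, so this path carries no hierarchy,
        # delegation or policy inheritance in the cloud.
        "onPremisesDistinguishedName": user["distinguishedName"],
    }


def run_sync(users: list) -> dict:
    """Apply filtering, then mapping; returns cloud objects keyed by ImmutableId."""
    return {obj["onPremisesImmutableId"]: obj
            for obj in (map_attributes(u) for u in users
                        if in_sync_scope(u["distinguishedName"]))}


if __name__ == "__main__":
    for anchor, obj in run_sync(ON_PREM_USERS).items():
        state = "enabled" if obj["accountEnabled"] else "disabled"
        print(anchor, obj["userPrincipalName"], state)
```

Running it exports two of the three constructed users: the service account is dropped by OU filtering, Bob's `corp.local` suffix is rewritten to the tenant default domain because it is not a verified domain, and his disabled state follows the `userAccountControl` bit into `accountEnabled`. The `onPremisesDistinguishedName` still arrives in the cloud object, but nothing in Entra ID uses that path for scoping or inheritance, which is the practical meaning of "flat structure".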

Interview Tips

  • Clearly articulate the differences in protocols, structure, and use cases
  • Explain hybrid identity and when organizations need both
  • Discuss Entra Connect sync options: password hash sync, pass-through auth, federation

Exam Tips (SC-300)

  • Know the protocol differences: LDAP/Kerberos vs OAuth/OIDC/SAML
  • Understand Entra Connect authentication methods and when to use each
  • Know which features exist in AD DS only vs Entra ID only vs both
