Entra ID - Definition of Terms
Active Directory Domain Services (Windows Server / on-premises)
Standard Active Directory role on a traditional Windows server machine that is managed with tools like Active Directory users and computers, sites and services, domains, and trusts.
Contains user, group, contact, and computer objects.
Traditional Windows desktops and servers join this AD.
Users and Groups can be synchronized with Entra ID using Entra ID Connect.
Entra ID – Microsoft Cloud Directory Services
Despite its similar name to traditional Active Directory, this is a different service that is hosted by Microsoft and is the top-level object in the Microsoft Cloud (O365, D365, and Azure).
Contains user, group, and contact objects.
Windows 10 and 11 computers can join Entra ID, while older operating system machines cannot.
Can be synchronized with a traditional AD via the ADConnect tool, so the same username and password can be used for both (with password hash synchronization enabled).
Entra Domain Services
An Azure-hosted, Microsoft-managed AD DS.
Most of the same capabilities as traditional, on-premises AD DS with some limitations due to the lack of administrative access to the actual domain controller, which Microsoft manages.
Automatically synchronizes with Entra ID, which may be synchronized with on an on-premises AD DS, and allows VMs running in Azure to join it regardless of the type of Windows OS (for example, Windows 11/10/8/7 or Server 2008/2012/2016/2019).
Customers With a Cloud-Only Environment
Entra ID is required to use any of the Microsoft Cloud services (Office 365, Azure Virtual Desktop (AVD), Dynamics 365, etc.). When users access these cloud services, all user authentication begins in Entra ID.
For organizations with “cloud native” deployments, the user information (for example, username, password, group membership, etc.) only resides in Entra ID and is not synchronized with any other directory. If the customer does not have on-premises, line-of-business (LOB) application servers and is not looking to implement virtual desktops in Azure, this Entra ID-only scenario may be sufficient and fairly simple.
Customers With Existing Servers and Applications and/or Virtual Desktops
Most customers start out with existing LOB applications running on-premises and want to migrate these workloads to Azure, reinstall them on new VMs running in Azure, or implement virtual desktops in Azure with AVD. Prior to winter of 2021, AAD alone was not sufficient as LOB servers and virtual desktop VMs must join an Entra Domain Services domain to function and be manageable. Microsoft now supports Entra ID Joined for AVD session hosts, with support for Entra ID Joined for Azure files expected soon (as of November 2021).
Enable Active Directory Functionality in Azure
The following methods are available to enable AD functionality in Azure:
Do-it-yourself AD in Azure.
Entra Domain Services PaaS.
Do-it-yourself AD in Azure
Conceptually, the easiest way to create an Azure deployment is:
Connect to the on-premises network with a site-to-site VPN.
Deploy a new VM in Azure.
Join it to the existing AD domain via the VPN.
Promote it to a domain controller and configure the proper sites/subnets/etc.
What you end up with is an AD deployment that spans both the on-premises network and the Azure deployment with the ability to move server VMs from on-premises to Azure without having to rejoin them to a new domain and without disrupting users’ connectivity to these VMs.
The challenge with this deployment lies in the difficulty of implementation, the need to manage new domain controllers, and the cost of additional VMs to run these domain controllers. The advantage is the easy-to-understand deployment for anyone who has managed Active Directory before and complete flexibility with full administrative access.
Azure Active Directory Domain Services (AAD DS) PaaS
To address the challenges with the do-it-yourself AD in Azure method, Microsoft introduced Entra Domain Services--not to be confused with Entra ID.
Entra Domain Services is a PaaS offering in Azure that is operated, monitored, and updated by Microsoft with administrators having limited access. The advantage of Entra Domain Services is that it does not require VMs to be deployed and managed and it does not rely on a VPN to synchronize with an on-premises domain.
When Entra Domain Services is deployed in an Azure subscription, Microsoft creates a pair of high-availability domain controllers and synchronizes the user data from Entra ID.
Entra Domain Services is a new domain that contains read-only copies of users, groups, and password hashes that reside in Entra ID. It synchronizes this data at 20-minute intervals. Azure VMs can be joined to this new domain and existing usernames and passwords can be used to connect to these VMs since the user credentials are synchronized with Entra ID, which may be synchronized with an on-premises AD using Entra ID Connect.
See this Microsoft article for more information about Entra ID Connect.
Microsoft deploys and manages an Active Directory for you, so you don’t have administrative access to it but can connect to manage it with traditional AD management tools (for example, Active Directory Users and Computers or Group Policy Management).
Entra Domain Services is a new domain that has your existing domain’s user objects, if synced using Entra ID Connect.
User objects that are synchronized from Entra ID to this new domain are read-only. They can only be modified in the source AD (if Entra ID Connect is in use) or Entra ID (if the customer is cloud-only).
When you create VMs in Azure, they join this new domain. They are not part of your existing domain that is on-premises, only the new domain that is in Azure.
Servers that are joined to your existing on-premises domain are not part of the new Entra Domain Services domain--only user objects are replicated. There is no trust enabling authentication between the Entra Domain Services and on-premises AD DS environments.
When doing a lift-and-shift migration of a server from on-premises to Azure with Entra Domain Services enabled, you need to join the server to the new domain and then existing users can be entitled to access it. This requires making changes to the server.
You need a “management VM” running in Azure with RSAT installed to manage your new Entra Domain Services domain.
Active Directory Federation Services (AD_FS) functionality, which enables single sign in Office 365, is not supported.
Directory Schema extensions are not supported.
There is no way to fail-over the Entra Domain Services domain to another Azure region in case of a regional outage.
Once deployed, there is no way to pause Entra Domain Services to save on costs without deleting the deployment.