Hi,
This is a general question for everyone to see which is the better and preferred method for authentication, AD or Office 365.
What are the pros and cons of both?
Lastly, is the move from AD to Office 365 later down the line simple if new features become available?
Thanks for your thoughts.
Hello Simon,
When a customer has a hybrid environment, we normally suggest using O365 since the 2FA is already configured on that account, so it is simpler to implement for your users since they do not need to configure an additional 2FA on their cellphone.
Several companies are moving from a hybrid model to AAD only, so it would be more future-proof, which is something to keep in mind.
Currently, the change from domain to O365 is simple for the users (SQL script), but the groups are more complex due to the permissions. The engineering team is already working on this issue to make it simpler in the future.
Best regards,
Richard Boisvert
Hi,
Firstly, I don't think either of the two authentication backends is going anywhere anytime soon.
I'd say there is less chance to see major development on the Windows Active Directory (AD) side simply because it is a mature technology and Microsoft itself is not releasing any ground-breaking features for this product nowadays, but it is still very robust, knowledge about it is easily available, and IMHO it is one of those technologies that just work.
Azure Active Directory (Office 365) is the authentication backend Microsoft is currently betting on. If you already plan on using more advanced authentication features such as conditional access, passwordless authentication and risk-based authentication, and are looking to move toward a Zero-Trust(ish) approach, I'd say you should lean more toward Azure AD (although there is definitely a price tag on those features).
The other benefit is that Azure AD is accessible from any location since it is a hosted service, so you won't need a direct line of sight between the DVLS servers and your Windows Active Directory domain controllers (which sometimes is a pill that can be hard to swallow for security teams, especially if you plan on making DVLS accessible from the Internet).
One downside of authenticating with Azure AD is that, for this to be efficient, it needs to rely on an internal cache of users and group memberships inside DVLS itself, so the changes you make to group membership can take a moment to get synchronized in DVLS.
At the end of the day, I'd say it really depends on the strategy you have selected for authentication in your organization.
Simon Chalifoux
Excellent responses guys,
We are fully in the AAD ecosystem and the on-premise side of the hybrid is purely for internal servers and services.
Leaning on the Office 365 side, will there be more development to get the offering on a par with the AD Domain side, so that auto-creation of new users happens just for the groups you have chosen instead of all users?
A feature to assign licences by group would be great on the Office 365 side as well.
Just an update on this thread for those that come across it: we finally settled on AD authentication, as the Azure side is not quite at feature parity with on-premise AD. Also, to access the data source, and indeed the servers, our users need to be on the network or VPN, so there was no real benefit to using Azure authentication for us.