The Active Directory Domain Services (AD DS) is the traditional on-premises version of the domain services provided by AD. Organizations use AD DS to centrally manage all their resource objects, such as users, computers, printers, shared folders, groups, organizational units (OUs), etc. These objects are part of the Active Directory domain, which allows the administrators to securely manage them through Group Policies. AD DS is managed by the organization on-premises. The Enterprise Administrators are responsible for managing AD DS domain controllers, AD sites, trust relationships between the domains, Group Policies, backing up and restoring AD DS, etc. Some of the key features offered by AD DS include:

NOTE: In this article, the terms traditional AD and traditional AD DS refer to the on-premises deployment of Active Directory and Active Directory Domain Services.

Azure Active Directory (Azure AD) is the Azure solution for identity and access management. Azure AD is a multitenant, cloud-based directory and identity management service from Microsoft. It combines core directory services, application access management, and identity protection into a single solution. Azure AD offers some of the same features in the cloud as AD DS offers on-premises. However, just because they both have AD in their names doesn't mean they are identical services. Azure AD is a cloud-based identity service that offers the following:

To provide applications, services, or devices access to a central identity, there are three common ways to use Active Directory-based services in Azure. This choice in identity solutions gives you the flexibility to use the most appropriate directory for your organization's needs. For example, if you mostly manage cloud-only users that run mobile devices, it may not make sense to build and run your own Active Directory Domain Services (AD DS) identity solution. Instead, you could just use Azure Active Directory.

Although the three Active Directory-based identity solutions share a common name and technology, they're designed to provide services that meet different customer demands. At a high level, these identity solutions and feature sets are:

- Active Directory Domain Services (AD DS): an enterprise-ready Lightweight Directory Access Protocol (LDAP) server that provides key features such as identity and authentication, computer object management, group policy, and trusts. AD DS is a central component in many organizations with an on-premises IT environment, and provides core user account authentication and computer management features. For more information, see Active Directory Domain Services overview in the Windows Server documentation.

- Azure Active Directory (Azure AD): cloud-based identity and mobile device management that provides user account and authentication services for resources such as Office 365, the Azure portal, or SaaS applications. Azure AD can be synchronized with an on-premises AD DS environment to provide a single identity to users that works natively in the cloud.

Active Directory Requirements to Use BitLocker

The BitLocker recovery data storage feature is based on an extension of the Active Directory schema. You should verify that your AD schema version has the attributes required to store BitLocker recovery keys in Active Directory. To do this, run the following cmdlets from the Active Directory module for Windows PowerShell (the filter lists the ms-FVE-* schema attributes in which BitLocker recovery data is stored):

    Import-Module ActiveDirectory
    Get-ADObject -SearchBase ((Get-ADRootDSE).SchemaNamingContext) -Filter {Name -like 'ms-FVE-*'}

You can also use the following one-liner to display the recovery keys stored for a specific computer. The recovery data is kept in msFVE-RecoveryInformation objects that are children of the computer object, so the search targets those child objects rather than the computer object itself:

    Get-ADObject -SearchBase (Get-ADComputer 'lon-wks-c211').DistinguishedName -Filter {objectClass -eq 'msFVE-RecoveryInformation'} -Properties 'msFVE-RecoveryPassword', whenCreated | Select-Object DistinguishedName, 'msFVE-RecoveryPassword', whenCreated

Delegating Permissions to View BitLocker Recovery Keys in AD

You can delegate the permissions to view information about BitLocker recovery keys in AD to a certain group of users. We created a new security group in AD, BitLocker Viewers. Right-click on the OU that contains the computer objects with BitLocker recovery keys. Select Delegate Control.
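The following script is an added example and not code from the original article: it wraps the schema check and the per-computer lookup described above into functions and adds an escrow audit that reports computers in an OU with no recovery key stored in AD. The computer name 'lon-wks-c211' and the OU distinguished name are assumptions.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module (RSAT). Computer and OU names below are assumed sample values.
Import-Module ActiveDirectory

function Test-BitLockerSchema {
    # $true when the ms-FVE-* attributes from the BitLocker schema extension exist.
    $schema = (Get-ADRootDSE).SchemaNamingContext
    $attrs  = Get-ADObject -SearchBase $schema -Filter { Name -like 'ms-FVE-*' }
    return [bool]($attrs | Where-Object { $_.Name -eq 'ms-FVE-RecoveryPassword' })
}

function Get-BitLockerRecoveryInfo {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Recovery data lives in msFVE-RecoveryInformation objects that are direct
    # children of the computer object (one per protector), so search one level
    # beneath the computer's DN instead of reading the computer object itself.
    $computer = Get-ADComputer -Identity $ComputerName
    Get-ADObject -SearchBase $computer.DistinguishedName -SearchScope OneLevel `
        -Filter { objectClass -eq 'msFVE-RecoveryInformation' } `
        -Properties 'msFVE-RecoveryPassword', 'msFVE-RecoveryGuid', whenCreated |
      Select-Object @{n='Computer'; e={ $ComputerName }},
                    @{n='KeyId';    e={ [guid]::new([byte[]]$_.'msFVE-RecoveryGuid') }},
                    whenCreated,
                    @{n='RecoveryPassword'; e={ $_.'msFVE-RecoveryPassword' }}
}

function Find-ComputersWithoutEscrowedKey {
    param([Parameter(Mandatory)][string]$SearchBase)
    # Defender's check: computers in the OU with no recovery key escrowed in AD
    # cannot be recovered from AD if the TPM or PIN fails. Only the existence of
    # child objects is tested; the recovery password attribute is never read.
    Get-ADComputer -Filter * -SearchBase $SearchBase | ForEach-Object {
        $keys = Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel `
                    -Filter { objectClass -eq 'msFVE-RecoveryInformation' }
        if (-not $keys) { $_.Name }
    }
}

# Usage with the assumed sample names:
if (-not (Test-BitLockerSchema)) { throw 'AD schema lacks the BitLocker (ms-FVE-*) attributes' }
Get-BitLockerRecoveryInfo -ComputerName 'lon-wks-c211' | Format-Table -AutoSize
Find-ComputersWithoutEscrowedKey -SearchBase 'OU=Workstations,DC=example,DC=com'
```

The audit function can be run by members of a delegated group such as the BitLocker Viewers group described below without exposing recovery passwords, since it only checks for the presence of child objects.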