A Comparison – AWS Managed Microsoft AD and Azure Active Directory Domain Services

Over the past year I’ve done deep dives into both Amazon’s AWS Managed Microsoft Active Directory and Microsoft’s Azure Active Directory Domain Services. These services represent each vendor’s attempt at a managed Windows Active Directory (AD) service. I covered the benefits of each service extensively over the course of those posts, so today I’m going to cover the key points of the two services. I’m also going to include two tables: one outlines the differences in general features, the other the differences in security-related features.

Let’s hit on the key points first.

  • Amazon provides a legacy (Windows AD is legacy, folks) managed service, while Microsoft provides a modernized service (Azure AD) which has been backported to “kinda” work like a legacy managed service. The approaches are very different, and my personal opinion is that Amazon’s approach fits far more use cases.
  • Microsoft synchronizes users, password hashes, and groups from Azure AD to a managed instance of Windows Active Directory. The reliance on this synchronization means the customer has to be comfortable synchronizing both directory data and password hashes to Azure AD. Amazon, on the other hand, does not require any data to be synchronized.
  • Amazon allows identities in the managed instance of Windows AD, or in a forest that has a trust with the managed instance, to be used to manage AWS resources. This is an interesting approach in that Amazon is taking a legacy service and modernizing it, while Microsoft is taking a modern service and trying to make it work like a legacy service.
  • Amazon provides more control in scaling the Windows AD instance at a very affordable price point. Microsoft, on the other hand, handles scaling itself at a price point that is 400% the cost of Amazon’s service.
  • Amazon’s service is eligible to be used in solutions that require PCI DSS Level 1 or HIPAA. I’m unsure what, if any, compliance requirements Microsoft’s service has met.
  • Both services use a delegated model where the customer has full control over an OU rather than the directory itself. Highly privileged roles such as Schema Admins, Enterprise Admins, and Domain Admins are retained by the cloud provider.
  • Both services provide LDAP for legacy applications customers may be trying to lift and shift. Microsoft limits LDAP to read operations, while Amazon supports both read and write operations.
  • Both services support LDAPS. However, Amazon does require an instance of Active Directory Certificate Services to be deployed and acting as either a root or intermediate certificate authority.
  • Neither service allows the customer to modify the Default Domain Policy or Default Domain Controllers Policy. This means the customer cannot modify the password or lockout policy applied to the domain. While Amazon does provide a method of enforcing custom password and lockout policies through Fine-Grained Password Policies, Microsoft does not. Additionally, the customer is stuck with whatever hardening decisions the vendor has made for the configuration of the domain controllers’ operating system. Amazon has done a much better job of following industry best practices in locking down the domain controllers.
  • Amazon’s service supports only Active Directory forest trusts. Microsoft’s service doesn’t support trusts of any kind at this time.
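
Since the Default Domain Policy is read-only in both services, a Fine-Grained Password Policy (FGPP) is the only lever the customer has for password and lockout settings. The following is an added example (my own illustration, not code from either vendor’s documentation) of editing an existing FGPP object the customer has been delegated, applying it to a group in the delegated OU, and then verifying the resultant policy the domain controller will actually enforce for an account. The policy name, group and user are placeholders; replace them with the objects in your directory.

```powershell
# Added example (not from the original post): enforce a password and lockout
# policy through a Fine-Grained Password Policy in a delegated managed AD
# where the Default Domain Policy cannot be changed.
# Placeholders (adjust for your directory):
#   $PolicyName  - an FGPP object you are delegated to edit
#   $TargetGroup - a global security group inside your delegated OU
#   $SampleUser  - a member of that group, used to verify the result
Import-Module ActiveDirectory

$PolicyName  = 'CustomerPSO-EXAMPLE'   # placeholder
$TargetGroup = 'SvcAccounts-Tier1'     # placeholder
$TargetGroup = $TargetGroup
$SampleUser  = 'svc-example'           # placeholder

# 1. Harden the policy object itself. A lower precedence wins when an
#    account is a subject of more than one FGPP.
Set-ADFineGrainedPasswordPolicy -Identity $PolicyName `
    -Precedence 10 `
    -MinPasswordLength 14 `
    -PasswordHistoryCount 24 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30)

# 2. Apply it to a group rather than to individual users, so that group
#    membership in the delegated OU is all that needs managing afterwards.
Add-ADFineGrainedPasswordPolicySubject -Identity $PolicyName -Subjects $TargetGroup

# 3. Verify. The resultant policy is what the DC enforces for this account;
#    the vendor's Default Domain Policy applies only when no FGPP matches.
$effective = Get-ADUserResultantPasswordPolicy -Identity $SampleUser
if ($null -eq $effective) {
    Write-Warning "$SampleUser is not covered by any FGPP; the vendor default domain policy applies."
} else {
    $effective | Select-Object Name, Precedence, MinPasswordLength,
        LockoutThreshold, LockoutDuration, LockoutObservationWindow
}
```

Step 3 is the part worth keeping in a scheduled check: an account that drops out of the subject group silently falls back to the vendor’s domain-wide settings, and the resultant policy query is the only authoritative way to see that.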

Here is a table showing the comparison of general features:

| Feature | AWS Managed Microsoft AD | Azure Active Directory Domain Services |
| --- | --- | --- |
| Cost basis | Number of domain controllers | Number of directory objects |
| Cost (assumed >100,000 objects) | $0.40/hr (includes 2 DCs) + $0.20/hr per additional DC | $1.60/hr |
| Schema extensions | Yes, with limitations | No |
| Trusts | Yes, with limitations | No |
| Domain controller log access | Security and DNS Server event logs | No |
| DNS management | Yes | Yes |
| Snapshots | Yes | No |
| Limit of managed forests | 10 per account | 1 per Azure AD tenant |
| Supports being used on-premises | Yes, with Direct Connect or VPN | No, within VNet only |
| Scaled by customer | Yes | No |
| Max number of domain controllers | 20 per directory | Unknown how service is scaled |

Here is a table of security capabilities:

| Feature | AWS Managed Microsoft AD | Azure Active Directory Domain Services |
| --- | --- | --- |
| Requires directory synchronization | No | Yes, including passwords |
| Fine-Grained Password Policies | Yes, limited to seven | No |
| Smart card authentication | Not native, requires RADIUS | No |
| LDAPS | Yes, with special requirements | Yes, but LDAP operations are limited to read |
| LDAPS protocols | SSLv3, TLS 1.0, TLS 1.2 | TLS 1.0, TLS 1.2 |
| LDAPS cipher suites | RC4, 3DES, AES128, AES256 | RC4, 3DES, AES128, AES256 |
| Kerberos delegation | Account-based and resource-based | Resource-based |
| Kerberos encryption | RC4, AES128, AES256 | RC4, AES128, AES256 |
| NTLM support | NTLMv1, NTLMv2 | NTLMv1, NTLMv2 |
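
The table shows that both vendors still accept SSLv3 or TLS 1.0 and RC4 on LDAPS, and RC4 for Kerberos, and that the customer cannot change this at the domain controller. What the customer can do is measure it and fix the half they own. The following is an added example (my own, not from either vendor) that probes a managed domain controller’s LDAPS listener for each protocol version in the table and then lists accounts in the delegated OU whose msDS-SupportedEncryptionTypes attribute still permits only RC4. The DC name and OU path are placeholders.

```powershell
# Added example (not from the original post): audit the LDAPS protocol versions
# from the table against a managed DC, and find delegated-OU accounts that do
# not yet advertise AES for Kerberos.
# Placeholders: $DomainController and $DelegatedOU.
Import-Module ActiveDirectory

$DomainController = 'dc1.example.corp'            # placeholder
$DelegatedOU      = 'OU=Corp,DC=example,DC=corp'  # placeholder

function Test-LdapsProtocol {
    param(
        [string]$Server,
        [System.Security.Authentication.SslProtocols]$Protocol,
        [int]$Port = 636
    )
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        # Certificate validation is bypassed only because the question here is
        # what the server is willing to negotiate, not whether to trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server, $null, $Protocol, $false)
        [pscustomobject]@{
            Requested  = $Protocol
            Negotiated = $ssl.SslProtocol
            Cipher     = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Accepted   = $true
        }
    } catch {
        # A handshake failure (or a client OS that refuses to offer the version)
        # both show up here as "not accepted".
        [pscustomobject]@{ Requested = $Protocol; Negotiated = $null; Cipher = $null; Accepted = $false }
    } finally {
        $client.Close()
    }
}

# Each version the table lists, oldest first. An "Accepted" SSLv3 or TLS 1.0
# row is a finding to record; TLS 1.2 should be the only one that succeeds.
'Ssl3', 'Tls', 'Tls12' | ForEach-Object {
    Test-LdapsProtocol -Server $DomainController -Protocol $_
} | Format-Table -AutoSize

# msDS-SupportedEncryptionTypes is a bit field: RC4 = 4, AES128 = 8, AES256 = 16.
# An unset attribute means the account inherits the domain default, which on
# both services still includes RC4. Accounts with no AES bit set are listed.
Get-ADUser -Filter * -SearchBase $DelegatedOU -Properties msDS-SupportedEncryptionTypes |
    Where-Object { -not ($_.'msDS-SupportedEncryptionTypes' -band 24) } |
    Select-Object SamAccountName,
        @{ Name = 'EncTypes'; Expression = { $_.'msDS-SupportedEncryptionTypes' } }
```

For the accounts the second query returns, the customer-side fix is to set the encryption types explicitly (`Set-ADUser -Identity <name> -KerberosEncryptionType AES128,AES256`) on the objects in the delegated OU; the domain controller and NTLM rows of the table remain the vendor’s to change.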

Well folks, that sums it up. As you can see from both series as well as this summary post, the two vendors have taken very different approaches to providing the service. Personally I feel Amazon has a much stronger managed Windows AD service (not just because I work for them 🙂 ). I know from my time at Ignite last year that Microsoft is hard at work addressing many of the gaps. However, I think the deployment model they’ve chosen, retrofitting legacy capabilities onto a modern identity service, is going to greatly hinder the pace at which they are able to move. Only time will tell.

Until next time my fellow geeks!