AD DS and AAD Integration

There are a variety of ways to integrate on-premises Active Directory Domain Services (AD DS) deployments with Azure Active Directory (AAD). This chart shows three integration levels: None, Synchronized, and Synchronized and Federated. Higher levels of integration reduce account management effort and simplify sign-on by users but have higher technical requirements.

One free tier and three paid tiers of AAD are available. Most enterprises will want to use one of the paid tiers because of features such as user self-service password reset, multi-factor authentication, or a service level commitment of at least 99.9%.

The free Azure Active Directory Connect (AAD Connect) tool performs synchronization between AD DS and AAD. AAD Connect incorporates AAD Sync, the previous tool for performing directory synchronization. (Microsoft will stop supporting AAD Sync and DirSync, the tool that preceded it, in Apr. 2017.) Organizations can also use Microsoft Identity Manager 2016 (MIM) to perform AAD synchronization. (MIM uses AAD Connect internally to perform synchronization.) Windows Server AD Federation Services is required for federated authentication.