← All terms
Active Directory (AD)

What is Active Directory (AD)?

Active Directory is Microsoft's directory service for Windows domains, managing users, computers, and policies, and authenticating them with Kerberos and LDAP.

Last updated: 14 July 2026

How Active Directory works

Active Directory organizes an enterprise into domains served by domain controllers, servers that hold a replicated database of users, computers, groups, and policies. Domains can be grouped into trees and forests with trust relationships between them, and entries are arranged in organizational units that mirror company structure.

AD is more than a phone book. It authenticates users and machines using the Kerberos protocol (with NTLM as a legacy fallback), answers attribute and membership queries over LDAP, and enforces configuration through Group Policy, which lets administrators push security settings to thousands of Windows machines from one place. When a user logs into a domain-joined PC, it is AD that validates the credentials and issues the Kerberos tickets used to reach file shares, printers, and internal applications without further prompts.

Why Active Directory matters

For most established enterprises, AD is the identity backbone: decades of applications, file servers, and infrastructure assume its presence. That centrality also makes it the highest-value target in the network. Ransomware operators routinely aim for domain administrator privileges, because controlling AD means controlling every domain-joined system at once. Attack techniques such as Kerberoasting, pass-the-hash, and Golden Ticket forgery specifically abuse AD's mechanics.

AD's other challenge is scope. It was designed for on-premises Windows networks, not for SaaS applications, mobile devices, or contractors outside the domain. Modern protocols such as SAML, OIDC, and SCIM are not native to it, which is why nearly every organization now pairs AD with a cloud identity layer rather than replacing it outright.

Active Directory in practice

The dominant architecture today is hybrid: AD remains authoritative for domain-joined machines and legacy applications, while an identity platform synchronizes its users and groups and extends them to the cloud with SSO, MFA, and automated provisioning. This lets employees keep one identity whether they open a file share or a SaaS tool, and lets security teams put modern authentication in front of systems AD alone cannot protect.

Operationally, the priorities are protecting domain controllers, keeping privileged AD groups small and monitored, disabling legacy protocols like NTLMv1 where possible, and cleaning up stale computer and user objects. Monosign synchronizes users and groups from Active Directory and supports Kerberos-based integrated Windows authentication, so an existing AD investment plugs directly into modern SSO and MFA.

Frequently asked questions

What is the difference between Active Directory and Entra ID (Azure AD)?
Despite the shared branding, they are different products. Active Directory is the on-premises directory using Kerberos, LDAP, and Group Policy for domain-joined machines. Entra ID is a cloud identity service speaking SAML, OIDC, and SCIM for SaaS applications, with no organizational units or Group Policy. Many organizations run both, synchronized.
Can Active Directory do single sign-on for cloud applications?
Not by itself. AD provides seamless sign-on inside the Windows domain through Kerberos, but SaaS applications expect SAML or OpenID Connect, which AD does not speak natively. The standard approach is to put a federation-capable identity platform in front of AD that authenticates users against it and issues the modern tokens applications need.
Is Active Directory going away?
Not soon. Too many line-of-business applications, file services, and industrial systems depend on it. The realistic trajectory is a shrinking on-premises footprint: AD keeps serving legacy and domain-joined workloads while cloud identity takes over user-facing authentication, until the last AD-dependent systems are retired.