Integrating non-domain resources with Microsoft® Active Directory® (AD) can result in a mess of IAM solutions stacked on top of one another. The concept of securely connecting users to IT resources should be simple, but the outcome could result in ballooning costs and complexity in traditional AD environments. It’s important to not fall victim to scattershot decisions aimed at accommodating individual resources — rather, it’s about developing a comprehensive plan. So, before you commit to an AD integration strategy, check out this playbook.
Do You Even Need AD?
Many organizations assume they need AD because it’s the industry standard, but if you don’t already have it, then you have a great opportunity to avoid vendor lock-in. A modern, cloud IAM alternative could set you up with best-of-breed resources that fit your organization’s needs, rather than limiting you to the Windows® ecosystem.
If you can’t shift to the cloud completely, finding the best tool to integrate AD with all non-domain resources creates the flexibility needed to use the best solutions for the job. Either way, the days of selecting a product stack from a single vendor for the sake of administration are gone because a proper integration enables you to use tools from any vendor you see fit.
Keep in mind that, in some scenarios, it may make sense to replace AD instead of integrating it — this is especially true if your organization is making the move to a heterogeneous, cloud-forward environment. That leads to our next point.
Directory services operate as a foundational piece of infrastructure. It’s wise to choose a solution that doesn’t only work for you now, but that will also continue to serve the organization well for many years to come.
So ask yourself, “What does the future look like?” Do you want to get rid of all your on-prem equipment and go all cloud? Is this even a possibility for you? Do you want to employ remote workers? What is your stance on mixed-platform environments (e.g. Windows, Mac®, and Linux®)?
Understanding your long-term needs now is the first step to determining what types of solutions to use and which ones to discard. You don’t want to be back in this position a year from now and reconsidering your directory.
Look for Gaps
If you decide to keep AD, the first step in planning your AD Integration strategy is listing all the non-domain bound resources that you want to centralize control over. In other words, what resources in your environment are going unmanaged by AD? The most common answers are web apps, Macs, Linux servers, and cloud infrastructure.
Microsoft would like to push you toward Azure® AD to fill those needs. After all, it serves as an SSO provider to help you manage web applications. But what about Macs, Linux servers, and cloud infrastructure? Well, it’s important to remember that Azure AD was not designed as a replacement for on-prem AD — it works best when used in conjunction with AD. You’ll still need to route everything through AD to fully sync users with cloud and legacy resources, which means using identity bridges and device management tools for Mac and Linux because AD struggles to integrate with and manage these systems.
When it comes to cloud infrastructure, providers such as AWS®, GCP™, and Azure each have unique integration methods with AD. AWS uses AWS Managed AD Directory Services, GCP has Google Cloud Directory Sync (GCDS), and Azure uses Azure AD Connect. If you use any combination of these services, your integration work could take a significant amount of time, as some require additional on-prem equipment.
Finally, if you have remote workers, these users are often burdened with utilizing a VPN to authenticate against AD. That means they need to authenticate to the VPN and then to AD, which creates friction for end users. As a result, some organizations choose not to manage remote workers. But unmanaged systems present a security risk to organizations because IT admins have no way of knowing if the systems they’re using are safe. For example, are they patched or poorly configured? IT has no way of knowing.
Of course, all purchase decisions at some point come down to cost. Before we discuss the cost of integrating AD with other resources, let’s take a look at the basic components required to use AD so you can get an idea of the costs associated with it:
- Client Access Licenses (CALs)
Then there are the costs of the AD integration vendors themselves. These are now usually delivered “as-a-Service” and priced on a per user, per month or per device basis:
- RADIUS, VPNs, and network management
- Cloud directory services
These solutions represent just the beginning of your work. You also need to spend a significant amount of time integrating and getting these tools to work with AD. These labor costs can add up, especially when you think of all the tools that you’ll need to integrate.
Consolidate Where Possible
We’ve listed a variety of disparate tools above, but you introduce added complexity with every platform you integrate with Active Directory. Consider a solution that can perform your most critical aspects of identity management from the cloud.
ADI Playbook Final Thoughts
Understanding these basic questions can help you form a strong gameplan when it comes to Active Directory integration. After you answer the preceding questions, consider the JumpCloud® Directory-as-a-Service® AD Integration. It lets IT organizations use a single solution to integrate all their non-Windows resources with Active Directory including:
- Mac and Linux systems
- Cloud infrastructure (AWS, GCP, and Azure)
- SAML and LDAP apps
- WiFi networks and VPNs
JumpCloud extends AD to all of the above using cloud LDAP, cloud RADIUS, and SAML, without the need for additional on-prem servers. And then, with MFA built into the platform, you can apply it to the resources you’d like to layer additional security onto. It could be the only supplement to AD that your organization needs. For organizations without Active Directory, JumpCloud can also serve as a standalone directory service.
To try it for yourself, sign up for a free JumpCloud account. You can manage up to 10 users with it for free — forever. It’s a great way to test Active Directory Integration at zero risk to you.