Active Directory® (AD) is a legacy Microsoft® technology that’s been a mainstay in IT for decades. It has provided IT admins with a directory service that manages fleets of Windows® systems and users. AD has served as an indispensable tool for small businesses and managed services providers (MSPs), because it established access control over an entire workplace.
Widespread adoption of cloud-based apps and non-Windows endpoints like Android, macOS®, and Linux® began to raise the question of whether Active Directory was still the best option. Small businesses are judicious about adopting new technologies, and many weren’t convinced that adding “more stuff” was really necessary. AD modernization has become crucial for Zero Trust security strategies, which are used to protect businesses (of all sizes) from cyber threats. Attacks can adversely impact business operations and disrupt cash flow. In response, Microsoft is directing organizations that use AD to adopt its vertically integrated suite of services. It’s addressing AD’s functional and security problems by selling you more products.
That top-down approach may not be ideal for every organization, especially ones that have fewer resources on hand. A small business may ask whether it’s possible to modernize AD in another way that’s more flexible, centralized, and cost-effective, and that won’t distract from its mission. This article explores Microsoft’s options as well as JumpCloud’s open directory.
What you decide to adopt next could become what you end up using for the next 25 years. JumpCloud provides a path to modernize AD without locking you into a major commitment.
Directory Services for Small Businesses
Many business owners and IT people work from their smartphones. An unmanaged device that accesses company resources is a major security risk because CEO fraud and business email compromise (BEC) are cybercriminals’ favored method of attack. A cloud directory can help.
A centralized identity provider (IdP) includes unified endpoint management (UEM) to organize and secure all of a business’ IT assets, regardless of its size. This approach meets Microsoft’s criteria for IT modernization, which mirrors Zero Trust security objectives. It’s possible for a small business to modernize AD using an IdP, without getting rid of what it has.
IdPs can securely connect and authorize users into virtually any IT resource such as web apps, devices, or network hardware. Privileged access can be configured using technologies such as conditional access that add context to sign-ins. That may all sound good to an IT person at a small business, but it’s natural to question, “how much extra work will this create for me?”
In reality, modernizing AD reduces IT admins’ workloads by automating processes such as onboarding and offboarding users and streamlining entitlements management for your digital estate. IdPs can also integrate with HR systems to bring HR and IT closer together. That eliminates manual processes that, at the very least, can introduce mistakes and inefficiencies. In general, eliminating silos and point solutions that have been used to extend AD piecemeal will reduce management overhead and permit you to build a stronger relationship with your IdP.
Some organizations may still opt to do nothing and stick exclusively with AD. Let’s examine the impact to costs, productivity, and flexibility of that approach from a small business perspective.
Active Directory provides services that IT admins can employ to manage Windows systems housed within an organization. Of these, the most common are:
- Centralized identity and access management
- Password management
- Group policy objects (GPOs)
- LDAP/Kerberos support
However, AD struggles to effectively control and manage services outside the scope of Microsoft’s IT stack or that reside beyond the traditional office network. Unmanaged devices violate the principles of Zero Trust, which assume that any user or device can be risky and should be validated before it can access your resources. There are a few ways to deal with this.
IT admins and MSPs can add point solutions and add-ons to extend AD to disparate systems, but the increased cost, added management, and occasionally limited support leave a great deal to be desired by those managing infrastructure. Ultimately, this can lead admins to leverage additional third-party services and extensive licensing on top of other solutions to get AD to operate for modern infrastructure. The costs associated with implementing hardware, add-ons, monitoring, backups, data centers/on-prem servers — and the time associated with such extensive implementation — can be overwhelming and costly for small businesses.
Additionally, AD is still housed on-prem, requiring admins to maintain legacy hardware, as well as forcing them to add solutions to provide authentication and access for users on web-based applications and productivity suites like Google Workspace™ and Microsoft 365™ (M365).
Active Directory Is a Legacy Product
Microsoft no longer intends for AD to be a product that you can set up once and then forget about. Microsoft’s Cybersecurity Reference Architecture (MCRA) recommends using premium Entra ID (formerly Azure® Active Directory, or Azure AD) services for conditional access and Identity Protection in addition to Defender for Identity to detect and prevent unauthorized access. Existing on-prem add-ons for privileged access management (PAM) and advanced threat analytics are being retired in favor of cloud subscriptions for enhancements that will protect customers from AD’s security vulnerabilities that stem from its legacy architecture.
Brass tacks: you’re paying it to protect your business, i.e., your assets.
IT admins and their MSP partners at small businesses should consider utilizing a cloud directory service that modernizes AD and can be implemented without forcing admins into a security monoculture. Add-ons and services that small businesses can’t implement and support will increase IT management overhead and TCO without improving their security situation.
Active Directory made IT administration productive for Windows networks. IT professionals can easily maintain and control user access to IT infrastructure. However, AD struggles to maintain productivity for an IT admin wishing to leverage one directory service for a variety of systems and applications. Admins must set up additional infrastructure such as:
- A required AD FS server farm to authenticate into web apps using protocols like OIDC, SAML, and WS-Fed for single sign-on (SSO). A cloud IdP is necessary for a hybrid approach to modernization, and Microsoft pushes customers to use Entra ID.
- Modern authentication methods such as device native biometrics that require add-ons or cloud IdPs. Remember, devices are gateways into your resources, and it’s important to manage them all.
- The Network Policy Server (NPS) role that must be installed on a member server for RADIUS connectivity. Microsoft only offers cloud LDAP through Azure AD Domain Services, which is a subscription service that’s separate from Entra ID.
Microsoft introduced cloud-based Entra ID as a way for users to connect to external resources like M365 and Azure. This service was initially designed to be used in conjunction with on-prem AD, granting IT admins access to web applications previously hosted entirely apart from AD. It’s now an expansive platform for identity and access management that has enterprise features.
Entra’s enterprise architecture can hinder admin productivity and raise costs by introducing a patchwork of services that can be difficult for a small business to implement without a vendor. For example, Intune device management is a separate product interface. There’s a lot to learn and the learning curve can be steep, possibly requiring new hires. Microsoft recommends using a partner to set up Entra ID given the breadth and high rate of change of its cloud services.
Small businesses should consider adopting IdPs that offer one interface for their existing admins to work off of. This helps to maintain admin productivity while providing them with the tools that they need to protect endpoints and grant users access to cloud-based apps and services.
With innovation there must be flexibility. In the world of technology, innovation is ever-present, and people across the globe are enjoying the benefits of improvements within the computing and digital space. An IdP should offer small businesses:
- The right to retain freedom of choice and lower supply chain risks
- The freedom to enable teams to be more productive with the tools that are best for them
- The ability to increase agility/flexibility
- The potential for a small business to shop around beyond a single cloud
Unfortunately, AD struggles to remain flexible amid identity transformation, where identities are a new perimeter outside of your network. IT admins within small businesses, as well as MSPs, are forced to sacrifice a move toward modernization as a result. AD does not natively support Android, macOS systems, Linux machines, and web apps; admins may resort to implementing ad hoc security and services outside AD to keep their digital estates secure. That makes onboarding new IT hires more difficult and dramatically increases non-strategic work. IT people may find themselves distracted from their mission or behind on helpdesk requests.
Microsoft understands those drawbacks and offers a prescribed path for AD modernization that requires small businesses to buy into its vertically integrated suite of cloud services. The services that you need are typically bundled with other unrelated Microsoft products. That not-too-subtle push toward uniformity and a Microsoft monoculture can eliminate freedom of choice for employees who want to use best-of-breed solutions when they’re working. For example, Harvard Business Review found that 59% of employees feel that they’re being forced to use the wrong tools: “Collaboration tools are not aligned with how their teams prefer to work.”
Note: Using the same tools doesn’t help you to rise above your competitors.
JumpCloud Modernizes AD for Small Businesses
JumpCloud provides multiple configuration options for Active Directory Integration.
JumpCloud integrates with AD to manage identities and every endpoint, everywhere. Employees can access web apps and network resources using the most popular protocols. It also features phishing-resistant modern authentication to protect businesses from cyber threats.
You have options. JumpCloud acts as either the core identity provider or federates with other IdPs for device management. Think of it as identity-driven security that makes an admin’s life easier.
The JumpCloud platform provides modernizations for AD like SSO and MFA with passwordless authentication included. It also has optional conditional access, password management, remote assist, and cross-OS patch management to meet modern IT needs from a single console. A small business would typically have to juggle multiple invoices for those tools. There’s less to onboard as well as less training for your team, and you improve your security.
JumpCloud’s unified console centralizes user and system management and makes it possible for even a small team (or even a single admin) to make AD modernization happen. The best way to find out how is to try JumpCloud for yourself. You may sign up for a free trial to explore AD integration and access our premium 24×7 in-app chat support to help get you started. MSP partners are also available to help you to ramp up if internal resources aren’t readily available.
Note: JumpCloud understands small businesses. Our open directory platform is trusted by over 180,000 organizations, but our CEO and co-founder still acts like it’s a small business and takes the time to read actual customer emails.