Authenticating Linux Against Azure Active Directory

By Rajat Bhargava Posted May 16, 2019

Authenticating Linux machines using Azure Active Directory

The shift to Azure® Active Directory® (Azure AD or AAD) is underway in many IT organizations, but it is not without difficulty. A key challenge stemming from this shift has to do with how IT organizations manage users and systems. More specifically, many of the Linux® systems that organizations use are strewn across the web and hosted by the likes of Amazon Web Services® (AWS®) or Google Compute Engine™. IT organizations need a way to manage these cloud resources and their users. As a result, one of the first questions admins ask is if they can authenticate Linux against Azure Active Directory.

The Need to Authenticate Linux Systems and Associated Challenges

With the incredible popularity of Infrastructure-as-a-Service (IaaS) solutions like AWS and GCP, there is an obvious need to manage the users who utilize systems on those services. But, it isn’t just remote systems that need management. You may have some Linux machines on-prem either in desktop or laptop form. With Linux’s increasing popularity, the critical data inevitably stored on each endpoint needs securing. Unfortunately, configuring each system can be a manual task for IT admins. With more Linux machines in IT environments than ever before, manual management can represent a major time sink.

Another method that IT admins have implemented in an effort to automate Linux user and system management comes from popular automation tools like Chef, Ansible, Puppet, and Salt. These tools can help, but they require a fair amount of coding and expert-level knowledge to make them work properly. If you’ve got the people in place to do these tasks, then by all means go ahead with it. But, one thing to consider is that these automation tools fall outside the grasp of whatever identity and access management (IAM) platform you use, whether it’s on-prem Active Directory or OpenLDAP™ or a cloud-based IAM service like Azure Active Directory. This scenario leaves the door wide open for shadow IT and security vulnerabilities.

Azure AD Integration

While it is possible to integrate Azure AD with AWS and GCE for simply logging in to their web consoles, that integration may not make up for the limitations inherent to Azure AD alone, or even to Azure AD paired with an on-prem Active Directory implementation. As well, an Azure AD identity isn’t used to log in to a Windows or Linux system hosted at AWS or GCE. For example, Azure AD can work with Windows systems within Azure or Windows 10 systems remotely, but an Azure AD identity is largely limited to Azure.

In addition, with the exploding popularity of macOS®, Azure AD is not an option for authentication without the help of add-on solutions. So, you essentially need to be an all-Windows shop and Azure user in order to utilize Azure AD to its full potential.

But, we know that’s not how most IT organizations are set up. Each IT environment is different, and most are heterogeneous computing environments filled with Windows, Mac®, and Linux machines as well as remote systems. Authenticating those non-Windows on-prem systems is a major headache for Azure AD mainly because it is not natively possible. To get that functionality, you would need to pair Azure AD to an on-prem AD implementation, and then stack a bunch of add-ons (identity bridges, web application SSO platforms, privileged access management, 2FA solutions, and more) on top to make it all work. This scenario, of course, leads to increased cost and complexity.

More Than Systems

While Azure AD gives you the ability to manage users within the Azure platform as well as a number of software-as-a-service (SaaS) applications, that’s just one small portion of your overall IT environment. For example, with Azure AD you will not be able to authenticate user access to on-prem applications that authenticate through LDAP, networks (WiFi and VPN) via RADIUS, non @gmail G Suite accounts, on-prem file servers, etc. Also, Azure AD has no ability to enforce GPOs, so the systems that you can authenticate via Azure AD will not have security-minded system features like full disk encryption (FDE) enabled – at least not without buying more add-ons.

Cross Platform, Modern, and Vendor Neutral

So, if Azure AD leaves too many holes in your overall identity and access management strategy, what is a viable alternative? JumpCloud® Directory-as-a-Service® is a comprehensive directory services solution for the modern IT environment. With JumpCloud, you don’t need to worry about whether or not you should implement an on-prem AD instance to complement your Azure AD service so that you can manage both cloud and on-prem components. It works out of the box for both on-prem and cloud-based resources.

JumpCloud empowers admins to manage the systems and users in their environment, no matter if they’re leveraging a Windows, macOS, or Linux device. With SAML and LDAP protocols baked in, admins can create a single username and password combination for both legacy on-prem applications and modern web apps. That same username and password can also be utilized to access wired and WiFi networks, file servers on-prem and in the cloud, systems, Office 365™ and G Suite™, and many more resources. We call it True Single Sign-On™.

As a comprehensive directory, JumpCloud also has the ability to enforce cross-platform GPO-like policies—from the cloud. Now, you can ensure that your endpoints are protected with screen lock timers, automatic OS updates, and full disk encryption (for macOS and Windows). It’s user and system management all from one cloud-based, administrative pane of glass.

Learn More About JumpCloud

If you’re looking for more than just authenticating Linux against Azure Active Directory, give JumpCloud a try today for free. Your first 10 users are free forever. If you ever get stuck or need some assistance, contact us or visit our Knowledge Base.

Rajat Bhargava

Rajat Bhargava is co-founder and CEO of JumpCloud, the first Directory-as-a-Service (DaaS). JumpCloud securely connects and manages employees, their devices and IT applications. An MIT graduate with two decades of experience in industries including cloud, security, networking and IT, Rajat is an eight-time entrepreneur with five exits including two IPOs, three trade sales and three companies still private.