Azure® Active Directory® and Zero Trust Security

By Vince Lujan Posted April 13, 2019

Azure® Active Directory® (Azure AD) and Zero Trust Security are two of the hottest topics in the identity and access management (IAM) space in 2019. It makes sense. As IT admins start to embrace the Zero Trust Security model, there is a question around what identity provider (IdP) is most helpful. Given that identity management is at the center of Zero Trust, it is no wonder that IT admins are wondering if Azure AD and Zero Trust Security are a good match.

Prior to Zero Trust Security

Traditionally, IT admins have leveraged the on-prem Microsoft® Active Directory® (AD) platform for directory services and to create the Windows® domain. AD enabled IT admins to manage an on-prem network of Windows-based IT resources from one centralized location. Prior to the rise of the cloud, and subsequently the concept of Zero Trust Security, AD was effectively the only IdP required in most IT organizations. Of course, the introduction of cross-platform system environments, web and on-prem applications, physical and virtual file storage, and remote networks changed this Windows-centric, on-prem approach.

The shift to the cloud began in the early 2000s, with the release of web applications such as Salesforce® and Google Apps (now called G Suite). Then came the cloud infrastructure solutions from AWS® and GCP®. Such solutions were highly successful, and ultimately impacted Microsoft’s bottom line in a big way. In response, Microsoft created its own cloud-based productivity suite in Office 365, and then its own infrastructure-as-a-service (IaaS) offering with Azure. Microsoft then created Azure AD, which is a user management platform for Azure and a single sign-on (SSO) platform for various business applications.

However, while many IT admins believed that Azure AD would be the cloud version of the on-prem AD platform, the truth is that Azure AD is more of a complement to on-prem AD than anything else. This is demonstrated by the fact that Azure AD still requires on-prem AD to fully sync users and enable them to leverage both cloud and on-prem resources. Further, Azure AD shares many of the limitations of the traditional AD platform. Specifically, Azure AD is still primarily focused on Windows-based domains. That last point is especially troubling with respect to Zero Trust Security.

Azure AD and Zero Trust

Under a Zero Trust Security model, the concept of the domain is effectively eliminated. In other words, there is no internal network that is considered safe and an external Internet that is untrusted. Rather, as the name implies, everything is untrusted in a Zero Trust Security model. Thus, the domain-bound approach of both AD and now Azure AD runs counter to the Zero Trust Security methodology, because the Microsoft solutions work to establish trusted assets that need not authenticate at each point.

To add fuel to the fire, a centralized IAM strategy is effectively required to implement a Zero Trust Security model successfully. Yet the Windows-centric approach of Microsoft solutions basically forces IT organizations to decentralize their identity management approach. For example, admins in disparate IT environments often must purchase and implement directory extensions for macOS® and Linux®, SSO solutions for web applications, privileged identity management (PIM) for AWS and GCP, and more if they hope to manage the breadth of modern networks via AD. Microsoft even requires that you purchase and implement Azure AD Connect just to connect AD and Azure AD. All of these are sold separately.

Zero Trust Identity Provider

Rather than trying to leverage a patchwork of identity management solutions to force-fit a Zero Trust Security initiative into a legacy environment, what IT organizations really need is an IdP that was designed for Zero Trust. This solution, of course, would enable IT admins to authenticate all of their users and IT resources individually and continuously. It would also be delivered from the cloud and provide centralized IAM functionality, thus enhancing both security and convenience. Fortunately, this is achievable with JumpCloud® Directory-as-a-Service®. The JumpCloud platform is effectively Active Directory reimagined for the cloud era.

Sign up for a free account to see how the Directory-as-a-Service platform can support your Zero Trust Security initiative. Contact JumpCloud to learn more about Azure Active Directory and Zero Trust Security, and how the Directory-as-a-Service platform can play the role of an Azure AD and AD alternative.

Vince Lujan

Vince is a writer and videographer at JumpCloud. Originally from a small village just outside of Albuquerque, he now calls Boulder home. When Vince is not developing content for JumpCloud, he can usually be found doing creek stuff.