As more IT organizations shift their identity management infrastructure to the cloud, the competition for SaaS identity management solutions is intensifying. In the web application single sign-on (SSO) landscape, it is often Azure Active Directory (Azure AD or AAD) versus Okta.
In fact, Microsoft and Okta have a bit of history with each other, with strong words and accusations going back and forth over the years. Interestingly, while both compete in the Identity-as-a-Service (IDaaS) or web app SSO market, they both also heavily rely on Microsoft Active Directory to function at a high-level.
While they may be competitors where they overlap in web app SSO and multi-factor authentication (MFA or 2FA), they largely diverge down different paths beyond this similarity. After the head-to-head competition in web application single sign-on and 2FA, they are separate tools that serve different needs for IT administrators. Today, we will compare and contrast Azure AD to Okta and explore where their intense competition lies.
Azure AD: Think Active Directory Extension, Not Replacement
Many IT organizations are initially confused by their similar names and believe that Azure Active Directory is the cloud-based directory services replacement for Active Directory, but this is not the case. Active Directory is still hosted on-premises, while Azure AD is designed to be the cloud-based user management system for Azure infrastructure in the cloud and web applications.
This is demonstrated by the fact that Azure AD doesn’t really have the capability out-of-the-box to authenticate users to on-prem or remote systems including Windows® (sans Windows 10), Mac® and Linux® machines, cloud infrastructure hosted at AWS® or GCP™ (Google Cloud Platform), on-prem network resources (VPNs, WiFi), on-prem Samba-based file servers, and generally anything else that operates outside of the Microsoft Azure ecosystem (outside of web apps).
The primary role for Azure AD is to be the user authentication infrastructure for Azure, Microsoft’s cloud computing service that competes with AWS and GCP, Microsoft 365, and a web single sign-on solution. It is highly tailored for Windows servers and Windows-based infrastructures hosted in Azure, with Microsoft’s goal to shift their customer’s infrastructure from on-prem into their data center (Azure). Microsoft is using this heavily to compete against AWS, to stem the exodus of Windows server workloads away from them.
This means that, while Azure Active Directory may be a significant stride towards a cloud-based user management system, it still ties organizations to Microsoft; even Microsoft’s own reference architecture requires AD on-prem (and the bridge technology Azure AD Connect) for AAD to manage on-prem resources and non-Windows 10 systems.
As a result, most organizations use an on-prem Active Directory instance to manage their on-prem infrastructure, while still managing an additional identity solution (Azure AD) for their Azure cloud infrastructure. These two connect together using yet another solution from Microsoft called Azure AD Connect.
Don’t Forget About Okta
Falling under the broad identity and access management (IAM) realm and more specifically IDaaS, web app SSO solutions are at the forefront of IT admins’ minds with the migration to the cloud. Okta, which went public in 2017, was one of the first cloud-based web application SSO solutions on the market. Web app SSO solutions, commonly referred to as first generation Identity-as-a-Service (IDaaS) platforms, are popular due to the wide use of web applications such as Slack, GitHub, Salesforce, and thousands of others.
While Okta is a leading web application SSO platform, according to Okta it is paired with a core on-prem identity provider, which historically has been Active Directory, over 95% of the time. While this multi-product approach may work, it certainly creates challenges, including high cost. It also creates a strange dynamic for Okta where they compete with Microsoft with respect to AAD, yet work together in IT organizations where Okta and Active Directory are present. It’s no wonder that Okta considers Microsoft their most significant competitor and that when they are in accounts they try to lock them up with long-term deals so that customers can’t easily switch.
Where Solutions Intersect
Now that we understand that Azure AD provides user management for Azure, M365, and SSO to select web apps and Okta is primarily a web app SSO provider, we can investigate where these two point solutions collide.
The overlap between the two is due to the fact that Azure AD, unlike Active Directory, has built in web application SSO capabilities and multi-factor authentication. In fact, Azure Active Directory rivals strong web app SSO providers like Okta in the marketplace, and has caused Google to take them on with their own SSO solution, Google Cloud Identity management solution (not to mention that Amazon has recently gotten into the web app SSO game, too).
Of course, the reasons behind the interest from Microsoft, Google, and Amazon isn’t to dominate the SSO market, but rather to hold organizations captive with their identities and ultimately use that leverage to sell them other services. Once an identity has been locked inside of Azure AD or Google Workspace, it is harder for the customer to get it out to use non-Microsoft or non-Google solutions, so customers end up defaulting to more Microsoft / Google solutions, which was the overall intent from those organizations anyway.
Okta’s SSO is their primary focus, so it makes sense that IT admins compare Azure AD and Okta, although Azure AD’s services extend beyond SSO. As many IT admins realize quickly, Azure AD and Okta are only pieces of the overall identity management puzzle that they are trying to solve. For example, how do organizations control access to macOS and Linux systems, on-prem applications, on-prem VPN and WiFi networks, and more with solely AAD or Okta as their identity management platform?
With the desire to move to cloud identity management, the place where IT admins need to start is finding a replacement for Active Directory, or a core-identity provider in the cloud. The identity provider serves as the core platform from which IT organizations build out their IAM approach. Both AAD and Okta struggle as the core IdP, although both are willing to try. Azure AD will link your identities to Windows 10 devices in order to hook you in, while Okta will downplay the importance of devices, because after-all the world runs on web applications, right?
However, organizations should start with the foundation first. Once the foundation is set with a cloud directory, it can make sense to consider a web app SSO solution, or depending upon the organization’s needs, it may not be necessary. A strong, open foundation will ensure that an organization can connect their users to whatever they may need whether that is a macOS device, an AWS Linux server, or an on-prem Samba file server. That flexibility is most critical when considering the right overall identity management approach.
A Modern Approach With JumpCloud Directory Platform
We reinvented the approach to the cloud directory service. This cloud identity management platform integrates web app SSO and multi-factor authentication with securely managing users’ access to systems, web applications, WiFi and VPN networks, legacy applications, as well as cloud or on-prem files—all using one cloud directory. In fact, the JumpCloud Directory Platform is built using Zero Trust Security principles, so you can leverage those concepts for secure, frictionless access to IT resources.
The result is that you don’t need to consider add-on solutions such as Azure AD or Okta (or even system management solutions / MDMs such as Intune, as well). Of course, JumpCloud integrates tightly with either AAD or Google Workspace so that you can provision / deprovision access to these critical productivity platforms. Further, JumpCloud is an all-in-one access control and device management platform from the cloud, but for virtually any type of resource.
To learn more, sign up for a JumpCloud Free account to learn about how JumpCloud replaces web app SSO and Active Directory altogether. Your first 10 users and 10 systems are free. For questions as you proceed, hit our in-app chat 24×7 within the first 10 days and our Customer Success Engineers will help.