By Cassa Niedringhaus Posted January 9, 2020
Microsoft® Azure® is an umbrella for a variety of cloud services, including Azure Active Directory (Azure AD or AAD). On its face, Azure AD might seem like a replacement for on-prem AD or a cloud-based solution for organizations in need of a directory service, but more factors come into play for IT admins making purchasing decisions. Let’s explore the total cost of ownership of Azure AD.
Cost of Azure Active Directory
Azure AD extends on-prem Active Directory identities to Azure, where it handles user management and access control, and to web applications through single sign-on (SSO). Azure AD is sold in four subscription tiers. The base tier is free with an Azure subscription, because Azure AD is the underlying identity layer that controls user access to Azure itself.
However, the free tier doesn't include identity and access management for Office 365TM applications, SSO for more than 10 applications per user, or the other premium IAM (identity and access management) features found in the paid tiers.
Beyond that, Azure AD can't really serve on its own as a directory service for organizations that do not already have an AD instance. Without on-prem AD, administrative capabilities are limited: there is no equivalent of the group policy objects (GPOs) that AD applies to domain-joined Windows devices, and authenticating on-prem resources such as applications and file servers becomes difficult.
In order to fully leverage Azure AD, Microsoft's reference architecture calls for an array of Microsoft-based tools. Connecting Azure AD identities to non-Microsoft IT resources requires still more solutions.
The important thing to note is that using Azure AD steers you toward Azure throughout your environment. Azure AD, like AD, encourages the use of Microsoft infrastructure and services. This strategy has worked for Microsoft in the past, and the company is applying it again to lock customers into its services.
To fully assess the TCO of Azure AD, we'll explore various other tangential but necessary costs. These include Azure Active Directory Domain Services, which you'll need if you run Azure-hosted systems or applications that depend on a domain, and more.
We’ve also developed an equation to help you understand the TCO of Azure AD, which we’ll cover in more detail below:
Costs of Azure Active Directory = Azure AD Premium Package + Azure AD DS + Active Directory + Add-Ons for Mac and Linux + LDAP Server + RADIUS Server + Integration/Management Time
Cost of Azure Active Directory Domain Services
Azure Active Directory Domain Services is billed as a domain controller-as-a-service for virtual machines and legacy applications that depend on domain join, Kerberos/NTLM authentication, or LDAP. It's charged by the hour, with the price tier determined by the number of directory objects.
Per Microsoft, “Azure AD DS provides a managed domain for your users, applications, and services to consume. This approach changes some of the available management tasks you can do, and what privileges you have within the managed domain.”
Azure AD DS differs from on-prem AD in a number of ways: there are no domain administrator or enterprise administrator privileges in the managed domain, and you cannot add your own domain controllers, on-prem or otherwise, to it.
If you use Azure AD and Azure AD DS in conjunction with on-prem AD — which is necessary if you want full AD capabilities — you’ll have to factor in the associated costs for that as well.
Cost of Active Directory
Active Directory represents a number of costs for organizations, including servers, software, and licensing.
Servers: Domain Controllers
If you use Azure AD with on-prem AD, servers are an obvious cost. You either need to maintain a server room or spin up AD in a virtual environment, both of which must factor into the TCO of Azure AD. You need to budget for redundant domain controllers, too, since a single domain controller is a single point of failure for authentication.
Software: Windows Server
Beyond the cost of the servers themselves, you'll need Windows Server licenses for them. Since Windows Server 2016, licensing has been per physical CPU core rather than per socketed CPU, and core licenses are sold in 2-core and 16-core packs.
Licensing: Client Access Licenses
Another important cost to consider is client access licenses (CALs), which are purchased either per user or per device that accesses the server.
Add-Ons: Mac, Linux, and Other Non-Microsoft Resources
If you're using Azure AD in an environment with Mac® and/or Linux® machines, you'll likely need a third-party tool for central user and system management of those machines. If you have AD on-prem, you may be able to bind Mac and Linux machines to the domain for authentication, but without central user management or GPO-like capabilities for those platforms it will be a struggle.
If you aren't hosting all your server infrastructure in Azure, you'll also need to budget for managing user access to other cloud infrastructure providers like AWS® and GCP. Some of these platforms offer their own managed Active Directory services, which you can potentially leverage, but you'll need to make sure they connect back to your other AD infrastructure and/or to Azure. None of this work is easy, and it can add a great deal of fragility to your IAM environment.
Azure AD itself does not expose an LDAP interface (secure LDAP is available only through Azure AD DS), so if you have applications that require LDAP, you'll need to maintain an LDAP server and service those on-prem LDAP applications yourself.
Azure AD DS allows organizations to migrate legacy applications to Azure entirely, but that service is an additional cost, and migrating the applications themselves is not an easy task in most instances.
Azure AD does not come with cloud RADIUS functionality either. To control WiFi and VPN access, an important security control, you'll need to spin up a RADIUS server on-prem or in a virtual machine.
Evaluating Azure Active Directory
In conclusion, Azure AD might be the solution for a Microsoft shop that already has AD established and needs to extend its IT resource management to the cloud. However, organizations should assess their existing stack and whether Azure AD will address all their needs before making the purchase, since it may fulfill only some of them.
Beyond Azure AD, organizations will likely need to purchase Azure AD DS and maintain Azure AD Connect (along with their on-prem AD instance), as well as RADIUS and LDAP instances and other add-ons to extend AD to Mac and Linux systems, each of which is a separate cost. Azure AD is not an all-in-one solution, but it does meet certain use cases.
If you’d like to learn about other directory options in the cloud age, consider reading our resource “What is an Open Directory?” next.