Can I Replace Active Directory with Entra ID? No, Here’s Why.

Written by David Worthington on May 29, 2023

Updated on April 22, 2024

It’s very common for IT admins to ask, “Can I replace Microsoft Active Directory with Entra ID?” That’s especially true when the bulk of modern IT environments reside in or are migrating to the cloud. Microsoft even offers incentives to migrate your core directory to its latest services. However, Entra ID on its own isn’t a replacement for AD, and the services you’d require to achieve parity may not be the optimal stack for your organization. Choosing to consolidate with Microsoft has downstream impacts that affect your organization’s budget, security, and freedom of choice.

This article outlines how AD and Entra differ and what options organizations have for modernization as they make the transition away from AD as their sole directory. For instance, Google and JumpCloud have joined together to offer an alternative solution. Many organizations find themselves at this inflection point and may not realize that Microsoft doesn’t have to remain central to identity and device management. In essence, migrating to Entra is adopting a different platform from AD, not upgrading AD; it just happens to be Microsoft’s path to retain its AD customers.

Let’s begin by examining what Entra is, and why it’s not a direct replacement for AD.

Entra ID vs. Active Directory: What’s the Difference

Microsoft’s Entra ID is a cloud directory that underpins Microsoft 365 (M365) subscription services. It’s used to configure access to software as a service (SaaS) and on-premises applications, and it’s a requirement to access productivity, IT management, and security services. Entra ID has different subscription levels (Free, P1, and P2) that gate off its capabilities; certain Microsoft services and features have dependencies on the Premium tiers.

Those include Intune for endpoint management (Conditional Access on device compliance requires P1) and hybrid features such as password writeback for synced AD users, which sit on top of the Entra Connect and Cloud Sync components that synchronize AD instances with Entra ID. Protocols that on-prem workloads still depend on, such as LDAP, Kerberos, NTLM, and RADIUS, aren’t served by Entra ID itself: they require either a hybrid setup with AD or the separately licensed Entra Domain Services managed domain (which covers LDAP, Kerberos, and NTLM, but not RADIUS).

Major differences will quickly become evident to admins. Familiar concepts such as GPOs are replaced by Intune configuration profiles and compliance policies (Intune was formerly branded Microsoft Endpoint Manager), which again is a separate service. Organizational units are replaced by administrative units, which scope delegated administration rather than policy, and nested groups are only partially supported (nested memberships aren’t expanded for application assignment, for example). Cloud directories have a flat model in which permissions are assigned to individual groups and users, either explicitly or implicitly through automations that leverage user attributes, such as dynamic membership rules.
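The difference in how the two models express authorization, as an added PowerShell example that is not code from the original article or from Microsoft or JumpCloud: the first half resolves effective membership in AD, which is only knowable by recursively expanding nested groups, and the second half creates an Entra ID group whose membership is computed from user attributes. It assumes the RSAT ActiveDirectory module on a domain-joined host and the Microsoft.Graph PowerShell SDK; the group names, the sample user jdoe, and the membership rule are illustrative.

```powershell
# Added example, not code from the original article, Microsoft, or JumpCloud.
# Assumes: RSAT ActiveDirectory module on a domain-joined host, and the
# Microsoft.Graph PowerShell SDK. Group names, user 'jdoe' and the rule are illustrative.

Import-Module ActiveDirectory

# --- Active Directory: a hierarchy. Effective membership comes from nested groups,
#     so the real set of principals behind a group is only visible recursively.
Get-ADGroupMember -Identity 'FileShare-Finance-RW' -Recursive |
    Select-Object SamAccountName, objectClass

# Every group a user belongs to transitively (what ends up in the Kerberos token),
# using the LDAP_MATCHING_RULE_IN_CHAIN matching rule. The DN is assumed to contain
# no LDAP filter metacharacters; escape '(' ')' '*' '\' if yours does.
$userDn = (Get-ADUser -Identity 'jdoe').DistinguishedName
Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$userDn)" |
    Select-Object Name, GroupScope

# --- Entra ID: a flat model. Membership is computed from user attributes by a
#     dynamic membership rule; no OU placement or nesting is involved.
#     (Dynamic groups need an Entra ID P1 license.)
Connect-MgGraph -Scopes 'Group.ReadWrite.All'
$rule = '(user.department -eq "Finance") and (user.accountEnabled -eq true)'
$group = New-MgGroup -DisplayName 'Finance-Staff' -MailNickname 'finance-staff' `
    -MailEnabled:$false -SecurityEnabled `
    -GroupTypes @('DynamicMembership') -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# The flattened membership, for comparison with the recursive AD query above.
Get-MgGroupTransitiveMember -GroupId $group.Id -All |
    Select-Object -ExpandProperty Id
```

The practical consequence for access reviews: in AD you must walk the nesting to know who really holds a permission, whereas in Entra ID the question becomes whether the attribute feeding the rule (here, department) is trustworthy, since whoever can write that attribute can grant the membership.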

Its access control model is built around securing individual resources with identity, device, and session signals (Conditional Access) rather than the network-perimeter model AD enforces. As such, Entra ID uses different protocols (OAuth 2.0, OpenID Connect, and SAML for web sign-in, rather than Kerberos, NTLM, and LDAP) and more modern means of authentication and authorization, and it’s central to Microsoft’s architecture.

AD and Entra ID Aren’t the Same Thing

Microsoft won’t add modern identity and access management (IAM) features to AD. It remains an on-prem directory that enables IT departments to create and manage user accounts, create and enforce security policies, and control access to resources on corporate networks.

Ultimately, Entra ID works differently and uses different technologies. It’s a separate platform that can lock customers into a new Microsoft ecosystem. Significantly, new technologies that Microsoft created to modernize and secure AD aren’t available without it, and it’s rarely purchased alone.

Note: Learn more about how Microsoft’s access models have changed, specifically, and why Active Directory modernization is imminent.

A Microsoft-Centric Model

Microsoft’s path to a modernized cloud architecture can be unwieldy and expensive: admins can be confronted with complex licensing schemes, lack of choice, and difficult implementations.

Cost

The permutations of products and challenges of migrating from Active Directory to the cloud have given rise to a cottage industry of consultants for implementation and planning. The breadth of configurations and options may be fitting for enterprises that have considerable resources to support deployments. Understand that one price doesn’t mean “integrated.”

An IT team may feel as if it’s consolidating its infrastructure with Entra ID, but it’s really just shifting from one multi-product solution to another. Each component of M365 has its own sprawl of challenges and complexities, as well as operational, support, and security considerations. 

Costs will increase when small and medium-sized enterprises (SMEs) are pulled deeper into the Azure platform and require interoperability with directories that fall outside of the Microsoft ecosystem. For example, SMEs may have to pay more for Entra ID Governance SKU licenses when working with external collaborators.

It’s easy to end up with significant resources allocated to configuration, deployment, and training for many of Microsoft’s products. The larger an organization gets, the more it matters. This can become unmanageable and lead to unexpected burdens on IT departments.

Security

Security and costs go hand-in-hand in this new ecosystem. Microsoft has been accused of monetizing AD’s legacy status and security flaws. Entra ID is the entryway into an identity monoculture where detecting and preventing lateral movement by attackers requires many services. These services are recommended in Microsoft’s reference architecture, but aren’t included in base subscriptions:

  • Entra ID Premium 2 (P2) includes Identity Protection to detect, investigate, and remediate identity-based risks. It’s considered essential for hybrid AD deployments.
  • Intune to manage your endpoints, including Windows provisioning and management.
  • Defender for Identity monitors domain controllers for reconnaissance and lateral movement through the Microsoft stack. Standalone AD is exposed to privilege escalation when unpatched (or zero-day) vulnerabilities or misconfigurations are exploited to bypass its controls.
    • Defender for Identity won’t work to its full potential without Microsoft Defender for Endpoint, meaning you’ll also be using Microsoft for endpoint protection and antivirus.
  • Defender for Servers is recommended if you host AD in AWS or GCP.
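The misconfigurations the list above alludes to can be audited without any Defender product. The following is an added PowerShell example, not code from the original article or from Microsoft or JumpCloud; it assumes the RSAT ActiveDirectory module on a domain-joined host with ordinary read access to the directory, and checks for three well-known conditions that attackers use for credential theft and privilege escalation in a standalone AD.

```powershell
# Added example, not code from the original article, Microsoft, or JumpCloud.
# Assumes: RSAT ActiveDirectory module on a domain-joined host; any authenticated
# domain user can read the attributes queried here.

Import-Module ActiveDirectory

# 1. Kerberoasting: any domain user can request a service ticket for a user account
#    that carries an SPN and crack it offline. Privileged ones (adminCount = 1)
#    with old passwords are the worst case.
Get-ADUser -LDAPFilter '(&(objectCategory=person)(servicePrincipalName=*))' `
    -Properties servicePrincipalName, adminCount, PasswordLastSet |
    Select-Object SamAccountName, adminCount, PasswordLastSet,
        @{ n = 'SPN'; e = { $_.servicePrincipalName -join ';' } }

# 2. AS-REP roasting: accounts that do not require Kerberos pre-authentication
#    hand out crackable material to anyone who asks.
Get-ADUser -Filter { DoesNotRequirePreAuth -eq $true } `
    -Properties DoesNotRequirePreAuth, adminCount |
    Select-Object SamAccountName, Enabled, adminCount

# 3. Unconstrained delegation: a host trusted for delegation caches the TGT of every
#    principal that authenticates to it. Domain controllers (primary group RID 516)
#    are expected; anything else is a lateral-movement foothold.
Get-ADComputer -Filter { TrustedForDelegation -eq $true -and PrimaryGroupID -ne 516 } `
    -Properties TrustedForDelegation, OperatingSystem |
    Select-Object Name, OperatingSystem
Get-ADUser -Filter { TrustedForDelegation -eq $true } |
    Select-Object SamAccountName, Enabled
```

Hits on the first two checks for accounts with adminCount set are the ones to fix first: move SPN accounts to group managed service accounts or long random passwords, and re-enable pre-authentication. Any non-DC result from the third check should be moved to constrained or resource-based delegation.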

Considering that it’s not even possible to abide by Microsoft’s best practices for Entra without subscribing to Premium tiers, and additional products beyond that, Entra ID may be a major mismatch for SMEs that have straightforward needs.

Freedom of Choice

Entra ID’s Premium SKUs are rarely purchased a la carte. There’s a financial incentive to pay for bundles of services and to get unified endpoint management with Intune. In the case of M365, you don’t always get to select the best-of-breed solutions that users want. 

The deeper you go, the harder it is to change, and with breakneck technological innovation you should ask yourself what your organization could be missing out on in the next few years by being locked in. 

Can You Replace Active Directory With Entra ID?

The short answer is no. Depending on your subscription level and on requirements that may obligate you to select a hybrid deployment between AD and Entra, Entra is not a replacement for Active Directory on its own. Entra ID (originally Azure Active Directory) was built to connect users with Microsoft 365 and Azure services, providing a simpler alternative to Active Directory Federation Services (AD FS) for SSO. As noted above, it evolved into a springboard to new subscription services. Microsoft now charges for PC management capabilities that on-prem AD once provided without the need for a cloud directory.

Why Entra ID Can’t Replace AD Outright

The on-prem directory binds a Microsoft network together. Microsoft would open up the door to potential customer loss by providing a way for customers to start over from scratch with a cloud directory. Instead, it directs SMEs to cloud services that broaden the breadth and depth of its existing product families and upsell established customers.

Think of Entra ID as a user management platform for the Azure cloud platform, along with basic web application SSO capabilities. Entra falls short at managing on-prem systems and non-Windows endpoints, and at providing access to network resources, unless it’s integrated with a domain controller or add-on services. It’s not a complete solution like AD was intended to be.

For example, cross-OS endpoints can’t be managed without also subscribing to Microsoft Intune. It’s possible to utilize Intune for a domainless enterprise, though many organizations are still compelled to have a hybrid environment for full compatibility with AD or AD FS.

JumpCloud: Extend or Replace Entra ID (formerly Azure Active Directory)

JumpCloud realizes that every organization has different requirements. AD shops that modernize AD with JumpCloud benefit from SSO, simplified Zero Trust security, and cross-OS system management, and can adopt features on a workflow basis (not only the entire platform). Organizations that don’t require on-prem systems can go further and adopt a domainless architecture, saving on infrastructure, management, and rising CAL licensing costs.

JumpCloud enables admins to have seamless management of users with efficient control over systems (Mac, Windows, and Linux), wired or Wi-Fi networks (via RADIUS), virtual and physical storage (Samba, NAS, Box), cloud and on-prem applications (through SAML, OIDC, RESTful APIs, and LDAP), and more. Automated group memberships pull relevant user attributes from other identity providers (IdPs) or human resources systems, simplifying identity lifecycle management. 

Environment-wide push/TOTP MFA is available for each protocol and for every resource with the option to deploy phishing-resistant modern authentication using JumpCloud Go™.

JumpCloud can also integrate with Entra, Google Workspace, or Okta to create an open directory platform for an organization. JumpCloud’s open directory platform is interoperable and frees its users to adopt the IT stack of their choosing from best-of-breed services. It’s a workflow-friendly platform with a modern cloud architecture to automate entitlement management.

Note: What is JumpCloud’s Active Directory Integration?

System Management

Identities are assigned to devices without additional subscriptions. JumpCloud provides enterprise mobility management (EMM) for Android, mobile device management (MDM) for iOS/iPadOS, as well as endpoint management for Linux and Windows. Zero-touch onboarding is available for Apple devices. Admins deploy GPO-like policies such as full disk encryption.

The CLI of each OS is accessible, at root, to deploy custom commands and policies that fall outside of JumpCloud’s point-and-click catalog of policy templates. The agents collect system telemetry and make it possible for admins to provide users with options for remote assistance.

The platform also serves IT management and security needs with security add-ons, including:

JumpCloud and Google

Google provides optionality to SMEs to select the directory that works best for them. JumpCloud and Google partnered to bring access control, identity, and device management to organizations that use Workspace or are seeking an alternative to M365. JumpCloud includes a free, pre-built cloud directory sync that makes it possible for admins to automate lifecycle and provisioning for Workspace users. 

Unifying identity and device management will enable your organization to reduce costs, improve operational efficiencies, strengthen cybersecurity, support workplace and digital transformation, and reduce the pressure on IT admins and security teams.

Try JumpCloud for Free

JumpCloud helps SMEs to improve security, save on licensing, reduce headcount, and save time and effort by unifying identities and devices using a single platform that functions as a secure gateway to resources. Try JumpCloud for free and find out if it’s the right option for your organization’s move to the cloud. You can also use our guided simulations and see for yourself.

David Worthington

I'm the JumpCloud Champion for Product, Security. JumpCloud and Microsoft certified, security analyst, a one-time tech journalist, and former IT director.
