Can you replace Microsoft Active Directory with Azure Active Directory? This is a very common question for IT professionals. With almost all of the IT environment moving to the cloud, there are a number of incentives to move the core directory service to the cloud too. Unfortunately, Microsoft’s path to the cloud can be unwieldy, expensive, and difficult to comprehend. It’s also heavily focused on Windows as its first-class citizen and on the Microsoft ecosystem at large.
It all starts with Azure Active Directory (AAD), Microsoft’s foray into cloud-based directory services. It’s reasonable to think that it would have all the capabilities of Active Directory® (AD), as the name implies, but the truth is more complicated than that – even before Microsoft’s licensing factors in.
Replace AD with Azure AD?
Can Azure AD actually be the complete replacement for AD that admins are looking for? Unfortunately, the short answer to that question is no. Azure AD is not a replacement for Active Directory. AAD was originally intended to connect users with Microsoft 365 services, providing a simpler alternative to Active Directory Federation Services (ADFS) for single sign-on (SSO). It has since evolved into a springboard to new subscription services that target enterprise customers and charge for capabilities that on-prem AD provided at no additional cost.
AAD also lacks support for key authentication protocols including LDAP and RADIUS. It does provide a common identity for Azure, Intune, M365, and other Microsoft cloud products, which permits SSO and multi-factor authentication (MFA) within the Microsoft ecosystem. However, costs start to rise when small and medium-sized enterprises (SMEs) seek to move beyond the Microsoft stack; cross-domain SSO and MFA are gated behind paid tiers of AAD.
Think of AAD as Microsoft’s approach to migrate Windows shops to a multi-tiered portfolio of Azure AD device management, identity, compliance, and security products that cater to large enterprises. Microsoft has devised complex gated licensing schemes for those services. Nothing is straightforward. The permutations of cloud products from Microsoft and challenges of migrating from Active Directory to the cloud have led to a cottage industry of consultancies. This is due to the breadth of configurations, and resulting complexity, that many enterprise use cases require.
You don’t have to take our word for it though, check out what a Microsoft representative said on this Spiceworks post:
Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller or a directory in the cloud that will provide the exact same capabilities with AD. It actually provides many more capabilities in a different way.
That’s why there is no actual “migration” path from Active Directory to Azure Active Directory. You can synchronize your on-premises directories (Active Directory or other) to Azure Active Directory but not migrate your computer accounts, group policies, OU etc.
As you can see here Azure Active Directory is an identity and access management solution for hybrid or cloud-only implementations. It can extend the reach of your on-premises identities to any SaaS application hosted in any cloud. It can provide secure remote access to on-premises applications that you want to publish to external users. It can be the center of your cross-organization collaboration by providing access for your partners to your resources. It provides identity management to your consumer-facing application by using social identity providers. Cloud app discovery, Multi-Factor Authentication, protection of your identities in the cloud, reporting of Sign-ins from possibly infected devices, leaked credentials report, user behavioral analysis are a few additional things that we couldn’t even imagine with the traditional Active Directory on-premises.
Even the recently announced Azure Active Directory Domain Services are not a usual DC as a service that you could use to replicate your existing Active Directory implementation to the cloud. It is a stand-alone service that can offer domain services to your Azure VMs and your directory-aware applications if you decide to move them to Azure infrastructure services, but with no replication to any other on-premises or cloud (in a VM) domain controller.
If you want to migrate your domain controllers to the cloud to use them for traditional tasks, you could deploy domain controllers in Azure Virtual Machines and replicate via VPN.
So to conclude, if you would like to extend the reach of your identities to the cloud you can start by synchronizing your Active Directory to Azure AD.
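The quoted reply draws the line between what Azure AD Connect synchronizes (identities) and what stays on-prem (computer accounts, group policies, OUs). The following PowerShell inventory is an added example, not part of the Spiceworks reply and not JumpCloud's own tooling; it puts a domain's objects into those two buckets so a team can size the hybrid footprint it would keep. It assumes a domain-joined admin workstation with the RSAT ActiveDirectory and GroupPolicy modules, and the function name Get-AdSyncInventory is this example's own.

```powershell
# Added example (not from the JumpCloud post or the quoted Spiceworks reply).
# Splits an on-prem AD domain into objects Azure AD Connect can synchronize
# (users, groups) and objects that remain domain-only (computer accounts,
# OUs, Group Policy Objects). Requires the RSAT ActiveDirectory and
# GroupPolicy modules and read access to the domain.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-AdSyncInventory {
    [CmdletBinding()]
    param(
        # Optional search base; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $users     = Get-ADUser -Filter * -SearchBase $SearchBase -Properties Enabled
    $groups    = Get-ADGroup -Filter * -SearchBase $SearchBase
    $computers = Get-ADComputer -Filter * -SearchBase $SearchBase -Properties OperatingSystem
    $ous       = Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase -Properties LinkedGroupPolicyObjects
    $gpos      = Get-GPO -All

    # Computer objects whose OS string is present and not Windows: these are the
    # Mac/Linux machines that a sync-only approach leaves without management.
    $nonWindows = $computers | Where-Object {
        $_.OperatingSystem -and $_.OperatingSystem -notmatch 'Windows'
    }

    [pscustomobject]@{
        # Identity objects: what Azure AD Connect synchronizes.
        SyncableUsers       = @($users  | Where-Object { $_.Enabled }).Count
        DisabledUsers       = @($users  | Where-Object { -not $_.Enabled }).Count
        SyncableGroups      = @($groups).Count
        # Domain-only objects: the quoted reply notes these do not migrate.
        ComputerAccounts    = @($computers).Count
        NonWindowsComputers = @($nonWindows).Count
        OrganizationalUnits = @($ous).Count
        GroupPolicyObjects  = @($gpos).Count
        OUsWithLinkedGPOs   = @($ous | Where-Object { $_.LinkedGroupPolicyObjects.Count -gt 0 }).Count
    }
}

# Usage: print the inventory for the current domain.
Get-AdSyncInventory | Format-List
```

The counts in the second half of the object are the parts of the environment that a synchronization-only move to Azure AD leaves exactly where they are; a non-zero GroupPolicyObjects or OUsWithLinkedGPOs value is the quickest indicator that a domain controller, or a replacement for its policy role, stays in the picture.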
Why Azure AD Can’t Replace AD Outright
When you step back and think about Microsoft’s identity and access management strategy, it makes sense that you can’t replace AD with Azure AD. From a business perspective, Active Directory already has more market share than just about any solution they offer.
The on-prem directory acts as a tie that binds a Microsoft network together. By providing a way for customers to shift to a cloud directory service, Microsoft would open up the door to potential customer loss. Instead, it directs SMBs to cloud services that broaden the breadth and depth of its product families. However, these are intended to service enterprise customers and can be difficult to deploy and learn.
Beyond the business perspective, there are also the technical capabilities to consider. Think of Azure AD as a user management platform for the Azure cloud platform, along with basic web application SSO capabilities. Where Azure AD falls short is that it doesn’t manage on-prem systems or resources without being integrated with a domain controller or add-on services for Windows.
For example, on-prem Windows (except for Windows 10), Mac, and Linux systems can’t be controlled for user access or systems management without subscribing to Microsoft Intune or Microsoft Endpoint Manager (MEM). Intune has limited functionality for Macs (without more MEM subscriptions) and, at present, has limited Linux support. Windows support is extensive, including Autopilot onboarding.
Further, non-Microsoft solutions such as AWS and Google Workspace are outside of the scope of provisioning as well. There are a lot of resources that users need that can’t be touched by Azure alone, without adding additional subscriptions.
While it’s possible to utilize Intune for a domainless enterprise, many organizations are still compelled to have a hybrid environment for full compatibility with AD or ADFS. Microsoft’s reference architecture (diagram below) prescribes both AD and AAD in an environment.
JumpCloud: Extend or Replace Azure Active Directory
Every environment has different requirements and constraints that can make cloud migration more challenging. Some shops are locked into the Microsoft stack and would benefit from SSO, simplified Zero Trust security, and cross-OS system management that AAD + Intune don’t provide or charge too much for. Other organizations aren’t tied to legacy on-prem systems and can adopt a domainless architecture, saving on infrastructure, management, and rising CAL licensing costs. JumpCloud makes it possible to do either, or anything in between, for individual SMEs or through a multi-tenant portal for MSPs to consolidate tools and deliver value at scale.
JumpCloud’s open directory platform can serve as a cloud replacement to AD. JumpCloud enables admins to have seamless management of users with efficient control over systems (Mac, Windows, and Linux), wired or Wi-Fi networks (via RADIUS), virtual and physical storage (Samba, NAS, Box), cloud and on-prem applications (through SAML, OIDC, RESTful APIs, and LDAP), local and cloud servers (AWS, GCE), and more. Automated group memberships, that pull relevant user attributes from other IdPs or HRIS systems, assist with identity lifecycle management. Environment-wide push/TOTP MFA is implemented for each protocol for free.
Your identities can be assigned to trusted devices. JumpCloud provides cloud-based device management for iOS/iPadOS, Linux, and Windows. Android support is forthcoming. Zero-touch onboarding is available for Apple devices. With MDM and the Windows agent, IT teams can leverage GPO-like policies such as full disk encryption. The CLI of each OS is accessible, at root, to deploy custom commands and policies that fall outside of JumpCloud’s point-and-click catalog of policies.
The platform services IT management and security needs with security add-ons, including:
- Cross-OS patch management
- Pre-built conditional access policies to secure high value credentials
- Cloud Insights for AWS
JumpCloud can also integrate seamlessly with Azure AD, Google Workspace, or Okta to create one core identity provider for an organization. It is truly the cloud-forward directory that is built for the modern IT environment. JumpCloud’s open directory platform is interoperable and frees its users to adopt the IT stack of their choosing from best-of-breed services.
Open Directory Platform
The JumpCloud platform does not need to fully own and manage an identity. It consumes identities from different sources to orchestrate access and authorization to resources. This simplifies IT management for SMEs by addressing access control and security challenges that arise from having siloed apps and heterogeneous device endpoints outside of a corporate network. For instance, Microsoft doesn’t interoperate with Google Workspace, so IT professionals would otherwise have to seek alternatives for Identity and Access Control (IAC) and device management. Unfortunately, most other alternatives aren’t an integrated solution.
JumpCloud makes it possible for trusted devices to securely access resources across domains.
Delegated authentication is another option for access control. IT can configure AAD credentials to be used for RADIUS authentication into Wi-Fi networks with JumpCloud. There’s no domain controller or third-party service required.
JumpCloud helps SMEs to improve security, save on licensing, reduce headcount, and save time and effort by consolidating orchestration into a single, open directory that serves as an identity broker. The JumpCloud platform also works with Okta identities to provide RADIUS and LDAP access control, SSO, and system management for your device endpoints.
Try JumpCloud for Free
Want to learn more about how you can replace Active Directory with JumpCloud? It’s as simple as signing up for the JumpCloud Free account. Every free account covers 10 users and 10 devices, with no credit card info required. This is the perfect opportunity for you to try out the entire platform, including all of our premium functionality, and see exactly how it works for yourself. Need more tailored, white-glove implementation assistance? Schedule a free 30-minute technical consultation to learn about the service offerings available to you.
The JumpCloud community is always open for peer discussions about any IT topic.