The Truth About Most Active Directory Extensions, Add-Ons, & Identity Bridges

Written by Mike Ranellone on March 2, 2020


Now that many business-critical operations have migrated to the cloud and Mac and Linux systems are common in the workplace, a relatively new category of IT solution has emerged out of necessity.

Active Directory (AD) extensions, sometimes referred to as AD add-ons or identity bridges, do the work of connecting Active Directory identities to cloud infrastructure, SaaS apps, networks, non-Windows systems, and/or other modern IT resources that AD struggles to support. 

Many organizations actually use multiple solutions in tandem to connect different individual resources back to AD. Ideally, the right combination would replicate the secure, centralized identity management experience once afforded by the on-prem Windows Server® domain. 

Common Types of AD Extensions 

Some of the IT solutions we think of as AD extensions include:

  • SSO providers 
  • Mac management suites 
  • G Suite and Office 365 integrations
  • User management solutions for AWS and other cloud infrastructure platforms 
  • Remote employee management software
  • Password and SSH key management tools 
  • Products that automate user provisioning and access control 
  • Multi-factor authentication (MFA/2FA), full disk encryption, and other security tools
  • System reporting apps for troubleshooting, security, and compliance 

With modern environments that require most or all of the above services, the process of adopting and configuring the right AD extensions can get complicated quickly. 

The Problem: Comparing One AD Identity Bridge to Another 

For organizations trying to choose between AD extension products, the problem is that these solutions rarely — if ever — actually offer comparable functionality. Some were built to handle SSO elegantly, but can’t pull off GPO-like system management for Mac, Windows, and Linux machines.

Some keep cloud infrastructure access neatly in order, but do nothing for the rest of your environment. Still others work pretty well if you intend to stay a Windows-centric shop forever, but wouldn’t it be nice to manage Mac devices, like those rogue MacBooks on the graphic design team, with the same product that locks the USB ports on your ThinkPads?

One-Way vs. Two-Way Syncing

Usually, when people talk about extending AD identities, they’re talking about a one-way sync between AD and the newly connected resource.

A basic identity bridge lets the resource authenticate against the AD database, but few solutions offer a deeper, directory-level integration or the kind of bidirectional sync that would, for example, let a Mac user change their own device password and securely write that change back to AD.

Remote AD User Management

Taking that concept of a true bidirectional sync a step further, a more comprehensive AD extension could even fully envelop your AD instance, allowing secure AD user provisioning and attribute modification remotely from the cloud. 

The Right Combination of AD Extensions

When evaluating AD extensions and comparing their pricing structures, it’s important to identify the areas where they overlap in order to avoid paying for redundant functionality. It’s equally important to identify gaps that may require you to combine multiple solutions for comprehensive access control across your entire environment. Depending on your organization’s unique requirements, it can be difficult to find the right combination of tools. 

Why Extend Active Directory in the First Place?

With the above considerations in mind, many IT teams are starting to wonder whether Active Directory still belongs at the core of IT. If the legacy, on-prem directory service requires so many add-ons to function in a modern environment, is it really worth the associated hardware and licensing costs?

Still, there are a number of reasons why an organization may prefer to keep and extend Active Directory rather than opting to replace it altogether. 

Complexity & Depth of AD Usage 

Admins who have mastered AD’s nuances and kept it organized and updated will likely see value in keeping it. Many of these seasoned AD admins have developed strong PowerShell scripting chops, using the command-line interface to automate directory management tasks and customize their environments.

Others who manage highly complex instances, perhaps at larger organizations, will note that the process of replacing AD would be like ripping the engine out of a car while it’s speeding down the highway. 

Budgeting & Existing Investments 

Financial obligations factor in as well. If you’ve recently paid to upgrade your Windows Server license and the hardware it runs on, if you’re locked into another related contract, or if your organization’s budget is fixed for the time being, migration to a totally new directory service may not be ideal.  

For organizations that need to keep AD for the foreseeable future, extending its capabilities with the right combination of add-ons can be a necessary approach. One AD extension could help smooth out a merger or acquisition, securely bridging AD identities to remote offices without additional domain controllers. Another could give users a seamless single sign-on experience for their SaaS apps, reducing the temptation to use insecure or shared passwords. Other solutions could fill in for AD to manage Mac and Linux systems, extending GPO-like policy management to these machines. 

But what if, instead of a patchwork of products that each cover one or two areas of IAM, a single, cost-effective solution could integrate deeply with AD, extending user identities and system policy management to virtually all IT resources on-prem and in the cloud? 

A Single, Consolidated AD Extension 

Because JumpCloud® Directory-as-a-Service® was built to stand on its own as a cloud-hosted core directory in place of AD, it’s also naturally suited to function as the ultimate AD extension. JumpCloud’s deep, directory-level AD Integration lets users securely access their Mac, Windows, and Linux systems, SaaS apps, cloud infrastructure, file servers, networks, and more — all with their AD credentials. It even lets admins remotely manage AD identities, provisioning, modifying, and deprovisioning AD users entirely from the JumpCloud web console.

With JumpCloud, you get a full spectrum of cloud-hosted identity and access management solutions instead of just one or two. Interested in learning more? Try JumpCloud completely free, with full functionality to manage your first 10 users and systems. 

Mike Ranellone

Mike is a writer at JumpCloud who's especially interested in the changing role of tech in society. He cut his teeth in the ad agency world and holds an M.F.A. in creative writing from the University of Colorado-Boulder and a B.A. in English and music from St. Lawrence University in Canton, NY. Outside of JumpCloud, he's an avid skier, cellist, and poet.
