Microsoft is making a steady push in identity and mobile device management with an expanding array of cloud services. Many organizations, especially managed service providers (MSPs), are considering Azure Active Directory (AAD) with Intune™ for access control and unified endpoint management. It’s primarily focused on supporting the Microsoft ecosystem with add-on options to support other platforms and increase security for enterprises. In order to integrate into existing on-premises Windows domains, however, complex connectors are required.
JumpCloud takes a different approach through its open directory platform, which can consume identities from multiple providers, through several protocols, to enable frictionless access into different resources. The platform is engineered to follow Zero Trust security principles and automate the user identity lifecycle. The open directory makes it possible for small and medium-sized enterprises (SMEs) and Managed Service Providers (MSPs) alike to provision the best resources, from any vendor, to get work done. It also provides add-ons for deeper system management and security considerations. Microsoft and JumpCloud both provide cloud-based IT management tools for identity management and device management. This article examines how they compare and the best fit for each platform.
What Is Azure AD?
AAD was created for the express purpose of extending Microsoft’s presence into the cloud. It connects users with Microsoft 365 services, providing a simpler alternative to Active Directory Federation Services (ADFS) for single sign-on (SSO). There’s similar nomenclature, but it doesn’t replace all the features of Active Directory and lacks support for key authentication protocols including LDAP and RADIUS. It provides a common identity for Azure, Intune, M365, and other Microsoft cloud products, which permits SSO and multi-factor authentication (MFA) within the Microsoft ecosystem. Cross-domain SSO and MFA are gated behind paid tiers of AAD, once a defined number of integrations per user is surpassed.
Microsoft has a structured gated licensing model with trial subscriptions and a free tier of AAD with some restrictions. For example, there are limits on stored objects and the number of apps a single user can access with SSO and group management with role-based access control (RBAC) costs extra. Microsoft also charges for MFA for external identities, per authentication. AAD’s features, which include a few time-limited trial services when users sign up, are listed on its website.
It also serves as Microsoft’s approach to a multi-tiered portfolio of identity, compliance, device management, and security products. The permutations of accompanying cloud products from Microsoft and challenges of migrating from Active Directory to the cloud have given rise to a cottage industry of consultants. This is due to the breadth of configurations, and resulting complexity, that many enterprise use cases require. However, some organizations may benefit from this approach. Integrations with other paid Microsoft services are possible such as Microsoft Intune Premium Suite, Microsoft 365, automations for management tasks, and reuse of ADMX templates from Windows 10/11.
What Is Intune?
Microsoft’s latest offering is Microsoft Intune Premium Suite. It functions as a mobile device management (MDM) solution to administer features and settings for iOS®/iPadOS®, Android®, and Windows. While it extends to macOS and Linux, it’s historically been less focused on non-Windows platforms. Microsoft is updating its services and is increasing what’s possible on other platforms. For instance, Intune supports custom/templated profiles for macOS, compliance policies, shell scripts, Apple Business Manager (ABM), and user/device enrollment options. Linux support has rolled out slowly and is focusing on compliance policies. Microsoft Edge is obligatory to utilize some of its features, such as conditional access policies for privileged users.
However, Intune bolsters Microsoft products such as Edge and Configuration Manager as first-class citizens. Windows administrators will be familiar with aspects of how it works, such as ADMX templates. Intune is most robust when it is used to manage Windows systems that are hybrid AD-joined, in combination with other services and security solutions. Separate license requirements and costs may impact what services can integrate with Intune.
What is Configuration Manager?
The following provides a quick primer on Configuration Manager:
- Cloud-based MDM to control features and settings; isolation of corporate data
- The Intune admin center offers status updates and alerts as well as device configuration and other administrative settings
- Connectors for Active Directory and certificate-based authentication
- ADMX templates to deploy Windows policies and benchmark group policies and Graph API for scripting, with appropriate licensing in place.
- Integration with AAD, Windows (Win32) LoB apps, and other Microsoft-centric services
- Application deployment and user assignments
- Compliance settings creation and the ability to lock down services with granular conditional access rules based upon group Intuneberships, location, device state, and triggers for specific application access rules (Note: Additional Microsoft products are necessary to protect identities as well as to monitor and control cloud application sessions such as Enterprise Mobility + Security E5)
- Reporting on apps, device compliance, operations, security, and users
- Device-only subscriptions for single-use devices such as kiosks
- Remote support is available as a premium add-on to Intune; unlimited federated identity, which provides SSO and MFA environment-wide requires a higher tier of AAD; and Microsoft offers pre-built connectors and SCIM synchronization through its paid SSO SKU.
What’s possible with Intune is somewhat dependent upon what other Microsoft services are being licensed (standalone or bundled), knowledge of Microsoft’s administrative tools, and how invested an organization can become in the Microsoft ecosystem. Intune is a broad product family, and it’s possible to achieve advanced enterprise-level compliance and security by spending more for additional services.
What Is JumpCloud?
JumpCloud is an open directory platform for SMEs and their MSP partners that includes zero trust identity and access control (IAM), cross-OS device management, and more. It simplifies the orchestration of identity management and access control throughout the vendor and open source landscape. Supported platforms include Linux, macOS, iOS/iPad OS, and Windows. Android support is forthcoming. JumpCloud is cloud-based and can be deployed for a domainless enterprise, without the need for AD or AAD, or extend your existing domains with a more straightforward deployment.
JumpCloud is tailored to the needs of SMEs. Some of its core features include:
- An intuitive user interface and dashboard that makes IT admins more productive and highlights issues that require immediate attention.
- The capacity to integrate with AAD and Google identities, with delegated authentication available for RADIUS using AAD credentials.
- Unlimited, True SSO that delivers SAML, OIDC, and password-based authentication for any web application, as well as SCIM and RESTful support to manage user onboarding/authorization to third party applications. JumpCloud provides ready-to-consume connectors for many popular services.
- Push and TOTP MFA everywhere, including RADIUS and LDAP connections.
- Built-in MDM, without extra costs; isolation of corporate data.
- Application install and management on remote systems.
- Integrated remote assistance with Remote Assist, free of charge.
- Integrations with popular HRIS systems for rapid user onboarding and provisioning.
- Zero-touch enrollment and deployment for Apple devices.
- Automated group memberships that leverage attribute-based access control (ABAC) to modernize the user identity lifecycle and enhance security. This provides entitlement management maturity beyond what’s possible with legacy access control paradigms. In contrast, Microsoft’s RBAC is more labor intensive with higher management overhead.
- Cross-OS policies and root-level CLI interfaces for centralized IT management and commands.
- A streamlined dashboard for IT teams and technicians
- Reporting for Device Insights, Directory Insights, and Cloud Insights for AWS.
- A cloud-based LDAP directory with available Active Directory sync tools.
Even more IT management and security essentials are serviced by the following add-on products:
- Pre-built conditional access capabilities that restrict access by location, whether a device is being managed by JumpCloud, and to enforce MFA for specific groups of users
- JumpCloud Patch Management
- Decentralized password manager that integrates with the directory platform
Comparing JumpCloud to Azure AD with Intune
AAD and Intune have some overlap with JumpCloud on a feature-by-feature basis, and it makes sense for organizations to evaluate all of their cloud-based identity and system management options. Put simply, the comparison between JumpCloud and Azure AD with Intune is really about adaptability versus maintaining the status quo and vendor lock-in.
The open directory platform solves the challenges faced by modern IT professionals versus simply extending an existing ecosystem into the cloud.
The greatest difference lies in Microsoft engineering its products for the enterprise in service of the Windows ecosystem, tooling, and its accompanying cloud services. There’s deep integrations with Microsoft products and specialized services that mostly benefit larger organizations. If you have an all-Windows® network, and are already implementing Azure with Active Directory® on-premises, then Azure AD and Intune could be the right addition for your organization. Using tools created by Microsoft in a Windows environment simply makes sense. Mobile-heavy organizations may also benefit from using Intune’s mobile device management capabilities to manage other operating systems.
JumpCloud is intended for the specific needs of the SME market, as evidenced by how its features are packaged and implemented for ease of use. It was created to address the constraints that arise when a legacy on-prem directory is modified for a new era in computing (that crosses domains). The open directory platform solves the challenges faced by modern IT professionals versus simply extending an existing ecosystem into the cloud.
It also securely connects users to more resources, without the need for additional servers or add-ons. If your organization has AWS, macOS®, Linux®, Okta®, Google Workspaces™, and other non-Windows platforms as core parts of the infrastructure, then you will benefit by choosing JumpCloud’s open directory platform. Organizations can choose the vendors that are best suited for users both now and in the future.
Ease of Use
JumpCloud is simpler and more accessible, with a more intuitive UI and pricing breakdown that’s based on use cases versus features. A common complaint is that Microsoft’s interface changes frequently and causes confusion. That’s a consequence of product bundling and frequent product family/branding changes. Other issues involve functions such as zero-touch deployments being limited to Windows devices. This Reddit thread captures numerous user-reported usability problems. Those include:
- Unpredictable time spent importing provisioning of devices, assigning profiles, and deploying apps. Microsoft’d default polling interval for policy refreshes is 8 hours.
- Simple mistakes can cause actions to fail, such as a Registry key requirement rule filtering out devices
- Problems with assigning available licenses to new users
- Configuration changes taking a long time to go into effect
- Debugging events and sync logs requiring additional third-party tooling
- Loss of internet connectivity causing Windows Autopilot to fail
“Testing any feature takes days to weeks because I go “hmm what does this do? changes setting 3 hours later huh, still no change…” – Reddit User
Centralized Policy Management
A key component of Active Directory is a feature known as Group Policy Objects (GPOs). GPOs allow IT admins to control the behavior of Windows systems in their environment with great precision. The key here is that Microsoft’s GPOs only work for Windows systems and are not applicable in the cloud via Azure AD, and with the recent rise of Mac® and Linux® systems in the workplace, that’s a problem. Microsoft has extended policies to other devices through Intune, which extends Windows administrative methodologies, software, and tooling elsewhere.
JumpCloud offers GPO-like policies for all three major platforms — Windows, Linux, and macOS® — as well as cloud-based resources. IT admins are able to remotely disable virtual assistants, enforce full disk encryption (FDE), and configure system updates with just a few clicks. When a prescribed policy isn’t going to get the job done, JumpCloud enables IT admins to create and execute their own commands and scripts on all three platforms. JumpCloud also provides optional policies for cross-OS patching.
Open Directory Platform
The JumpCloud platform does not need to fully own an identity to manage it. Rather, it can consume identities from different sources and sits in the middle to orchestrate access and authorization to resources. This simplifies IT management for SMEs by addressing the access control and security challenges stemming from having identities exist in silos. Essentially, it becomes SSO to everything.
For instance, Microsoft doesn’t interoperate with Google Workspace, so IT professionals must tackle authorizing and orchestrating those users between different products. An Azure AD user also won’t be able to use RADIUS to access Wi-Fi without a domain controller or third-party service. SMEs can dramatically improve security as well as save on licensing, headcount, time, and effort by consolidating orchestration into a single directory (that sits in the middle).
Mobile Device Management Capabilities
Intune and JumpCloud have MDM services for managing BYOD and BYOC devices, but the respective value propositions diverge when organizations are cost conscious, have limited resources, or must support heterogeneous environments.
Microsoft delivers cross-platform support, but Windows is the favored tenant with the capacity for zero-touch onboarding that would benefit Microsoft shops. JumpCloud is easier to adopt, learn, and works better with Mac and Linux systems. The open directory platform also adds additional value for MDM users to import user identities from non-Microsoft platforms to centrally manage or utilize them all.
Android, Apple, and Linux Devices
Intune has Mac and iOS/iPadOS support for the supervision of Apple devices through user login, device enrollment/deployment, configuration management, patch policies, and software distribution. It’s also offering services to manage Android devices and Linux. Microsoft’s full offering requires AAD, Intune, and an understanding of its Windows templates and tooling. It also has extended requirements for other Microsoft products such as Edge to be able to manage Linux users, limiting customer choice.
JumpCloud’s Apple and Linux MDM capabilities are extensive, beginning with a pre-built collection of policies, configuration options, security functions, and culminating in zero-touch device enrollment. MDM is immediately available as a core feature of the platform, and cross-OS patching is available as an add-on service. JumpCloud supports the most popular Linux distros and doesn’t impose any mandates to use a specific browser.
Affordability and Implementation
With consideration to Microsoft’s extensive stack requirements and gated licensing, JumpCloud’s bundled MDM is more affordable and user-friendly. It’s also easier for IT teams and MSP technicians to learn and manage.
Configuring Intune is a long and complex process. Intune software deployment and polling works on Microsoft’s schedule, creating management “unknowns.” The workflow is as follows: upload an MSI, create a package, apply it to a machine … and it will install at some point. This procedure, coupled with a confusing interface, creates a learning curve. Organizations save on costs as a business/MSP by choosing a tool that’s easier to use. Jumpcloud offers more immediate actions for commands and policies.
Microsoft has devised an extensive cloud services productive portfolio in service of its enterprise customers. It’s a stepwise architecture that enlists adjunct services to build out a broad stack. The Microsoft ecosystem is as broad and comprehensive as a Microsoft shop needs it to be.
JumpCloud is specifically designed for what SMEs need, and sheds the complexity of Microsoft’s ecosystem. It offers far more functionality through one solution that can be bolstered by a mobile-specific MDM, rather than purchasing the entire Microsoft IT stack and everything else required for modern offices to manage users. Organizations that adopt JumpCloud for MDM are more likely to value heterogeneous device management and benefit from its platform approach. Namely, MDM users will obtain greater value by using more of the open directory platform.
Microsoft 365 and Google Workspace Sync
With Microsoft 365™/Google Workspace sync, organizations can access either productivity platform at will with JumpCloud credentials. The open directory platform imports attributes that decorate users with entitlements, streamlining admin workflows, increasing the accuracy of user profiles, and delivering smooth onboarding. IT admins can also manage groups in Workspaces, and the ability to import groups from AAD is launching soon.
When evaluating which identity management provider is right for you, you also want to consider your non-system needs. For instance, if you are interested in LDAP, RADIUS, Samba, SSH, and other protocol support, you might consider JumpCloud’s protocol-level hosted services. JumpCloud also implemented MFA for its LDAP and RADIUS services, which is significant when highly regulated industries like cyber insurance companies require MFA to be enabled for network devices. Otherwise, additional servers and services may be needed to be compliant.
Another core issue for MSPs and IT organizations is vendor lock-in. Microsoft is financially motivated to keep you on the Windows and Azure platform track, which includes its ecosystem of administrative tools and templates. Often, you need a number of additional Microsoft tools on the Azure AD and Intune path. Most organizations with AAD also use AD on-prem, AAD Connect, AAD DS, and other third-party tools to create a holistic IAM and device management approach. That’s a deep investment in budget, training, and dependency on Microsoft.
Intune belongs to an evolving family of IAM products that have undergone multiple re-namings and repackaging. Growing with Intune means licensing Intune as well as other complementary services for security and system analytics. Note that the selections are in flux, making direct comparisons with alternatives more challenging. Buying Intune sinks organizations deeper into the Microsoft stack, which limits their ability to purchase solutions outside the Microsoft domain and customize their stack for their needs. It also introduces some unpredictability in budgeting.
JumpCloud’s open directory platform allows for greater flexibility and shopping around for services, such as adding best of breed XDR integration from Crowdstrike or Sentinel One to secure identities and endpoints, versus a monolithic supply chain from Microsoft.
Total Cost of Ownership
Microsoft’s legacy requirements frequently mandate a hybrid infrastructure configuration. A hybrid infrastructure adds complexity, and complexity correlates to bigger budgets. Managing and licensing your physical servers is expensive (people, hardware, facilities, maintenance, and utilities), and the increase to your potential cyberattack surface area are all factors to consider. These factors combined raise the total cost of ownership for AAD.
A common refrain is that “Microsoft stuff works well together.” In practice, transitioning on-premises Microsoft solutions to the cloud isn’t always straightforward. For example, AD groups don’t all automatically sync over to AAD. This writer recently spoke with an Intune administrator who recounted how his organization, which is invested in Microsoft, was experiencing difficulty transitioning to AAD and Intune from ADFS and Active Directory.
In this example, consultants were brought in to set up Intune. The consultants attempted to turn on “full blown AAD” for the environment. That decision resulted in downstream problems with Virtual Desktop Infrastructure (VDI), because only persistent virtual machines (where every user’s personal desktop settings are set for each virtual desktop) are supported in on-premises ADFS. This scenario may seem arcane, but it illustrates that even migrating to Microsoft’s latest and greatest services isn’t always straightforward. Microsoft has a multitude of legacy components for SSO that tie back to AD, which introduces difficulties that are unique to its ecosystem.
The Intune administrator summed it up perfectly: “I need to focus all my time [elsewhere] but can’t because I get pulled in every direction [due to the complexity of Microsoft’s ecosystem].” Simply put, if your infrastructure’s a mess, everything’s a mess … and costs more than is necessary. The more an organization sinks into Microsoft, the less flexibility it has to go elsewhere.
Cost of ownership is a key differentiator between AAD + Intune and JumpCloud. AAD is initially a great value — if you’re a heavy user of the Microsoft stack — but costs mount as use increases and third-party services and non-Windows devices are added to your infrastructure. Navigating Microsoft’s complex gated licensing scheme is another driver of rising subscription costs.
For example, organizations that are considering M365, which can bundle Intune, must assess the differences of all 30 license variations. Some consultants even specialize in demystifying Microsoft’s licensing options. Basic tiers are only the price of admission. There are additional costs involved simply to obtain a few fundamental capabilities such as federated identity in AAD to securely access resources outside of Microsoft’s stack using SSO. That’s the real-world starting point for modern IT, even before Intune or other subscriptions factor in.
Consuming external identities also costs more. Microsoft introduced a separate product family called Entra, which is its solution for decentralized identity, identity verification, and entitlement management. Entra extends Microsoft’s strategy to monetize interoperability that is focused on the enterprise market and the sale of adjacent services. In contrast, JumpCloud’s foundation supports expanding capacity to accept and incorporate other identities into workflows.
IT Infrastructure Consolidation
IT tool sprawl is just one of the many unintended consequences of today’s remote-first workforce. Adopting a consolidated stack is beneficial to avoid overlapping feature sets from many different software products. A Microsoft shop may not need to look elsewhere to meet compliance, IAM, IT management, and highly advanced security requirements with its stack (assuming they have the budget). However, there are downsides.
Smaller organizations may find themselves overextended by the breadth and complexity of Microsoft’s components and services that form its hybrid architecture. Buying, operating, and supporting a datacenter is just the start. It’s very likely that IT teams will have to employ external resources to assist with AAD + Intune implementations. Those decisions involve a substantial and costly long-term commitment.
Azure works best if organizations are fully incorporated into a Microsoft tech stack environment, but not outside of Microsoft’s cloud infrastructure (i.e., it can’t be used to manage non-Windows servers hosted in Amazon or Google clouds).
JumpCloud’s open directory platform enables IT teams to assemble a stack of best-of-breed solutions that are secure, on managed devices, and available through the identity provider of their choosing. Optional products assist with security, IT hygiene, and password management without extensive management overhead or mandates to deploy them successfully.
What’s Best for Your Shop?
If you are locked in to Microsoft solutions, or if you have corporate-owned iOS and Android mobile devices, then Azure solutions may be an acceptable fit. However, its platforms are intended for the enterprise and extend broadly through gated licensing. Alternatively, if you are an SME that’s invested in other non-Windows platforms and non-Microsoft services and identities, and wish to (or see a path to) consolidate IT resources, then you should consider JumpCloud’s open directory platform. A third option is to use both to obtain the greatest value for your organization.
JumpCloud centralizes user and system management, regardless of platform or where identities reside. This includes our Multi-Tenant Portal (MTP), designed specifically for MSPs to manage multiple client organizations from one pane of glass. JumpCloud offers cross-platform GPO-like capabilities to manage fleets of systems with policies, including local admin system controls, full disk encryption with FileVault 2 and Bitlocker, screen lock regulations, and more. Apple MDM capabilities are available for macOS machines, for machines to execute security functions and distribute configuration policies.
For MSPs, consolidation gives you the chance to proactively manage and monitor your clients’ tech with fewer providers. It decreases your monthly expenditures without sacrificing efficiency or usability, and frees you up to spend more time helping your clients reach their goals. IT consolidation has many benefits for MSPs and their clients, including cost savings, a streamlined user (and management) experience, and an increase in client trust.
The Choice Is Yours
However you choose, all options present benefits to an organization. To learn more about JumpCloud versus Azure AD with Intune, contact us or join our community to engage your peers in conversation.
As always, signing up for the JumpCloud platform is completely free, and includes 10 users and systems to get you started. The best way to learn is by doing. You also get 10 days of premium 24×7 in-app chat support. Sometimes self-service doesn’t get you everything you need. If that’s how you’re feeling, schedule a 30-minute consultation to discuss options for implementation assistance, migration services, custom scripting, and more.