The Hidden Costs of Choosing Microsoft Active Directory

Choosing the most cost-effective directory services solution means understanding your requirements. Modern directory solutions will manage your digital estate across every device type and resource, using stronger authentication methods than were previously available. Standalone Microsoft Active Directory (AD) is firmly baked into many organizations’ IT infrastructures, but it doesn’t accomplish those objectives. 

AD is a legacy technology that must be secured in order to function for the foreseeable future. 

Microsoft’s prescribed approach to AD modernization entails combining AD with cloud services to manage a “hybrid of everything” estate. Your infrastructure could span IoT, multi-cloud, on-premises, and operational technologies, and a directory provides access to everything. Costs and complexity will vary depending upon requirements, licensing, and implementations.

There are notable differences between solutions like a hybrid deployment of AD and Microsoft’s Entra ID (formerly Azure AD) service and alternatives for modernizing AD, such as JumpCloud’s open directory platform. That can make comparing the cost more challenging, especially considering that not all directory services are “one size fits all” when it comes to ensuring an organization gets the best value for the money and time they’ll put into setup and ongoing management.

This article explores the true costs of running AD, more than two decades after it first shipped, and how to modernize it for effective identity and access management (IAM) and better security.

Hidden Hardware Costs of Active Directory

Let’s start with the essentials of operating server rooms. You must account for expensive hardware servers, which becomes costly if multiple servers are needed or if a company has multiple geographical locations that require their own fleet of servers. AD servers must be dedicated systems and meet very specific hardware requirements. This is a particular challenge for distributed environments which require multiple AD servers at each physical location.

Cloud solutions either help reduce server room sprawl by providing services and scalability on demand, or can replace AD when the requirements are appropriate for a total migration.

Software Expenses 

It’s not uncommon for a server that meets your sizing and specification requirements to cost five figures; although, it’s not due to inflated hardware costs. It’s because Microsoft has modified its licensing scheme to be based on a per core basis. Client Access Licenses (CALs) are an additional fee. Here’s what Windows Server licensing can cost for an 8-core server:

Credit: WintelGuy.com

The licensing is complex (depending upon your agreement) and can be difficult to understand. Microsoft periodically audits customers to ensure they are compliant with its licensing terms. And that’s just the server operating system costs. You also need to purchase virtualization management software. Here’s an example of a real invoice that was once paid:

AD is focused exclusively on Windows devices, so a company needs add-on, third-party software to manage Mac and Linux devices. This is often licensed per device per user.

Microsoft Cloud Service Subscriptions

Hardening AD isn’t a throwaway suggestion. Microsoft’s literature and Microsoft Learn collateral urge customers to never sync on-premise admins to Entra, because AD can be compromised. A Microsoft shop should use Entra ID “onmicrosoft.com” domain admins to “break the glass.”

Microsoft’s Cybersecurity Reference Architecture (MCRA) prescribes cloud security solutions to protect AD against threats. That means subscribing to Entra ID Premium 2 (P2) for Identity Protection as well as licensing Defender for Identity. Defender for Identity can prevent lateral spread and privilege escalation. IT admins will first have to establish a hybrid configuration using Microsoft Azure AD Connect directory synchronization tool.

Other suggested subscriptions and steps for hardening AD include:

• Entra ID P2, which provides Identity Protection, and costs $9.00 user/month
• Defender for Identity, which is priced a la carte. Advanced Threat Analytics (ATA), an on-premise solution, ended mainstream support on January 12, 2021, leaving Defender as the only option if your organization goes all in with Microsoft.
  • Microsoft Defender for Endpoint is also recommended if you to extend monitoring to server threats, which also places Microsoft in control of your Endpoint Detection and Response (EDR).
• Windows Defender Credential Guard is included in Microsoft 365 E3 and E5. It protects AD against brute force attacks against AD.
• Azure Bastion as a jumpbox for RDP and SSH into Windows Server.
• Setting up a Windows secure admin workstation (SAW).

Network Equipment Expenses

A percentage of a company’s data center space needs to be allocated for networking equipment, as well as software that allows IT admins to manage and monitor the equipment.

You should account for:

• Network overhead, including support agreements for firewalls and switches
• High-speed internet
• Back-up power
• Disaster recovery
• Special hazards fire protection and HVAC equipment
• Physical security controls

An inert gas system requires sealing a room and having dedicated HVAC. Other solutions for special hazards, including in-rack fire suppression, are also costly. The following serves as an example:

Admin and Maintenance Costs

Installing, configuring, and maintaining an AD server, or servers, takes time and effort. A sizable portion of costs are put into resources, people trained and skilled to maintain the AD hardware and software, as well as the network equipment. When choosing a directory services solution, every organization should remember to factor in the cost for necessary patches and upgrades; otherwise, an entire business can abruptly halt if your system goes down.

Windows Entra and Azure services require additional training and might necessitate new hires with salaries at market rates. Account for the training and certification costs of modernizing AD. Team members that use Entra AD have proficiency at the level of Microsoft’s SC-100 and SC-300 certifications. Entra ID is an enterprise solution that has many interdependencies. Microsoft also recommends outsourcing automations and workflows to vendors.

User Management Expenses

Because AD does not have a central portal to handle password resets and other end-user problems, an organization needs to hire IT admins who can be on the frontline to assist employees with their devices and applications. Lifecycle management is a manual process without add-ons or automations, which provides low maturity entitlements management. Incidents such as the Colonial Pipeline hack occurred due to stale account management.

Modernize AD with JumpCloud

Modernizing AD through Microsoft means remaining locked into its software monoculture through Entra ID, now, and for the foreseeable future. Security services, staff training, potential new hires, and external vendors to manage workflows raise costs. These costs are also locked in and go beyond the sticker prices of Microsoft 365 plans needed for Entra ID.

Every organization should factor in what maintenance, add-on software, and IT staffing will cost if they continue to operate most services on premises. To help compare directory services solutions, we created a cost comparison calculator that you can use for a side-by-side comparison of Microsoft Active Directory with JumpCloud. Want a copy to simplify the process? Drop us a note. We’d be happy to send you our cost comparison calculator.

JumpCloud provides a sensible and holistic approach to AD modernization; it also integrates with AD and other identity providers (IdPs), such as Okta, through federation and directory synchronization. It’s an even better solution when paired with Google Workspace for productivity and collaboration. IT professionals and MSPs can modernize or replace AD with JumpCloud.