Extend Active Directory Users To Modern Resources

By George Lattimore Posted November 17, 2019


Microsoft® Active Directory® has been a cornerstone of IT for decades. As the number of non-Windows devices and cloud-based tools multiplies, however, so do the limitations of using AD to secure employee access to these modern resources. Eventually, an organization’s infrastructure becomes so entrenched in AD that replacing its on-prem servers and domain controllers doesn’t seem feasible. So, how can admins simplify the management of AD-based IT environments if they don’t want to (or can’t fully) replace their on-prem investments?

How Practical is it to Stack the Domain Controller with Add-ons?

Extending AD identities through multiple add-ons is possible if the organization has the funds and time to do so, but managing a daisy chain of SSO solutions, identity bridges, MFA tools, on-prem RADIUS and/or LDAP servers eats away at an admin’s time and sanity. Depending on the number of add-on solutions and the size of the organization, even the most experienced IT pros can struggle. 

Enterprises with heavy capital investments tied to Microsoft often find themselves in this tricky scenario, yet small- to medium-sized businesses (SMBs) can also inadvertently stumble into needing extensive “middleware.” Essentially, for AD to manage non-Windows devices (such as macOS® and Linux® systems) or cloud-based resources, a system management tool and a directory extension are required to work alongside AD.

Historically, Active Directory acts as the one-way authority and source of truth, with third-party add-ons still needed to federate changes out to non-Windows and cloud-based applications and resources. Unfortunately, when changes such as password resets are made outside of AD’s reach, that information doesn’t synchronize back into AD. Active Directory simply wasn’t designed to work that way. Thankfully, a new generation of solutions has emerged to cleanly and simply extend AD identities to modern resources.

The Need for Bi-Directional AD Integration (ADI)

For admins and their remote employees, using a bidirectional, multipurpose add-on provides a more practical route for securing access to cloud resources and mixed-OS devices. Solutions like JumpCloud’s AD Integration are meeting AD-centric IT environments with cross-platform, cloud-forward support. Greg Keller, JumpCloud’s Chief Strategy Officer, summarized the benefits of AD integration for IT organizations as follows:

“The freedom of choice in computing resources, like a MacBook, is a key tenet of JumpCloud. Providing secure credential management to and from those Macs with AD, along with policy control and MFA, are how we’re enabling sysadmins to better secure their remote employees, all from the cloud, and without the need for VPNs to maintain that trusted bind with AD.”

By using AD Integration, users can self-serve password changes from their systems, reducing the number of IT tickets created. Furthermore, the number of add-ons is minimized, and everyone benefits from greater flexibility. As Mac and Linux devices continue to proliferate alongside cloud resources, environments entrenched in AD now have a powerful yet lightweight solution to secure resources bi-directionally and cross-functionally. Employee credentials can now be synchronized through the SAML, RADIUS, and LDAP authentication protocols, with system-level MFA ready for macOS and Linux machines. In summary, AD Integration works by leveraging these two main features:

  1. AD Import: user and group synchronization from AD to resources not directly supported by AD
  2. AD Sync: automatic, secure writeback of object changes (e.g. passwords) from those resources to AD

Benefits of Using AD Integration

  • Maximize investment in AD
  • Extend AD-based identities to systems, cloud and legacy applications, VPNs, wireless networks via RADIUS, servers in AWS®, and more
  • Eliminate multiple AD instances
  • Centralize control over the AD-based environment
  • Choose IT resources regardless of platform, provider, or location
  • Control access to remote and unbound Mac, Windows, and Linux systems

In conclusion, AD Integration is a powerful solution that reduces management complexity and costs, yet it’s only one use case for Directory-as-a-Service®. For tens of thousands of IT organizations around the world, JumpCloud not only simplifies the management of AD identities by reducing middleware costs and complexities; it can also completely alleviate their on-prem AD dependencies. Unlike Azure AD, which is primarily a cloud complement to AD, JumpCloud can also operate entirely as a standalone directory services solution should your organization decide to go full cloud.

George Lattimore

George is a writer at JumpCloud, a central source for authenticating, authorizing, and managing your IT infrastructure through the cloud. With a degree in Marketing and an MS in Public Communications and Technology, George enjoys writing about how the IT landscape is adapting to a diversified field of technology.
