The Extending Active Directory® (AD) Complete FAQ serves as a hub for IT admins seeking answers to commonly asked questions surrounding facets of Active Directory Integration. We’ll cover questions about integrating macOS® and Linux® devices, cloud infrastructure, and web applications with AD. Knowing the right questions to ask often provides a lens by which to start addressing challenges in your IT environment.
Active Directory Integration Basics
Why Extend AD?
By itself, AD struggles to extend identities to non-Windows resources. So, IT admins often add on solutions to AD to simplify their management. Some common resources that require additional tooling include:
- Web applications (e.g. Salesforce® and Slack®)
- Mac® and Linux systems
- Cloud infrastructure (AWS®, GCP™, Azure®)
The benefits of integrating AD with these resources are numerous, but consider the following:
Users achieve higher levels of productivity when they only have to utilize a single identity. That means they don’t have to fumble around typing in password after password to access their resources. This takes on a security angle as well. With the right password complexity rules in place, users pick a single strong password to access all their resources — no more reusing variations of “PassWord123”.
For admins, robust AD integration provides a centralized location to manage users and their resources. This increases security because admins don’t have to dig around numerous accounts or remote servers after an employee leaves to fully deprovision them. When an identity becomes centralized, suspending it or deleting it from the directory can instantly cut access to resources.
What Do I Do First?
Take inventory of everything you want to extend AD to. Think about systems, apps, files, and networks. Are they controlled by AD? Or is your entire infrastructure managed via an assembly approach, meaning each resource has its own separate administrative tool?
Then, think about the resources you aren’t currently managing that you would like more control over. Are you worried that they’re security threats? Find out what you want to extend AD to and move from there.
How Long Has IT Needed to Extend AD Credentials?
Since the release of AD in 1999, IT environments with non-Windows tools needed a way to extend AD if they chose to build their IAM infrastructure on it. That’s because:
- AD is ideal for Windows-based tools
- Everything was on-prem at the time, but web applications and cloud infrastructure started to emerge shortly after AD’s release.
In short, AD is an on-prem Microsoft solution created primarily to manage Microsoft products. If you need to use AD creds for non-Windows or web-based solutions, you’ll generally need to layer one or more supplemental solutions onto it.
What Are Some Examples of Extending AD?
Let’s start with SaaS apps. SaaS apps exploded in popularity, but each needs its own identity. That meant users could have a set of credentials for each web application they leveraged, which for some users climbed into the hundreds. So, SSO solutions were created to extend a single AD identity to web applications and simplify identity management for IT admins.
Identity bridges, or directory extensions, do the same for macOS and Linux systems. These solutions help IT admins manage all their users from one interface. Some admins have an Apple Open Directory (OD) instance for their macOS users and an OpenLDAP™ instance for their Linux users. Identity bridges instead centralize their users in AD, giving IT admins one place to manage all users regardless of OS.
IT admins want the same kind of control over their cloud infrastructure as well. Cloud infrastructure providers each have their own way of extending AD to their services. These solutions let users leverage a single identity for just about all of the services that particular provider offers.
Microsoft Tools for Extending AD
What is Azure AD?
This is Microsoft’s tool to move people to the cloud. Azure AD (AAD) often serves as the means to extend AD credentials to web applications. But it is not a comprehensive solution like AD, which provides complete management of users, systems, and more. AAD works to manage Azure itself and all the capabilities in that ecosystem, as well as Office 365™ users and resources. Plus, it has SSO features that enable it to push AD creds to web applications. It’s really meant to help with authentication to Azure-focused, cloud-based resources.
What Role Does Active Directory Federation Services Fill?
Active Directory Federation Services (AD FS) is the on-prem SSO solution from Microsoft. It is used to extend on-prem AD creds to web applications. AD FS was originally designed to support users working in multiple organizations and thus requiring access to different domains. Microsoft smartly extended this concept more broadly to enable access to web applications.
Are There Limitations to Microsoft’s Approach?
Microsoft tools generally fill a single role. AD FS now effectively provides on-prem SSO capabilities. Azure AD works to extend AD credentials to Azure and Office 365. Then, there is Network Policy Server (NPS) for network authentication. A comprehensive approach ensures your entire IT environment gets the management it needs, which may mean looking outside of the Microsoft ecosystem and freeing yourself from vendor lock-in.
Third-Party Tools for Extending AD
Depending on what you’re trying to extend AD to, a solution probably exists for it. The challenge here is that there are likely many different non-Windows solutions that you want to extend AD to, and if that’s the case, you’re going to have many different horses in your IAM stable.
How Do I Extend AD to Mac and Linux?
Identity bridges from various vendors each offer their own set of pros and cons. The key is finding one that provides AD integration for all your non-Windows systems — not just one or the other.
What about Cloud Infrastructure?
AWS, GCP, and Azure each have their own ways of extending AD credentials to their infrastructure. If you use any combination of these services, you’ll have multiple solutions to maintain. That means essentially having multiple AD instances to manage and integrate.
How Do I Connect AD to AWS?
AD Connector from AWS syncs on-prem AD identities to AWS services, and on the surface it appears to be a feature of AWS Directory Services, meaning that you’ll need to buy that component as well. It is a cloud-based solution that utilizes AD as your source of truth so users can use their AD credentials mainly for access to AWS servers. However, its scope is limited to AWS.
How Do I Connect AD to GCP?
Google Cloud™ Directory Sync (GCDS) represents Google’s version of AD Connector. The difference between the two is that GCDS is an on-prem solution that IT admins must maintain themselves. GCDS extends AD credentials into Google’s proprietary Cloud Identity platform, which enables access to a wide variety of Google solutions.
Things to Look for in ADI Software
Is It Comprehensive?
Find a single solution to integrate with everything in your environment. But only pay for what you need. In other words, find something flexible, yet powerful. Using multiple solutions for extending AD creates cost and complexity challenges.
Is It Cloud-Based?
Look for a solution that you don’t have to manage yourself. On top of managing users, AD, and everything else, a solution that stays secure and up-to-date on its own is a major time saver.
Does It Fill Multiple Needs Aside from Extending AD Credentials?
You likely need more than just an AD extension. Here are a few to consider:
- MFA for securing identities
- RADIUS for network access control
- LDAP for on-prem legacy applications
- GPO-like policies for system management
- SSH key management for remote server management
Each of these additional elements delivered from a single solution saves IT admins a significant amount of time and boosts the security of an organization greatly.
By now, you’ve seen that the more non-Windows or cloud-based software you seek to include in your IT environment, the more you’ll have to add on to AD. As your needs grow, so do the extensions and add-ons that you layer on top of AD. That’s why it’s best to find a solution that can roll all of these different aspects into a single platform. Plus, if you don’t use all of these services or resources, you can mold that solution to your exact needs — and only pay for what matters to you, with the option to grow and expand later down the line.
A solution that enables you to do all that is JumpCloud® Directory-as-a-Service® and its Active Directory Integration (ADI). ADI enables IT admins to connect their non-Windows and cloud-based resources to AD with a single solution. You can use any number of disparate solutions, like macOS, AWS, AD, and G Suite™, and manage them all from a single cloud-based interface. That same interface enables you to manage AD users from a web browser, which gives IT admins the ability to remotely manage their AD instance.
Still Looking for Answers?
If you have additional questions, please reach out to us and ask. If you think we missed something and have information to add, we’re happy to consider making changes to this FAQ to keep it complete. For questions about JumpCloud in general, take a look at our FAQ.
To test the product, sign up for a free account. You can use it to manage up to 10 users free — forever. And for a peek at ADI, consider watching the following video.