Microsoft’s Active Directory (AD) was created over 20 years ago to secure and manage networks. It establishes an organizational hierarchy of users and devices for Windows networks, centralizes administration, manages access control for users and services, and provides single-factor authentication for networks. This technology and the era of computing it was built for are very different from Google’s Identity Services, a modern method of managing cloud services and single sign-on (SSO). Microsoft recognizes this shift and has moved steadily toward the cloud, and AD shops can’t avoid the identity transformation that’s now underway.
Google Identity Services gives organizations the option to replace Microsoft’s Active Directory or to extend AD so that it can use Google’s Workspace productivity suite and other cloud services. It accommodates businesses of all sizes. Google recommends JumpCloud as the directory for small and medium-sized enterprises (SMEs) to manage users, unify device management, and secure access to every resource. Identity Services takes an interoperable rather than a proprietary approach.
The battlefield has expanded beyond standalone AD, and it’s not possible to make an informed comparison between AD and cloud-based directories without acknowledging this reality. This article tackles the dilemma many IT admins face: follow Microsoft’s path, combining AD with cloud services, or look elsewhere. Google + JumpCloud offers a new route to modernize AD.
Microsoft’s AD Legacy
Unsurprisingly, there’s a difference in architecture between these platforms. AD’s top-level component is the forest, which can contain one or more domains. Domains are containers for resources and represent organizational boundaries such as east coast and west coast offices. Organizational units (OUs) are sub-containers within domains such as a sales department.
Domains have inherent trust and credentials can cross domains, but forests don’t “trust” other forests by default. This is a Windows-centric, on-premises model that, on its own, doesn’t interoperate with web services or with protocols other than LDAP unless the NPS server role is added.
AD can be tightly controlled and customized, but mastering it and following the latest security recommendations can be challenging, costly, and time-consuming. It’s best for on-premises deployments that must meet very specific requirements for compliance or custom applications. Google, on the other hand, was built from the ground up for environments where identities are the perimeter and many devices access resources. That’s distinct from Microsoft’s classic client/server approach to IT system management. Microsoft is ushering customers to the cloud in response, and is shifting toward a cloud-first approach to IT infrastructure management.
Microsoft’s Path to the Cloud
Microsoft hasn’t given up on AD users who are migrating to cloud infrastructures. To the contrary, Azure Active Directory (AAD) is the basis for an entirely new ecosystem of services that are heavily focused on enterprise use cases and offer Microsoft significant new monthly recurring revenue. IT teams can integrate AAD and AD to create hybrid configurations or migrate AD to cloud-only directory infrastructures. However, a patchwork of services, including Intune, is required for endpoint management. Features that the AD ecosystem included are being gated behind AAD licensing tiers. Let’s explore what that looks like.
- Intune essentially replaces Microsoft System Center Configuration Manager (SCCM) and is expected to integrate with Configuration Manager for “co-management” of existing on-premises resources. Intune is available as an add-on subscription for Microsoft 365 and is included in many of its SKUs. Intune also has its own assortment of add-ons, at cost, for remote assistance and more.
- Azure Active Directory Domain Services (AAD DS) largely fulfills the role of NPS. This is a separate subscription service. Cloud LDAP is now included in this add-on package.
- Microsoft Identity Manager (MIM) Privileged Access Management (PAM) remains in use for isolated AD environments. However, Privileged Identity Management (PIM) is an AAD Premium P2 feature. AAD’s premium plans include access licenses for MIM.
- AAD has a significantly different architecture from AD. For instance, OUs have been replaced by administrative units (AUs). User objects are members of AUs versus existing in an OU.
The Azure portfolio can provide SSO to many resources and can work across platforms, but it’s an investment into another Microsoft ecosystem that exists in the cloud versus your server room(s).
A modern IDaaS solution can replace or expand Active Directory and shift virtually your entire IT infrastructure to the cloud; Microsoft’s 365 subscriptions are not the only option SMEs have.
Google’s Directory Alternatives
Google Workspace also uses top-level OUs with child organizational units for departments. It integrates with AD for LDAP services, but uses the Security Assertion Markup Language (SAML) protocol to make web services available to users across domains and network boundaries. Google offers a premium identity provider (IdP) and leverages partners for the best fit. AD cannot accomplish this without an Active Directory Federation Services (AD FS) server farm or without being extended through integration with Microsoft’s Azure Active Directory (AAD) platform.
Google offers the following directory service options:
- Google Sign-In: Google Sign-In is the most basic user management platform for Workspace apps and other services. These are managed user accounts that IT admins can centrally control with their tenant. External IdPs may be used via SAML-based federation.
- Partner IdPs: Google recognizes that one size doesn’t fit all and selected JumpCloud as the best fit for SMEs, especially when organizations are migrating from AD. This combination offers SMEs a true alternative to Microsoft’s 365 SKUs to extend Google identities for seamlessly and centrally managed Identity and Access Management (IAM) with unified device management. JumpCloud’s open directory platform integrates and enhances AD with SSO, unified endpoint management (UEM), and IT management including patch management and remote assist.
- Google Cloud Identity: Cloud Identity is an IAM and endpoint management platform from Google. There are free and premium editions, with the primary difference being app management, device management, rules, reporting, and other features that aren’t available for free.
- Active Directory: Google Workspace has the option to integrate with Active Directory using Cloud Identity. AD is used for user/group account provisioning and can be configured for SSO using AD FS.
The Best of Both Worlds
JumpCloud and Google are better together; AD and JumpCloud are too.
The simplest way for an AD-oriented IT shop to think about JumpCloud’s open directory platform is to imagine an amalgamation of AD, AAD, and Intune’s services (without the gated licenses). First, JumpCloud ensures that every resource has a “best way” to connect to it.
- Servers use SSH keys that are more secure than passwords.
- LDAP authentication for network devices, with built-in multi-factor authentication (MFA). MFA is environment-wide across every network protocol.
- Passwordless certificates secure RADIUS Wi-Fi access.
- Web applications use SAML and OIDC for SSO and provisioning. A decentralized password manager is built in for situations where SSO isn’t feasible.
- Conditional access rules are available for privileged access management.
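The first item in the list above, key-based SSH in place of passwords, is only true if the server actually refuses password logins. The checker below is an added example (not JumpCloud’s or Google’s code) that reads sshd_config text and reports anything that would still let a password through. It follows sshd’s own parsing rules that trip up audits: keywords are case-insensitive, the first occurrence of a keyword wins, the keyword being absent means the OpenSSH default applies, and everything after the first Match block is conditional, so only the global section is judged. The two sample configs are constructed for the example.

```python
"""Audit an sshd_config for password-based logins (added example, not vendor code)."""
import re
from typing import Dict, List

# Deprecated alias that sshd still accepts; both names control the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Hardened values expected in the global section for key-only authentication.
EXPECTED = {
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",  # keyboard-interactive can proxy a PAM password prompt
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
}

# OpenSSH defaults applied when a keyword is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitemptypasswords": "no",
}


def parse_global_section(text: str) -> Dict[str, str]:
    """Return keyword -> effective value for the global section (first occurrence wins)."""
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # sshd accepts "Keyword value" and "Keyword=value".
        m = re.match(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        key = ALIASES.get(key, key)
        if key == "match":
            break  # conditional block: later lines apply only to matching users/hosts
        effective.setdefault(key, value)  # first occurrence wins, later ones are ignored
    return effective


def audit_sshd_config(text: str) -> List[str]:
    """Return findings; an empty list means the global section enforces key-only auth."""
    effective = parse_global_section(text)
    findings = []
    for key, want in EXPECTED.items():
        got = effective.get(key, DEFAULTS[key])
        if got != want:
            source = "set in file" if key in effective else "absent, sshd default"
            findings.append(f"{key}={got} ({source}); expected {want}")
    return findings


# Constructed sample: looks hardened at a glance, but the key line is commented out
# and the deprecated alias re-enables keyboard-interactive password prompts.
WEAK_CONFIG = """
Port 22
#PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
"""

# Constructed sample: global section is key-only; the Match block is a scoped exception
# that the global audit deliberately does not count.
HARDENED_CONFIG = """
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; the `Match` cut-off is intentional, since a scoped exception for one account is a policy decision that deserves its own review rather than a global failure.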
JumpCloud and Google are complementary. Both platforms use dynamic groups that leverage user attributes to automate group memberships. JumpCloud imports users into groups from other sources, including AD. AD doesn’t provide pre-built integrations for HR systems; JumpCloud does. The difference lies in how JumpCloud’s groups logically separate objects in a manner that’s simpler than managing OUs, all while providing advanced lifecycle management.
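To make the attribute-driven group model concrete, here is an added example (not JumpCloud’s or Google’s code, and not either vendor’s rule syntax or attribute schema) of how dynamic membership and lifecycle changes play out. It assumes a simplified rule model: a group holds a list of conditions that must all hold, each comparing one user attribute with an operator, and suspended users never match regardless of their attributes. The user records and attribute names are constructed for the example; the membership diff after an HR attribute change is what a directory would push to downstream resources.

```python
"""Attribute-driven dynamic group membership (added example, not vendor code)."""
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Set, Tuple

User = Dict[str, Any]  # constructed shape, e.g. {"id": "u1", "department": "Sales", "state": "ACTIVE"}

# Operators a rule may use; unknown operators raise KeyError rather than silently matching.
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda have, want: have == want,
    "ne": lambda have, want: have != want,
    "in": lambda have, want: have in want,
    "startswith": lambda have, want: isinstance(have, str) and have.startswith(want),
}


@dataclass(frozen=True)
class Condition:
    attribute: str
    op: str
    value: Any


@dataclass
class DynamicGroup:
    name: str
    conditions: List[Condition] = field(default_factory=list)  # all must hold (AND)
    require_active: bool = True  # suspended or deprovisioned users never match

    def matches(self, user: User) -> bool:
        if self.require_active and user.get("state") != "ACTIVE":
            return False
        for c in self.conditions:
            if c.attribute not in user:  # a missing attribute never satisfies a rule
                return False
            if not OPERATORS[c.op](user[c.attribute], c.value):
                return False
        return True


def evaluate(groups: List[DynamicGroup], users: List[User]) -> Dict[str, Set[str]]:
    """Compute group name -> set of member ids for every dynamic group."""
    return {g.name: {u["id"] for u in users if g.matches(u)} for g in groups}


def membership_diff(before: Dict[str, Set[str]],
                    after: Dict[str, Set[str]]) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Per group: (ids added, ids removed) between two evaluations."""
    names = set(before) | set(after)
    return {
        n: (after.get(n, set()) - before.get(n, set()),
            before.get(n, set()) - after.get(n, set()))
        for n in names
    }


# Constructed sample directory; attribute names are illustrative only.
USERS: List[User] = [
    {"id": "alice", "department": "Sales", "location": "US-East", "state": "ACTIVE"},
    {"id": "bob", "department": "Sales", "location": "US-West", "state": "ACTIVE"},
    {"id": "carol", "department": "Engineering", "location": "US-East", "state": "ACTIVE"},
    {"id": "dave", "department": "Sales", "state": "SUSPENDED"},  # no location, suspended
]

GROUPS = [
    DynamicGroup("sales-all", [Condition("department", "eq", "Sales")]),
    DynamicGroup("east-coast", [Condition("location", "startswith", "US-East")]),
    DynamicGroup("sales-east", [Condition("department", "eq", "Sales"),
                                Condition("location", "eq", "US-East")]),
]


def lifecycle_demo():
    """Bob transfers to Engineering in the HR feed; return memberships before, after, and the diff."""
    before = evaluate(GROUPS, USERS)
    moved = [dict(u, department="Engineering") if u["id"] == "bob" else u for u in USERS]
    after = evaluate(GROUPS, moved)
    return before, after, membership_diff(before, after)


if __name__ == "__main__":
    before, after, diff = lifecycle_demo()
    for name, (added, removed) in sorted(diff.items()):
        print(f"{name}: +{sorted(added)} -{sorted(removed)}")
```

The removal side of the diff is the part that matters for security: when Bob’s department attribute changes, his `sales-all` membership, and every SSO, LDAP, or RADIUS entitlement that hangs off it, is revoked in the same evaluation, with no OU move or manual group edit for an admin to forget.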
JumpCloud provides unified identity and device management for Android, Apple, Linux, and Windows endpoints. IT teams can opt for an agentless approach for Android devices through Enterprise Mobility Management (EMM) or mobile device management (MDM) for Apple products.
Windows MDM is used for self-service device onboarding workflows and leverages the latest device enrollment and management capabilities from Microsoft. Microsoft shops can use systems they’re familiar with while unifying IAM and IT management for Windows and beyond.
Agents execute pre-built policy templates and root-level commands for Apple, Linux, and Mac endpoint security and compliance. Telemetry is collected for JumpCloud’s reports, and events can be viewed with the System Insights tool. There’s no need for the reporting add-ons that AD often requires, and JumpCloud also syncs with popular SIEM solutions. Additionally, agents make it possible for IT teams to offer unlimited remote assistance through the JumpCloud admin portal without additional costs. Cross-OS browser and patch management are optional services.