By Ryan Squires Posted December 31, 2019
Many IT admins work in disparate environments made up of Office 365™ users, non-Windows® systems, applications, file systems, and networks. IT admins want to manage environments like this from a single console without having to integrate multiple solutions. Ultimately, that means managing O365 users without the Azure® Active Directory® (AAD or Azure AD) console.
Office 365, AAD, and the Whole Picture
Each subscription of O365 comes with an identity managed by AAD, which helps IT admins govern individual users and groups for O365 access. As such, many IT admins have only used AAD to maintain their O365 user base. They know it fills an administrative need in their environment, but its limited scope becomes apparent when looking at the big picture.
When you step back, you see that what you need is a holistic identity management platform, not just a tool for managing O365 users and Azure. The usual first thought is to extend Azure AD’s usage to include other areas; after all, it does have Active Directory in its name. That said, it is important to know exactly what AAD provides IT admins.
How Can AAD Help You?
Aside from the above, IT admins use AAD to provide and manage single sign-on (SSO) to select web applications (Azure AD P1 or P2 is required for more than 10 apps). Joining a Windows® 10 Pro device to Azure AD also lets users access their system, web applications, and O365 account with a single set of credentials. All told, this integration delivers great functionality to organizations that run as Windows 10 Pro environments and only utilize Azure cloud resources and a select group of web applications.
The problem with this setup, though, is that many IT organizations also want to manage Mac® and Linux® systems, control access to file servers and on-prem/web applications, and protect their network access with RADIUS.
How Can’t AAD Help You?
Utilizing Azure AD alone doesn’t provide the system management features delivered by on-prem Active Directory (AD) via Group Policy Objects (GPOs). Connecting your Azure AD account to an existing AD instance does enable you to push GPOs to Windows systems. But with the influx of macOS® and Linux devices in many environments, leveraging GPOs on those systems presents the following challenges:
- On-prem AD was not designed to work with Mac and Linux systems.
- Utilizing identity bridges to connect Mac and Linux systems to AD equates to higher costs and complexity.
- Tools built specifically for cloud-based system management often work for one system platform and not the other. This means integrating multiple solutions with Azure AD.
Of course, you can leverage Azure AD Domain Services (AAD DS), which has GPO functions for Windows servers hosted in Azure. That obviously won’t work for AWS® or GCP™ Linux servers.
Controlling Network Access
To use RADIUS to secure your networks, you’ll need to set up Active Directory on-prem alongside a Network Policy Server (NPS) instance. This way, AD acts as the user store and NPS provides network authentication through RADIUS.
If you want to remain vendor agnostic, an on-prem FreeRADIUS server fills that void as well. You can store your user identities in the FreeRADIUS server itself, or connect it to an identity provider like OpenLDAP™ or AD. Either way, you’ll be adding on-prem infrastructure or, worse, managing multiple sets of identities.
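For the FreeRADIUS-backed-by-AD option just described, here is an added illustration (not from the original post) of what the FreeRADIUS 3.x rlm_ldap configuration looks like when the RADIUS server uses on-prem AD as its user store over LDAPS; the domain controller hostname, bind account, CA path and group name are assumed placeholders.

```conf
# Added example: FreeRADIUS 3.x, mods-available/ldap, pointed at an on-prem AD.
# Hostname, service account, CA file and group DN are assumed placeholders.
ldap {
    # LDAPS only. Over plain LDAP the bind password and every user lookup
    # would cross the network in clear text.
    server = 'ldaps://dc01.corp.example.com'
    port = 636

    # A dedicated read-only service account. Never bind as a domain admin;
    # this credential sits on the RADIUS host and is only needed to search.
    identity = 'CN=svc-radius,OU=Service Accounts,DC=corp,DC=example,DC=com'
    password = 'REPLACE-WITH-SECRET-FROM-VAULT'

    base_dn = 'DC=corp,DC=example,DC=com'

    user {
        base_dn = "${..base_dn}"
        # Look the user up by logon name, using the realm-stripped name if present.
        filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "${..base_dn}"
        filter = '(objectClass=group)'
        # AD publishes group membership on the user object, so read memberOf
        # instead of enumerating each group.
        membership_attribute = 'memberOf'
    }

    tls {
        ca_file = /etc/freeradius/certs/corp-root-ca.pem
        # Reject any DC whose certificate does not chain to the trusted CA.
        require_cert = 'demand'
    }
}

# Companion snippet for the authorize section of sites-enabled/default:
# only members of the network-access group may authenticate at all, so a valid
# AD password alone is not enough to reach the Wi-Fi or VPN.
#
#   if (!(LDAP-Group == "CN=Network-Access,OU=Groups,DC=corp,DC=example,DC=com")) {
#       reject
#   }
```

Because AD never returns password hashes over LDAP, this setup authenticates by binding as the user, which means PAP-style methods (for example EAP-TTLS/PAP) work but PEAP-MSCHAPv2 still needs a domain-joined Samba/winbind ntlm_auth path; that is part of the extra on-prem infrastructure the paragraph above refers to.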
On-Prem Applications and Files
Many on-prem legacy applications authenticate via LDAP. Network attached storage (NAS) devices often require LDAP as well. But Azure AD struggles to authenticate on-prem LDAP-based applications and file servers. That means you’ll need to utilize another solution in addition to Azure AD, which dismisses any notion of management from a single console.
Find an All-Inclusive, Cloud-Based Option
Managing your entire IT environment with Azure AD presents challenges. In most cases you’ll need on-prem AD to complete tasks related to system management, legacy application authentication, and network access control. Beyond that, it’s likely you’ll also have to build on top of AD to fill in areas that Azure AD doesn’t manage. Even the connection between AD and AAD requires a third product from Microsoft, Azure AD Connect.
A Solution from the Cloud
A new breed of directory services called Directory-as-a-Service® (DaaS) gives IT admins the ability to integrate the directory with O365. Importing users, adding and deleting users, and modifying access to O365 all happen remotely, from a single browser window. Plus, it gives you the ability to manage virtually all of your resources, including systems, applications, files, and networks, from one interface.
Try Directory-as-a-Service Today
If you’re ready to manage your IT resources from a single console, sign up for a demo to see how Directory-as-a-Service remotely manages O365 users.