By Kayla Coco-Stotts Posted November 11, 2019
Azure® is a cloud infrastructure provider that offers compute, storage, and other platforms and services, such as Office 365™. Azure introduced its own identity management solution, called Azure Active Directory® (AD), but this does not serve as a way to bring the on-prem directory service, Active Directory, to the cloud. Although Azure does not offer its own RADIUS server, RADIUS-as-a-Service solutions make it simple to improve the security of WiFi and VPN networks.
What Does Azure AD Do?
Azure AD provides user management functions (authentication and authorization) for Azure services (such as compute, storage, and applications). Azure AD provisions, deprovisions, and modifies user access to Azure-related services such as Windows® servers and Office 365.
It also provides web application single sign-on, enabling Office 365, Salesforce®, Dropbox, and other select applications to be accessed with a single identity.
What Azure AD doesn’t offer is an integrated, hosted, and managed RADIUS solution. This makes it difficult to manage access to VPNs and on-prem WiFi and forces IT admins to use other mechanisms to manage user access. Often this means setting up their own RADIUS servers (e.g., FreeRADIUS or Windows NPS) to keep their networks secure.
Azure AD RADIUS Authentication Services
Because Azure AD doesn’t have native RADIUS server functionality, IT admins need to employ different methods for securing their on-prem wireless Internet access.
For instance, admins can host a RADIUS server in Azure, either through an NPS extension or through FreeRADIUS. This process is time-consuming, however: it requires extensive self-implementation and can force IT admins to stray away from cloud-based services and applications that shift the heavy lifting of the infrastructure to a third party. Beyond that, admins still have to integrate the RADIUS infrastructure back into whatever core directory service they are using.
Azure AD does offer IT admins the ability to configure Azure MFA servers for RADIUS authentication through an NPS extension, or they can implement their own FreeRADIUS authentication source to be linked back to AD.
However, Microsoft’s solution is limited in that it only supports RADIUS authentication together with MFA, so admins cannot choose one or the other; they are forced to do both every time. In addition, this method only works with the Password Authentication Protocol (PAP).
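The PAP limitation matters because, with PAP, the user's password travels inside the RADIUS Access-Request; it is not encrypted in the usual sense, only obfuscated with an MD5 stream keyed by the RADIUS shared secret and the 16-byte Request Authenticator (RFC 2865, section 5.2). The following is an added illustration, not code from the original post or from Microsoft or FreeRADIUS: it implements that User-Password hiding and the matching reveal step so a defender can see that the confidentiality of a PAP password rests entirely on the strength of the shared secret and on the transport protecting the RADIUS traffic (for example, an IPsec tunnel or RadSec). The sample password, secret, and authenticator below are constructed values.

```python
import hashlib
import os


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Apply RFC 2865 section 5.2 User-Password hiding.

    The password is padded with NULs to a multiple of 16 bytes. Each 16-byte
    block is XORed with MD5(secret + previous ciphertext block), where the
    "previous block" for the first block is the Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * ((-len(password)) % 16)
    hidden = bytearray()
    prev = authenticator
    for offset in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[offset:offset + 16], keystream))
        hidden += block
        prev = block  # chaining: next keystream depends on this ciphertext block
    return bytes(hidden)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Undo hide_password, as a RADIUS server does before checking PAP credentials."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    plain = bytearray()
    prev = authenticator
    for offset in range(0, len(hidden), 16):
        block = hidden[offset:offset + 16]
        keystream = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return bytes(plain).rstrip(b"\x00")


def demo() -> dict:
    """Round-trip a constructed password and report what an observer on the wire sees."""
    password = b"Correct-Horse-Battery-Staple"       # constructed sample credential
    secret = b"example-shared-secret-do-not-reuse"   # constructed RADIUS shared secret
    authenticator = os.urandom(16)                   # per-request random value from the NAS
    hidden = hide_password(password, secret, authenticator)
    return {
        "wire_length": len(hidden),                 # padded to a multiple of 16
        "recovered": reveal_password(hidden, secret, authenticator),
        "plaintext_visible_on_wire": password in hidden,
    }


if __name__ == "__main__":
    result = demo()
    print(f"hidden attribute length: {result['wire_length']} bytes")
    print(f"server recovers: {result['recovered'].decode()}")
    print(f"plaintext visible on wire: {result['plaintext_visible_on_wire']}")
```

Note that anyone holding the shared secret can run `reveal_password` on captured traffic, and that MD5 here is a keystream generator rather than a password hash, so none of the usual slow-hash protections apply. That is why RADIUS deployments that are forced onto PAP should treat the shared secret as a high-entropy key and keep RADIUS traffic on a protected path rather than on an open network segment.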
IT admins can build out their own RADIUS services by using FreeRADIUS to connect to Azure AD. This does allow admins to move their RADIUS authentication entirely to the cloud, removing the need for implementing on-prem servers.
However, self-managed RADIUS servers within Azure require extensive management and upkeep. Because a self-implemented, cloud-based RADIUS server is not managed as-a-Service within Azure AD, IT admins have to maintain the service outside of Azure AD’s service boundary.
Bridge RADIUS and Directory Services to the Cloud
Admins may be interested in moving all on-prem infrastructure to a cloud-based directory service that includes RADIUS-as-a-Service and AD integration. Such a service makes implementing cloud-based, load-balanced RADIUS straightforward and gives organizations the opportunity to implement RADIUS on a global scale. It also gives IT admins the freedom and flexibility to migrate on-prem infrastructure to the cloud without the cost of time, licensing, and maintenance.
Check out our guide to migrating AD to a cloud-based directory service to leverage RADIUS-as-a-Service for an easy, user-friendly way to protect networks’ sensitive information from potential hackers.