Should Microsoft Own Your Identity?

Written by David Worthington on February 16, 2022


Microsoft has recently demonstrated behavior that has alarmed veteran industry watchers. IT admins should take this into account prior to trusting Microsoft to “own” their users’ identities over the long term. It also “owns” their productivity tools, their data, and has a history of embracing and extending standards and services around its products. The cost of time and resources to switch to alternative solutions is compounded, which is not a situation most small and medium-sized enterprises (SMEs) would want to find themselves in as their IT organizations grow and mature. 

But this blog post isn’t about feature parity or adherence to open standards: it’s about vendor risk and control. If your eyes are as good as mine, Microsoft’s primary motivation seems to be to connect users to other Microsoft products; its identity services are mainly focused on connecting its customers to its products rather than enabling them to easily connect to what they want. That’s not necessarily aligned with the requirements of SMEs, which benefit from shopping around an open marketplace. I was once part owner of a manufacturing company and we had a global network of suppliers to avoid putting our eggs into one basket. Buying 100% of our (fire sprinkler) frames from a single vendor would have given it extraordinary control over price and order size, which would have inevitably led to a significantly more disruptive cost to switch. Diversification helps SMEs manage supply chain (vendor) risk.

The Risks of a Vendor-Owned Identity

Risks can spiral if the supplier also owns your ID and is the “airline,” i.e., controls the services that make your business possible. Say you want to fly another airline… Microsoft’s “passport” must now be involved. A Google Workspace shop is required to add Azure AD to their environment in order to simply use Microsoft Excel, Word, or PowerPoint. That’s not something I’d imagine they’d want for themselves. Microsoft 365 users can easily connect to Microsoft services, but what about alternative products — how easy is it for Microsoft users to do what they need to with Google Workspace or AWS?

IT departments need direct, cost-effective access to services from multiple vendors of their choosing, not only via the most preferred “routes.” Pure Identity-as-a-service players are agnostic about what users connect to, or even how. Microsoft has a Microsoft-first ideology.  

How Microsoft’s Ecosystem is Structured

Microsoft delivers its workflows through a few identity and access management (IAM) solutions, as well as a tangle of services to manage communication, data, devices, productivity, and security. It can function as a single source for your entire IT infrastructure, but doing so increases supply chain risk, especially if you’re using an Active Directory (AD) domain controller to manage users. One of its principal undertakings is to “own” user identities from Windows: it determines where you can go, and its preferred destination is Microsoft Azure. Imagine a world where your airline also owns your passport: that’s tremendous monopoly power.

Microsoft CEO Satya Nadella highlighted the significance of Active Directory and Azure Active Directory in an interview with CNBC: “One of the big crown jewels of our strategy and our asset base is Active Directory.” Logic dictates that controlling your directory is at the heart of its cloud strategy, especially since Active Directory is given away free of cost.

A Focus on Integrating Their own Services

To that end, some of its IAM services (AD Federation Services) only extend Active Directory from on-prem to its cloud services, while others (such as Azure AD) reluctantly deliver single sign-on (SSO) to Microsoft 365 customers that aren’t bound to AD (as illustrated in the reference architecture below). It’s possible to “get” to web apps, but Microsoft’s primary IAM focus is to tightly integrate its own services, not others. On-prem equipment (that has LDAP interfaces) and on-prem apps aren’t able to connect to it. Take a gander at this chart and tell me that there’s another purpose.

[Chart: Microsoft identity reference architecture. Source: Microsoft]

An Unsettling Supplier Relationship

Recent product changes have raised the specter of the “old Microsoft,” which locked customers and partners into its ecosystem by illegally abusing its OS monopoly. It’s no secret that Microsoft has an ongoing history of anti-competitive behavior, and it most recently raised eyebrows when it made changing the default browser in Windows 11 from Edge an archaic process that my old journalist cohort Paul Thurrott dubbed “The obtuse Windows 11 UI for default browsers.” Microsoft has since moved to address the public outcry over its attempted browser lock-in.

“Microsoft’s moves seem desperate. And familiar. It is clear they don’t want you to use other browsers. They even offer to pay you to use the browser via their Microsoft Rewards program. This is not the behavior of a confident company developing a superior browser,” wrote Vivaldi CEO Jon von Tetzchner. “It’s the behavior of a company openly abusing its powerful position to push people to use its inferior product, simply because it can. Do not pass Go, do not collect $200. Can you say monopoly?”

A History of Anti-Competitive Behavior

Being compelled to use Microsoft’s flavor of the Chromium browser isn’t the end of the world, but there are deeper considerations when the question becomes, “What if that anti-competitive behavior extends elsewhere?” I was a technology reporter and once had a candid conversation with a Microsoft executive over its Silverlight application framework — a subset of .NET — and received a knowing nod when I asked whether it was an end run around the nascent HTML5 open standard for multimedia. The objective, then as it is now, is to keep organizations within its ecosystem.

Microsoft’s identity services are also mandatory for its Autopilot “zero touch” onboarding program to preconfigure Windows services for new employees. The choice of an IdP is taken away from the consumer, just as it attempted to do with its bundled web browsers.

Many SMEs have Microsoft controlling their directory (an Active Directory server), and what it integrates with, through Azure AD (even more Microsoft products). It’s advisable that IT admins take flexibility and openness into account for IAM purchase decisions, especially when a domainless enterprise has more freedom of choice. One thing’s for certain: I’d never entrust my family business’s ability to operate to a single supplier, especially if there was a history of bad behavior and dominance over its customers. There are more open alternatives. We’re one of those options, for your consideration, and view identity differently than Microsoft does. JumpCloud believes that you should “own your identity.”

Own Your Identity

That’s how we see it at JumpCloud: customers should be able to connect their identities from a directory that they manage and control to the resources they wish to connect to. We want IT organizations to have the freedom to choose the IT technology that’s right for their organization. Our Q2 2022 product roadmap expands upon JumpCloud’s years-long initiative to provide an extensive library of SSO connectors that make integrations with your IAM infrastructure and services much easier. That’s the differentiating factor between JumpCloud SSO and Azure AD: you control your directory and we securely connect you to a wider range of technology.

The aforementioned Google scenario plays out differently with JumpCloud. We integrate with Google as an identity provider (IdP) as well as Microsoft, but extend what’s possible throughout the user lifecycle through our platform, including cross-OS device management, smart groups, and Zero Trust access control. Users can integrate with the PaaS services they desire, using their Google/JumpCloud credentials. Our platform gives you autonomy and overall control of your directory (including security policies), who’s in it, where you share that information, and what services you integrate with.

The objective is to connect users to services through our directory infrastructure and cross-OS user lifecycle management capabilities versus (i) Azure AD keeping SMEs tethered to Windows or (ii) Azure AD “owning” your identity, where it interoperates, and your destination. We’re also available when you need support, which can be expensive when dealing with Microsoft’s support services. Give us a try and see whether JumpCloud is right for your organization.

Try JumpCloud

The JumpCloud directory platform can be standalone but also integrates with Active Directory, Azure Active Directory, Google, and AWS to manage user lifecycle, governance, and IAM. Your IdP is your choice, even if your users reside within a Microsoft Windows domain controller. It’s free for 10 users or 10 devices and premium support is available within the initial 10 days of your account creation. You can register for a personalized demo, or sign up for free.

David Worthington

I'm the JumpCloud Champion for Product, Security. JumpCloud certified, security analyst, a one-time tech journalist, and former IT director.
