To better understand the structure of Azure® Active Directory® (AAD or Azure AD), we explore each tier of their services in a four-part series. This is part three of the series.
Each article covers the benefits of a particular service, as well as the drawbacks that come with each tier. Click here to read our previous blog on Azure AD Free.
What Is Azure Active Directory Premium P1?
Azure AD is a cloud-based user management platform often introduced to organizations via the purchase of a Microsoft 365™ license or Azure subscription. Although IT teams commonly start their organizations with Azure AD Free or Microsoft 365 apps (since those are included with a subscription to either service), organizations often look to upgrade their Azure AD instances to Premium P1 or P2 licenses.
AAD’s paid licenses are used alongside a directory service, and as such, complement features of an existing directory. Organizations often implement AAD Premium P1 in conjunction with a core identity provider, but many are aware that AAD Premium P1 can be used entirely on its own to manage Microsoft 365/Azure identities, as well as enact single sign-on (SSO) for pre-integrated web applications. It doesn’t manage devices or external identities without additional subscriptions from Microsoft or additional identity management solutions.
This article evaluates Azure AD Premium P1’s capabilities as a standalone tool, and explores how organizations can best utilize AAD Premium P1’s services.
Benefits of Azure AD Premium P1
Azure AD Premium P1 offers the following features:
- All of the features listed for Azure AD Microsoft 365 apps
- SSO for an unlimited number of pre-integrated SaaS applications
- Self-service application assignment, so users can self-discover and request access to applications
- Cloud app discovery
- The option for advanced group management
- On-premises write-back for all password changes
- Group-based access management and provisioning (comes with additional provisioning customization)
- End user self-service
- Advanced usage reporting and fraud alerts
- Custom security attributes
- Application proxy for remote access to on-prem applications
- Multi-factor authentication (MFA) for on-premises applications
- MFA triggers based on risk events
- Conditional access based on trusted IPs, device state, or location and group
- Automated password rollover for group accounts
- For Windows® Pro: Application Proxy for on-premises, header-based, and Integrated Windows Authentication applications, plus administrator BitLocker recovery
- MDM auto-enrollment (out-of-box experience), self-service BitLocker recovery, additional local admin tooling to Windows Pro devices via Azure AD Join
- A service level agreement
- Microsoft Identity Manager (MIM) user client access license (CAL)
The premium features offered by Azure AD Premium P1 are attractive for Microsoft shops. However, there are drawbacks to consider with AAD Premium P1 as a holistic identity management solution.
Drawbacks of Azure AD Premium P1
AAD P1 is focused on extending SSO to the Microsoft ecosystem and doesn’t treat identities as the perimeter. Workarounds are required to utilize core network protocols to secure and manage access to network devices. Devices serve as the gateway for identities to access resources in modern IT. However, AAD P1 will not manage non-Microsoft identities or non-Windows devices without additional subscriptions from Microsoft. Let’s explore these issues in further detail.
Microsoft licensing can be complex, and implementing best practices for AAD takes a lot of work. The breadth of configurations, and the resulting complexity, that Microsoft’s enterprise features present has given rise to a cottage industry of consultants, and many organizations end up hiring them to guide the migration.
Missing Identity and Access Control Functionality
SSO to Everything
AAD P1 is designed to work in conjunction with a directory service and lacks features most organizations find necessary for SSO to everything. For example, no matter the subscription tier, AAD lacks the ability to manage user access to networks via RADIUS or LDAP.
Unfortunately, this entrenches many admins in hybrid infrastructure, which is less than ideal for cloud-forward organizations looking to leave behind the time-intensive and costly nature of running server rooms. Additionally, AD’s RADIUS authentication is performed via an on-prem NPS server, which represents additional infrastructure and additional attack surface. IT admins who are looking to move past legacy hardware will find that AD + AAD isn’t the most ideal choice.
Management overhead for on-premises resources and the requirement for additional Azure services raise AAD P1’s TCO.
Microsoft Entra is necessary to manage external identities within AAD. There are a few ad hoc costs, such as a charge for authenticating those identities with MFA. Its features are geared toward advanced enterprise workflows and governance requirements.
Many IT administrators choose to implement their AAD instances in conjunction with a directory service. They often use on-prem Active Directory, which syncs with AAD via Azure AD Connect, allowing users to leverage their AD credentials for SSO to web applications and Azure infrastructure. Microsoft’s reference architecture for AAD specifically includes on-prem AD, which may suit organizations that are deeply entrenched in Active Directory.
However, this leaves a device management gap: organizations that are also invested in systems beyond Windows (such as Android, macOS®, and Linux®) may struggle to make AAD work on its own. Organizations that adopt AAD likely need to buy additional solutions, such as Microsoft’s Intune subscription, to manage Mac, Linux, and additional Windows systems. Microsoft has also partitioned remote assist off as a premium add-on to Intune.
Admins looking to use Azure AD Premium P2’s expanse of services typically choose it for its cloud-based IAM and security infrastructure. However, it’s not the only option and may not be the best fit for an SME. A cloud-based directory service that complements AAD and manages your devices helps to achieve a Zero Trust security model and makes identity the perimeter.
Open Directory Services
Organizations that are cloud-first, have external identities (such as Google Workspace), and devices other than Windows may find more value in pairing Azure AD with JumpCloud. JumpCloud is an open directory platform that unifies identity, access, and device management capabilities, regardless of the underlying authentication method or device ecosystem.
In contrast to standalone AAD, the JumpCloud platform provides SSO to everything and includes environment-wide MFA. It supports the following network protocols:
- RESTful APIs
Identity and access management (IAM) is handled through groups using attribute-based access control, which helps to automate user lifecycle and entitlements management. Changes flow in from other directories or human resource systems. In contrast, AAD P1’s tier defaults to role-based access control, which places the onus on IT admins to maintain permissions and memberships. Active Directory is also the de facto “source of truth,” though MIM also provides HR-driven provisioning within AAD.
Conditional access is optional in JumpCloud for organizations that require privileged access management (PAM), and several password-less authentication methods are supported.
Extend and Improve AAD
JumpCloud’s Azure AD Integration syncs Microsoft 365/Azure AD users into the directory. It can then serve as the source of truth and manage nearly all systems, applications, networks, file servers, Infrastructure-as-a-Service platforms, and more regardless of their location (on-prem, at other cloud providers such as AWS®, etc.). This way, admins can still leverage Azure AD Premium P1’s feature set while remaining untethered to burdensome on-prem infrastructure.
Additionally, JumpCloud is platform agnostic, so organizations can implement unified system management in conjunction with their Azure AD Premium P1 instance. For organizations with budgetary restrictions, the directory integrates with Azure AD Free so organizations can still manage their Azure/Microsoft 365 users with a directory service entirely from the cloud.
JumpCloud also offers additional IT management options that extend its utility: