To better understand the structure of Azure® Active Directory® (AAD or Azure AD), we explore each of its service tiers in a four-part series. This is part three of that series.
Each part covers the benefits of that particular service, as well as the drawbacks that come with each tier. Click here to read our previous blog on Azure AD Free, or here to read our blog on Azure AD Office 365 apps.
Azure Active Directory Premium P1
Azure AD is a cloud-based user management platform often introduced to organizations via the purchase of an Office 365™ license or Azure subscription. Although IT teams commonly start their organizations with Azure AD Free or Office 365 apps (since those are included with a subscription to either service), organizations often look to upgrade their Azure AD instances to Premium P1 or P2 licenses.
AAD’s paid licenses are meant to be used alongside a directory service, and as such complement the features of an existing directory. Organizations often implement AAD Premium P1 in conjunction with a core identity provider, but many are aware that AAD Premium P1 can be used entirely on its own to manage Microsoft 365/Azure identities and to provide single sign-on (SSO) for pre-integrated web applications. Below, we evaluate Azure AD Premium P1’s capabilities as a standalone tool and how organizations can best utilize its services.
Benefits of Azure AD Premium P1
Azure AD Premium P1 offers the following features:
- All of the features listed for Azure AD Office 365 apps
- SSO for an unlimited number of pre-integrated SaaS applications
- Self-service application assignment to enable users to self-discover and request access to applications; this enables cloud app discovery
- On-premises write-back for all password changes
- Group-based access management and provisioning (comes with additional provisioning customization)
- Advanced usage reporting
- Application proxy for remote access to on-prem applications
- Microsoft® Identity Management (MIM) Client Access Licenses (CAL) + MIM server for simplified lifecycle user management
- Conditional access based on device state or location and group
- Automated password rollover for group accounts
- For Windows® 10 Pro: desktop SSO, Microsoft Passport for Azure AD, and administrator BitLocker recovery
- MDM auto-enrollment, self-service BitLocker recovery, additional local admin tooling to Windows 10 Pro devices via Azure AD Join
The premium features offered by Azure AD Premium P1 are attractive. However, there are drawbacks to consider with AAD Premium P1 as a holistic identity management solution.
Drawbacks of Azure AD Premium P1
As mentioned earlier, Azure AD is designed to work in conjunction with a directory service and lacks certain features most organizations find necessary. For example, no matter the subscription tier, AAD lacks the ability to manage user access to networks via RADIUS.
Also, AAD’s system management capabilities are exclusive to Windows 10 Pro, so organizations that run systems beyond Windows (such as macOS® and Linux®) or more than a single version of Windows may struggle to make AAD work on its own. Organizations that adopt AAD likely need to buy additional solutions to manage Mac, Linux, and other Windows systems.
Because of this, many IT administrators choose to implement their AAD instances in conjunction with a directory service. They often use on-prem Active Directory, which syncs with AAD via Azure AD Connect, allowing users to leverage their AD credentials for SSO to web applications and Azure infrastructure. To be fair, Microsoft’s reference architecture specifically includes AD on-prem as part of the overall approach.
Unfortunately, this locks many admins into hybrid infrastructure, which is less than ideal for cloud-forward organizations looking to leave behind the time-intensive and costly nature of legacy hardware. Additionally, AD’s RADIUS authentication is handled by an on-prem NPS server, which is yet more on-prem infrastructure, so many IT admins looking to move past legacy hardware find that AD + AAD isn’t the ideal choice.
Admins who want Azure AD Premium P1’s breadth of services typically choose it for its cloud-based infrastructure, so a cloud-based directory service may be a better complement to AAD.
Cloud-Based Directory Services
Cloud-focused organizations may find more value in pairing Azure AD with JumpCloud® Directory-as-a-Service® (DaaS).
Through Azure AD Integration, IT teams sync their Microsoft 365/Azure AD users with JumpCloud, which acts as the source of truth and manages nearly all systems, applications, networks, file servers, Infrastructure-as-a-Service platforms, and more, regardless of their location (on-prem, at other cloud providers such as AWS®, etc.). This way, admins can still leverage Azure AD Premium P1’s feature set while remaining untethered from burdensome on-prem infrastructure.
Additionally, DaaS is platform agnostic, so organizations can implement unified system management in conjunction with their Azure AD Premium P1 instance. For organizations with budgetary restrictions, Directory-as-a-Service integrates with Azure AD Free so organizations can still manage their Azure/Microsoft 365 users with a directory service entirely from the cloud.