To better understand the structure of Azure® Active Directory® (AAD or Azure AD), we are exploring each tier of their services in a four-part series. This is the final part of the series.
Azure Active Directory Premium P2
IT teams most commonly become acquainted with Azure AD after purchasing a Microsoft 365™ license or subscribing to Azure cloud infrastructure. Typically, they start on the Azure AD Free tier, upgrading their AAD instance to the higher pricing tiers once they start to utilize AAD for its user management capabilities.
The highest level of AAD’s paid licenses, AAD Premium P2, wasn’t designed to function optimally as a standalone product, and operates best when used alongside a directory service. However, the number of premium features included with AAD’s top tier make it attractive for many organizations invested in securing their applications and monitoring user traffic from the cloud. It has many features for compliance and security that are suitable for large enterprises.
All tiers of AAD lack device management features, managing external identities costs extra, and management overhead increases when single sign-on (SSO) is needed for network devices. Microsoft spreads the pieces required to treat identity as your perimeter across several separate services.
As such, we will evaluate Azure AD Premium P2’s native capabilities as a standalone product, and how organizations can best utilize its services to enhance their users’ general productivity.
Benefits of Azure AD Premium P2
Azure AD Premium P2 is most commonly used for providing insight into user activity within Azure infrastructure, Microsoft 365, and web applications. Though lower tiers of AAD have certain limitations, such as with the number of apps and directory objects IT teams can manage, Azure AD Premium P2’s feature set offers admins the opportunity to thoroughly manage their users and their SSO access. AAD Premium P2 offers the following features:
- All of the features listed for Azure AD Microsoft 365 apps
- Leverage SSO for an unlimited number of pre-integrated SaaS applications
- Configure self-service application assignment to enable users to self-discover and request access to applications
- On-prem write-back for all password changes
- Advanced usage reporting
- HR-driven provisioning
- Self-service group management and application management
- Microsoft® Identity Management (MIM) CAL + MIM server for simplified lifecycle user management
- Conditional access based on device state or location and group
- Automate password rollover for group accounts
- Join a Windows® Pro device to Azure AD to enable desktop SSO, and Administrator BitLocker recovery
- Application proxy for on-premises, header-based, and Integrated Windows Authentication
- MDM auto-enrollment, self-service BitLocker recovery, additional local admin tooling to Windows Pro devices via Azure AD Join
- Role-based access control (RBAC)
- Risk-based Identity Protection
- Privileged identity management
- Self-service entitlement management (My Access)
- Access certifications and reviews
- Entitlements management
- Lifecycle Workflows (preview)
- Privileged Identity Management (PIM), just-in-time access
- Cloud app discovery (Windows Defender for cloud apps)
- Identity Protection reporting: vulnerabilities and risky accounts
- Identity Protection reporting: risk events investigation, SIEM connectivity
- A service-level agreement
The biggest difference between AAD Premium P1 and P2 is that Azure AD Premium P2 gives admins the ability to observe their users in depth and detect possible threats: automating the detection and remediation of identity-based risks, investigating risks using data in the portal, and exporting risk detection data to third-party utilities for further analysis.
By combining Azure AD’s Identity Protection and Privileged Identity Management, AAD Premium P2 provides admins with far more data than the lower tiers, with alerting that helps organizations attain compliance and troubleshoot issues that may exist with AAD or Azure.
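The export-to-third-party path above is where a security team usually adds its own triage logic. The following is an added example, not code from the original article, from Microsoft or from JumpCloud: it parses a constructed export of risk detection records (the field names loosely follow the Microsoft Graph riskDetection resource, but the records, the escalation thresholds and the verdict labels are assumptions made for this example) and decides, per user, whether the detections warrant escalation, a review, or nothing.

```python
"""Triage of exported Identity Protection risk detections.

Added example, not code from the article, Microsoft or JumpCloud. The record
shape loosely follows Microsoft Graph riskDetection fields (riskEventType,
riskLevel, riskState, userPrincipalName, activityDateTime); the sample
records, thresholds and verdict names are constructed for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export, as a SIEM might receive it from the risk detection API.
SAMPLE_EXPORT = json.dumps([
    {"userPrincipalName": "alice@example.com", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "medium", "riskState": "atRisk", "activityDateTime": "2023-03-01T08:05:00Z"},
    {"userPrincipalName": "alice@example.com", "riskEventType": "anonymizedIPAddress",
     "riskLevel": "medium", "riskState": "atRisk", "activityDateTime": "2023-03-01T09:40:00Z"},
    {"userPrincipalName": "bob@example.com", "riskEventType": "leakedCredentials",
     "riskLevel": "high", "riskState": "atRisk", "activityDateTime": "2023-03-01T10:00:00Z"},
    {"userPrincipalName": "carol@example.com", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "low", "riskState": "remediated", "activityDateTime": "2023-02-28T22:10:00Z"},
    {"userPrincipalName": "dave@example.com", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "medium", "riskState": "dismissed", "activityDateTime": "2023-03-01T07:00:00Z"},
    {"userPrincipalName": "eve@example.com", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "medium", "riskState": "atRisk", "activityDateTime": "2023-03-01T11:00:00Z"},
])

LEVEL_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}
OPEN_STATES = {"atRisk", "confirmedCompromised"}  # states that still need action


def parse_export(raw: str) -> list:
    """Parse the JSON export and convert timestamps; malformed records are skipped."""
    records = []
    for rec in json.loads(raw):
        try:
            ts = datetime.strptime(rec["activityDateTime"], "%Y-%m-%dT%H:%M:%SZ")
            records.append({**rec, "ts": ts})
        except (KeyError, ValueError):
            continue
    return records


def triage(records, window=timedelta(hours=24), medium_threshold=2) -> dict:
    """Return {upn: verdict} with verdict in {'escalate', 'review', 'closed'}.

    Rules (assumptions for this example):
      - any open high-risk detection                          -> escalate
      - >= medium_threshold open medium detections in `window` -> escalate
      - any other open detection                               -> review
      - only remediated/dismissed detections                   -> closed
    """
    by_user = defaultdict(list)
    for r in records:
        by_user[r["userPrincipalName"]].append(r)

    verdicts = {}
    for upn, recs in by_user.items():
        open_recs = [r for r in recs if r.get("riskState") in OPEN_STATES]
        if not open_recs:
            verdicts[upn] = "closed"
            continue
        if any(LEVEL_ORDER.get(r.get("riskLevel"), 0) >= 3 for r in open_recs):
            verdicts[upn] = "escalate"
            continue
        mediums = sorted(r["ts"] for r in open_recs
                         if LEVEL_ORDER.get(r.get("riskLevel"), 0) >= 2)
        # Sliding window: do `medium_threshold` medium detections fall within `window`?
        clustered = any(
            mediums[i + medium_threshold - 1] - mediums[i] <= window
            for i in range(len(mediums) - medium_threshold + 1)
        )
        verdicts[upn] = "escalate" if clustered else "review"
    return verdicts


if __name__ == "__main__":
    for upn, verdict in sorted(triage(parse_export(SAMPLE_EXPORT)).items()):
        print(f"{upn:20s} {verdict}")
```

The point of keeping the rules in one small function is that the thresholds (window length, how many medium detections count as a cluster) are the part a team tunes against its own false-positive rate, while the parsing stays stable.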
Drawbacks of Azure AD Premium P2
AAD P2 delivers far more sophisticated identity and access management (IAM), user lifecycle management, and security compliance features than P1. However, it still doesn’t treat identities as the perimeter. Workarounds are required to use core network protocols to secure and manage access to network devices, even though devices serve as the gateway through which identities reach resources in modern IT. Unfortunately, AAD P2 still won’t manage non-Microsoft identities or non-Windows devices without accompanying licenses for more specialized Azure services.
Let’s explore these issues in further detail.
Microsoft licensing can be complex, and implementing best practices for AAD takes a lot of work. The breadth of configurations, and the resulting complexity, that Microsoft’s enterprise features present has given rise to a cottage industry of consultants, and many organizations have to hire them to guide a migration. AAD P2’s more sophisticated features are even more likely to require dedicated internal teams with support from specialized external resources. Otherwise, implementations will be incomplete, or small and medium-sized enterprises (SMEs) will pay for services that go unused.
There are also licensing stipulations to deploy the features that are listed in P2. For example, AAD Connect Health reporting includes fine print:
“First monitoring agent requires at least one license. Each additional agent requires 25 additional incremental licenses. Agents monitoring Azure AD Federation Services, Azure AD Connect, and Azure AD Domain Services are considered separate agents.”
Fit and Value for SMEs
It’s unlikely that SMEs will have the ability to support a full AAD P2 implementation or have the requirements for advanced compliance reporting or a security operations center to support it. Unfortunately, some useful IT management capabilities are also walled off into the P2 tier. SMEs that have P2 recommended to them should evaluate whether they’ll receive enough payback.
Missing Identity and Access Control Functionality
SSO to Everything
AAD P2 is designed to work in conjunction with a directory service and lacks features most organizations find necessary for SSO to everything. For example, no matter the subscription tier, AAD lacks the ability to manage user access to networks via RADIUS or LDAP.
Unfortunately, this locks many admins into hybrid infrastructure, which is less than ideal for cloud-forward organizations looking to leave behind the time-intensive and costly nature of running server rooms. Additionally, AD’s RADIUS authentication is performed via an on-prem NPS server, which represents additional infrastructure and additional attack surface. IT admins who are looking to move past legacy hardware will find that AD + AAD isn’t the most ideal choice.
It’s important to note that extensive manual implementation can leave the door open for human error and welcome cyberthreats such as opportunistic attacks on misconfigured networks.
Management overhead for on-premises resources and the requirement for additional Azure services raise AAD’s TCO.
Microsoft Entra is necessary to manage external identities within AAD. There are a few ad hoc costs, such as a charge for authenticating those identities with MFA. Its features are geared toward advanced enterprise workflows and governance requirements.
Many IT administrators choose to implement their AAD instances in conjunction with a directory service. They often use on-prem Active Directory, which syncs with AAD via Azure AD Connect, allowing users to leverage their AD credentials for SSO to web applications and Azure infrastructure. Microsoft’s reference architecture for AAD specifically includes on-prem AD, which may be beneficial for organizations that are deeply entrenched in Active Directory.
However, this leaves a device management gap: organizations that are also invested in systems beyond Windows (such as Android, macOS®, and Linux®) may struggle to make AAD work on its own. Organizations that adopt AAD likely need to buy additional solutions, such as a Microsoft Intune subscription, to manage Mac, Linux, and additional Windows systems. Microsoft has also partitioned off remote assist as a premium add-on to Intune.
Admins looking to use Azure AD Premium P2’s expanse of services typically choose it for its cloud-based IAM and security infrastructure. However, it’s not the only option and may not be the best fit for an SME. A cloud-based directory service that complements AAD and manages your devices helps to achieve a Zero Trust security model and makes identity the perimeter.
An Open Directory for Modern IT
Organizations that are cloud-first, have external identities (such as Google Workspace), and devices other than Windows may find more value in pairing Azure AD with JumpCloud. JumpCloud is an open directory platform that unifies identity, access, and device management capabilities, regardless of the underlying authentication method or device ecosystem.
In contrast to standalone AAD, the JumpCloud platform provides SSO to everything and includes environment-wide MFA. It supports the following network protocols:
- RESTful APIs
Identity and access management is handled through groups using attribute-based access control, which helps to automate user lifecycle and entitlements management. Changes flow from other directories or human resource systems. In contrast, AAD defaults to role-based access control, which places the onus on IT admins to maintain permissions and memberships. Active Directory is also the de facto “source of truth,” but MIM also provides for HR-driven provisioning within AAD. JumpCloud also contains compliance-friendly pre-built reports and reporting tools that capture device, directory, and authentication-flow events.
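The practical difference between the two models is what happens when an HR or device attribute changes and nobody edits a group. The following is an added example, not JumpCloud’s or Azure AD’s code: a constructed user, a constructed “erp” application, and two toy policy engines, one where access follows hand-maintained group membership (RBAC) and one where it is derived from user attributes at evaluation time (ABAC). The attribute names and the rule itself are assumptions made for this example.

```python
"""Role-based vs attribute-based access control over an HR-driven directory.

Added example, not code from the article, JumpCloud or Microsoft. The user
record, the 'erp' application and the policy rule are constructed for this
example; real directories expose richer attributes and policy languages.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Set


@dataclass
class User:
    upn: str
    department: str
    employment_status: str   # "active" or "terminated"; fed from the HR system
    managed_device: bool     # device posture as reported by MDM


@dataclass
class RbacDirectory:
    """RBAC as the article describes it: admins maintain group membership by hand
    and applications are granted to groups. Nothing re-evaluates membership."""
    members: Dict[str, Set[str]] = field(default_factory=dict)  # group -> upns
    grants: Dict[str, Set[str]] = field(default_factory=dict)   # app -> groups

    def add_member(self, group: str, upn: str) -> None:
        self.members.setdefault(group, set()).add(upn)

    def remove_member(self, group: str, upn: str) -> None:
        self.members.get(group, set()).discard(upn)

    def grant(self, app: str, group: str) -> None:
        self.grants.setdefault(app, set()).add(group)

    def has_access(self, user: User, app: str) -> bool:
        return any(user.upn in self.members.get(g, set())
                   for g in self.grants.get(app, set()))


class AbacDirectory:
    """ABAC: each application is granted by a predicate over user attributes,
    evaluated at access time, so HR or MDM attribute changes take effect
    without an admin editing memberships."""

    def __init__(self) -> None:
        self.rules: Dict[str, Callable[[User], bool]] = {}

    def grant(self, app: str, predicate: Callable[[User], bool]) -> None:
        self.rules[app] = predicate

    def has_access(self, user: User, app: str) -> bool:
        rule = self.rules.get(app)
        # Employment status is a global guard: terminated users get nothing.
        return rule is not None and user.employment_status == "active" and rule(user)


def lifecycle_demo() -> Dict[str, Dict[str, bool]]:
    """Walk one constructed user through join, department move, device posture
    change and termination, recording what each model answers for 'erp'."""
    alice = User("alice@example.com", "finance", "active", True)

    rbac = RbacDirectory()
    rbac.add_member("finance-staff", alice.upn)   # manual step by an admin
    rbac.grant("erp", "finance-staff")

    abac = AbacDirectory()
    abac.grant("erp", lambda u: u.department == "finance" and u.managed_device)

    def snapshot() -> Dict[str, bool]:
        return {"rbac": rbac.has_access(alice, "erp"),
                "abac": abac.has_access(alice, "erp")}

    result = {"joined": snapshot()}

    alice.department = "sales"               # HR record changes; groups untouched
    result["moved_to_sales"] = snapshot()

    alice.department = "finance"
    alice.managed_device = False             # MDM reports an unmanaged device
    result["unmanaged_device"] = snapshot()

    alice.managed_device = True
    alice.employment_status = "terminated"   # offboarded in HR only
    result["terminated"] = snapshot()
    return result


if __name__ == "__main__":
    for stage, answers in lifecycle_demo().items():
        print(f"{stage:17s} rbac={answers['rbac']!s:5s} abac={answers['abac']}")
```

In the RBAC model every row keeps answering True until an admin remembers to call remove_member; in the ABAC model the department move, the unmanaged device and the termination each revoke access on their own, which is the lifecycle automation the paragraph above refers to.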
Conditional access is optional in JumpCloud for organizations that require privileged access management (PAM) based on device and user postures. Risk-based policies are on the roadmap. Several passwordless authentication methods are supported, and identities can be further protected by selecting a preferred extended detection and response (XDR) vendor.
Extend and Improve AAD
JumpCloud’s Azure AD integration syncs Microsoft 365/Azure AD users into the directory. It can then serve as the source of truth and manage nearly all systems, applications, networks, file servers, Infrastructure-as-a-Service platforms, and more regardless of their location (on-prem, at other cloud providers such as AWS®, etc.). This way, admins can still leverage Azure AD Premium P2’s feature set while remaining untethered to burdensome on-prem infrastructure.
Additionally, JumpCloud is platform agnostic, so organizations can implement unified system management or mobile device management (MDM) for any major OS to enhance their Azure AD Premium P2 instance. Even the small things that Microsoft charges for are included. For example, self-service password resets are integrated into the JumpCloud platform, reducing IT’s most routine support cases such as when a user is inadvertently locked out of their device(s).
JumpCloud also has additional IT management options that extend its utility for SMEs:
Interested in learning more? Check out our video series on the modernization of directory services, or feel free to register for a personalized demo to see JumpCloud in action. Pricing is workflow based versus being compartmentalized by tiers of features.