To better understand the structure of Azure® Active Directory® (AAD or Azure AD), we will be exploring each tier of their services in a four-part series. This is the final part of that series.
Each part covers the benefits and drawbacks that come with each of Azure AD’s pricing tiers. If interested, feel free to read our previous blog on Azure AD Free, Azure AD Office 365 apps, or Azure AD Premium P1.
Azure Active Directory Premium P2
IT teams become acquainted with Azure AD after purchasing an Office 365™ license or subscribing to Azure cloud infrastructure. Typically, they start on the Azure AD Free tier, upgrading their AAD instance to the higher pricing tiers once they start to utilize AAD for its user management capabilities.
The highest level of AAD’s paid licenses, AAD Premium P2, wasn’t designed to function optimally as a standalone product and operates best when used alongside a directory service. However, the number of premium features included with AAD’s top tier makes it attractive for many organizations invested in securing their applications and monitoring user traffic from the cloud.
As such, we will evaluate Azure AD Premium P2’s native capabilities as a standalone product, and how organizations can best utilize its services to enhance their users’ general productivity.
Benefits of Azure AD Premium P2
Azure AD Premium P2 is most commonly used for providing insight into user activity within Azure infrastructure, Office 365, and web applications. Though lower tiers of AAD have certain limitations, such as with the number of apps and directory objects IT teams can manage, Azure AD Premium P2’s feature set offers admins the opportunity to thoroughly manage their users and their SSO access. AAD Premium P2 offers the following features:
- All of the features listed for Azure AD Office 365 apps
- Leverage SSO for an unlimited number of pre-integrated SaaS applications
- Configure self-service application assignment to enable users to self-discover and request access to applications
- On-premises write-back for all password changes
- Advanced usage reporting
- Application proxy for remote access to on-prem applications
- Self-service group management and application management
- Microsoft® Identity Management (MIM) CAL + MIM server for simplified lifecycle user management
- Conditional access based on device state or location and group
- Automate password rollover for group accounts
- Join a Windows® 10 Pro device to Azure AD to enable desktop SSO, Microsoft Passport for Azure AD, and Administrator Bitlocker recovery
- MDM auto-enrollment, self-service Bitlocker recovery, additional local admin tooling to Windows 10 Pro devices via Azure AD Join
- Identity protection
- Privileged identity management
The biggest difference between AAD Premium P1 and P2 is that admins who purchase Azure AD Premium P2 gain the ability to observe their users in depth and detect possible threats. They can automate the detection and remediation of identity-based risks, investigate risks using data in the portal, and export risk detection data to third-party utilities for further analysis.
By using Azure AD’s identity protection and privileged identity management, AAD Premium P2 provides admins with much more data than its previous iterations, effectively alerting organizations in a way that helps them attain compliance and troubleshoot issues that may exist with AAD or Azure.
Drawbacks of Azure AD Premium P2
At all pricing levels, Azure AD is designed to work in conjunction with a separate directory service. As such, it was originally meant to work optimally in a hybrid environment (i.e. with a mix of cloud-based and on-prem resources), which could be problematic depending on your organization’s long-term plans for your IT infrastructure.
Organizations looking to move toward cloud infrastructure may struggle to make AAD Premium P2 work entirely on its own. Natively, it lacks the ability to manage users’ access to their networks via RADIUS and its system management capabilities are limited. However, many organizations are eager to move their legacy infrastructure to the cloud, as on-prem hardware is time-intensive and requires manual upkeep.
AAD Premium P2 could suit organizations that already manually configure an additional solution for RADIUS authentication. However, it’s important to note that extensive manual implementation leaves the door open for human error, and misconfigured networks invite cyberthreats such as brute force attacks.
Also, organizations that want to offer their users options when it comes to what machine they work on — Windows, macOS®, or Linux® — will have to implement third-party add-ons since Azure AD Premium P2 exclusively manages Windows 10 Pro. And with the price of AAD Premium P2 already maxing out some IT departments’ budgets, this may cause financial strain.
The ideal solution for identity management in the cloud is one that wholly manages all the resources users may need access to. Azure AD Premium P2’s feature set offers a number of options for IT admins wanting to manage their Azure infrastructure, Office 365 users, and web apps, but many may struggle to make AAD work on its own.
Admins interested in Azure AD Premium P2 typically choose it for its cloud-based infrastructure, so while AAD does sync with AD via Azure AD Connect, IT teams looking to move beyond on-prem hardware are seeking another solution. Finding a cloud-based directory service to complement AAD may be the best option, since a core identity provider in the cloud offers greater flexibility for scaling and remote working than legacy infrastructure. Fortunately, there is another solution that admins can consider for integrating Azure AD with an identity and access management platform in the cloud.
A Modern Directory Service For Modern Needs
Organizations looking to implement IT infrastructure that lives entirely in the cloud may find more value in pairing Azure AD Premium P2 with a modern directory service built to accommodate evolving technology. JumpCloud® Directory-as-a-Service® syncs with an existing AAD instance through Azure AD Integration, allowing IT teams to sync their O365/Azure AD users with JumpCloud.
A directory service that manages nearly all systems, applications, networks, file servers, and Infrastructure-as-a-Service platforms from one centralized, cloud-based platform is ideal for ensuring that resources are managed securely. Additionally, DaaS is platform agnostic, so organizations can implement cross-OS system management in conjunction with their Azure AD Premium P2 instance. And, by utilizing JumpCloud’s event logging features and PowerShell module, IT teams can reach compliance and monitor all their resources, not just the ones covered under Azure AD Premium P2.