Editor’s Note: Given the fast-paced nature of technology, it is possible that some of the information presented in this article is out-of-date, or incomplete, in some fashion. The author periodically reviews and revises this article to ensure information contained within is as accurate as possible.
This article analyzes the features and benefits offered by Microsoft’s Azure Active Directory (AAD or Azure AD) “Free” edition, as well as the potential drawbacks and challenges of adopting Microsoft’s cloud platform. You’ll also learn more about the impact of these constraints on your overall security posture. Identity is the new security perimeter, but this tier of AAD leaves gaps by failing to manage identities everywhere they reside and may place them at risk.
Microsoft provides services to secure devices, extend single sign-on (SSO) access to network appliances, and manage entitlements. There are many interwoven, segmented services in the Azure portfolio. It’s important to understand what Azure SKUs provide, and what’s left out of the mix. Making an informed decision about your requirements will determine the value of “free” and when further investment and planning is needed.
What Is Azure Active Directory?
AAD is a cloud directory service that extends Active Directory identities to Microsoft® Azure, Microsoft web applications (like Microsoft 365™), and many external SSO apps. When comparing Azure AD free vs. premium tiers, the price escalates dramatically.
AAD Free is designed to be a complementary service to on-prem AD. Without it, Azure AD cannot complete tasks related to system management, legacy application authentication, and network access control. Azure AD also requires authentication from Azure AD Domain Services (Azure AD DS) to manage Windows servers and applications hosted at Azure. It’s also not a full-fledged identity and access management (IAM) platform, and it isn’t a cloud replacement for on-prem Active Directory. AAD won’t manage your systems, especially non-Windows OSs.
Benefits of Azure AD Free
There are several benefits for Microsoft users with simple configurations and few users. AAD Free gives IT teams the ability to:
- Sync Active Directory via Azure AD Connect (a Microsoft utility that bridges on-prem AD and Azure AD)
- Sync up to 500,000 directory objects
- Leverage SSO for many external SaaS applications using your Microsoft identities
- Enact self-service password change for cloud users only (this does not include password resets that flow back to on-prem AD)
- See basic reporting on their substrate identity management solution
- Use basic security and usage reports
- Use automated user provisioning to Microsoft apps
- Use built-in administrator roles
- Use advanced features to meet future requirements
Azure AD Free offers basic SSO functionality that’s essential for organizations using AD to access Microsoft’s portfolio of cloud services. It’s also essential (and prerequisite) for cloud-first organizations to access the M365 suite, but it lacks interoperability with other identity providers (IdPs). For example, AAD Free wouldn’t enable AD users to access Google Workspace. That may be okay for Microsoft-only infrastructures, but leaves little room to change.
Significantly, AAD Free omits features that security experts consider necessary for cloud-based identity management. AAD Free remains remarkably similar to when it was introduced for limited SSO in 2014. Meanwhile, the silos between endpoints, data protection, and user identity are dissolving in response to the evolving tactics of sophisticated threat actors. The result is a stagnant security posture that is no longer sufficient, because attackers now move laterally faster than ever. The free edition of AAD maintains undesirable boundaries between IT and security operations, which makes these threats harder to mitigate.
CrowdStrike reports that adversary breakout time for lateral spread has dropped from over 9 hours to just 1.5 hours. Identity breaches account for >75% of breaches in the cloud.
Drawbacks of Azure AD Free
Microsoft cordons off the AAD features that protect identities everywhere they exist, along with the associated security and compliance controls. It’s impossible to follow Microsoft’s best practices for AAD without subscribing to P1, P2 (and beyond) to manage your devices. The Premium 1 (P1) and Premium 2 (P2) tiers (as well as one of two integrations) are necessary for SSO into on-premises Windows applications. There’s also an extra cost to import and manage identities external to the Microsoft ecosystem by subscribing to the full Microsoft Entra service stack.
Many IT shops adopt Microsoft because products “work well together.” Unfortunately, you must pay to fully integrate AAD with AD and Windows Server roles such as NPS for network authentication behind the firewall. Navigating your options can be a complicated undertaking that’s even given rise to websites dedicated to demystifying its licensing. There’s also higher management overhead for IAM, given the free SKU’s limitations. Further, implementing AAD’s enterprise features (and even AD integration) could compel you to hire specialized consultants.
As noted above, AAD Free omits features that security experts consider necessary for cloud-based identity management. The next section explores how gated licensing impacts your ability to reach your operational and security objectives and manage identities throughout your entire infrastructure.
Small and medium-sized enterprises (SMEs) must assess what’s feasible to spend per user and balance that reality against productivity gains and security obligations. It can be difficult (and often confusing) to forecast your needs when licensing is complex and required features are gated off into higher licensing tiers. Buying more than your SME needs for a few requisite features is a Faustian bargain that can significantly impact IT departments with strict budgets.
The entirety of AAD/Entra, Intune, and Microsoft’s security stack can satisfy complex, exhaustive IAM use cases and security requirements. That, however, increases supply chain risk in the vendor relationship. Most SMEs aren’t that fortunate and must navigate Azure’s licensing. That process begins when AAD Free is selected as a directory solution, because you’ll immediately be enrolled in trial subscriptions and face the boundaries of the Free tier.
SSO and Provisioning Limitations
Here are a few examples of how licensing factors in. First, let’s examine authentication and access control for your applications, both on-premises and SaaS:
- It’s not possible to have SSO for domain-bound applications without P1, P2. The same holds true for accessing resources behind the firewall via Windows Server’s NPS.
- Group assignments to applications will require P1, P2, or equivalent service tiers. That includes role-based access control to establish a Zero Trust security posture. Admins who want to use groups to manage what users may access either have to upgrade their Azure subscription or find another solution altogether.
- You cannot utilize external IdPs without paying more.
- With AAD Free, MFA configuration is limited to security defaults and per-user settings rather than group-based management. Per Microsoft, “Authentication methods and configuration capabilities may vary by subscription.”
- There is a charge per MFA instance for external IDs.
- Conditional access for privileged identities management is limited to P1, P2.
- HR-driven provisioning is unavailable outside of P1, P2.
- Self-service password changes with on-premises write-back require P1, P2.
- Advanced group management driven by policies and rules requires P1, P2.
- Advanced security and usage reports for compliance reporting require P1, P2.
No Device Management
Identity is the new perimeter, and it’s not possible to protect identities without also managing devices through mobile device management (MDM) or GPO-like policies. The device is a substrate for the user, their activities, and your organization’s data. CrowdStrike has found that 25% of attacks occur on devices without any endpoint protection and 71% of attacks are malware free once the adversary is in the environment. These types of attacks lack traditional indicators of compromise and are easier to hide among standard IT traffic. Endpoint Detection and Response (EDR) security cannot safeguard against inadequate IAM security practices.
Now, consider that AAD Free won’t manage devices. It becomes necessary to enroll in Intune, which accrues significant price increases per user. An organization with 10 active users will pay roughly $2,000 annually for IAM with device management from Microsoft. Azure could deliver a near complete solution, but SMEs will find themselves heavily oriented toward Microsoft. Microsoft has also partitioned remote assist off as a premium add-on to Intune.
Overall, Azure AD Free can be a useful tool for admins looking to introduce their organization to cloud-based infrastructure. However, it ultimately requires a number of additional authentication solutions to serve as a core identity provider (IdP). For instance, AAD doesn’t natively authenticate users to their Wi-Fi networks or hardware via RADIUS or LDAP. That holds true for P1, P2. Organizations either have to maintain a parallel system for authentication or invest in additional server infrastructure and configurations — a sequence of activities that isn’t free. Siloed identities complicate identity practices, increase technical overhead, and enlarge the attack surface area.
As previously noted, Entra costs more when it’s used to govern and manage external IDs through AAD. The costs compound when MFA is implemented, which isn’t optional. Costs will rise organically as your organization grows and the velocity of authentications increases.
“Free” is a relative term. AAD Free helps organizations with a small number of users and devices to manage Microsoft applications and SaaS services, but security is inherently lacking when those resources are being accessed using untrusted devices. Gaps in services and dependencies on the Windows platform (and various other quirks) may increase your workload and make implementation more difficult. Then, you’ll have to manage AAD + Azure in perpetuity.
Working toward Zero Trust security and compliance with ever expanding regulations obligates someone in your organization, or a trusted advisor, to become an expert in Azure licensing. Licensing and product bundles change and are rebranded with some regularity. Your team will also have to make many determinations to live within your budget. It’s not strictly about subscriptions — you’ll also have to account for implementation costs and TCO.
The variety of cloud services from Microsoft and challenges of migrating from Active Directory to the cloud have given rise to a cottage industry of consultants. This is due to the breadth of enterprise configurations, and resulting complexity, that many enterprises encounter. The complexity is ongoing: Azure uses role-based access control (RBAC) for security. RBAC can be labor-intensive and requires ongoing maintenance for a least privilege access model. Adding Intune into the mix means mastering ConfigMgr, due to limitations in the Azure web interface.
IT teams that inhabit Microsoft’s ecosystem must also set up best practices for AAD, some of which are critical because phishing is commonly used to compromise identities. Plan on spending extra time on those critical AAD settings, regardless of your subscription level. For example, AAD’s default settings permit all users to access the AAD admin portal and to register custom SSO applications (My Apps). Attackers actively abuse this workflow in phishing campaigns, which can bypass MFA. That’s a recipe for compromised identities and data in the absence of other security controls, including biometrics, managed devices, and certificates.
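Two of the tenant-wide defaults behind that workflow can be checked and tightened from a script. The following is an added example, not code from the article or from either vendor; it assumes the Microsoft Graph PowerShell SDK is installed and the signed-in account is allowed to edit the tenant’s authorization policy (the admin-portal access restriction itself is a portal user setting and is not handled here).

```powershell
# Added example, not part of the original article. Assumes the Microsoft.Graph
# PowerShell SDK is installed and the signed-in account can edit the tenant's
# authorization policy (for example, a Global Administrator).
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.Authorization"

# Read the tenant-wide defaults that apply to every ordinary member user.
$perms = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions

[pscustomobject]@{
    UsersMayRegisterApps   = $perms.AllowedToCreateApps
    UsersMayReadOtherUsers = $perms.AllowedToReadOtherUsers
    UserConsentPolicies    = ($perms.PermissionGrantPoliciesAssigned -join ", ")
} | Format-List

# 1. Stop ordinary users from registering applications. Admins and anyone
#    holding the Application Developer role can still create them.
if ($perms.AllowedToCreateApps) {
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        AllowedToCreateApps = $false
    }
    Write-Host "User app registration disabled."
}

# 2. Remove every user-consent grant policy so users cannot consent to
#    third-party apps on their own; requests then go through the admin
#    consent workflow, which is enabled separately in the portal.
if ($perms.PermissionGrantPoliciesAssigned.Count -gt 0) {
    Update-MgPolicyAuthorizationPolicy -DefaultUserRolePermissions @{
        PermissionGrantPoliciesAssigned = @()
    }
    Write-Host "User consent to applications disabled."
}

# Read the policy back and confirm both changes took effect.
$after = (Get-MgPolicyAuthorizationPolicy).DefaultUserRolePermissions
if ($after.AllowedToCreateApps -or $after.PermissionGrantPoliciesAssigned.Count -gt 0) {
    Write-Warning "Authorization policy still permits user app registration or consent."
}
```

Run the script first with the two Update calls commented out to see the current state before changing anything, since both settings apply to every member user in the tenant.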
This complexity exists because of the number of scenarios Microsoft supports, down to the granular requirements of large enterprises. Microsoft has also woven trials and upsells into admin settings workflows such as self-service password reset (SSPR). This blurs the line between what you can configure and what’s out of your reach. For example, a “Free” tier admin sees the option to configure SSPR, but will be prompted to assign a premium tier license to users.
An SME should consider whether it’s ready for and can afford this platform.
Azure and Vendor Lock-In
IT teams that are centered around AD expand Microsoft’s presence in their infrastructure by adopting AAD. Any SME that adopts AAD and other Azure products becomes more deeply embedded in Microsoft “monoculture” over time as custom configurations and more integrations occur. This is fine for some organizations that have deeper expertise in Microsoft platforms. They accept the vendor risk of standardizing all essential IT infrastructure and operations with a sole partner.
Sometimes, a combination of AAD and third-party services, such as JumpCloud, is more optimal. This next section outlines how JumpCloud integrates with and extends Microsoft systems through its open directory platform.
An Open Directory Platform
JumpCloud’s open directory platform provides value lock-in and enables you to choose any best-of-breed solution you want. For instance, your organization might prefer Google Workspace over M365 or choose identity and endpoint protection from CrowdStrike instead of Azure. You can connect users to any resource, from any location, from trusted devices, with the appropriate permissions, while abiding by Zero Trust principles. The platform provides SSO and device management, as well as compliance and reporting, to access and secure resources.
SSO to Everything
The open directory accepts third-party identities from Google, LDAP, Microsoft AD and AAD, Okta, and a wide variety of authentication protocols. Every authentication method is protected by MFA through either Push MFA with the JumpCloud Protect™ app or TOTP options. Conditional access policies for privileged access management (PAM) are optional if the use case fits, and JumpCloud offers a decentralized password manager and vault to protect user credentials.
The supported protocols include:
- Cloud LDAP
- RADIUS with dynamic VLAN assignment
- SAML with SCIM provisioning
- Delegated authentication (for AAD)
Users are provisioned either by importing accounts or attributes (and even AAD group assignments) from another directory or through integrations with popular HRIS systems. There’s no “tax” placed on basic interoperability or on using external identities. SSPR is also available without raising your license requirements. Access to applications is managed through groups with automated entitlement controls by using attribute-based access control (ABAC). ABAC reduces management overhead and the possibility of introducing errors such as wasting licenses on inactive users. It’s Zero Trust by virtue of continuously verifying user attributes, which serves as a security control against insider threats and forgotten user accounts.
Device management is included at no additional cost for Android, Apple products, Linux, and Windows. It includes MDM, pre-built policies (such as full disk encryption), and a commands queue. Windows admins can even utilize PowerShell scripts for batch jobs. Zero-touch deployments are available for Macs and iPads/iPhones with Windows Out of Box Experience (OOBE) as another option to stage devices and onboard users. Free remote assistance is built into the platform, for several operating systems, providing further cost-savings and value.
There’s also the option for cross-OS patch management, including browser version control.
Reporting and Data Services
All JumpCloud tenants include Directory Insights and System Insights to provide telemetry that follows identities everywhere they exist and all pertinent user activities. Cloud Insights will soon become available for observability and monitoring cloud infrastructures such as AWS. JumpCloud also provides multiple pre-built reports for compliance purposes and management.
Available reports include:
- Users to Devices: Returns all user attributes and device associations for each user.
- Users to RADIUS Server: Returns all user attributes and associations to RADIUS Servers for each user.
- Users to LDAP: Returns all user attributes and associations to LDAP resources for each user.
- Users to Directories: Returns all user attributes and associations to directories for each user.
- User to SSO Applications: Returns all user attributes and SSO application associations for each user.
- OS Patch Management Policy: Shows each device’s status relative to the OS patch policies that have been deployed.
Try JumpCloud for Free
Don’t just think about where you are today, consider where you’re headed.
Azure AD Free is a prerequisite for accessing Microsoft cloud apps, extends AD to the web, and can be an economical choice for SSO into cloud resources. However, it leaves gaps in manageability and security that defer costs, which could become substantial, to a later date. Subscriptions align with features, not use cases, and will make upgrading necessary.
JumpCloud is available for free, without restrictions, for the first 10 users/devices of any organization. Device management isn’t an additional cost, but some features are optional. Simply sign up for JumpCloud today to get started for a streamlined user experience with pricing that’s based on supporting the use cases you need from the Open Directory.
Premium chat support is available within your first 10 days to get you started. In the meantime, if you need to get going fast and be sure everything is set up correctly the first time, our Professional Services team is here — just find a 30-minute slot that works for you.