By Cassa Niedringhaus Posted November 27, 2019
Is Okta® Universal Directory (UD) a replacement for Microsoft® Active Directory®? The latter has been a fixture in the IT landscape for almost two decades now, and replacing it requires forethought and planning.
Whether UD can work for your organization is ultimately up to you and your individual requirements, which will vary based on organization type and industry. Still, there are certain fundamental capabilities a core directory service should offer if it’s up to the task of fully replacing Active Directory. We’ll focus on those capabilities in this post as a baseline for evaluation, to which you can then add industry- and environment-specific factors.
Active Directory has historically done three things well inside on-prem, Windows®-based networks: authenticate, authorize, and manage users and systems. In a traditional domain, end users could enter their credentials into a Windows laptop or desktop and access whatever they needed on the Windows network. Today, non-Windows and cloud offerings challenge AD’s model, and it would be advantageous for its replacement to connect all major operating systems and cloud resources.
To replace Active Directory in modern environments, IT admins should look for the following capabilities and features in a new directory service:
- Cloud-hosted and secure
- Support for systems, applications, files, and networks
Cloud-Hosted and Secure
Active Directory isn’t delivered via Software-as-a-Service, but most IT organizations are moving to cloud offerings in which they can shift the heavy lifting of running the service to a responsible third party. In fact, a RightScale report highlighted that the vast majority of enterprises have a multi-cloud strategy.
A cloud approach to directory services allows IT admins to avoid the hassle of configuring and maintaining on-prem infrastructure (and getting locked into Client Access Licenses). It also allows them to take an agile and contemporary approach to connecting users to their resources.
However, IT admins often feel that internal control offers more security, so a third-party provider needs to prove its mettle on the security front, including submitting to third-party assessments and implementing strong data and network security measures.
Support for Systems, Apps, Files, and Networks
Active Directory cuts across various types of IT resources, but they’re usually all Windows-based. It doesn’t natively (or voluntarily) connect well to non-Windows and cloud-based resources, which continue to grow in number. Analysts note that cloud-native technologies are transforming organizations and industries and introducing competitive advantages for those that use them.
An up-to-date IT network includes a wide range of systems (Windows, macOS®, and Linux®), cloud and on-prem servers (AWS and on-prem data centers), web and on-prem applications, physical and cloud file servers, and WiFi/VPN networks.
An Active Directory replacement should support virtually all of these solutions natively.
Confirming a user’s identity is critical, especially in an era when identities are the keys to vital digital assets. A next-generation Active Directory replacement should be able to juggle the protocols needed for the vast array of resources employees use — from SAML for web applications to RADIUS for secure WiFi authentication, and more.
Such a directory service wouldn’t be limited to, say, Kerberos or SAML. It would also include LDAP, RADIUS, SSH keys, TOTPs for multi-factor authentication (MFA), and more. MFA in particular is a simple but key security measure: it adds a second check on the user’s identity before granting access to systems, applications, and networks.
A key capability of Active Directory is the power to grant different permissions and access rights to various IT resources. Generally, through group membership and role-based access, IT admins are in control of who can access what.
Any replacement of AD must enable this same ability, such as granting application access to one department but restricting it in another, or by segmenting network access with VLAN tagging.
IT admins value Active Directory’s Group Policy Objects (GPOs), which allow them to manage Windows systems tightly. This feature has become a mainstay in Active Directory networks and often becomes a key reason why admins feel it isn’t replaceable.
Any Active Directory alternative will need GPO-like functions not only for Windows but also for popular operating systems like Linux and macOS, the latter of which in particular is popular among end users. These cross-OS policies might include security measures such as full disk encryption or password complexity requirements.
Whether Universal Directory can replace Active Directory is really up to each organization’s unique set of needs and requirements, but the key capabilities and roles that Active Directory plays are outlined above. Of course, Active Directory has much more functionality than we’ve described here, so detailing your existing use cases is critical to analyzing whether you can replace it.
Before selecting UD or any other Active Directory replacement, consider browsing our comprehensive Active Directory guide, which outlines how you can compile information on your business goals, technical environment, and directory service needs.