With more organizations looking to move their IT infrastructure to the cloud, admins are asking: Can I use Azure® Active Directory® for authentication? The short answer is yes, but it depends on what you need to authenticate to.
Authentication confirms that a user is actually who they say they are, and protects internal resources against unauthorized access. It’s essential for securing IT infrastructure, and with cybercrime on the rise, IT teams are evaluating the best option for secure authentication in the cloud.
Below we’ll discuss which resources Azure AD can natively authenticate users to, which resources it struggles with, and the options available to IT teams looking to fill the gaps in AAD’s authentication coverage.
What is Azure AD?
Azure AD is a user management platform offered by Microsoft® that manages access to Azure infrastructure, Office 365™ (O365), and a selection of web applications. AAD is mainly meant to be used in conjunction with an existing on-prem Active Directory instance, though it can be used on its own.
By itself, it functions as a baseline identity and access management (IAM) solution with a particular set of administrative capabilities. When used with Active Directory, Azure AD Connect federates AD credentials to Azure AD, so that users can authenticate to web-based apps and Azure with their existing on-prem credentials.
Azure AD’s Native Authentication Capabilities
Natively, AAD authenticates user credentials to Windows® 10 Pro devices and select web apps. In conjunction with Azure AD Domain Services, it can create a login process for a domain of servers and applications hosted at Azure. Alone, however, AAD doesn’t authenticate to:
- Networks via RADIUS
- Other Windows systems (i.e., anything other than Windows 10 Pro), macOS® machines, or Linux® servers (hosted in AWS®, for example)
- LDAP-based applications or file servers
Although it’s a useful solution for integrating Azure credentials with certain apps, AAD’s limited authentication coverage often leaves IT teams searching for other solutions (such as OpenLDAP™ or FreeRADIUS) to authenticate users to the rest of their IT environment.
IT teams can improve this workflow, however, by tethering Azure AD to their existing on-prem directory service.
Azure AD with Active Directory
Most organizations choose to use both Azure AD and AD at the same time. With Azure AD, organizations get SSO for select web apps and Azure infrastructure. When paired with AD, IT teams also retain the administrative capabilities that let them push policies, patches, and updates to Windows systems, and manage a subset of Windows-based systems, applications, and storage.
For most, it seems like a no-brainer to employ this hybrid environment to solve all authentication needs. However, even with Active Directory acting as the primary identity provider (IdP), Azure AD still doesn’t natively authenticate users to systems outside the Windows domain.
So, for on-prem macOS machines or Linux servers hosted in AWS, admins typically implement third-party solutions to manage user access. Similarly, IT teams that want to control user access to their wired and wireless networks need to stand up an additional on-prem NPS server (or a cloud-based FreeRADIUS server) for RADIUS authentication.
Although Azure AD alongside AD does authenticate users to a number of IT resources, it does not give admins a centralized, cloud-based way to authenticate users to virtually all of their IT resources.
Centralized Authentication in the Cloud
So what is the best option for your enterprise? The answer depends on your organization’s circumstances. For Windows-centric IT environments looking to blend legacy on-prem infrastructure with the convenience and security of the cloud, Azure AD + AD may be ideal. Keep in mind, though, that this hybrid approach adds a number of components that IT teams need to manage, including Azure AD Connect, AAD DS, an NPS server for RADIUS authentication, Active Directory Domain Services, and more.
Leveraging Azure AD + AD can be a costly decision, especially when taking into account the other Windows-hosted resources that come with it. Additionally, if your organization includes Mac and Linux systems, or if you’re looking to move identity and access management (IAM) entirely to the cloud, Azure AD may not be the best option.
For those interested in identity management for modern needs, JumpCloud® Directory-as-a-Service® is the first cloud IAM platform that authenticates users to their heterogeneous systems, applications, networks, and files from one central console.
DaaS can function as a standalone IdP hosted in the cloud, or it can be layered on top of on-prem AD, serving as an alternative to Azure AD in many respects while still integrating tightly with O365 and Azure user account management. With JumpCloud’s Active Directory Integration, IT teams can keep AD as the core source of truth for authentication while bridging AD identities to resources that AD doesn’t natively integrate with.