User Provisioning & Active Directory

Provisioning users to a variety of IT resources – think Mac/Linux/Windows machines, web applications, cloud infrastructure, VPNs, and more – is part of any admin’s job, but establishing a single identity for each resource with Active Directory^® (AD or MAD) presents a challenge. AD is not natively designed to federate identities to resources that have emerged – e.g. cloud infrastructure / web applications – since it was invented in 1999. Further, with the on-going global pandemic and the shift to remote work, provisioning user access to IT resources has become even more challenging.

Ideally, using one authoritative identity per user — which they use to access their permitted systems, apps, networks, and files — prevents identity sprawl and enables admins to suspend access across their organization’s infrastructure immediately. Further, in the modern era of security, this approach can enable IT admins to leverage Zero Trust principles to further lock down their infrastructure. Zero Trust and it’s instantiation through Conditional Access policies are an important tool whether a user’s credentials are compromised, the user leaves the organization or they are just accessing IT resources remotely.

However, despite the challenges of connecting users to modern IT resources, many admins see no alternative to AD because of its dominance in the market over the last twenty years. Its strengths in Windows-based user management and configuration are well known, but in an era where there are more non-Windows resources and work-from-home (WFH) is prevalent, is the on-prem domain model the correct one? In this post, we’ll examine modern user provisioning requirements and how to best meet them while either maintaining AD and reducing identity sprawl or by considering the alternative: the Domainless Enterprise.

Modern User Provisioning Requirements

It’s worth taking stock of the needs in your IT environment by asking yourself some important fact-finding questions:

• Are more users requesting to use Mac^® systems? 
• Are Linux servers and desktops more prevalent? 
• Do you have a roster of SaaS / web apps? 
• Do you rely on a productivity suite, such as Google Workspace^TM or Microsoft 365? 
• Is AWS or a similar infrastructure-as-a-service solution core to your organization?

Modern organizations regularly use SaaS and IaaS platforms to get work done, whether they are email platforms and the associated productivity suites, web applications to manage customer relationships and organize projects, or used to host infrastructure in the cloud. They are also increasingly providing Mac systems to their users. Each of these resources introduces heterogeneity and complexity in an IT environment.

For admins with a customized AD instance and deep knowledge of the domain, they might not envision migrating off AD to a cloud directory service — but they likely recognize the need to supplement it with add-ons to connect users with all of these resources. For some organizations, the chance to completely shift their user management infrastructure to the cloud is a welcome opportunity to modernize their management toolset.

The following resources challenge the AD model and require a different approach for user provisioning:

• Systems: Mac & Linux^®
• Applications: SaaS
• Networks: WiFi & VPNs
• Other: Cloud infrastructure & servers

Of course, the remote work model that is taking over the world is also a major challenge for IT organizations. Admins who want to avoid juggling add-ons tailored for each of these resources should seek a universal AD bridge or, if possible, completely eliminate their on-prem AD instance altogether. Using a single and comprehensive federation service limits additional tooling admins need to manage, and it keeps the total cost of ownership of AD as low as possible. If admins use one federation service for Mac machines and another for web app single sign-on (SSO), for example, their costs increase more than if they’d employed a single solution for both. One such comprehensive solution is JumpCloud^® Active Directory Integration for those that seek to extend their AD instance, while JumpCloud’s cloud directory platform can be leveraged to eliminate AD while providing user management and authentication capabilities to a wide range of IT resources.

Benefits of Active Directory Integration

Through JumpCloud’s Active Directory Integration feature, admins can sync their AD identities with virtually all non-Windows and cloud resources and introduce key improvements in user and system management.

1. System Provisioning & Management

Using AD Integration, you can provision AD identities to Mac, Windows, and Linux machines and manage those machines’ security configurations. You can apply cross-OS Policies to lock down machines across your fleet — such as enforcing full disk encryption (FDE) and restricting user changes to system settings. You can also require multi-factor authentication (MFA) to systems, servers, apps, VPNs, and user portals. 

2. Provision Users to Web Apps & Non-Windows Resources

You can provision AD identities to SaaS apps and enable single sign-on for users. JumpCloud features a catalog of hundreds of pre-configured SAML single sign-on (SSO) connectors, as well as a generic SAML connector for use with proprietary or less common SAML apps. You can also automate app account creation with Just-in-Time (JIT) and SCIM provisioning for select apps.

3. Sync with Productivity Suites: Google Workspace & Microsoft 365

With AD Integration, users can access domain-bound resources and their productivity suites (such as Google Workspace and Microsoft 365™) with the same credentials as well. You don’t need to manage Google Cloud™ Directory Sync (GCDS), Azure^® Active Directory (or AAD Connect), or other third-party solutions or middleware. You also avoid needing to manage an asynchronous directory in the productivity suite. 

Securely connect to any resource using Google Workspace and JumpCloud.

Learn More

4. Provision AD Users from a Web Console

You can manage and create AD users either directly in AD or from JumpCloud. Admins can manage certain AD functions from the web-based JumpCloud console, such as suspending user access. 

With this approach, too, users can take charge of their own passwords through the JumpCloud console, and those password changes are written back to AD through a bidirectional sync. Through apps on Windows and Mac systems, these password updates reduce the chances of getting phished.

Benefits of Replacing Active Directory

For some organizations, the chance to completely shift to the cloud is an opportunity not to be missed. Through JumpCloud’s directory platform, IT organizations can unify user management including the provisioning and deprovisioning of accounts to virtually all of their IT resources including Mac/Windows/Linux systems, cloud servers hosted at AWS or others, web and on-prem applications via SAML and LDAP, VPN and WiFi networks through RADIUS, and file servers through Samba. In short, for IT organizations that aren’t tethered to AD, JumpCloud offers the chance to virtually do one touch provisioning and deprovisioning.

Learn More about Active Directory Integration

With Active Directory Integration, admins can maintain AD while federating authoritative credentials to virtually all other resources in their environments and begin to control AD from the cloud. With JumpCloud’s directory platform, IT admins can completely manage the user lifecycle. Click here to learn more about JumpCloud’s Active Directory Integration and the ways you can put it to work in your organization. 

Or, sign-up for JumpCloud Free and give it a try. We’ll give you 10 users and 10 systems with full functionality for you to try out the platform. If you need any help, leverage our 24×7 Premiums in-app chat support during the first 10 days.