Directory Needs and Considerations<\/h2>\n\n\n\n
The classic AD scenario where an SME is running Windows PCs exclusively with native apps and resources is today\u2019s exception, not the rule. That shop would quickly fail to achieve recommendations for cyber defenses and compliance without substantial risks. Microsoft shops that have been slow to enact proactive security measures to safeguard their data and identities (even for legitimate reasons) should assume that Entra will be their predetermined course. <\/p>\n\n\n\n
Some organizations will do well with Microsoft\u2019s prescribed stacks of cloud services being layered on top of AD. However, AD + Azure may not be the optimal fit for an SME\u2019s technical requirements or budget. Consider that an SME\u2019s general IT requirements should now include:<\/p>\n\n\n\n
- \n
- Single sign-on (SSO) to all IT assets from managed devices<\/li>\n\n\n\n
- Multi-factor authentication (MFA) and\/or modern authentication<\/li>\n\n\n\n
- The capacity to manage identities and access control on any device, anywhere<\/li>\n\n\n\n
- Advanced identity lifecycle management<\/li>\n\n\n\n
- A Zero Trust<\/a> security strategy<\/li>\n\n\n\n
- Meeting rising compliance requirements, including patching and device posture<\/li>\n\n\n\n
- Managing supply chain risks and unifying IT systems<\/li>\n<\/ul>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\"\/)
<\/p><\/div>Note:<\/strong> \nGoogle recommends JumpCloud<\/a> for SMEs to manage IAM and devices.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
SSO to Everything<\/h3>\n\n\n\n
AD<\/strong>: Microsoft provides several options for integrations, but AD cannot provide SSO directly. Protocols such as RADIUS authentication require installing and maintaining the NPS server role, FreeRADIUS, or purchasing a subscription to a stand-alone cloud service.<\/p>\n\n\n\n
- \n
- Active Directory Federation Services (AD FS<\/a>) provides self-managed SSO capabilities, but you\u2019ll encounter a complex setup. It takes a server farm in order to function.<\/li>\n\n\n\n
- SCIM provisioning<\/a> is only available by purchasing an add-on SCIM product or Microsoft DirSync using LDAP. Otherwise, Entra and a hybrid configuration is required.<\/li>\n<\/ul>\n\n\n\n
- \n
- Entra provides SSO, including SAML and OIDC; standalone AD will not.\n
- \n
- A free tier<\/a> is available, but has limited functionality, specifically for group management, provisioning, device management, and security configurations.<\/li>\n\n\n\n
- Premium tiers of Entra are necessary for Application Proxy for on-premises, header-based, and Integrated Windows Authentication. Kerberos, NTLM, LDAP, RDP, and SSH authentication are available from Entra\u2019s free tier. Identity protection that extends to AD is available, but it\u2019s a premium feature.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- AD isn\u2019t capable of managing non-Windows devices without the Intune service, placing identities that reside on those devices and the resources that they access at risk.<\/li>\n\n\n\n
- AD Connect creates a hybrid configuration between AD and Entra with several potential deployment models; a newer cloud-based agent is also available. It\u2019s a premium-level feature beyond 500,000 directory objects such as PCs, groups, and users.<\/li>\n<\/ul>\n\n\n\n
<\/p><\/div>Note:<\/strong> \nUseful features such as password write-back are premium only.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
JumpCloud<\/strong>: JumpCloud features \u201cSSO to everything\u201d as part of its core functionality.<\/p>\n\n\n\n
- \n
- SAML, OIDC, and RESTful API provisioning are included in the platform.<\/li>\n\n\n\n
- SCIM provisioning is included to streamline lifecycle management.<\/li>\n\n\n\n
- Cloud RADIUS<\/a> and LDAP<\/a>, with the option to federate credentials for authentication, are integrated and have MFA. This ensures that network devices don\u2019t become identity silos.<\/li>\n\n\n\n
- JumpCloud syncs with Entra\/Microsoft 365<\/a>, AD<\/a>, Google Workspace<\/a>, and Okta<\/a> identities for SSO at no additional charge. It also syncs user information into Amazon’s IAM Identity Center<\/a>, securing access to your AWS resources.\n
- \n
- Active Directory Integration (ADI) is free to help modernize AD.<\/li>\n\n\n\n
- JumpCloud is making ADI much easier to scale with a new deployment model that uses a member server versus a domain controller to configure syncing. It\u2019s possible to sync multiple domains to JumpCloud at once. JumpCloud is adding delegated authentication (similar to Entra\u2019s passthrough authentication) to leverage existing credentials from AD without forcing password resets.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Identities and assets are protected, because JumpCloud also manages the device.<\/li>\n<\/ul>\n\n\n\n
![\"Active](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/09\/3-1.png\")
JumpCloud modernizes AD without imposing a single stack on its users.<\/figcaption><\/figure>\n\n\n\n\n \n\n![\"JumpCloud\"](\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2023\/04\/Promos_GooglePartnership_290x175-SiteDisplay_GooglePartnershipPage-aspect-ratio-160-110.png\")
\n <\/div>\n \n\n <\/p>\n
\n Securely connect to any resource using Google Workspace and JumpCloud. <\/p>\n <\/div>\n
\n Learn More<\/a>\n <\/div>\n<\/div>\n\n\n\n\nAdvanced Lifecycle Management<\/h3>\n\n\n\n
AD<\/strong>: Advanced Lifecycle Management is only possible through integrations with Entra and Lifecycle Workflows (in preview), third-party services, or extensive customizations.<\/p>\n\n\n\n
- \n
- Workarounds, such as custom PowerShell scripts, are needed to enable or disable user accounts on a schedule.<\/li>\n\n\n\n
- External identities may only be managed through a combination of Entra and Microsoft Entra, another paid Azure service.<\/li>\n\n\n\n
- Default user management is manual, creating the potential to over\/under provision users through human error, or even failure to disable accounts. This is considered \u201cbasic\u201d entitlements management due to the manual and ad hoc nature of user maintenance.<\/li>\n\n\n\n
- Attribute imports from other directories is a manual process, requiring PowerShell and other tools. Entra has dynamic groups with scoping rules, but it\u2019s not a default setting.<\/li>\n\n\n\n
- AD doesn\u2019t manage users on devices beyond Windows \u2014 without additional paid subscriptions to Microsoft\u2019s Intune platform<\/a>.<\/li>\n\n\n\n
- Integrations are possible with third-party lifecycle management systems. That approach requires dedicating users that have administrative privileges to those solutions. AD is popular, so many premium third-party solutions exist for enterprise-grade management.<\/li>\n\n\n\n
- Entra makes it possible for a zero-touch onboarding experience, but not AD.<\/li>\n\n\n\n
- SSO to everything is only available through add-ons to AD and\/or Entra.<\/li>\n\n\n\n
- The Schema Management Microsoft Management Console (MMC) snap-in makes it possible to highly customize AD<\/a> for niche requirements.<\/li>\n<\/ul>\n\n\n\n
JumpCloud<\/strong>: JumpCloud integrates with human resources systems and other sources, automates group memberships, schedules user on\/offboarding events, and provides SSO.<\/p>\n\n\n\n
- \n
- User provisioning\/deprovisioning can be scheduled from the GUI console.<\/li>\n\n\n\n
- JumpCloud is an open directory platform that enables attributes to be imported from other \u201csources of truth,\u201d including AD, Entra, Google, Okta, and more. <\/li>\n\n\n\n
- JumpCloud manages external identities at no additional cost and is adding federation to ensure that you may use the identity provider of your choice.<\/li>\n\n\n\n
- JumpCloud centrally manages identities<\/a> on Apple devices, Android, many popular Linux distributions, as well as Windows through MDM and agents.<\/li>\n\n\n\n
- MDM provisioning package enrollments provide a light touch deployment model where a preconfigured Windows onboarding workflow can be generated for new PCs. You will be able to skip the Windows out-of-the-box experience.<\/li>\n\n\n\n
- Zero-touch onboarding is available for Apple devices.<\/li>\n\n\n\n
- JumpCloud\u2019s dynamic groups for users and devices continuously validate and identify<\/a> entitlement issues (through attributes and rules) to deliver group membership automations and suggestions. That provides a more mature level of security controls and advanced entitlement management without extra effort.<\/li>\n\n\n\n
- SSO is built into the platform, eliminating siloed point tools to manage identity\/user lifecycles.<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/jumpcloud.com\/\/wp-content\/uploads\/2023\/01\/chart.jpeg\")
Image credit: TAG Cyber<\/figcaption><\/figure>\n\n\n\n Compliance and Security<\/h3>\n\n\n\n
AD<\/strong>: Active Directory is well documented and understood. Qualified consultants and solutions are plentiful and can increase its security to comply with compliance regimes or regulations. However, achieving this level of security entails a significant commitment in budgets and people.<\/p>\n\n\n\n
- \n
- AD doesn\u2019t provide MFA everywhere, and \u201cout-of-the-box\u201d Entra or third-party solutions are necessary to extend MFA to common SSO protocols (and beyond).<\/li>\n\n\n\n
- AD wasn\u2019t designed with a Zero Trust security strategy in mind. Features such as conditional access rules<\/a> are only found through Entra or third parties.<\/li>\n\n\n\n
- Achieving a baseline level of hardening and implementing recommended best practices<\/a> requires substantial work and knowledge.<\/li>\n\n\n\n
- AD was designed for the network boundary to be the perimeter.<\/li>\n\n\n\n
- Domain admins represent a potential security risk and additional solutions are necessary to limit access by temporarily elevating privileges or creating a separate forest.\n
- \n
- Security group memberships must be carefully maintained.<\/li>\n\n\n\n
- Delegating tasks to non-administrators should be logged and tracked.<\/li>\n\n\n\n
- The potential for privilege abuse is higher when there\u2019s more admins.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Managing on-premise servers, server roles, and other add-ons increases management overhead and the potential attack surface area.\n
- \n
- AD servers must be patched\/mitigated, secured, and maintained. Privilege escalation attacks, using malware-free techniques<\/a>, have become more common.<\/li>\n\n\n\n
- Physical protection from people, fires, floods, and natural disasters is necessary.<\/li>\n\n\n\n
- Domain controller backups should be encrypted; backups must be performed correctly to ensure \u200b\u200bgranular restores of all the objects or attributes within a forest. <\/li>\n\n\n\n
- AD health monitoring is advisable to analyze the replication status for domain controllers, abnormal behaviors and events, etc., using built-in tools. Azure AD Premium subscriptions are necessary for more robust monitoring of on-premise identity infrastructure.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- AD Group Policies provide intricate control over Windows systems, but only Window systems. Compliance for non-Windows devices requires Intune or third-party services.\n
- \n
- Microsoft and other parties maintain numerous Administrative Templates (.admx).<\/li>\n\n\n\n
- Microsoft provides tools such as Advanced Threat Analytics to monitor AD.<\/li>\n\n\n\n
- Constant VPN connections are necessary to manage remote Windows Devices through Group Policy.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Only basic password policies are available to admins without Entra integration. Microsoft offers even more functionality through Defender for Identity and its security business.\n
- \n
- Selling security solutions on top of the AD ecosystem has become a cash cow<\/a> for Microsoft. Numerous enterprise-grade services are available.<\/li>\n\n\n\n
- Microsoft Defender for Endpoint is also recommended if you to extend monitoring to server threats, which also places Microsoft in control of your Endpoint Detection and Response (EDR).<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Reporting is basic, performed through queries, and may require licensing third-party applications and snap-ins to meet compliance needs.<\/li>\n\n\n\n
- Patching requires add-on components and services, especially for non-Windows devices.<\/li>\n\n\n\n
- The certificate authority (CA), i.e. Windows Server\u2019s Certification Authority role, must be segmented from your primary domain controller, adding another server into your datacenter. Entra also has a certificate-based authentication as an option.<\/li>\n\n\n\n
- The RDS server role for remote system access is limited to domain-joined Windows devices; it shouldn’t run off of your domain controller and requires maintaining a Security Group.<\/li>\n\n\n\n
- The most premium tier of Entra offers robust identity governance; other Microsoft security service subscriptions such as Sentinel, Defender for Servers, Microsoft Defender for Identity, Defender for Cloud, and more provide enterprise-level tooling. Lateral movement<\/a> through the Microsoft stack has been observed when an identity is compromised; some organizations may be compelled to purchase these add-ons. <\/li>\n<\/ul>\n\n\n\n
JumpCloud<\/strong>: <\/strong>JumpCloud assists a Zero Trust approach to security through environment-wide MFA, optional conditional access rules, and device trust. Infrastructure may be cloud-only. Commands, pre-built policies, and reports are included. Reporting tools are standard.<\/p>\n\n\n\n
- \n
- Push or TOTP MFA is present everywhere, including RADIUS and LDAP authentications.\n
- \n
- JumpCloud supports several biometric methods<\/a>.<\/li>\n\n\n\n
- Delegated authentication<\/a> makes it possible to leverage your existing Entra security policies while using JumpCloud.<\/li>\n\n\n\n
- JumpCloud Go, a hardware-bound, phishing resistant credential provides modern authentication.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Optional conditional access policies offer Privileged Access Management (PAM).\n
- \n
- Policies examine location, mandatory MFA prompts, and whether a device is being managed by JumpCloud. Device state, such as full disk encryption (FDE), is also considered.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Very little configuration is necessary to achieve security best practices.<\/li>\n\n\n\n
- Cloud-based infrastructure reduces attack surface area.<\/li>\n\n\n\n
- Pre-built GPO-like policies<\/a> are available for every supported OS for controls such as FDE. MDM provides tamper-proof compliance.\n
- \n
- Sudo console\/terminal and PowerShell commands can be used to deploy compliance benchmarks across your fleet, similar to templates for AD.<\/li>\n\n\n\n
- The full JumpCloud platform manages your devices no matter where they are, no VPN required.<\/li>\n\n\n\n
- JumpCloud manages identity as your perimeter and devices are the gateway to resources.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
- \n
- An optional decentralized password manager and vault<\/a> is integrated into the platform.<\/li>\n\n\n\n
- Basic cross-OS patching policies are included; a premium offering provides greater granularity.<\/li>\n\n\n\n
- Directory Insights<\/a> and System Insights<\/a> offer comprehensive reporting that can be exported to a SIEM. Numerous reports<\/a>, including Users to SSO, are pre-made.<\/li>\n\n\n\n
- JumpCloud offers certificate-based authentication for a passwordless experience<\/a> on RADIUS and will soon function as its own CA, no additional infrastructure required.<\/li>\n<\/ul>\n\n\n\n
Remote system access<\/a> (for support purposes) is provided for free using the JumpCloud desktop client and can be toggled \u201coff\u201d by admins from the console.<\/p>\n\n\n\n
Total Cost of Ownership<\/h2>\n\n\n\n
<\/p><\/div>Note:<\/strong> \nTCO can be a complicated topic. Check out JumpCloud\u2019s TCO calculator<\/a>.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
AD<\/strong>: Active Directory may be free, but it includes inherent infrastructure, licensing<\/a>, and IT talent costs. You may even need to budget for outside consultants. Those associated costs all rise as your setup becomes more extensive or complex. Entra and other services must be licensed in order to manage non-Windows services, SSO, external identities, and enhanced security.<\/p>\n\n\n\n
- \n
- The setup for multiple locations requires regional administrators when multiple domains are grouped together into a forest, creating staff and infrastructure redundancies.<\/li>\n\n\n\n
- AD best practices cost time and money to implement.<\/li>\n\n\n\n
- Account for hardware, network, fire protection, HVAC, power, and other facilities costs.\n
- \n
- Cost will rise as you add server roles and more dedicated servers.<\/li>\n\n\n\n
- High availability (HA) is automatic whenever there\u2019s more than one datacenter. Only that configuration makes it possible to shut down a server for maintenance without impacting your end users and stifling business operations.<\/li>\n\n\n\n
- Backup and disaster restoration planning, simulations, and execution can become a considerable investment in time and resources.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Account for current and future Microsoft licensing costs to modernize identity and access management (IAM) and manage users on non-Windows devices.\n
- \n
- Client access licenses (CALs)<\/a> and core licensing.<\/li>\n\n\n\n
- Azure services such as Entra, AutoPatch, Lifecycle Workflows, Entra, Intune, and more might be required to meet modern IT requirements. These are additional costs on top of AD.<\/li>\n\n\n\n
- Microsoft charges extra to manage and authenticate external identity providers with Entra.<\/li>\n\n\n\n
- Azure licensing is complex and features are gated off into tiers. You can learn more<\/a> about that in an article that explores the TCO for Entra.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Account for patching solutions using either third-party tools, WSUS for Windows, or new AutoPatch (a premium Azure offering) for non-Microsoft OSs.<\/li>\n\n\n\n
- Account for significant IT management overhead and training costs.\n
- \n
- Maintaining domain controllers and other servers.<\/li>\n\n\n\n
- Configuring Microsoft\u2019s synchronization apps for Entra or migrating from AD FS.<\/li>\n\n\n\n
- Responding to zero-day vulnerabilities in Windows.<\/li>\n\n\n\n
- Third-party security solutions such as Extended Detection and Response (XDR) or purchasing Windows Defender from Microsoft.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Vendor lock-in and monoculture creates a high dependence on Microsoft. This makes it more difficult to adopt \u201cbest-of-breed\u201d solutions, limiting your flexibility and ability.<\/li>\n<\/ul>\n\n\n\n
Note: One price does not equal integration. M365 has numerous disparate tools and consoles, and you need to do the integration to make everything work together as well as with AD. It\u2019s more work for you and more ongoing work in terms of management.<\/p>\n\n\n\n
JumpCloud<\/strong>: JumpCloud is cloud-based, which eliminates most infrastructure costs. It integrates advanced lifecycle management and IAM, along with key IT management apps. JumpCloud is an open directory, so there\u2019s no penalty for bringing your own identities.<\/p>\n\n\n\n
- \n
- HA is available by default without any setup.<\/li>\n\n\n\n
- Remote offices can be configured into groups without complex configurations such as organizational units.<\/li>\n\n\n\n
- Licensing is workflow-based<\/a>, versus feature-based. It\u2019s possible to license what you need or adopt the entire platform for advanced lifecycle management with Zero Trust security.\n
- \n
- SSO, MFA, advanced lifecycle management, policies, remote assistance, UEM, and reporting are included in the platform.<\/li>\n\n\n\n
- Conditional access, advanced patch management, and the password manager are optional add-ons, but work seamlessly with the platform.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Services such as RADIUS and LDAP are cloud-based and immediately available.<\/li>\n\n\n\n
- There\u2019s no upcharge for managing external identities or authentication.<\/li>\n\n\n\n
- JumpCloud integrates<\/a> and syncs with AD, but can also function as a standalone directory to enable a domainless enterprise<\/a> configuration.<\/li>\n\n\n\n
- JumpCloud is an open directory platform that assists with unifying IT resources. It\u2019s possible to avoid vendor lock-in and select best-of-breed solutions.<\/li>\n\n\n\n
- The interface is simpler and more streamlined than many AD and Azure features.<\/li>\n<\/ul>\n\n\n\n
Reskilling your existing team and\/or obtaining external resources is often necessary to adopt Entra, Intune, and other M365 services. You should also consider the potential cost of higher salaries to match market levels for speciality admin roles as M365\u2019s advanced features are implemented. Also explore any potential changes to your organizational structure and procedures in order to fully implement all the Microsoft products that you\u2019ll be paying for.<\/p>\n\n\n\n
<\/p><\/div>Note:<\/strong> \nAccounting rules make a distinction between software and services. Using services helps your organization to lower its income taxes<\/a> and free up cash. Services may make it easier to budget when you already know what the ongoing costs will be.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Can I Replace Active Directory with JumpCloud?<\/h2>\n\n\n\n
It\u2019s possible to manage your organization\u2019s IT infrastructure with JumpCloud or to modernize AD to meet the demands of today\u2019s requirements. It\u2019s architectured for small and medium-sized enterprises (SMEs), keeping its complexity low but its value high. <\/p>\n\n\n\n
- Client access licenses (CALs)<\/a> and core licensing.<\/li>\n\n\n\n
- An optional decentralized password manager and vault<\/a> is integrated into the platform.<\/li>\n\n\n\n
- Delegated authentication<\/a> makes it possible to leverage your existing Entra security policies while using JumpCloud.<\/li>\n\n\n\n
- JumpCloud supports several biometric methods<\/a>.<\/li>\n\n\n\n
- Selling security solutions on top of the AD ecosystem has become a cash cow<\/a> for Microsoft. Numerous enterprise-grade services are available.<\/li>\n\n\n\n
- AD servers must be patched\/mitigated, secured, and maintained. Privilege escalation attacks, using malware-free techniques<\/a>, have become more common.<\/li>\n\n\n\n
- Achieving a baseline level of hardening and implementing recommended best practices<\/a> requires substantial work and knowledge.<\/li>\n\n\n\n
- JumpCloud syncs with Entra\/Microsoft 365<\/a>, AD<\/a>, Google Workspace<\/a>, and Okta<\/a> identities for SSO at no additional charge. It also syncs user information into Amazon’s IAM Identity Center<\/a>, securing access to your AWS resources.\n
- A free tier<\/a> is available, but has limited functionality, specifically for group management, provisioning, device management, and security configurations.<\/li>\n\n\n\n
- SCIM provisioning<\/a> is only available by purchasing an add-on SCIM product or Microsoft DirSync using LDAP. Otherwise, Entra and a hybrid configuration is required.<\/li>\n<\/ul>\n\n\n\n