{"id":44286,"date":"2023-01-09T11:01:00","date_gmt":"2023-01-09T16:01:00","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=44286"},"modified":"2024-08-15T17:50:41","modified_gmt":"2024-08-15T21:50:41","slug":"understanding-aad-pricing-free","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/understanding-aad-pricing-free","title":{"rendered":"Entra ID\u00ae Free"},"content":{"rendered":"\n
Editor\u2019s Note: Given the fast-paced nature of technology, it is possible that some of the information presented in this article is out of date, or incomplete, in some fashion. The author periodically reviews and revises this article to ensure information contained within is as accurate as possible.<\/em><\/p>\n\n\n This article analyzes the features and benefits offered by Microsoft\u2019s Entra ID \u201cFree\u201d edition, as well as the potential drawbacks and challenges of adopting Microsoft\u2019s cloud platform. You\u2019ll also learn more about the impact of these constraints on your overall security posture.<\/p>\n\n\n\n Microsoft provides services to secure devices, extend single sign-on<\/a> (SSO) access to network appliances, and manage entitlements. There are many interwoven, segmented services in the Microsoft 365 and Defender product portfolios. It\u2019s important to understand what each Entra ID SKU provides, and what\u2019s gated off. Making an informed decision about your requirements will determine the value of \u201cfree.\u201d Consider that the ultimate goal for Microsoft is to tie customers to a vertically integrated suite of tools, which can limit flexibility while raising costs and management overhead.<\/p>\n\n\n\n Entra ID is a cloud directory service that extends Active Directory (AD) identities to Microsoft\u00ae<\/sup> Azure, Microsoft web applications (like Microsoft 365\u2122), and external SSO apps. It\u2019s also a cloud directory for organizations that don\u2019t use AD but would like to use Microsoft Office.<\/p>\n\n\n\n Entra ID Free is a cloud directory for Office 365 with limited features and no device management beyond what Active Directory (AD) delivers for Windows endpoints. It notably lacks modern entitlement management. Entra integrates AD users through Azure AD Connect and cloud sync, but the deployment options are limited. 
Organizations that require managed domain services and don\u2019t have an on-premises Active Directory Domain Services (AD DS) environment must subscribe to Azure Active Directory Domain Services (Azure AD DS). Note that Entra ID isn\u2019t a cloud replacement for on-prem Active Directory. It won\u2019t manage your systems, especially non-Windows OSs.<\/p>\n\n\n\n Note:<\/strong> Premium licenses are a prerequisite to federate with identity providers (IdPs) like Google.<\/p><\/div><\/div><\/div>\n\n\n\n There are several benefits for Microsoft users with simple configurations and few users. Entra ID Free has the following features:<\/p>\n\n\n\n Entra ID Free offers basic SSO functionality that\u2019s essential for organizations using AD to access Microsoft\u2019s portfolio of cloud services. It\u2019s also essential (and a prerequisite) for cloud-first organizations to access the M365 suite, but it lacks interoperability with other IdPs. For example, Entra ID Free doesn\u2019t allow AD users to access Google Workspace. That may be acceptable for Microsoft-only infrastructures, but it leaves little room to ever change direction.<\/p>\n\n\n\n\n \n <\/p>\n \n Securely connect to any resource using Google Workspace and JumpCloud. <\/p>\n <\/div>\n Microsoft considers AD to be a legacy technology that must be modernized<\/a> and protected, but Entra ID Free lacks the capabilities Microsoft has included in its new enterprise access model<\/a>.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n Significantly, Entra ID Free omits features deemed necessary<\/a> by security experts for cloud-based identity management. Entra ID Free remains remarkably similar to when it was introduced for limited SSO in 2014. However, the silos between endpoints, data protection, and user identity are dissolving in response to the evolving tactics of sophisticated threat actors. 
The result is a stagnant security posture that is no longer sufficient for today\u2019s threats, as attackers have adapted to move laterally faster than ever. The free edition of Entra ID preserves boundaries between IT and security operations that hinder efforts to mitigate these threats.<\/p>\n\n\n\n Microsoft cordons off Entra ID features that protect identities everywhere they exist, in addition to the associated security and compliance controls. It\u2019s impossible to follow Microsoft\u2019s best practices<\/a> for Entra ID without subscribing to either Premium 1 (P1) or Premium 2 (P2), as well as Intune to manage your devices. P1 and P2 are necessary for SSO into on-premises Windows applications. There\u2019s also an extra cost to use identities external to the Microsoft ecosystem. Several identity governance features were removed from P2 and gated off into a separate SKU that\u2019s an add-on to Entra ID\u2019s Premium plans. There\u2019s always an upsell to get specific features.<\/p>\n\n\n\n Many IT shops adopt Microsoft because products \u201cwork well together.\u201d Unfortunately, you must pay to fully integrate Entra ID with AD and Windows Server roles such as NPS for network authentication<\/a> behind the firewall. Even Intune is a separate product<\/a> that has its own console and interface. Navigating your options can be a complicated undertaking that\u2019s even given rise to websites dedicated to demystifying its licensing<\/a>. Further, implementing Entra ID\u2019s enterprise features (and even AD integration) could compel you to hire specialized consultants.<\/p>\n\n\n\n The next section explores how gated licensing impacts your ability to reach your operational and security objectives and manage identities throughout your entire infrastructure.<\/p>\n\n\n\n Organizations must assess what\u2019s feasible to spend per user and balance that reality against productivity gains and security obligations. 
It can be difficult (and often confusing) to forecast your needs when licensing is complex and required features are gated off into higher licensing tiers. Buying more than you need to obtain a few required features is a Faustian bargain that can significantly impact IT departments and budgets, especially when more services are added. Entra ID, Intune, and Microsoft\u2019s Defender security stack can satisfy complex, exhaustive identity and access management (IAM) use cases and security requirements if the reference architecture is followed. That, however, also makes it nearly impossible to switch to other vendors. Entra ID \u201cfree\u201d is the starting point.<\/p>\n\n\n\n Here are a few examples of how licensing factors in. First, let\u2019s examine authentication and access control for your applications, both on-premises and SaaS:<\/p>\n\n\n\n Image credit: Microsoft<\/em><\/p>\n\n\n\n Identity is the new perimeter, and it\u2019s not possible to protect identities without also managing devices<\/a> through mobile device management<\/a> (MDM) or GPO-like policies<\/a>. The device is a substrate for the user, their activities, and your organization\u2019s data. CrowdStrike found<\/a> that 25% of attacks occur on devices without any endpoint protection and 71% of attacks are malware-free once the adversary is in the environment. These types of attacks lack traditional indicators of compromise and are easier to hide among standard IT traffic. Endpoint Detection and Response (EDR) security cannot safeguard against inadequate IAM security practices.<\/p>\n\n\n\n Now, consider that Entra ID Free won\u2019t manage devices. It becomes necessary to enroll in Intune, which adds significant per-user cost. There are even multiple Intune SKUs and add-ons. 
It\u2019s easy for admins to suddenly find themselves heavily oriented toward Microsoft.<\/p>\n\n\n\n Overall, Entra ID Free can be a useful tool for admins looking to introduce their organization to cloud-based infrastructure. However, it ultimately requires a number of additional authentication solutions to serve as a core IdP. For instance, Entra ID doesn\u2019t natively authenticate users to their Wi-Fi networks or hardware via RADIUS<\/a> or LDAP<\/a>. That holds true for P1 and P2 as well.<\/p>\n\n\n\n Organizations either have to maintain a parallel system for authentication or invest in additional server infrastructure and configurations \u2014 a sequence of activities that isn\u2019t free. Siloed identities complicate identity practices, increase technical overhead, and enlarge the attack surface. Monoculture also increases the risk of lateral movement during an attack.<\/p>\n\n\n\n As previously noted, Entra ID costs more when it\u2019s used to govern and manage external identities. There are additional charges for MFA on external identities. Costs will rise organically as your organization grows and the velocity of authentications increases.<\/p>\n\n\n\n \u201cFree\u201d is a relative term. Entra ID Free helps organizations with a small number of users and devices to manage Microsoft applications and SaaS services, but security is inherently lacking when those resources are being accessed from untrusted devices. Gaps in services and dependencies on the Windows platform may increase your workload and make implementation much more difficult. Then, you\u2019ll have to manage Entra ID or Entra ID + AD in perpetuity.<\/p>\n\n\n\n Working toward Zero Trust security and compliance with ever-expanding regulations obligates someone in your organization, or a trusted advisor, to become an expert in Microsoft licensing. Licensing and product bundles change and are rebranded with some regularity. 
Your team will also have to make many determinations to live within your budget. It\u2019s not strictly about subscriptions \u2014 you\u2019ll also have to account for implementation costs and TCO<\/a>.<\/p>\n\n\n\n The variety of cloud services from Microsoft and the challenges of migrating from Active Directory to the cloud have given rise to a cottage industry<\/a> of consultants. This is due to the breadth of enterprise configurations and the resulting complexity that many enterprises encounter. The complexity is ongoing: Azure uses role-based access control (RBAC) for security. RBAC can be labor-intensive and requires ongoing maintenance for a least-privilege access model. An additional SKU is generally necessary to add automations to lifecycle workflows. Adding Intune into the mix means mastering ConfigMgr<\/a>, due to limitations<\/a> in the Intune web console.<\/p>\n\n\n\n IT teams must also set up best practices<\/a> for Entra ID, some of which are critical due to the potential for phishing to be used to compromise identities. Plan on spending extra time to focus on those critical Entra ID settings, regardless of your subscription level. For example, Entra ID\u2019s default settings permit all users to access the Entra ID admin portal and register custom SSO applets (My Apps). Attackers are actively exploiting this workflow in phishing campaigns, which can bypass MFA<\/a> in some circumstances. Entra ID Free is unsuitable as a foundation for strong security.<\/p>\n\n\n\n This complexity exists due to the number of scenarios Microsoft supports, down to the granular requirements of large enterprises. Microsoft has also woven trials and upsells into admin settings workflows such as self-service password reset (SSPR). This blurs the lines between what\u2019s possible to configure and what\u2019s not within your reach. 
For example, a \u201cFree\u201d tier admin sees the option to configure SSPR, but will be prompted to assign a premium-tier license to users if they want passwords written back to AD. Otherwise, SSPR only works for cloud users.<\/p>\n\n\n\n A small or medium-sized enterprise (SME) should consider whether it\u2019s ready for and can afford this platform.<\/p>\n\n\n\n IT teams that are centered around AD expand Microsoft\u2019s presence in their infrastructure by adopting Entra ID. Any SME that adopts Entra ID and other Azure products becomes more deeply embedded in the Microsoft \u201cmonoculture\u201d over time as custom configurations and more integrations accumulate. This is fine for some organizations that have deeper expertise in Microsoft platforms. They accept the vendor risk of standardizing all essential IT infrastructure and operations with a sole partner.<\/p>\n\n\n\n Sometimes, a combination of Entra ID and third-party services, such as JumpCloud, is the better option. The next section outlines how JumpCloud integrates with and extends Microsoft systems through its open directory platform.<\/p>\n\n\n\n \n Pricing Options for Every Organization <\/p>\n \n Packages and A La Carte Pricing <\/p>\n <\/div>\n JumpCloud\u2019s open directory platform provides value<\/em> lock-in and enables you to choose any best-of-breed solution you want. For instance, your organization might prefer Google Workspace over M365 or choose identity and endpoint protection from CrowdStrike instead of Defender. You can connect users to any resource, from any location, from trusted devices, with the appropriate permissions, while abiding by Zero Trust principles. 
The platform provides SSO and device management, as well as compliance and reporting, to access and secure resources.<\/p>\n\n\n\n JumpCloud can modernize AD<\/a> and even offers password write-back to it from the cloud.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n The open directory accepts third-party identities from Google<\/a>, LDAP<\/a>, Microsoft AD<\/a> and Entra ID<\/a>, Okta<\/a>, and a wide variety of authentication protocols. Every authentication method is protected by MFA<\/a> through either Push MFA with the JumpCloud Protect\u2122 app or TOTP options. A phishing-resistant credential<\/a> is also available to secure the user console. Conditional access policies<\/a> are optional, and JumpCloud offers a decentralized password manager and vault<\/a> to protect user credentials for situations when SSO is not an option.<\/p>\n\n\n\n The supported protocols include:<\/p>\n\n\n\n Users are provisioned through either importing accounts or attributes (and even Entra ID group assignments) from another directory or integrations with popular HRIS systems<\/a>. There\u2019s no \u201ctax\u201d placed on having basic interoperability or using external identities. SSPR is also available without raising your license requirements. Access to applications is managed through groups with automated entitlement controls by using attribute-based access control<\/a>. ABAC reduces management overhead and the possibility of introducing errors such as wasting licenses on inactive users. It\u2019s Zero Trust by virtue of continuously verifying user attributes, which serves as a security control to avoid insider threats or forgotten user accounts.<\/p>\n\n\n\n JumpCloud uses dynamic groups to automatically organize users and devices using basic attributes. 
The next phase<\/a> will include operators to create compound queries, which will increase admin efficiency even further and streamline device and identity lifecycle management.<\/p>\n\n\n\n Device management is included at no added cost for Android, Apple products, Linux, and Windows. It includes MDM, pre-built policies (such as full disk encryption), and a commands queue. Windows admins can even utilize PowerShell scripts<\/a> for batch jobs. Zero-touch deployments are available for Macs and iPads\/iPhones, and Windows Out of Box Experience (OOBE) is another option to stage devices and onboard users. Remote Access<\/a> is built into the platform for several operating systems, providing further cost savings and value. There are options for remote assistance as well as a remote, interactive command line so that troubleshooting can occur in the background without interrupting your users.<\/p>\n\n\n\n Provisioning devices is streamlined. Users will soon be able to \u201cSign In With JumpCloud\u201d to auto-provision and associate their JumpCloud account with their device with default account permissions. The JumpCloud agent will sync their JumpCloud password back to their device.<\/p>\n\n\n\n There\u2019s also the option for cross-OS patch management<\/a>, including browser version control.<\/p>\n\n\n\n All JumpCloud tenants include Directory Insights<\/a> and System Insights<\/a> to provide telemetry that follows identities everywhere they exist and all pertinent user activities. JumpCloud also provides multiple pre-built reports for compliance purposes and management.<\/p>\n\n\n\n Available reports include:<\/p>\n\n\n\n OS Patch Management Policy:<\/strong> Provides a clear view of each device\u2019s status relative to the OS patch policies that have been deployed.<\/p>\n\n\n\n Don\u2019t just think about where you are today; consider where you\u2019re headed. 
Compare JumpCloud with Entra ID (Azure AD) and Intune<\/a> in more detail.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n Entra ID Free is a prerequisite to access Microsoft cloud apps, extends AD to the web, and can provide an economical choice for SSO into cloud resources. However, it leaves gaps in manageability and security that defer costs, which could become substantial, to a later date. Subscriptions align with features, not use cases, and will make upgrading necessary.<\/p>\n\n\n\n JumpCloud\u2019s device management isn\u2019t an additional cost, but some features are optional. Simply sign up for a trial<\/a> today to get started from a single admin console. Pricing is based on workflows that will help you to get things done, not gated features or upsells.<\/p>\n\n\n\n Entra ID Free is a gateway to using more Microsoft services. It doesn\u2019t control devices and limits entitlement management.<\/p>\n","protected":false},"author":150,"featured_media":73629,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_oasis_is_in_workflow":0,"_oasis_original":0,"_oasis_task_priority":"","inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[2444,2441,2398,2809,2467,2374],"collection":[2779],"platform":[],"funnel_stage":[3015],"coauthors":[2535],"acf":[],"yoast_head":"\n
What Is Entra ID?<\/h2>\n
Benefits of Entra ID Free<\/h2>\n
Drawbacks of Entra ID Free<\/h2>\n
Gated Licensing<\/h3>\n
SSO and Provisioning Limitations<\/h4>\n
User Provisioning<\/h4>\n
No Device Management<\/h4>\n
Identity Silos<\/h3>\n
Complexity<\/h3>\n
Azure and Vendor Lock-In<\/h2>\n
An Open Directory Platform<\/h2>\n
SSO to Everything<\/h3>\n
Device Management<\/h3>\n
Reporting and Data Services<\/h3>\n
Get Started with JumpCloud<\/h2>\n
<\/p>\n","protected":false},"excerpt":{"rendered":"