{"id":4459,"date":"2023-03-24T11:11:05","date_gmt":"2023-03-24T15:11:05","guid":{"rendered":"https:\/\/www.jumpcloud.com\/blog\/?p=4459"},"modified":"2024-08-15T17:43:42","modified_gmt":"2024-08-15T21:43:42","slug":"need-active-directory-office-365-o365","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/need-active-directory-office-365-o365","title":{"rendered":"Do I Need Active Directory if I have Office 365 (O365)?"},"content":{"rendered":"\n

We frequently hear this question from companies: “We are shifting our business to the cloud and leveraging Microsoft Office 365. Do I need Active Directory (AD) if I have Office 365?”

You don’t need to continue to leverage Active Directory as you make the move to the cloud. You have the opportunity to reimagine your infrastructure to meet modern IT requirements by:

1. Making identity the new perimeter.
2. Making devices a secure gateway to resources.

There’s no obligation to continue using AD if you’re migrating IT management to the cloud. Cloud migration can be a confusing topic, and there have been some big changes in IT. Microsoft’s identity management plans and licensing can be difficult to understand; they are centered around Azure Active Directory (AAD), the user management substrate for Office 365 (O365). Microsoft has a wellspring of cloud services that flow from AAD, and the options may not be clear. What is clear is that Microsoft favors cloud-based authentication using its own platform.

This article outlines Microsoft’s way of doing things versus an open directory approach, and how IT teams benefit from the freedom to migrate away from O365 or Microsoft, or to select the subscription that works best for them without paying for unnecessary add-ons.


Active Directory and Office 365 Are Evolving

Active Directory is Microsoft’s on-prem identity management software and has been in use for just about two decades now (it was released in early 2000). It dominated as the de facto system for managing Windows® machines and gave Microsoft a strong grip on the market. As a result, Active Directory is the only directory service that many IT admins have experience with.

Microsoft developed AAD in response to the shift to the cloud. This product doesn’t share the same code base and is largely meant to serve as a complement to existing on-prem AD implementations. AAD’s highest-cost premium plan extends AD with identity protection and governance, and both of its premium tiers integrate cloud identity with legacy Windows apps. Hybrid integrations may meet the requirements of small and medium-sized enterprises (SMEs) that have a need for AD, but they otherwise entwine SMEs more deeply in the Microsoft stack.

It’s also possible to leave AD behind. AAD is not a replacement for AD on its own, but it can serve as a standalone directory when it’s paired with several SKUs of add-on Azure services or Microsoft 365 plans. However, this migration isn’t 1:1. For instance, groups work differently in AAD, and concepts such as Organizational Units are replaced with Administrative Units and tenant-wide management. This shift can be difficult and compel SMEs to dedicate significant resources to AAD/AD migrations. Admins often require consultants for this transition.

These are the available AAD plans (note that full AD integrations require Premium plans):

Azure AD’s (AAD) Tiers

AAD Free Tier

AAD’s free tier provides single sign-on (SSO) for SaaS applications using your Microsoft identities, with multi-factor authentication (MFA).

It offers basic reporting on the underlying identity management service, as well as security and usage reports. It leaves out group assignments, omits custom conditional access rules, and limits how users can be provisioned. It doesn’t provide device management, which leaves admins without a way to manage endpoint security posture (outside of a hybrid AD configuration). The Free edition won’t work with Microsoft Sentinel, Azure’s security information and event management (SIEM) platform.

AAD Premium 1 (P1) Tier

Premium (P1) adds the ability to configure Intune, provisioning for Windows devices, more advanced MFA configurations, conditional access policies, end-user self-service, advanced group management, and more thorough alerts and reporting.

Azure AD Password Protection is also fully enabled, versus limited in the Free edition, but it doesn’t extend to AD. Other features are intended to enable hybrid scenarios for on-premises domain controllers that aren’t possible with the free edition.

Microsoft obligates its customers to adopt its Edge browser in order for its conditional access policies to work.

AAD Premium 2 (P2) Tier

Premium 2 (P2) includes all of the features of P1 but adds identity governance features, including risk-based conditional access policies, conditional access based on device state or location and group, privileged identity protection, Windows Defender for Cloud Apps, and more. Privileged Access Management (PAM), to manage, control, and monitor access to administrative roles, is only available in this SKU, and only this SKU protects AD against identity compromises.

Security and compliance reporting is more extensive, covering auditing of sign-ins, user risk, and abnormal activity. It’s possible to integrate with SIEMs, perform access certifications and reviews, and investigate risk events. Lifecycle Workflows, a beta lifecycle management service, is also included. P2 is necessary in order to apply identity governance to external directories/identities.

If all of this sounds like too much “stuff,” it just may be. P2 is an enterprise-grade solution that could contain more extensive features than an SME requires or has the capacity to implement and use. You could find yourself paying for services that you don’t need in order to get the one that you do. The breadth of P2 is significant, and hybrid AD configurations can become expensive.

AAD Can Be a Tollbooth for Google Workspace/Cloud

Suppose you decide to drop MS Office and adopt an alternative such as Google Workspace, but you like using AAD as your directory (maybe it ties back to your old on-prem AD rack). AAD is not all-inclusive when it comes to integrating with non-Microsoft identities; Microsoft charges extra to manage external identities (with more charges for some authentications). Entra is its solution for applying enterprise-grade identity governance to external identities. This means you’ll pay Microsoft a premium if you decide to manage another directory using its AAD/Entra services.

It’s possible to use AAD for user provisioning and SSO for Google Workspace, but there’s configuration involved. The AAD ecosystem, by default, tethers SMEs to MS Office. AAD is in effect replicating AD’s legacy lock-in. Here’s the billing model for AAD External Identities.

[Image: billing model for AAD External Identities]

Microsoft permits federation with Google identities (for use on its sign-in pages) for the express purpose of setting up guest users to access Microsoft resources such as O365. AAD’s B2B collaboration places Microsoft apps and resources at the forefront.

[Image: All directions point to Microsoft’s apps and services. Image credit: Microsoft]

Intune Is Required for Device Management

None of the AAD plans include Intune, Microsoft’s device management service. It’s only available as an add-on, per user, per month, or bundled with premium Microsoft 365 plans. AD manages Windows devices, but it cannot manage Android, Apple, or Linux-based devices. Customers have observed usability issues such as 8-hour polling intervals for policy refresh.


If you’re solely focused on leveraging Azure and don’t need system management for Linux® and macOS® systems, cloud servers at AWS®, Google Workspace integration, or any number of non-Microsoft solutions, then AAD may fit your requirements. However, you’ll pay more in the future if those requirements change. There is no AD equivalent within the Azure ecosystem, as evidenced by the vast expanse of Azure’s identity, device management, and security services.

Legacy Office 365 Licensing

It’s important to note that some legacy Office 365 plans only include AAD’s Free tier, which limits what’s possible for device management and more.

For instance, Office 365 E3 doesn’t include an entitlement for Intune or P1. IT admins must change their license, which can be confusing. M365 plans aren’t the same as O365 plans, and the licenses are also different.

Bridging the Gap with an Open Directory Platform

Microsoft isn’t the only directory option, even with O365. IT stacks have become more heterogeneous, with devices and apps from other best-of-breed platforms and vendors. SMEs will have to dedicate significant time and money to migrating from AD to AAD, which can also serve as an inflection point to pivot away from being a purely Microsoft shop (while still keeping O365).

[Image: JumpCloud syncs with AD and AAD]