{"id":4500,"date":"2023-10-09T11:10:04","date_gmt":"2023-10-09T15:10:04","guid":{"rendered":"https:\/\/www.jumpcloud.com\/blog\/?p=4500"},"modified":"2024-01-29T16:43:43","modified_gmt":"2024-01-29T21:43:43","slug":"costs-microsoft-active-directory","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/costs-microsoft-active-directory","title":{"rendered":"The Hidden Costs of Choosing Microsoft Active Directory"},"content":{"rendered":"\n

Choosing the most cost-effective directory services solution means understanding your requirements. Modern directory solutions<\/a> manage your digital estate across every device type<\/a> and resource, using stronger authentication methods than were previously available. Standalone Microsoft Active Directory (AD) is firmly baked into many organizations\u2019 IT infrastructures, but on its own it doesn\u2019t accomplish those objectives. <\/p>\n\n\n\n

AD is a legacy technology, and any organization that keeps running it must invest in securing it for the foreseeable future. <\/p>\n\n\n\n

Microsoft\u2019s prescribed approach to AD modernization<\/a> entails combining AD with cloud services to manage a \u201chybrid of everything\u201d estate. Your infrastructure could span IoT, multi-cloud, on-premises, and operational technologies, and a directory provides access to everything<\/em>. Costs and complexity will vary depending upon requirements, licensing, and implementations.<\/p>\n\n\n\n

There are notable differences between solutions such as a hybrid deployment of AD with Microsoft\u2019s Entra ID (formerly Azure AD) service and alternatives for modernizing AD, such as JumpCloud\u2019s open directory platform. That makes comparing costs more challenging, especially since directory services are not \u201cone size fits all\u201d: the best value depends on the time and money an organization will put into setup and ongoing management.<\/p>\n\n\n\n

This article explores the true costs of running AD, more than two decades after it first shipped, and how to modernize it for effective identity and access management (IAM) and better security.<\/p>\n\n\n\n


Note:<\/strong> \n

Check out the Ultimate Active Directory FAQ<\/a>.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n

Hidden Hardware Costs of Active Directory<\/h2>\n\n\n\n

Let\u2019s start with the essentials of operating server rooms. You must account for server hardware, which becomes costly if multiple servers are needed or if a company has multiple geographical locations that each require their own fleet. Microsoft recommends running domain controllers as dedicated systems, and for resilience a domain needs at least two of them. This is a particular challenge for distributed environments, where sites with slow or unreliable WAN links typically need their own local domain controllers.<\/p>\n\n\n\n

Cloud solutions either help reduce server room sprawl by providing services and scalability on demand, or can replace AD when the requirements are appropriate for a total migration.<\/p>\n\n\n\n

Software Expenses <\/h2>\n\n\n\n

It\u2019s not uncommon for a server that meets your sizing and specification requirements<\/a> to cost five figures, and the hardware itself is not the main reason. Microsoft has moved Windows Server to per-core licensing<\/a>, with a minimum of 16 cores licensed per server regardless of the actual core count, and Client Access Licenses (CALs) are an additional fee for every user or device that authenticates against it. Here\u2019s what Windows Server licensing can cost for an 8-core server:<\/p>\n\n\n\n

\"Software<\/figure>\n\n\n\n

Credit: <\/em>WintelGuy.com<\/em><\/a><\/p>\n\n\n\n

The licensing is complex (depending upon your agreement) and can be difficult to understand. Microsoft periodically audits customers to ensure they are compliant with its licensing terms. And that\u2019s just the server operating system. If your domain controllers are virtualized, you also need to license the hypervisor and its management software. Here\u2019s an example of a real invoice:<\/p>\n\n\n\n

\"licensing\"<\/figure>\n\n\n\n

AD\u2019s native management tooling, Group Policy, targets Windows. Mac and Linux devices can bind to a domain for authentication, but managing them requires add-on, third-party software, which is often licensed per device or per user.<\/p>\n\n\n\n


Note:<\/strong> \n

JumpCloud is an open cloud directory that can reduce or eliminate these costs when it\u2019s used to modernize AD. Google recommends JumpCloud<\/a> for small and mid-sized enterprises to manage users and devices.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n

Microsoft Cloud Service Subscriptions<\/h3>\n\n\n\n

Hardening AD isn\u2019t a throwaway suggestion. Microsoft\u2019s documentation on Microsoft Learn urges customers never to synchronize on-premises privileged accounts to Entra ID, because a compromised AD would then hand the attacker cloud privileges as well. A Microsoft shop should instead use cloud-only accounts on the tenant\u2019s \u201conmicrosoft.com\u201d domain for Entra administration and for emergency \u201cbreak the glass\u201d access.<\/p>\n\n\n\n
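The check that guidance implies, as an added example that is not part of the original post and not Microsoft tooling: it uses the Microsoft Graph PowerShell SDK to list holders of activated Entra directory roles, flags those whose identity is mastered in on-premises AD, and tests that emergency-access accounts are enabled, cloud-only, and on the tenant\u2019s onmicrosoft.com domain. The account names, the corp.example.com and contoso.onmicrosoft.com domains, and the breakglass naming prefix are assumptions; the sample objects at the bottom are constructed so the checks run without a tenant.

```powershell
# Added example (not from the original post): audit Entra ID privileged
# role holders for accounts synchronized from on-premises AD, and verify
# that emergency-access ("break glass") accounts are cloud-only on the
# tenant's *.onmicrosoft.com domain. Get-EntraRoleMembers needs the
# Microsoft.Graph PowerShell SDK; the sample data at the bottom lets the
# checks run offline. Account names and domains below are made up.

function Get-SyncedPrivilegedAccounts {
    # Flags every role holder whose identity is mastered in on-premises AD.
    # An attacker who owns a DC can reset that password and walk into Entra.
    param([Parameter(Mandatory)][object[]] $RoleMembers)
    $RoleMembers |
        Where-Object { $_.OnPremisesSyncEnabled -eq $true } |
        Select-Object RoleName, UserPrincipalName
}

function Test-BreakGlassAccount {
    # $true only if the account is enabled, cloud-only, and on the tenant's
    # initial *.onmicrosoft.com domain, so it still works when federation
    # or Entra Connect synchronization is broken.
    param([Parameter(Mandatory)][object] $Account)
    ($Account.AccountEnabled -eq $true) -and
    ($Account.OnPremisesSyncEnabled -ne $true) -and
    ($Account.UserPrincipalName -match '@[^@]+\.onmicrosoft\.com$')
}

function Get-EntraRoleMembers {
    # Live collection: every user holding an activated directory role.
    # Caveat: PIM-eligible (not yet activated) assignments are not returned.
    Connect-MgGraph -Scopes 'Directory.Read.All'
    foreach ($role in Get-MgDirectoryRole) {
        foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
            if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
            $u = Get-MgUser -UserId $member.Id -Property Id,UserPrincipalName,OnPremisesSyncEnabled,AccountEnabled
            [pscustomobject]@{
                RoleName              = $role.DisplayName
                UserPrincipalName     = $u.UserPrincipalName
                OnPremisesSyncEnabled = [bool]$u.OnPremisesSyncEnabled   # $null for cloud-only users
                AccountEnabled        = [bool]$u.AccountEnabled
            }
        }
    }
}

# Constructed sample data (stands in for Get-EntraRoleMembers output).
$sample = @(
    [pscustomobject]@{ RoleName='Global Administrator';          UserPrincipalName='jdoe-admin@corp.example.com';           OnPremisesSyncEnabled=$true;  AccountEnabled=$true }
    [pscustomobject]@{ RoleName='Global Administrator';          UserPrincipalName='breakglass1@contoso.onmicrosoft.com';   OnPremisesSyncEnabled=$false; AccountEnabled=$true }
    [pscustomobject]@{ RoleName='Privileged Role Administrator'; UserPrincipalName='svc-sync@corp.example.com';             OnPremisesSyncEnabled=$true;  AccountEnabled=$true }
    [pscustomobject]@{ RoleName='Security Reader';               UserPrincipalName='auditor@contoso.onmicrosoft.com';       OnPremisesSyncEnabled=$false; AccountEnabled=$true }
)

# Finding 1: privileged accounts that AD controls (should be an empty list).
$synced = Get-SyncedPrivilegedAccounts -RoleMembers $sample
"Privileged accounts mastered on-premises:"
$synced | Format-Table -AutoSize

# Finding 2: each break-glass account passes the cloud-only test.
$breakGlass = $sample | Where-Object UserPrincipalName -like 'breakglass*'
foreach ($bg in $breakGlass) {
    "{0}: cloud-only break-glass OK = {1}" -f $bg.UserPrincipalName, (Test-BreakGlassAccount -Account $bg)
}
```

Against the constructed sample the first check lists jdoe-admin and svc-sync as synchronized privileged accounts and the second reports the breakglass1 account as compliant. Against a real tenant, replace `$sample` with the output of `Get-EntraRoleMembers`; note that `Get-MgDirectoryRole` only returns roles that have been activated at least once, and eligible assignments granted through PIM need a separate query.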

Microsoft\u2019s Cybersecurity Reference Architecture<\/a> (MCRA) prescribes cloud security solutions to protect AD against threats. That means subscribing to Entra ID Premium P2 for Identity Protection as well as licensing Defender for Identity, which monitors domain controller traffic to detect lateral movement and privilege escalation. IT admins will first have to establish a hybrid configuration using the Microsoft Entra Connect (formerly Azure AD Connect) directory synchronization tool.<\/p>\n\n\n\n

Other suggested subscriptions and steps for hardening AD include:<\/p>\n\n\n\n