Identity is the new perimeter. Cyberattacks are becoming more advanced and cloud-focused. Identity providers (IdP) have responded by offering security controls that make it possible for small and medium-sized enterprises (SMEs) to be proactive and mitigate these threats. Many SMEs use Microsoft’s Azure Active Directory (AAD), which has prescribed best practices to secure identities. Microsoft reserves several features for its most premium subscriptions levels. IT administrators must determine which subscription tiers, or mixture of supplemental services from an open directory, are most appropriate for their unique security requirements. 

This article outlines the fundamentals of securing identities in AAD with emphasis on understanding what options are available and tailoring security controls to your organization. Provisioning and identity and access management (IAM) is the starting point, followed by centralizing the identity management lifecycle, adding appropriate controls, and auditing.

Identity and Access Control

There are three main paths for provisioning in AAD: 

• HR-driven onboarding.
• Federating identity from AAD to cloud apps.
• Inter-directory such as between the Active Directory Domain Services (AD DS) server role to access resources from your on-prem Active Directory domains.

Provision, Manage, and Deprovision Access 

Most Microsoft shops have Active Directory (AD). A sync tool called Azure AD Connect syncs users with AAD. Microsoft also accepts non-Microsoft identities for access control, but additional costs may be assessed. Some organizations may have deployed Active Directory Federation Services (AD FS) prior to the advent of AAD. 

There’s a significant potential for disruptions to system availability when identities are migrated from AD FS to AAD without deliberate planning. Avoid impulsive decision-making when you’re migrating users. Organizations that opt for a hybrid approach should harden Active Directory. This detailed guide offers recommendations about how AD should be managed and maintained for optimal security. Always limit administrative privileges in AD and avoid running day-to-day as a domain administrator.

Familiarize yourself with “join, move, and leave” planning processes and Microsoft’s concepts for identity governance. Automation is possible, but it’s designed for mid-size to large organizations. There’s no default auditing to avoid over-provisioning users or for when individuals leave. Due diligence is necessary to avoid security and compliance issues.

Critically Important AAD Best Practices

Verify that you’ve completed these steps before moving on.

Role-Based Access Control

AAD has built-in and custom user roles, and role-based access control (RBAC) is standard across all subscription tiers. This permits IT to follow the concept of least privilege and helps to establish a Zero Trust security approach, but it relies heavily on manual input and maintenance.

Ensure that you:

• Minimize the number of privileged accounts.
  • Plan to manage, control, and monitor access.
  • Limit global administrator accounts and make use of other roles such as billing administrator, global reader, helpdesk administrator, and license administrator.
• Limit global administrators and never sync high privilege accounts from AD.
• Pay careful attention to external collaboration settings and consider restricting external users from being able to invite guests to shared files; third-party storage; as well as review and adjust global sharing settings for SharePoint Online and OneDrive. These changes impact end users, but make it easier to recognize the “official” channels.

Using security groups for users assists with application security and lowers administrative overhead. Microsoft limits this capability to AAD Premium 1 (P1) and Premium 2 (P2) accounts. However, always try to avoid assigning resources directly to users and use identity protection. Please note that Microsoft has documented multiple limitations to syncing AD groups with ADD groups.  For example, AD primary group memberships will not sync over to AAD.

Multi-Factor Authentication

Multi-factor authentication (MFA) is vital for identity protection. AAD’s free tier only permits the use of the Microsoft Authenticator application. Admins have the option of only protecting the Azure AD Global Administrator versus all accounts, but it’s highly advisable to set up MFA for all users. Protect against MFA self-enrollment attacks by using a Temporary Access Pass (TAP) to secure the initial registration. Avoid mixing per-user MFA with Security Defaults and other settings.

Your budget may impact what’s possible. Microsoft assesses fees for all MFA verifications that happen with non-Microsoft identities and capabilities vary depending upon licensing levels. 

Consider using additional context and “number matching” in Authenticator notifications to include the application name and geographic location in Push MFA prompts. This practice safeguards against “MFA bombing,” where attackers send repeated requests to exploit MFA fatigue. Attackers successfully hijacked Microsoft users’ sign-in sessions to bypass MFA at 10,000 organizations by using advanced phishing toolkits. Microsoft’s mitigation is to use certificate-based authentication and Fast ID Online (FIDO) v2.0 MFA implementations. 

MFA through FIDO 2 devices and Windows Hello requires AAD P1 and P2. Additional hardware costs may apply. Some additional security controls include conditional access (CA).

Conditional Access

Microsoft recommends that all accounts deploy CA, but it’s also an extra cost and only available through P1, P2, or the E3 and E5 tiers for Microsoft 365 (M365) users. The standard M365 tier doesn’t include it. The overall licensing scheme is changing and can be bewildering. 

There’s more than one CA implementation:

• P1 enforces MFA in certain scenarios
• P2 is risk based, learning user behavior to minimize MFA prompts

There are additional steps to consider for password management before we move on.

Configure Password Management

Microsoft has revised its password policy guidance to no longer expire passwords. It’s important to understand that SMEs that are regulated or don’t have MFA and CA configured shouldn’t do that. You may also consider changing passwords if you suspect an ID has been hijacked. CrowdStrike found that 71% of attacks are now malware-less and targeting cloud IDs. 75% of cloud breaches are due to compromised identities. A Zero Trust posture isn’t optional. Consider deploying Extended Detection and Response (XDR) from a vendor of your choosing or paying extra for Microsoft Identity Protection if you prefer the Microsoft stack.

Other best practices are:

• Set up self-service password reset (SSPR) with two authentication methods. Note that using security questions might be risky, because attackers gather intelligence on employees that’s “open source” from the web or obtain information from third-party breaches elsewhere. Microsoft charges extra for on-premises write-back.
• Use the same password policies everywhere (on-prem and cloud-based). Microsoft maintains extensive documentation on an agent-based approach to enforce AAD password protection on AD DS without exposing your domain controller to the web or forcing networking changes. Note that you have to be proficient in modifying AD settings.

Prepare for the Worst

Create an emergency access Global Admin account for when it’s necessary to “break the glass” during network outages and periods of system downtime. This account is excluded from CA and MFA. Always store these credentials appropriately and use a highly complex password.

Following the steps outlined above provides a strong foundation with the appropriate entitlements, attributes, and processes to prepare AAD for application provisioning.

Manage Connected Applications

Application provisioning is on a per user basis by default with group assignment to applications being reserved for P1, P2, or equivalent AAD subscribers. Ensure that applications don’t provision high access through RBAC. There are multiple options, and automation is available for application provisioning. The initial provisioning cycle populates users, followed by programmatic incremental updates that handle updates made through Microsoft Graph or AD.

Microsoft provides several options for attribute mapping from identities that originate from the “three paths” mentioned above via SCIM endpoints to cloud resources or the Azure AD Provisioning agent. The latter must run on the same server as your SCIM application. Microsoft also has options for one-way connections from AAD to LDAP or SQL database user stores, but those have several on-premise prerequisites. Provisioning users into AD DS isn’t supported.

Siloed identities complicate existing identity practices and infrastructure as well as increase technical overhead and the attack surface area. Enable single sign-on (SSO) to centralize identity management either through AAD or a system or service that integrates with it. 

Enable Single Sign-On

SSO will improve security through modern authentication protocols, make life easier for your users, and reduce management overhead. Microsoft has imposed restrictions on the number of SSO applications per user on its free tier, but that policy may be changing. AAD provides pre-built integrations through the Azure AD application gallery in addition to SAML and OAuth 2.0 SSO protocols for manual settings. Microsoft doesn’t support the AAA protocol RADIUS, which many network appliances use for access control, so its SSO doesn’t access all of your resources. Consider using cloud RADIUS or install and configure the Microsoft NPS server role.

It’s possible for all AAD tiers to access native Windows apps via Kerberos, NTLM, LDAP, RDP, and SSH authentication in a hybrid deployment. However, identity protection features such as CA are limited to P1 and P2 products including Azure AD Application Proxy or secure hybrid partnerships integrations. These services will extend modern security to legacy apps.

Phishing Considerations

Microsoft’s default settings permit all users to access the AAD admin portal and register custom SSO applets. Attackers are wise to this workflow and exploit OAuth in phishing exploits, which may bypass MFA. The principle of least privilege mandates that users who don’t need access shouldn’t receive it. Strongly consider restricting user-driven application consent and setting permissions classifications to “low impact.” This also applies to group owners. Compliance boundaries are murkier and should be carefully assessed outside of the Microsoft ecosystem.

AAD can be complex and Microsoft has amassed Azure partners for advanced specialization. Blocks of time with consultants should be a budgeting consideration for any AAD project. This writer, a former IT director, needed consultants even when projects appeared straightforward.

AAD is capable of alerting you to suspicious OAuth authorization requests, but that requires an additional subscription to Microsoft Cloud App security, either standalone or through M365 E5. Other solutions such as CrowdStrike Falcon Identity Protection have this capability. JumpCloud is a CrowdStrike partner and integrates with its solutions through the CrowdStrike Store.

Now that you’re familiar with configuring users, groups, and applications, let’s review reporting. 

Audit Your Security Regularly

You should always look for ways to improve in-house security and processes. If you can’t stop it, you should at least monitor it. Regularly audit your entitlements, users, and review activity reports. Taking this extra step helps make security a process as opposed to relying solely on products and services. 

Ideally, you’ll be monitoring all privilege changes, suspicious activity, and signs of known attacks. AAD will provide you with several reports:

• Basic security and usage reports are included among all subscription tiers
• Advanced reporting is restricted to P1 and P2
• SIEM reporting and Identity Protection require P2 (or equivalent) subscriptions

Some security capabilities may be more accessible and easier to deploy via JumpCloud, which integrates with AD, AAD/M365, Google Workspace, and Okta, or can function as a standalone directory. JumpCloud is focused on managing identities, in all places, as your security perimeter.

How JumpCloud Improves Upon Azure AD Best Practices

JumpCloud is an open directory platform that manages identities, access control, and devices. Devices are a method of granting access to an identity or application, so device management is included by default. That makes it possible to assemble high visibility telemetry data for reporting.

As previously noted, Microsoft requires its users to purchase additional subscriptions (Entra, M365 E3/5, AAD P1/2, and Intune for device management) to meet its recommendations for best practices. Standard AAD deployments fall short of Microsoft’s guidance, but some of its premium offerings may sell SMEs more features than they require or even want to purchase.

JumpCloud can help to fill in some of those gaps, and is easy to deploy, with deepening integrations for exporting AAD user groups. It’s designed for SMEs, so IT teams may benefit from having more control over what they’re buying (as opposed to not using what they pay for). The next section explores the specifics of how JumpCloud can improve AAD and help your organization to build the stack of its choosing out of best-of-breed apps and services.

IAM and SSO

Identities flow into JumpCloud from other directories, HRIS systems, or JumpCloud’s Cloud LDAP. Attributes, such as where users are located, who their supervisor is, or what team they belong to, simplify provisioning user access to IT resources such as applications and networks. 

Group management is provided at no additional cost and leverages attribute-based access control (ABAC), enabling the system to continuously audit entitlements for Zero Trust access control. JumpCloud is introducing the ability to automate and apply membership suggestions to groups. RBAC is more of a manual process, which can lead to mistakes that over or under provision users. Group members can access resources through SSO protocols and more:

• SAML
• OAuth 2.0
• OIDC
• RADIUS
• LDAP

JumpCloud provides delegated authentication that leverages AAD credentials and password policies for RADIUS. This capability extends Azure SSO to network resources such as Wi-Fi networks and VPNs while also reducing technical overhead and eliminating siloed identities. SSO applets launch from within the JumpCloud user console as a security control for phishing.

Environment-Wide MFA

JumpCloud Protect™, an integrated authenticator app for MFA, is designed to be frictionless. It provides application-based Push MFA and TOTP in addition to WebAuthn and U2F keys. More options for biometric authentication and passwordless log-in experiences are being added to the platform. 

MFA can be configured for most SSO, LDAP, and RADIUS logins. It’s also integrated with CA.

Conditional Access

AAD identities can be protected by conditional access through JumpCloud as an add-on without purchasing P1 or P2 from Microsoft. Pre-built rules are available to enforce MFA for privileged user groups, restrict logins to specific locations, and to require device trust. Meaning, any identity + device that isn’t managed by JumpCloud won’t be able to access cloud apps. More granular conditions such as OS version and device encryption status are coming soon.

Password Management

A decentralized password manager and vault is available as an add-on through browser plug-ins and mobile apps to help SMEs implement complex passphrases for users. This feature assists with provisioning and revoking user access to reduce the risk of data breaches. Centralized password management also increases visibility for compliance peace of mind.

Device Management

JumpCloud is cross-OS, supporting:

• Android: Support for policies and application distribution is coming in late 2022 and beyond.
• Apple products: Mobile Device Management (MDM) is available for macOS and iOS devices, providing for application distribution, policies, and commands with the option for Zero Trust deployment. Policies are timely and in-touch with the needs of Mac admins, including addressing “Day 0” OS upgrade controls. 
• Linux: JumpCloud supports multiple Linux distros with multiple deployment options. It provides pre-built policies, including full disk encryption (FDE), and Sudo access for commands (with pre-built security commands through the Admin Console). IAM capabilities aren’t restricted to certain browsers; Microsoft mandates Edge for Intune device enrollment. Intune is an additional subscription beyond standalone AAD. 
• Windows: Anything an admin wishes to do is possible through security commands and a PowerShell module. Commands function through a queue. JumpCloud providespre-built GPO-like policies including fine-grained control over BitLocker, as well as a GUI for custom policies. There’s also software distribution, and more, with Windows Out of Box Experience (OOBE) coming soon to streamline onboarding remote workers.

Patch Management

JumpCloud offers cross-OS patching as an add-on. Patching is an important activity to mitigate the risk of security breaches that leverage 0-Day attacks with a healthy device state. Centralizing patch management helps to reduce costs versus purchasing a third-party patch management solution for Windows and all other operating systems. Browser patch management is arriving in Q4, 2022, and it will extend to reporting for management status.

Remote Assist

IT teams can extend opt-in remote support to users with Remote Assist. It’s free and works cross-OS. The only configuration that’s required is to have JumpCloud agents running on a device that’s bound to an identity from the open directory. It’s possible to:

• Copy and paste between devices
• Work in multi-monitor systems
• Turn on audit logging

Reporting

JumpCloud’s emphasis on making identity the new perimeter is reflected in the telemetry that’s available from built-in reporting tools including Device Insights and Directory Insights. There’s a growing selection of pre-made reports, stored for analysis. SIEM integration is also possible.

Some of those include:

• User to Devices
• User to RADIUS Server
• User to LDAP
• User to Directories
• User to SSO Applications
• OS Patch Management Policy

Cloud Insights is an add-on to monitor Amazon Web Services (AWS) events and user actions. This makes compliance and data forensics easier for SMEs and helps to enforce least privilege in cloud infrastructure. Support for Google Cloud (GCP) will be introduced next for a multi-cloud strategy.

Avoid Vendor Lock-In and Do More with JumpCloud

JumpCloud is available to try with full functionality for 10 users and devices, and with 10 days of complementary chat support before charges are accessed. AAD users benefit from more freedom of choice, simpler deployment workflows, access to more sources, and lower costs.

Sometimes self-service doesn’t get you everything you need. If that’s how you’re feeling, schedule a 30-minute consultation to discuss options for implementation assistance, migration services, custom scripting, and more.

Similarly, managed service providers (MSPs) receive 10 free user accounts within the first organization that they create in the multi-tenant portal, JumpCloud’s dedicated MSP solution.

Microsoft is making a steady push in identity and mobile device management with an expanding array of cloud services. Many organizations, especially managed service providers (MSPs), are considering Azure Active Directory (AAD) with Intune™ for access control and unified endpoint management. It’s primarily focused on supporting the Microsoft ecosystem with add-on options to support other platforms and increase security for enterprises. In order to integrate into existing on-premises Windows domains, however, complex connectors are required. 

JumpCloud takes a different approach through its open directory platform, which can consume identities from multiple providers, through several protocols, to enable frictionless access into different resources. The platform is engineered to follow Zero Trust security principles and automate the user identity lifecycle. The open directory makes it possible for small and medium-sized enterprises (SMEs) and Managed Service Providers (MSPs) alike to provision the best resources, from any vendor, to get work done. It also provides add-ons for deeper system management and security considerations. Microsoft and JumpCloud both provide cloud-based IT management tools for identity management and device management. This article examines how they compare and the best fit for each platform.

What Is Azure AD?

AAD was created for the express purpose of extending Microsoft’s presence into the cloud. It connects users with Microsoft 365 services, providing a simpler alternative to Active Directory Federation Services (ADFS) for single sign-on (SSO). There’s similar nomenclature, but it doesn’t replace all the features of Active Directory and lacks support for key authentication protocols including LDAP and RADIUS. It provides a common identity for Azure, Intune, M365, and other Microsoft cloud products, which permits SSO and multi-factor authentication (MFA) within the Microsoft ecosystem. Cross-domain SSO and MFA are gated behind paid tiers of AAD, once a defined number of integrations per user is surpassed.

Microsoft has a structured gated licensing model with trial subscriptions and a free tier of AAD with some restrictions. For example, there are limits on stored objects and the number of apps a single user can access with SSO and group management with role-based access control (RBAC) costs extra. Microsoft also charges for MFA for external identities, per authentication. AAD’s features, which include a few time-limited trial services when users sign up, are listed on its website.

It also serves as Microsoft’s approach to a multi-tiered portfolio of identity, compliance, device management, and security products. The permutations of accompanying cloud products from Microsoft and challenges of migrating from Active Directory to the cloud have given rise to a cottage industry of consultants. This is due to the breadth of configurations, and resulting complexity, that many enterprise use cases require. However, some organizations may benefit from this approach. Integrations with other paid Microsoft services are possible such as Microsoft Intune Premium Suite, Microsoft 365, automations for management tasks, and reuse of ADMX templates from Windows 10/11.

What Is Intune?

Microsoft’s latest offering is Microsoft Intune Premium Suite. It functions as a mobile device management (MDM) solution to administer features and settings for iOS^®/iPadOS^®, Android^®, and Windows. While it extends to macOS and Linux, it’s historically been less focused on non-Windows platforms. Microsoft is updating its services and is increasing what’s possible on other platforms. For instance, Intune supports custom/templated profiles for macOS, compliance policies, shell scripts, Apple Business Manager (ABM), and user/device enrollment options. Linux support has rolled out slowly and is focusing on compliance policies. Microsoft Edge is obligatory to utilize some of its features, such as conditional access policies for privileged users.

However, Intune bolsters Microsoft products such as Edge and Configuration Manager as first-class citizens. Windows administrators will be familiar with aspects of how it works, such as ADMX templates. Intune is most robust when it is used to manage Windows systems that are hybrid AD-joined, in combination with other services and security solutions. Separate license requirements and costs may impact what services can integrate with Intune.

What is Configuration Manager?

The following provides a quick primer on Configuration Manager:

• Cloud-based MDM to control features and settings; isolation of corporate data
• The Intune admin center offers status updates and alerts as well as device configuration and other administrative settings
• Connectors for Active Directory and certificate-based authentication
• ADMX templates to deploy Windows policies and benchmark group policies and Graph API for scripting, with appropriate licensing in place.
• Integration with AAD, Windows (Win32) LoB apps, and other Microsoft-centric services
• Application deployment and user assignments
• Compliance settings creation and the ability to lock down services with granular conditional access rules based upon group Intuneberships, location, device state, and triggers for specific application access rules (Note: Additional Microsoft products are necessary to protect identities as well as to monitor and control cloud application sessions such as Enterprise Mobility + Security E5)
• Reporting on apps, device compliance, operations, security, and users
• Device-only subscriptions for single-use devices such as kiosks
• Remote support is available as a premium add-on; unlimited federated identity, which provides SSO and MFA environment-wide requires a higher tier of AAD; and Microsoft offers pre-built connectors and SCIM synchronization through its paid SSO SKU.

What’s possible with Intune is somewhat dependent upon what other Microsoft services are being licensed (standalone or bundled), knowledge of Microsoft’s administrative tools, and how invested an organization can become in the Microsoft ecosystem. Intune is a broad product family, and it’s possible to achieve advanced enterprise-level compliance and security by spending more for additional services.

What Is JumpCloud?

JumpCloud is an open directory platform for SMEs and their MSP partners that includes zero trust identity and access control (IAM), cross-OS device management, and more. It simplifies the orchestration of identity management and access control throughout the vendor and open source landscape. Supported platforms include Linux, macOS, iOS/iPad OS, and Windows. Android support is forthcoming. JumpCloud is cloud-based and can be deployed for a domainless enterprise, without the need for AD or AAD, or extend your existing domains with a more straightforward deployment. 

JumpCloud is tailored to the needs of SMEs. Some of its core features include:

• An intuitive user interface and dashboard that makes IT admins more productive and highlights issues that require immediate attention. 
• The capacity to integrate with AAD and Google identities, with delegated authentication available for RADIUS using AAD credentials.
• Unlimited, True SSO that delivers SAML, OIDC, and password-based authentication for any web application, as well as SCIM and RESTful support to manage user onboarding/authorization to third party applications. JumpCloud provides ready-to-consume connectors for many popular services.
• Push and TOTP MFA everywhere, including RADIUS and LDAP connections.
• Built-in MDM, without extra costs; isolation of corporate data.
• Application install and management on remote systems.
• Integrated remote assistance with Remote Assist, free of charge.
• Integrations with popular HRIS systems for rapid user onboarding and provisioning.
• Zero-touch device enrollment and deployment for Apple devices.
• Automated group memberships that leverage attribute-based access control (ABAC) to modernize the user identity lifecycle and enhance security. This provides entitlement management maturity beyond what’s possible with legacy access control paradigms. In contrast, Microsoft’s RBAC is more labor intensive with higher management overhead.
• Cross-OS policies and root-level CLI interfaces for centralized IT management and commands.
• A streamlined dashboard for IT teams and technicians
• Reporting for Device Insights, Directory Insights, and Cloud Insights for AWS.
• A cloud-based LDAP directory with available Active Directory sync tools.

Even more IT management and security essentials are serviced by the following add-on products:

• Pre-built conditional access capabilities that restrict access by location, whether a device is being managed by JumpCloud, and to enforce MFA for specific groups of users
• JumpCloud Patch Management
• Decentralized password management that integrates with the directory platform

Comparing JumpCloud to Azure AD with Intune

AAD and Intune have some overlap with JumpCloud on a feature-by-feature basis, and it makes sense for organizations to evaluate all of their cloud-based identity and system management options. Put simply, the comparison between JumpCloud and Azure AD with Intune is really about adaptability versus maintaining the status quo and vendor lock-in.

The open directory platform solves the challenges faced by modern IT professionals versus simply extending an existing ecosystem into the cloud.

The greatest difference lies in Microsoft engineering its products for the enterprise in service of the Windows ecosystem, tooling, and its accompanying cloud services. There’s deep integrations with Microsoft products and specialized services that mostly benefit larger organizations. If you have an all-Windows^® network, and are already implementing Azure with Active Directory^® on-premises, then Azure AD and Intune could be the right addition for your organization. Using tools created by Microsoft in a Windows environment simply makes sense. Mobile-heavy organizations may also benefit from using Intune’s mobile device management capabilities to manage other operating systems.

JumpCloud is intended for the specific needs of the SME market, as evidenced by how its features are packaged and implemented for ease of use. It was created to address the constraints that arise when a legacy on-prem directory is modified for a new era in computing (that crosses domains). The open directory platform solves the challenges faced by modern IT professionals versus simply extending an existing ecosystem into the cloud.

It also securely connects users to more resources, without the need for additional servers or add-ons. If your organization has AWS, macOS^®, Linux^®, Okta^®, Google Workspaces™, and other non-Windows platforms as core parts of the infrastructure, then you will benefit by choosing JumpCloud’s open directory platform. Organizations can choose the vendors that are best suited for users both now and in the future.

Ease of Use

JumpCloud is simpler and more accessible, with a more intuitive UI and pricing breakdown. A common complaint is that Microsoft’s interface changes frequently and causes confusion. That’s a consequence of product bundling and frequent product family/branding changes. Other issues involve functions such as zero-touch deployments being limited to Windows devices.

Centralized Policy Management

A key component of Active Directory is a feature known as Group Policy Objects (GPOs). GPOs allow IT admins to control the behavior of Windows systems in their environment with great precision. The key here is that Microsoft’s GPOs only work for Windows systems and are not applicable in the cloud via Azure AD, and with the recent rise of Mac^® and Linux^® systems in the workplace, that’s a problem. Microsoft has extended policies to other devices through Intune, which extends Windows administrative methodologies, software, and tooling elsewhere.

JumpCloud offers GPO-like policies for all three major platforms — Windows, Linux, and macOS^® — as well as cloud-based resources. IT admins are able to remotely disable virtual assistants, enforce full disk encryption (FDE), and configure system updates with just a few clicks. When a prescribed policy isn’t going to get the job done, JumpCloud enables IT admins to create and execute their own commands and scripts on all three platforms. JumpCloud also provides optional policies for cross-OS patching.

Open Directory Platform

The JumpCloud platform does not need to fully own an identity to manage it. Rather, it can consume identities from different sources and sits in the middle to orchestrate access and authorization to resources. This simplifies IT management for SMEs by addressing the access control and security challenges stemming from having identities exist in silos. 

For instance, Microsoft doesn’t interoperate with Google Workspace, so IT professionals must tackle authorizing and orchestrating those users between different products. An Azure AD user also won’t be able to use RADIUS to access Wi-Fi without a domain controller or third-party service. SMEs can dramatically improve security as well as save on licensing, headcount, time, and effort by consolidating orchestration into a single directory (that sits in the middle).

Mobile Device Management Capabilities

Intune and JumpCloud have MDM services for managing BYOD and BYOC devices, but the respective value propositions diverge when organizations are cost conscious, have limited resources, or must support heterogeneous environments. 

Microsoft delivers cross-platform support, but Windows is the favored tenant with the capacity for zero-touch onboarding that would benefit Microsoft shops. JumpCloud is easier to adopt, learn, and works better with Mac and Linux systems. The open directory platform also adds additional value for MDM users to import user identities from non-Microsoft platforms to centrally manage or utilize them all.

Android, Apple, and Linux Devices

Intune has Mac and iOS/iPadOS support for the supervision of Apple devices through user login, device enrollment/deployment, configuration management, patch policies, and software distribution. It’s also offering services to manage Android devices and Linux. Microsoft’s full offering requires AAD, Intune, and an understanding of its Windows templates and tooling. It also has extended requirements for other Microsoft products such as Edge to be able to manage Linux users, limiting customer choice.

JumpCloud’s Apple and Linux MDM capabilities are extensive, beginning with a pre-built collection of policies, configuration options, security functions, and culminating in zero-touch device enrollment. MDM is immediately available as a core feature of the platform, and cross-OS patching is available as an add-on service. JumpCloud supports the most popular Linux distros and doesn’t impose any mandates to use a specific browser. 

Affordability and Implementation

With consideration to Microsoft’s extensive stack requirements and gated licensing, JumpCloud’s bundled MDM is more affordable and user-friendly. It’s also easier for IT teams and MSP technicians to learn and manage. 

Configuring Intune is a long and complex process. Intune software deployment and polling works on Microsoft’s schedule, creating management “unknowns.”  The workflow is as follows: upload an MSI, create a package, apply it to a machine … and it will install at some point. This procedure, coupled with a confusing interface, creates a learning curve. Organizations save on costs as a business/MSP by choosing a tool that’s easier to use. Jumpcloud offers more immediate actions for commands and policies.

Platform

Microsoft has devised an extensive cloud services productive portfolio in service of its enterprise customers. It’s a stepwise architecture that enlists adjunct services to build out a broad stack. The Microsoft ecosystem is as broad and comprehensive as a Microsoft shop needs it to be.

JumpCloud is specifically designed for what SMEs need, and sheds the complexity of Microsoft’s ecosystem. It offers far more functionality through one solution that can be bolstered by a mobile-specific MDM, rather than purchasing the entire Microsoft IT stack and everything else required for modern offices to manage users. Organizations that adopt JumpCloud for MDM are more likely to value heterogeneous device management and benefit from its platform approach. Namely, MDM users will obtain greater value by using more of the open directory platform.

Microsoft 365 and Google Workspace Sync

With Microsoft 365™/Google Workspace sync, organizations can access either productivity platform at will with JumpCloud credentials. The open directory platform imports attributes that decorate users with entitlements, streamlining admin workflows, increasing the accuracy of user profiles, and delivering smooth onboarding. IT admins can also manage groups in Workspaces, and the ability to import groups from AAD is launching soon.

Non-System Needs

When evaluating which identity management provider is right for you, you also want to consider your non-system needs. For instance, if you are interested in LDAP, RADIUS, Samba, SSH, and other protocol support, you might consider JumpCloud’s protocol-level hosted services. JumpCloud also implemented MFA for its LDAP and RADIUS services, which is significant when highly regulated industries like cyber insurance companies require MFA to be enabled for network devices. Otherwise, additional servers and services may be needed to be compliant.

Vendor Lock-In

Another core issue for MSPs and IT organizations is vendor lock-in. Microsoft is financially motivated to keep you on the Windows and Azure platform track, which includes its ecosystem of administrative tools and templates. Often, you need a number of additional Microsoft tools on the Azure AD and Intune path. Most organizations with AAD also use AD on-prem, AAD Connect, AAD DS, and other third-party tools to create a holistic IAM and device management approach. That’s a deep investment in budget, training, and dependency on Microsoft.

Intune belongs to an evolving family of IAM products that have undergone multiple re-namings and repackaging. Growing with Intune means licensing Intune as well as other complementary services for security and system analytics. Note that the selections are in flux, making direct comparisons with alternatives more challenging. Buying Intune sinks organizations deeper into the Microsoft stack, which limits their ability to purchase solutions outside the Microsoft domain and customize their stack for their needs. It also introduces some unpredictability in budgeting.

JumpCloud’s open directory platform allows for greater flexibility and shopping around for services, such as adding best of breed XDR integration from Crowdstrike or Sentinel One to secure identities and endpoints, versus a monolithic supply chain from Microsoft.

Total Cost of Ownership

Microsoft’s legacy requirements frequently mandate a hybrid infrastructure configuration. A hybrid infrastructure adds complexity, and complexity correlates to bigger budgets. Managing and licensing your physical servers is expensive (people, hardware, facilities, maintenance, and utilities), and the increase to your potential cyberattack surface area are all factors to consider. These factors combined raise the total cost of ownership for AAD.

A common refrain is that “Microsoft stuff works well together.” In practice, transitioning on-premises Microsoft solutions to the cloud isn’t always straightforward. For example, AD groups don’t all automatically sync over to AAD. This writer recently spoke with an Intune administrator who recounted how his organization, which is invested in Microsoft, was experiencing difficulty transitioning to AAD and Intune from ADFS and Active Directory.

In this example, consultants were brought in to set up Intune. The consultants attempted to turn on “full blown AAD” for the environment. That decision resulted in downstream problems with Virtual Desktop Infrastructure (VDI), because only persistent virtual machines (where every user’s personal desktop settings are set for each virtual desktop) are supported in on-premises ADFS. This scenario may seem arcane, but it illustrates that even migrating to Microsoft’s latest and greatest services isn’t always straightforward. Microsoft has a multitude of legacy components for SSO that tie back to AD, which introduces difficulties that are unique to its ecosystem.

The Intune administrator summed it up perfectly: “I need to focus all my time [elsewhere] but can’t because I get pulled in every direction [due to the complexity of Microsoft’s ecosystem].” Simply put, if your infrastructure’s a mess, everything’s a mess … and costs more than is necessary. The more an organization sinks into Microsoft, the less flexibility it has to go elsewhere.

Service Licensing

Cost of ownership is a key differentiator between AAD + Intune and JumpCloud. AAD is initially a great value — if you’re a heavy user of the Microsoft stack — but costs mount as use increases and third-party services and non-Windows devices are added to your infrastructure. Navigating Microsoft’s complex gated licensing scheme is another driver of rising subscription costs. 

For example, organizations that are considering M365, which can bundle Intune, must assess the differences of all 30 license variations. Some consultants even specialize in demystifying Microsoft’s licensing options. Basic tiers are only the price of admission. There are additional costs involved simply to obtain a few fundamental capabilities such as federated identity in AAD to securely access resources outside of Microsoft’s stack using SSO. That’s the real-world starting point for modern IT, even before Intune or other subscriptions factor in.

Consuming external identities also costs more. Microsoft introduced a separate product family called Entra, which is its solution for decentralized identity, identity verification, and entitlement management. Entra extends Microsoft’s strategy to monetize interoperability that is focused on the enterprise market and the sale of adjacent services. In contrast, JumpCloud’s foundation supports expanding capacity to accept and incorporate other identities into workflows.

IT Infrastructure Consolidation

IT tool sprawl is just one of the many unintended consequences of today’s remote-first workforce. Adopting a consolidated stack is beneficial to avoid overlapping feature sets from many different software products. A Microsoft shop may not need to look elsewhere to meet compliance, IAM, IT management, and highly advanced security requirements with its stack (assuming they have the budget). However, there are downsides.

Smaller organizations may find themselves overextended by the breadth and complexity of Microsoft’s components and services that form its hybrid architecture. Buying, operating, and supporting a datacenter is just the start. It’s very likely that IT teams will have to employ external resources to assist with AAD + Intune implementations. Those decisions involve a substantial and costly long-term commitment.

Azure works best if organizations are fully incorporated into a Microsoft tech stack environment, but not outside of Microsoft’s cloud infrastructure (i.e., it can’t be used to manage non-Windows servers hosted in Amazon or Google clouds).

JumpCloud’s open directory platform enables IT teams to assemble a stack of best-of-breed solutions that are secure, on managed devices, and available through the identity provider of their choosing. Optional products assist with security, IT hygiene, and password management without extensive management overhead or mandates to deploy them successfully.

What’s Best for Your Shop?

If you are locked in to Microsoft solutions, or if you have corporate-owned iOS and Android mobile devices, then Azure solutions may be an acceptable fit. However, its platforms are  intended for the enterprise and extend broadly through gated licensing. Alternatively, if you are an SME that’s invested in other non-Windows platforms and non-Microsoft services and identities, and wish to (or see a path to) consolidate IT resources, then you should consider JumpCloud’s open directory platform. A third option is to use both to obtain the greatest value for your organization.

JumpCloud centralizes user and system management, regardless of platform or where identities reside. This includes our Multi-Tenant Portal (MTP), designed specifically for MSPs to manage multiple client organizations from one pane of glass. JumpCloud offers cross-platform GPO-like capabilities to manage fleets of systems with policies, including local admin system controls, full disk encryption with FileVault 2 and Bitlocker, screen lock regulations, and more. Apple MDM capabilities are available for macOS machines, for machines to execute security functions and distribute configuration policies.

For MSPs, consolidation gives you the chance to proactively manage and monitor your clients’ tech with fewer providers. It decreases your monthly expenditures without sacrificing efficiency or usability, and frees you up to spend more time helping your clients reach their goals. IT consolidation has many benefits for MSPs and their clients, including cost savings, a streamlined user (and management) experience, and an increase in client trust.

The Choice Is Yours

However you choose, all options present benefits to an organization. To learn more about JumpCloud versus Azure AD with Intune, contact us or join our community to engage your peers in conversation.

As always, signing up for the JumpCloud platform is completely free, and includes 10 users and systems to get you started. The best way to learn is by doing. You also get 10 days of premium 24×7 in-app chat support. Sometimes self-service doesn’t get you everything you need. If that’s how you’re feeling, schedule a 30-minute consultation to discuss options for implementation assistance, migration services, custom scripting, and more.

Active Directory (AD) and a domain controller are some of the IT components that are core to organizations using Windows operating systems (OSs). But what’s the difference between them? 

Active Directory is Microsoft’s proprietary directory service. It allows IT teams to manage identity and secure access to various resources on the enterprise network. 

A domain controller, on the other hand, is a server that responds to user authentication requests, allowing the host to access various resources on an enterprise network. 

In this post, we’ll explore the differences between a domain controller versus Active Directory, and how JumpCloud can help you enhance AD or ditch the domain controller altogether. 

Active Directory: Identities and Access

Active Directory is an identity management database that allows IT teams to define what users can do on a network. As a database, Active Directory captures data in the form of objects. An object can be a single resource element, like a user, group, application, or device. 

Each object has associated attributes that allow it to be distinguished from other entities. For example, a user object would have a username, password, and email attributes that distinguish it from other objects. 

Active Directory consists of four essential services that allow it to provide identity and access management:

• Active Directory Domain Services (AD DS). This is the main service within the Active Directory protocol. Besides storing the directory information, it also controls which users can access each enterprise resource and group policies. AD DS uses a tiered structure comprising the domains, trees, and forests to coordinate networked resources.
• Active Directory Lightweight Directory Services (AD LDS). It shares the same codebase and functionality as AD DS. However, unlike AD DS, AD LDS uses the Lightweight Directory Access Protocol (LDAP), allowing it to run on multiple instances on the same server. 
• Active Directory Federation Services (AD FS). As the name suggests, AD FS is a federated identity service that provides single sign-on (SSO) capabilities. It uses many popular protocols such as OAuth, OpenID, and Secure Assertion Markup Language (SAML) to pass credentials between different identity providers. 
• Active Directory Certificate Services (AD CS). This is a service that creates on-premises public key infrastructure (PKI), allowing organizations to create, validate, and revoke certificates for internal use.

Domain Controller: Validate and Authenticate

A domain controller is a server that processes user authentication requests on a particular domain on an enterprise network. While domain controllers are primarily used in AD domains, you can also use them with other non-Windows identity and access management (IAM) systems, such as Samba and FreeIPA.

A domain controller restricts access to enterprise resources within a given domain by authenticating and authorizing users based on their login credentials. For example, in Windows domains, the domain controller obtains authentication information for user accounts from Active Directory. 

While domain controllers can operate as single systems, they are often implemented in clusters to provide high availability (HA) and reliability services. For example, in Windows Active Directory, each cluster can consist of a primary domain controller (PDC) and a backup domain controller (BDC). In Unix and Linux ecosystems, replica domain controllers replicate authentication databases from the PDC. 

Active Directory vs. Domain Controller

It’s common to think that the terms Active Directory and domain controller are synonymous. This is because domain control is a function within Microsoft’s Active Directory, and domain controllers are servers that leverage AD to validate and respond to authentication requests. 

However, the terms are not interchangeable. Active Directory is a database that stores and organizes enterprise resources as objects. You can think of Active Directory as a database that stores users and device configurations in AD DS. A domain controller, in contrast, is simply a server running Active Directory that authenticates users and devices. In this regard, you can think of a domain controller as a custodian, facilitator, or host of Active Directory. 

Since domain controllers mediate all access to the network resources, it is essential to protect them with additional security mechanisms, such as firewalls, encryption protocols, and expedited configuration and patch management solutions.

Deciding What You Need for a Directory and Domain Controller

Many organizations are looking to implement SSO solutions that allow their employees to access all their on-prem and cloud-based applications easily. 

In the recent past, a vital requirement of these solutions was the domain controller, which made it possible to connect applications back to Active Directory as a single source of truth. Organizations have used AD FS as a solution for integrating Active Directory into cloud-based applications. However, while Microsoft markets AD FS as a “free” solution, there are many hidden costs, including hardware purchase, deployment, and ongoing maintenance, that you have to contend with. 

But suppose you were to decide what you need for a directory or what constitutes a complete IAM solution today. Such a solution should provide automated provisioning of resources, lifecycle management, mobile device management (MDM), and reporting from a single console. The IAM solution should also be vendor-agnostic, unlike Active Directory, which excels at managing access to on-prem Windows-based OSs. The IT environments of today simply don’t look like that anymore.

The JumpCloud Directory Platform^® is a low-cost, cloud-based directory management solution that simplifies AD integration, allowing IT teams to unify IAM and consolidate tooling while enhancing Active Directory’s functionality. Organizations can also leverage JumpCloud as an AD replacement tool, reducing the on-prem servers required to set up AD FS and moving to a domainless enterprise. 

Explore JumpCloud Pricing

Packages and A La Carte Pricing

Explore Options

83% of companies have some kind of bring your own device (BYOD) policy in place, which means that understanding and adhering to BYOD best practices needs to be top of mind for IT, security, and upper management. 

Some situations you might find yourself in will require you to either: 

1. Learn about best practices prior to implementing a BYOD policy, and ensure that the practices, rules, and expectations you put together follow those practices, or
2. Retroactively go back into your existing BYOD policy, ensure that it follows best practices, and make improvements wherever necessary.

No matter your situation, you’ll be better off if you’re aware of the challenges and vulnerabilities that accompany BYOD, follow BYOD best practices, and understand what device management tools exist to make managing BYOD easier. This article will dive into each of these topics to help you move forward with your BYOD initiative.

BYOD Vulnerabilities

While many employees expect a flexible BYOD policy at work, there are a handful of risks and vulnerabilities that come along with BYOD implementation. These are often exacerbated by poorly planned and/or poorly executed BYOD implementation, so don’t fret; many of them can be prepared for or avoided altogether by following best practices.

Some of the risks that accompany BYOD in the workplace include:

• Data theft.
• Malware.
• Legal problems.
• Lost or stolen devices.
• Improper mobile management.
• Insufficient employee training.
• Shadow IT.

While each of these poses risk to your organization, the level of risk associated with each can be mitigated through proper training, protocols, device setup, and other strategies. However, they’re still important to keep in mind when you’re establishing or updating your BYOD policy.

There are also challenges that many organizations run into when implementing a BYOD policy. Some of those challenges are:

• Establishing the policy’s scope.
• Figuring out how to separate personal and organizational data.
• Determining how to remain secure and compliant with BYOD devices in the mix.
• Creating sufficient employee security training materials.

Now, let’s get into some BYOD best practices that can help you overcome these challenges and reduce some of the risk that accompanies allowing BYOD in your org.

BYOD Best Practices

While there are many benefits of allowing BYOD in your organization, understanding the risks of BYOD will help you recognize the significance of BYOD best practices. A few of those best practices include:

• Assessing your needs.
• Developing a clear BYOD policy.
• Implementing organization-wide security measures.
• Auditing and blacklisting applications.
• Requiring robust employee training.

Assess Your Needs

In order to create a BYOD policy that will work for your organization and its employees, a best practice is to fully assess your needs. This means answering the following questions:

• What types of working situations (remote, in-office, or hybrid) do you manage? 
• Do you manage part-time, seasonal, or contractor devices?
• How much control do you need over employee devices to maintain your desired level of security/compliance?
• What size is your IT team, and how many BYOD devices will that team be able to manage effectively on top of their other priorities?
• What type of devices and operating systems (OS) do you currently use? What new devices and OSs are you willing to allow with BYOD?
• What policies mustbe on all devices used for work (corporate-owned and personal)?
• How will you ensure BYOD devices are updated in a timely manner and as secure as possible?
• What types of work can or cannot be done on personal devices?
• Are you willing to pay for any maintenance costs or bills associated with BYOD devices in your org?

While this is not an exhaustive list of questions to consider, it’s a great jumping off point for creating a solid understanding of where your organization is at and where it needs to go. This BYOD best practice allows you to take stock of your current device management strategy, understand which teams and parts of the business allowing BYOD will affect, and ensure you create a comprehensive policy moving forward.

Develop a Clear BYOD Policy

Once you’ve assessed the needs and goals of your organization, you can use them to create a clear BYOD policy. The essential parts of this policy include: 

• Which devices and operating systems are allowed or not allowed.
• How they will be managed.
• Expectations for employee use and behavior.
• Security and compliance initiatives, such as what security measures will be implemented across BYOD devices.
• How personal and work data will remain separate.
• How BYOD devices will be onboarded and offboarded.
• BYOD security training policies.

Depending on your organization’s needs, you can add other topics into your policy, or remove some as necessary. The point of creating a clear BYOD policy is not to strictly follow a template that came from someone else, but to mold it into something that perfectly suits your business.

Decide what to include in your remote work policy

Read More

Implement Organization-Wide Security Measures

The next BYOD best practice that we want to touch on is implementing security measures to keep devices, identities, and organizational resources as safe as possible. If not addressed upfront, BYOD can pose new security threats to your organization which can have devastating consequences. 

Some common security measures used in a BYOD policy are multi-factor authentication (MFA), conditional access policies, enforced patch management, and more. By ensuring that personal devices used for work remain secure and productive, you can better protect the identities that use them, as well as the resources that those identities access on them.

It’s important to plan for any potential security threat that can arise due to the use of personal devices for work. Being proactive and establishing clear security guidelines prior to a security event occurring will significantly reduce the amount of risk that BYOD brings to your organization.

Audit and Blacklist Applications

Another BYOD best practice related to security and compliance is constantly auditing and whitelisting or blacklisting applications. It’s essential to keep track of what applications employees need to get work done, how secure they are, and if you should continue using them after a period of time. 

On top of that, with BYOD in particular, it’s important to specifically blacklist certain applications that don’t meet your security standards — this often comes in the form of games, social networking apps, and third-party file sharing apps. Any app that severely compromises organizational resource security on a personal device used for work needs to be inspected and restricted properly.

Invest in Ongoing Employee Training

The last BYOD best practice we want to discuss is both upfront and ongoing employee training. 43% of employees are “very” or “pretty” certain they have made a mistake at work with security repercussions. Not only is this number scary, but it’s also concerning that so many workers are unsure of what type of actions have security repercussions at work. Considering so much business is done and stored digitally and 85% of data breaches are due to the “human element,” this isn’t something to take lightly.

The first step to mitigating these risks is through clear, engaging, and consistent employee training. While this is true across the board, this is a specific BYOD best practice because allowing personal devices to be used for work purposes creates new attack vectors that employees aren’t used to or even aware of. 

To deal with this, consider creating an employee training program specifically catered to BYOD security and best practices for users. This training program should be required, and users should have to re-examine the topics multiple times throughout their tenure to stay aware and up to date on BYOD security.

BYOD and Mobile Device Management With JumpCloud

The best way to monitor and manage BYOD in your organization is through a modern mobile device management (MDM) platform. JumpCloud offers an MDM solution on top of many other capabilities such as MFA, single sign-on (SSO), policy and patch management, and much more! This way, with a single platform, you can allow BYOD while simultaneously securing all devices within your organization.

Try JumpCloud Free MDM

MDM + Cloud Directory

Try Risk Free