Editor’s Note: Given the fast-paced nature of technology, it is possible that some of the information presented in this article is out-of-date, or incomplete, in some fashion. The author periodically reviews and revises this article to ensure information contained within is as accurate as possible.

Microsoft^® Azure^® is an umbrella for a variety of cloud services, including Azure Active Directory (AAD). On its face, Azure AD might seem like a replacement for on-prem Active Directory (AD) or a cloud-based solution for organizations in need of a directory service, but more factors come into play for IT admins making purchasing decisions, including complicated SKUs and licensing. This article examines the total cost of ownership (TCO) of AAD for the type of configuration that a small and medium-sized enterprise (SME) would require for its identity management lifecycle.

AAD was created to extend on-prem AD identities to Azure in order to provide user management for Microsoft Office applications, and now single sign-on (SSO) for service providers (SP). It’s available as a standalone product, but is also bundled with Microsoft 365 (M365) subscriptions. Microsoft has positioned AAD as the connective tissue within a broader identity and access management (IAM) ecosystem. That extends from users and devices to its security portfolio. Add-ons and integrations are almost inescapable, because AAD is very interwoven with those products. It’s not even possible to implement Microsoft’s best practices for AAD without paying more.

A Codependent Approach

Significantly, Microsoft manages endpoints separately from identities even though experts recommend making identity the new perimeter in cybersecurity. Device management (outside of AD) is only bundled with some of its premium M365 SKUs, but not AAD. Organizations that aren’t using M365 will have to purchase a separate subscription to manage their devices.

Microsoft’s reference architecture suggests an array of Microsoft-based tools to fully leverage AAD, so even Microsoft-heavy IT shops will encounter more IT infrastructure and maintenance costs. You’ll have limited administrative capabilities if you use AAD without on-prem AD, or aren’t subscribed to premium tiers and add-on services. For example, you won’t be able to employ the suite of group policy objects (GPOs) to on-prem Windows devices, and you’ll struggle with authenticating local IT resources such as applications and file servers. 

AAD is also not an open directory, so working with external identities from other identity providers (IP) and connecting users to IT resources (RADIUS, LDAP) requires even more solutions. Some are cloud-based, but others expand its footprint on-premise, and are reliant on AD.

Costs of Azure Active Directory

To fully assess the TCO of Azure AD, it’s necessary to account for tangential, but necessary, costs. Fortunately, we’ve developed an equation to help you understand the TCO of AAD:

Costs of Azure Active Directory = Azure AD Premium Package + Add-Ons for device management + External Identities + Azure AD DS + Active Directory + LDAP Server + RADIUS Server + Integration/Management Time for your implements

Let’s begin by assessing AAD’s pricing and then branch outward to the other components.

Standalone Azure AD and M365

Standalone AAD has three SKUs:

• AAD Free – AAD Free provides SSO to Microsoft apps and federation to other SAML/OIDC services. This version is feature-limited with no group management, limited MFA configurations, limits on directory objects per user, and various other restrictions.
• Premium 1 (P1) – P1 introduces SSO sign-in page customizations, conditional access rules, role-based group assignments to applications, end-user self-service for passwords and MFA, additional cloud security, and options for authenticating users into local Windows apps. 
• Premium 2 (P2) – P2 adds risk-based identity protection, more self-service capabilities, as well as identity governance and compliance such as privileged access and entitlements management. Logging and reporting is also more comprehensive.

M365 subscriptions also bundle AAD. It’s not even possible to use M365 without AAD, which serves as its substrate for managing your users. Some admins encounter AAD through Office.

Its directory features are gated off into multiple tiers:

• M365 Business Premium – This includes device management and security services to protect identities.
• M365 E1 – Device management isn’t included and AAD is limited.
• M365 E3 – This edition includes device management and AAD P1.
• M365 E5 – This edition includes device management and AAD P2.
• M365 F3 – This edition includes device management and AAD P1.
• Enterprise Mobility + Security (EMS) E3 – This edition includes device management and AAD P1.

EMS E5 – This edition includes device management and AAD P2.

Device Management

AAD sounds a lot like AD, but it doesn’t perform the same role; for example, it won’t manage your devices. Microsoft established its Intune product lineup to manage Android/Chrome, Apple, Linux, and Windows endpoints. It uses AAD to manage identities, Configuration Manager (formerly SCCM), in addition to Windows Defender for security and Autopilot for onboarding Windows devices. Intune may be bundled with M365, depending upon your subscription level. However, Intune is not included with AAD P1 or P2, and that omission will increase your monthly costs per user.

Intune includes enterprise-grade features and can be a useful tool for compliance and managing non-Windows devices for organizations that have many remote workers. However, it also has documented downsides. SMEs that are accustomed to AD may be unfamiliar with its quirks:

• Unpredictable time spent importing the provisioning of devices, assigning profiles, and deploying apps.
• Simple mistakes can cause actions to fail, such as a Registry key requirement rule filtering out devices.
• Problems with assigning available licenses to new users.
• Configuration changes taking a long time to go into effect.
• Debugging events and sync logs requiring additional third-party tooling.
• Loss of internet connectivity causing Windows Autopilot to fail.

The cost of learning, implementing, and supporting Intune is another TCO consideration.

Azure Active Directory Domain Services

Intune is not the only option for Microsoft shops. Azure Active Directory Domain Services (Azure AD DS) is billed as a domain controller-as-a-service for virtual machines and legacy applications. It’s charged for the hour, and the price is based on the number of directory objects.

Per Microsoft, “Azure AD DS provides a managed domain for your users, applications, and services to consume. This approach changes some of the available management tasks you can do, and what privileges you have within the managed domain.”

Azure AD DS differs from on-prem AD in a number of ways, including its lack of domain or enterprise administrator privileges. You also cannot add on-prem domain controllers to the managed domain.

If you use AAD and Azure AD DS in conjunction with on-prem AD — which is necessary if you want full AD capabilities — you’ll have to factor in the associated costs for that as well.

Managing External Identities

Microsoft Entra is necessary to manage external (non-Microsoft) identities and devices. There’s a charge for every single MFA authentication for non-Microsoft identities such as Google Workspace. In addition, AAD P1 or P2 licenses are necessary to work with external identities.

Complex Licensing

If you think that AAD is the right solution for your organization, you’ll have to dig through the pricing and SKUs outlined above. It goes without saying that the pricing model is complicated, and non-system access needs may also obligate you to purchase more CALs. You should begin by understanding your current situation. If you have a Microsoft Enterprise Agreement, Open Volume agreement, or are part of the Cloud Solutions Program, you will have a right to certain functionality (Basic and Premium depending upon your specific agreement).

If your IT organization isn’t a part of any of those programs, yet you’ve purchased Azure or M365, you can purchase the right Premium Azure AD services. It’s possible for SMEs to overspend on AAD or be upsold by a Microsoft partner due to the complexity of its licensing, so it’s important to take the time to understand your requirements versus what you’re paying for.

Complicated Setup and Migrations

The breadth of potential configurations, critical need to understand security best practices, and overall complexity can make adopting AAD a major initiative. Most SMEs aren’t experts in Microsoft licensing and seek assistance for their implementations. For instance, AAD’s default settings can place your users at risk of phishing attacks that can even bypass MFA. IT teams that are migrating from products such as AD FS or have multiple domains in a forest will face some technical considerations that may be unclear and unfamiliar. Microsoft’s guidance states:

“If you have multiple on-premises domains in a forest, we recommend storing and synchronizing information for the entire forest to a single Azure AD tenant. Filter information for identities that occur in more than one domain, so that each identity appears only once in Azure AD, rather than being duplicated. Duplication can lead to inconsistencies when data is synchronized. For more information, see the Topology section below.” 

That can be significant work for an SME.

The realization that adopting AAD can be very cumbersome has given rise to a cottage industry of consultants, and many organizations purchase blocks of hours to support their deployments. In-house resources may not be enough. Factor implement costs into your TCO calculations.

Cost of Active Directory

Active Directory represents a number of costs for organizations, including servers, software, and licensing. SMEs will also have to maintain a server room, which can add significant costs.

Servers: Domain Controllers

If you use Azure AD with on-prem AD, servers are an obvious cost. You either need to maintain a server room or spin up AD in a virtual environment, both of which must factor into the TCO of Azure AD. You need to budget for the costs of redundant servers, too, in case your primary domain controller (DC) fails. High availability (HA) is automatic whenever there’s more than one DC. That makes it possible to shut down a server for maintenance without impacting your end users.

Objects are automatically replicated throughout the server cluster and administration is more complex: e.g., add-on apps must be installed and updated on each DC. Adding additional servers to achieve HA may increase licensing, management, and other infrastructure costs.

Software: Windows Server

Beyond the cost of the servers themselves, you’ll need to purchase the software to be installed on them. Since 2016, Windows Server licensing has been on a per CPU core pricing structure, rather than the previous per socketed CPU structure. Admins can purchase those licenses in 2- or 16-packs. You may need to stand up multiple servers for all of the required server roles.

Licensing: Client Access Licenses

Another important cost to consider is client access licenses (CALs), which you purchase based either on user count or device count. Core licensing has become even more expensive.

Hardening AD for Security

It can take more than a work week to secure AD to recommended best practices. Maintaining AD alongside AAD could dramatically increase IT overhead and administrative costs.

Advanced Identity Lifecycle Management

AD isn’t Zero Trust and identity lifecycle management is a manual process unless SMEs develop automations or use third-party solutions. That increases the risk that users may be over or under-provisioned, or that inactive accounts remain in use. Managing users in AD can be a disjointed, error-prone process. The risk of data exfiltration is higher with manual processes, which creates a financial risk as laws and regulations are treating violations more seriously. AAD’s advanced identity management policies can extend AD and improve upon it, but only with P1, P2 subscriptions. Azure AD Connect is required to sync identities between AD and AAD.

Server Rooms

An accumulation of hardware, servers, and network equipment means you’ll be spending more for your server room. Eventually, you’ll require a more powerful core switch or better firewall. “Better” translates to more expensive and potentially unplanned downtime on your network as well as new annual support costs, change management, and backups of your configurations.

Then, you’ll have to establish physical security controls and ideally, fire suppression. An inert gas system requires sealing a room and having dedicated HVAC. Other solutions for special hazards, including in-rack fire suppression, are also costly. See here for an example:

Microsoft promises consolidation, but its solutions can be a wellspring of added administration.

This next section explores non-systems requirements and challenges AAD creates for SSO.

LDAP Server

AAD and AD lack SSO to everything, especially the core protocols that network devices or Wi-Fi networks use. This can lead to identity silos and duplicate authentication flows. Microsoft promises consolidation, but its solutions can be a wellspring of added administration.

If you aren’t hosting all your server infrastructure in Azure, you’ll also need to manage the associated identity management costs to manage user access to other cloud infrastructure providers such as AWS^® and GCP. Some of these platforms offer their own managed Active Directory services, so you can potentially leverage those managed AD services, but you’ll need to make sure that they can connect back to your other AD infrastructure and/or with Azure. None of this work is easy, and it can add a great deal of fragility to your IAM environment.

Azure AD doesn’t come with cloud LDAP functionality, so you’ll need to maintain an LDAP server, as well as service on-prem LDAP applications and MFA solution, if required. Azure AD DS is also required to sync passwords and group memberships from Active Directory. Azure AD DS allows organizations to migrate legacy applications to Azure entirely, but that service represents an additional cost as well as the work around the migration of applications which is not an easy task in most instances.

RADIUS Server

Azure AD does not come with cloud RADIUS functionality either. Instead, you’ll need to spin up a RADIUS server, use the NPS server role or another cloud service to have the capability of managing Wi-Fi and VPN access. You’ll also require a secondary authentication method. JumpCloud makes it possible to leverage AAD credentials for delegated authentication. Many network devices use RADIUS for authentication, and the lack of support makes initiatives such as compliances more difficult. Auditors often want devices, down to switches, protected by MFA.

Vendor Lock-In

This level of platform integration may be beneficial for “all Microsoft and Azure” organizations. However, the lack of interoperability through an open directory and continued reliance on AD adds costs, complexity, and administrative overhead. That level of monoculture and high dependence on a single vendor makes it more difficult to adopt “best-of-breed” solutions.

With the changing IT landscape, the good news is that IT organizations are leveraging a wider range of platforms. This requires a different set of IT management tools, and specifically, it involves the core identity provider. Using Azure AD encourages the use of Azure throughout your entire environment. AAD, like AD, obligates the use of Microsoft infrastructure and services/applications. This strategy has been successful for Microsoft in the past, and the company is employing it again to work to lock-in customers into Microsoft platforms.

Microsoft’s promotion of IT consolidation has been successful from a sales perspective, but it doubles down on vendor lock-in. In contrast, an open directory platform provides value lock-in.

Evaluating Azure Active Directory

Azure AD might be the solution for a Microsoft shop that already has AD established and needs to extend their IT resource management to the cloud. However, organizations should assess their existing stack and whether Azure AD will address all their needs before making the purchase. Beyond Azure AD, organizations will likely need to purchase Intune for device management. Azure AD DS is also necessary to maintain Azure AD Connect (along with their on-prem AD instance), as well as RADIUS and LDAP instances and other add-ons. These all represent cost centers. Azure AD is not an all-in-one solution, but does meet certain use cases.

Resource to Calculate TCO

JumpCloud released a TCO Guide and TCO Calculator to help IT admins understand the complete costs of different solutions used in their environment. We also invite you to try JumpCloud, which is free and full-featured for 10 uses and devices. It may help extend AD in the way that your organization needs to adapt to change or meet compliance requirements without hassle. JumpCloud is 

JumpCloud’s open directory platform delivers select features found in AAD, Entra, and Intune with an emphasis on what’s best for SMEs. Those capabilities are available without gated licensing, tethering your team to legacy systems, or complicated workarounds. It’s priced to enable workflows, versus charging more for advanced identity lifecycle management. JumpCloud enables IT unification, as opposed to consolidating with a single vendor.

Its benefits include:

• AAD and AD integration with group syncing
• The ability to import identities from your HR systems at no additional cost
• Attribute-base groups that makes suggested changes and automate memberships
• Mobile Device Management (MDM) and pre-built policies for Apple products, Android (soon), Linux, and Windows endpoints
• SSO to everything, including integrated cloud RADIUS and LDAP
• Environment-wide Push MFA and TOTP; certificate-based authentication (soon)
• Optional conditional access policies for privileged access management (PAM)
• Interoperability with M365, Google Workspace, and Okta
• Integrated, pre-built reporting on directory and system activities
• Optional cross-OS patch management and a decentralized password manager

JumpCloud also offers a variety of Professional Services to help ease the load your employees face. Learn more or schedule a free 30-minute technical consultation.

Software renewals come out of the capital expenditures (CAPEX) budget, which is a major long-term expenditure versus operating expenses (OPEX), the day-to-day operational budget. Accounting makes a distinction between software and services. Using services helps your organization to lower its income taxes and free up cash. Services may make it easier to budget when you already know what the ongoing costs will be.