Choosing the most cost-effective directory services solution means understanding your requirements. Modern directory solutions manage your digital estate across every device type and resource, using stronger authentication methods than were previously available. Standalone Microsoft Active Directory (AD) is firmly baked into many organizations' IT infrastructures, but it doesn't accomplish those objectives.
AD is a legacy technology that must be secured in order to function for the foreseeable future.
Microsoft's prescribed approach to AD modernization entails combining AD with cloud services to manage a "hybrid of everything" estate. Your infrastructure could span IoT, multi-cloud, on-premises, and operational technologies, and a directory provides access to everything. Costs and complexity will vary depending upon requirements, licensing, and implementations.
There are notable differences between solutions like a hybrid deployment of AD with Microsoft's Entra ID (formerly Azure AD) service and alternatives for modernizing AD, such as 黑料海角91入口's open directory platform. That can make comparing the cost more challenging, especially considering that not all directory services are "one size fits all" when it comes to ensuring an organization gets the best value for the money and time it will put into setup and ongoing management.
This article explores the true costs of running AD, more than two decades after it first shipped, and how to modernize it for effective identity and access management (IAM) and better security.
Hidden Hardware Costs of Active Directory
Let's start with the essentials of operating server rooms. You must account for expensive server hardware, which becomes costly if multiple servers are needed or if a company has multiple geographical locations that each require their own fleet of servers. AD servers must be dedicated systems and meet very specific hardware requirements. This is a particular challenge for distributed environments, which require multiple AD servers at each physical location.
Cloud solutions either help reduce server room sprawl by providing services and scalability on demand, or can replace AD outright when the requirements are appropriate for a total migration.
Software Expenses
It's not uncommon for a server that meets your to cost five figures, although that is not due to inflated hardware costs. It's because Microsoft has modified its licensing scheme to be based on a . Client Access Licenses (CALs) are an additional fee. Here's what Windows Server licensing can cost for an 8-core server:
The licensing is complex (depending upon your agreement) and can be difficult to understand. Microsoft periodically audits customers to ensure they are compliant with its licensing terms. And that's just the server operating system cost. You also need to purchase virtualization management software. Here's an example of a real invoice that was once paid:
AD is focused exclusively on Windows devices, so a company needs add-on, third-party software to manage Mac and Linux devices. This is often licensed per device, per user.
黑料海角91入口 is an open cloud directory that can reduce or eliminate these costs when it's used to modernize AD. Google recommends 黑料海角91入口 for small and mid-sized enterprises to manage users and devices.
Microsoft Cloud Service Subscriptions
Hardening AD isn't a throwaway suggestion. Microsoft's literature and Microsoft Learn collateral urge customers to never sync on-premises admins to Entra, because AD can be compromised. A Microsoft shop should use Entra ID "onmicrosoft.com" domain admins to "break the glass."
Microsoft's (MCRA) prescribes cloud security solutions to protect AD against threats. That means subscribing to Entra ID Premium 2 (P2) for Identity Protection as well as licensing Defender for Identity. Defender for Identity can prevent lateral movement and privilege escalation. IT admins will first have to establish a hybrid configuration using the Microsoft Azure AD Connect directory synchronization tool.
Other suggested subscriptions and steps for hardening AD include:
- Entra ID P2, which provides Identity Protection, and costs $9.00 user/month
- Defender for Identity, which is priced a la carte. Advanced Threat Analytics (ATA), an on-premises solution, ended mainstream support on January 12, 2021, leaving Defender as the only option if your organization goes all in with Microsoft.
- Microsoft Defender for Endpoint is also recommended if you want to extend monitoring to server threats, which also places Microsoft in control of your Endpoint Detection and Response (EDR).
- Windows Defender Credential Guard is included in Microsoft 365 E3 and E5. It protects AD against brute-force attacks.
- Azure Bastion as a jumpbox for RDP and SSH into Windows Server.
- Setting up a Windows secure admin workstation (SAW).
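The guidance above hinges on keeping on-premises admins out of Entra privileged roles. The following audit script is an added example, not code from the article or from any vendor named in it; it assumes the Microsoft Graph PowerShell SDK is installed and the caller holds the RoleManagement.Read.Directory and User.Read.All permissions, and the role list is an assumption you should extend to match your tenant.

```powershell
# Added example: list members of privileged Entra ID roles whose accounts are
# synchronized from on-premises AD, the configuration the article advises against.
# Assumes the Microsoft.Graph SDK and the permissions named in the lead-in.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory","User.Read.All" -NoWelcome

# Roles treated as privileged for this check (assumed set; extend as needed).
$privilegedRoles = @("Global Administrator", "Privileged Role Administrator",
                     "Security Administrator", "Hybrid Identity Administrator")

$findings = foreach ($roleName in $privilegedRoles) {
    # A directory role only exists as an object once it has been activated in the tenant.
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) { continue }

    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id) {
        # Members may be users, groups or service principals; only users sync from AD.
        if ($member.AdditionalProperties.'@odata.type' -ne '#microsoft.graph.user') { continue }

        $user = Get-MgUser -UserId $member.Id -Property "userPrincipalName,onPremisesSyncEnabled"
        if ($user.OnPremisesSyncEnabled) {
            # Flag the account: a compromised on-premises AD could reset this password
            # and inherit the cloud role through directory synchronization.
            [pscustomobject]@{
                Role              = $roleName
                UserPrincipalName = $user.UserPrincipalName
                Issue             = "Privileged Entra role held by an AD-synced account"
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Host "No AD-synced accounts hold the checked privileged roles." }
```

Accounts that appear in the output should be replaced by cloud-only (onmicrosoft.com) administrators, with the break-glass accounts excluded from the synchronization scope entirely.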
Network Equipment Expenses
A percentage of a company's data center space needs to be allocated for networking equipment, as well as software that allows IT admins to manage and monitor the equipment.
You should account for:
- Network overhead, including support agreements for firewalls and switches
- High-speed internet
- Back-up power
- Disaster recovery
- Special hazards fire protection and HVAC equipment
- Physical security controls
An inert gas system requires sealing a room and having dedicated HVAC. Other solutions for special hazards, including in-rack fire suppression, are also costly. The following serves as an example:
黑料海角91入口 provides web SSO (OIDC, SAML), in addition to RESTful API-based provisioning, privileged identity management through conditional access, cloud LDAP and RADIUS. It reduces your data center footprint by eliminating the need for the NPS server role and AD FS.
Admin and Maintenance Costs
Installing, configuring, and maintaining an AD server, or servers, takes time and effort. A sizable portion of costs goes to resources: people trained and skilled to maintain the AD hardware and software, as well as the network equipment. When choosing a directory services solution, every organization should remember to factor in the cost of necessary patches and upgrades; otherwise, an entire business can abruptly halt if the system goes down.
Entra and Azure services require additional training and might necessitate new hires with salaries at market rates. Account for the training and certification costs of modernizing AD. Team members who use Entra ID should have proficiency at the level of Microsoft's SC-100 and SC-300 certifications. Entra ID is an enterprise solution that has many interdependencies. Microsoft also recommends outsourcing automations and workflows to vendors.
also provides training and certifications. However, it's possible for a small team to modernize AD without engaging external resources. Cross-OS and browser patch management for Macs, Linux, and Windows is an optional add-on for 黑料海角91入口.
User Management Expenses
Because AD does not have a central portal to handle password resets and other end-user problems, an organization needs to hire IT admins who can be on the front line to assist employees with their devices and applications. Lifecycle management is a manual process without add-ons or automations, which results in low-maturity entitlements management. Incidents such as the occurred due to stale account management.
黑料海角91入口 provides advanced lifecycle management by integrating with popular HR systems. This helps to eliminate the barrier between HR and IT. Dynamic groups automate user provisioning and memberships based upon attribute-driven rules. Google Workspace also utilizes attribute-based access control, and is complementary.
Modernize AD with 黑料海角91入口
Modernizing AD through Microsoft means remaining locked into its software monoculture through Entra ID, now and for the foreseeable future. Security services, staff training, potential new hires, and external vendors to manage workflows raise costs. These costs are also locked in and go beyond the sticker prices of the Microsoft 365 plans needed for Entra ID.
Every organization should factor in what maintenance, add-on software, and IT staffing will cost if it continues to operate most services on premises. To help compare directory services solutions, we created a cost comparison calculator that you can use for a side-by-side comparison of Microsoft Active Directory with 黑料海角91入口. Want a copy to simplify the process? Drop us a note. We'd be happy to send you our cost comparison calculator.
黑料海角91入口 provides a sensible and holistic approach to AD modernization; it also integrates with AD and other identity providers (IdPs), such as Okta, through federation and directory synchronization. It's an even better solution when paired with Google Workspace for productivity and collaboration. IT professionals and MSPs can modernize or replace AD with 黑料海角91入口.