{"id":6137,"date":"2023-03-27T09:57:35","date_gmt":"2023-03-27T13:57:35","guid":{"rendered":"https:\/\/www.jumpcloud.com\/blog\/?p=6137"},"modified":"2024-11-14T17:53:21","modified_gmt":"2024-11-14T22:53:21","slug":"on-prem-domain-controller-to-the-cloud","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/on-prem-domain-controller-to-the-cloud","title":{"rendered":"Is There a Cloud Domain Controller Alternative to AD?"},"content":{"rendered":"\n

Domain controllers (DC) have been the workhorse of Microsoft-centric networks for over 20 years, but the IT landscape has shifted as technologies and how we work have evolved. Cloud-based alternatives to domain controllers and Active Directory® became available to solve modern IT challenges by positioning devices, not the network, as the gateway to resources. Microsoft offers a virtual infrastructure of services through its Azure platform, but still has dependencies on Windows Server roles to provide authentication and authorization into every IT resource. Azure also introduced a complicated licensing scheme that cordons off key features.

JumpCloud is another option that takes a different approach via its open directory platform, which eliminates the need for many on-prem systems. Its open directory consumes external identities and has workflow-based pricing. This article overviews how each of these cloud platforms makes it possible to reduce or eliminate dependence on DCs for a domainless enterprise.

Domain Controllers at Large

Domain controllers were predicated on the concept of a network serving as the perimeter. Microsoft's approach was to create a "domain" where all of an organization's IT assets would live. These would all be Microsoft assets, and would all be located on-prem as well.

This enclosed area or "domain" was thought to be more secure than the more open network alternative. Plus, once a user was within the domain, a directory service such as Active Directory® could control what a user had access to. This approach made it simple to appoint one central identity management platform as the control point for user access.

The IT landscape has changed with the inclusion of non-Windows resources and remote work. The original concept of the domain no longer satisfies requirements for many small and medium-sized enterprises (SMEs). Microsoft originally provided add-ons for DCs, such as AD FS, to include single sign-on (SSO) for web applications. Microsoft has since embraced the new normal that Android, Apple, Linux, and Windows devices are all being used to perform work beyond traditional network boundaries. Organizations that use DCs require an assortment of AD add-on solutions such as identity bridges, web app SSO platforms, multi-factor authentication (MFA) solutions, and more. All of this increases IT management overhead and network expenses.

However, it's now possible to utilize a combination of Azure Active Directory (AAD), Entra, and Intune to manage identities and devices that aren't part of the Microsoft stack. Let's explore those options in more detail, because usage is dependent upon a gated licensing model.

Microsoft's Cloud Domain Solutions

Azure Active Directory Domain Services, coupled with Intune for device management and Entra to manage external identities, is the Microsoft-centric answer to cloud domain controllers. Azure was built with the enterprise in mind, with complex but extensive deployment options. It spawned an ecosystem of consultants and add-on services for compliance, security, and more. It continues to build out its cloud offerings. For instance, Microsoft has shipped Azure AD certificate-based authentication (CBA), which eliminates the need to run AD FS for CBA. However, many of the services that a DC once provided for free are now being monetized.

Azure AD's Role

AAD is a cloud-based identity and access management service that was originally created to ferry users into Office 365. Its capabilities are heavily dependent upon which licensing tier you're paying for. Microsoft gates off features into three tiers: free, Premium 1, and Premium 2. The tier that's available to you is dependent upon which Microsoft 365 package you've purchased, but it's also possible to add Premium tiers to your Office 365 services at an additional cost per head. Every AAD tier obligates paying more to govern and authenticate external identities with Entra. In addition, only AAD licensing that's Premium 1 and above will permit you to work with it.


AAD Subscription Levels

Free: AAD's free tier provides SSO for SaaS applications using your Microsoft identities with MFA. It offers basic reporting on the underlying identity management solution as well as security and usage reports. It leaves out group assignments, omits custom conditional access rules, limits how users can be provisioned, and won't work with Intune. This leaves its subscribers without device management for endpoint security posture. The Free edition won't work with Microsoft Sentinel, the Azure security information and event management (SIEM) platform.

Premium 1 (P1): P1 adds the ability to configure Intune, provisioning for Windows devices, more advanced MFA configurations, conditional access policies, end-user self-service, advanced group management, and more thorough alerts and reporting. Azure AD Password Protection is also fully enabled, versus limited in the Free edition. Other features are intended to enable hybrid scenarios for on-premises DCs that aren't possible through the free edition.

Microsoft obligates its customers to adopt its Edge browser in order for its conditional access policies to work.

Premium 2 (P2): P2 includes all of the features of P1 but adds identity governance features including risk-based conditional access policies, conditional access based on device state or location and group, privileged identity protection, Windows Defender for Cloud Apps, and more. Privileged Access Management (PIM) to manage, control, and monitor access to administrative roles is only available in this SKU.

Security and Compliance reporting is more extensive, to audit sign-ins, use risk, and activity. It's possible to integrate with SIEMs, perform access certifications and reviews, and investigate risk events. Lifecycle Workflows, a beta lifecycle management service, is also included.

P2 is an enterprise-grade solution that could contain more extensive capabilities than an SME requires or has the capacity to fully implement and use. The breadth of P2 is significant.

AAD's Features and Limitations

Operating without a domain controller will obligate you to license Azure Active Directory Domain Services (Azure AD DS) to use managed domain services to migrate legacy on-premises applications. Other solutions, including Microsoft Identity Manager for lifecycle management, require a DC to be installed on-premises. Lifecycle Workflows is being previewed for Azure, which will require either standalone P2 subscriptions or purchasing a higher M365 service tier.

\"\"<\/figure>\n\n\n\n

Best practices: There are many steps necessary to configure AAD to be safer from phishing and other credential harvesting attacks. Microsoft has prescribed best practices to secure identities, but reserves several key features for its most premium subscription levels.

Devices: AAD lacks cross-OS device management, unless Intune is included within your license tier. Intune is a separate cost from AAD, but requires P1 or P2. Microsoft Autopatch, which includes Windows Update for Business, also has dependencies on Premium licensing. Microsoft has partitioned remote assist off as a premium add-on to Intune.

Interoperability: A domain controller and a server running the Network Policy Server (NPS) role are required to utilize common network protocols including RADIUS and LDAP. You'll also have to install and configure sync tools to connect AAD with your on-premises directory. Azure AD DS also includes LDAP, but that's also an additional charge beyond your regular AAD subscription.

Intune and AutoPatch for Devices

Device management is charged separately from AAD, but it's dependent on Azure AD Premium subscriptions to function. Standalone licenses (AAD Premium, Intune) or Microsoft 365 E3/E5, Business Premium, or Enterprise Mobility and Security licensing is required. Intune uses ADMX and ADML templates for policy deployment, which may be a familiar approach for AD admins.

\"Prerequisites\"<\/figure>\n\n\n\n

Windows Autopatch is available as a system to update the Microsoft stack on Windows, exclusively. Windows Update for Business has been folded into that offering. It requires enterprise-level Windows licensing, AAD Premium, and Intune in order to function.

[Figure caption: Admins will now pay for what WSUS delivered for free with the addition of Microsoft's suite of Defender cloud security services.]

Difficulties with Intune

Microsoft admins have experienced some difficulty getting Intune to work for them, such as: