I recently read an article on Okta's blog titled "Why it's time to break up with Active Directory". I pride myself as a somewhat-in-the-loop kind of IT admin, and I had a distinct sinking feeling when I read the title. I am still a huge fan of AD. Am I now an IT dinosaur?
The gist of the article is that AD is old. Like, 20 years in technology kind of old. And old is bad, because technology changes fast! A bunch of jargon like BYOD, Cloud, and ecosystem got thrown around, and lo and behold, there is a new identity kid in town. Time to move on from ye olde AD and onto something newer and better. Something that supports multi-device management, and collaboration tools like Box and Google Drive.
Hold on a second now. First of all, are we trying to say that the AD from 20 years ago never got any feature updates? OK, sure. Maybe the traditional AD, and by this we mean AD DS (read about the different flavours of AD here), is unable to support a modern BYOD landscape. But AD DS is only a small portion of Microsoft's identity management platform. Azure AD (AAD) is the modern version of AD, and it is a far simpler adoption path for any enterprise that has previously managed an AD-based environment.
Azure AD Connect, Microsoft's free Cloud connector and identity sync tool, is a no-brainer if you already run an AD domain on-premise. Never mind that if you went with Microsoft, chances are you've also adopted Office as your productivity suite, which means going to Office 365 will also be a no-brainer. What about email? Well, if you had adopted Microsoft for your on-premise implementation, chances are you had Exchange as well. Migrating from Exchange on-premise to Exchange Online is not a huge deal with Microsoft's supported hybrid configuration. But try to move your Exchange to something like GSuite and you're probably in for some uphill battles. Frankly, of all the clients I've ever worked with, not a single one has ever wanted to move from Exchange on-premise to anything other than Exchange Online.
That's all to say: if you had gone with AD before, you probably will not move away from AD to a different identity provider just so you can support your Cloud implementations of Office and Exchange.
Now, if you were never an on-premise AD customer, does an IdP like Okta make sense compared to Azure AD?
Email is probably the lifeblood of any business operation. Being able to communicate internally and externally with your clients, vendors and staff is essential for any business. Looking online for email service providers, how many can you name off the top of your head? I can personally count 3:
Microsoft's Exchange (Office 365)
Google's Gmail (for Business)
Some form of webmail (from ISPs like Telus or Shaw)
I'm just going to hazard a guess that the email market is split fairly equally between Exchange and Google, being the two largest.
When you buy your first O365 email account, whether you know it or not, you have already created your AAD environment. Similarly with Google: when you create your Gmail Business account, you are using Google as your directory. Their functionality as an IdP is fairly similar. Both support SSO via SAML with 3rd party SaaS solution providers (like Asana or Slack), and both offer automatic user provisioning capabilities.
Azure AD, for example, has numerous features that support the modern workforce. With a gallery of 26,000 federated applications that support single sign-on and automatic user provisioning, AAD is a trusted IdP. Combined with Endpoint Manager (Intune) policies that mimic Group Policy, on-premise administrators will be very familiar with this set-up.
Google is not far behind, with Chrome and device management (MDM) capabilities starting at its Business tier pricing. But since this article is mainly focused on whether or not we should "break up with AD", we will focus on Microsoft's offerings.
An additional wrinkle is that many 3rd party SaaS applications and collaboration tools (such as Google's GSuite (Workspace) and Asana) do not even have SAML authentication enabled until you upgrade the licensing to a Business or Enterprise tier. That makes any identity provider, whether it's Okta or AAD, rather useless as an SSO IdP for those applications. However, AAD does a lot more than act as a simple IdP: it secures your O365 applications, and it can provide Self-Service Password Reset for your on-premise accounts. For any enterprise already utilizing AD DS, this is a no-brainer.
"AD is a thing of the past" - No, it really isn't. Active Directory, being 20 years old, has a 20-year head start in the business environment. AD and Azure AD continue to be the identity management platform used by enterprises. As much as many businesses, and especially established enterprises, are embracing Cloud, Microsoft's identity management platform Active Directory (and its many flavours) remains the dominant player in the market and will not be displaced soon.
Do you need some additional advice in choosing a provider for your business technology? Talk to us.