Microsoft's Active Directory (AD) was created over 20 years ago to secure and manage networks. It establishes an organizational hierarchy of users and devices for Windows networks, centralizes administration, manages access control for users and services, and provides Kerberos-based authentication that is single-factor (a password) by default. This technology and the era of computing it was made for are very different from Google's Identity Services, a modern method of managing cloud services and single sign-on (SSO). Microsoft recognizes this shift and has moved steadily toward the cloud, and AD shops can't avoid the identity transformation that's now underway.
Google Identity Services gives organizations the option to replace Microsoft's Active Directory or to extend AD so it can use Google's Workspace productivity suite and other cloud services. It accommodates businesses of all sizes. Google recommends 探花大神 as the directory for small and medium-sized enterprises (SMEs) to manage users, unify device management, and secure access to every resource. Identity Services takes an open, standards-based approach rather than a proprietary one.
The battlefield has expanded beyond standalone AD, and it's not possible to make an informed comparison between AD and cloud-based directories without acknowledging this reality. This article tackles the dilemma many IT admins face: follow Microsoft's path, combining AD with cloud services, or look elsewhere. Google + 探花大神 offers a new route to modernize AD.
Microsoft's AD Legacy
Unsurprisingly, there's a difference in architecture between these platforms. AD's top-level component is the forest, which can contain one or more domains. Domains are containers for resources and typically represent organizational or administrative boundaries such as east coast and west coast offices. Organizational units (OUs) are sub-containers within domains, such as a sales department, and are the level at which Group Policy is linked and administration is delegated.
Domains within a forest automatically trust one another through two-way transitive trusts, so credentials can cross domains; the forest, not the domain, is the security boundary. Forests don't trust other forests by default, and any cross-forest trust has to be created explicitly. This is a Windows-centric, on-premises model: AD natively speaks Kerberos, NTLM and LDAP, but it doesn't interoperate with web services on its own (that takes AD FS or a cloud IdP), and RADIUS for network access requires adding the Network Policy Server (NPS) role.
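To see the forest/domain/OU hierarchy and the trust boundaries described above on a real deployment, the following script is an added example (it is not code from the original article). It assumes a domain-joined Windows host with the RSAT ActiveDirectory PowerShell module installed and an account with ordinary read access; it prints the forest's domains, every trust stored in each domain (flagging which ones cross the forest boundary), and the OU tree of the root domain.

```powershell
# Added example, not code from the original article: inventory a forest's
# domains, trust relationships and OU tree with the RSAT ActiveDirectory module.
# Assumes a domain-joined host and an account with ordinary read access.
Import-Module ActiveDirectory

$forest = Get-ADForest
"Forest: $($forest.Name)  root domain: $($forest.RootDomain)  mode: $($forest.ForestMode)"
"Domains (two-way transitive trust among them is implicit):"
$forest.Domains | ForEach-Object { "  $_" }

# Trusts are objects stored in each domain, so query every domain. A trust with
# IntraForest=False is one an administrator created on purpose and marks where
# the forest's security boundary has been deliberately opened; review those first.
"Trust relationships:"
foreach ($domain in $forest.Domains) {
    Get-ADTrust -Filter * -Server $domain | ForEach-Object {
        '  {0,-30} direction={1,-13} type={2,-8} intraForest={3,-5} forestTransitive={4}' -f `
            $_.Name, $_.Direction, $_.TrustType, $_.IntraForest, $_.ForestTransitive
    }
}

# OUs nest inside a domain and every object sits in exactly one of them (its DN
# names the chain). Sort by the DN read root-first so children print under parents.
"OU tree of $($forest.RootDomain):"
Get-ADOrganizationalUnit -Filter * -Server $forest.RootDomain |
    Sort-Object { $p = $_.DistinguishedName -split ','; [array]::Reverse($p); $p -join ',' } |
    ForEach-Object {
        # depth = number of OU= components below the first one
        $depth = ($_.DistinguishedName -split ',OU=').Count - 1
        ('  ' * $depth) + $_.Name
    }
```

Run it from a regular domain account; none of these cmdlets need elevated rights. The trust list is the part worth keeping an eye on: anything reported with intraForest=False and an Inbound or BiDirectional direction lets accounts from outside the forest authenticate into it.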
AD can be tightly controlled and customized, but mastering it and following the latest security recommendations can be challenging, costly, and time-consuming. It's best for on-premises deployments that must meet very specific requirements for compliance or custom applications. Google, on the other hand, was built from the ground up for environments where identities are the perimeter and many devices access resources. That's distinct from Microsoft's classic client/server approach to IT system management, and Microsoft is responding by ushering customers toward a cloud-first approach to IT infrastructure management.
Microsoft's Path to the Cloud
Microsoft hasn't given up on AD users that are migrating to cloud infrastructures. To the contrary, Azure Active Directory (AAD, since renamed Microsoft Entra ID) is the basis for an entirely new ecosystem of services that are heavily focused on enterprise use cases and offer Microsoft significant new monthly recurring revenue. IT teams can integrate AAD and AD to create hybrid configurations or migrate AD to cloud-only directory infrastructures. However, a patchwork of services, including Intune, is required for endpoint management, and features that the AD ecosystem included are being gated behind licensing tiers. Let's explore what that looks like.
- Intune essentially replaces Microsoft System Center Configuration Manager (SCCM), and the two can be joined for "co-management" of existing on-premises resources. Intune is available as an add-on subscription for Microsoft 365 and is included in many of its SKUs. Intune also has its own assortment of add-ons, at cost, for remote assistance and more.
- Azure Active Directory Domain Services (AAD DS) provides managed domain controllers in the cloud (Kerberos/NTLM authentication, secure LDAP, Group Policy and domain join) for workloads that still need a traditional domain. It does not take over the role of NPS: RADIUS for network access still requires an NPS server or a third-party RADIUS service. AAD DS is a separate subscription service, and cloud LDAP is delivered through it.
- Microsoft Identity Manager (MIM) Privileged Access Management (PAM) remains in use for isolated on-premises AD environments. In the cloud, Privileged Identity Management (PIM) is an AAD Premium P2 feature. AAD's premium plans include access licenses for MIM.
- AAD has a significantly different architecture from AD. For instance, there are no OUs; administrative units (AUs) scope administrative roles instead. An AD object sits in exactly one OU, which also determines which Group Policy applies to it, whereas a cloud user is a member of zero or more AUs, and AU membership affects only which scoped administrators can manage the object.
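The OU-versus-AU difference is easiest to see side by side for one synced account. The script below is an added example, not code from the original article or from Microsoft: it assumes the RSAT ActiveDirectory and Microsoft.Graph PowerShell modules, a hybrid tenant, and a hypothetical user alice (on-prem) / alice@example.com (cloud). It prints the single OU chain the AD object lives in, then the AUs the cloud object belongs to and which scoped role holders can manage it through them.

```powershell
# Added example, not code from the original article. Compares where one user
# "lives" on-prem (exactly one OU chain, from its DN) with the AUs it belongs
# to in AAD / Microsoft Entra ID. Assumes the RSAT ActiveDirectory and
# Microsoft.Graph modules; 'alice' and 'alice@example.com' are hypothetical.
Import-Module ActiveDirectory
$sam = 'alice'
$upn = 'alice@example.com'

# On-prem: the DN places the object in exactly one OU chain, and that chain
# decides which GPOs apply and who holds delegated rights over the object.
$adUser = Get-ADUser -Identity $sam
"AD DN : $($adUser.DistinguishedName)"
$ouChain = ($adUser.DistinguishedName -split ',' | Where-Object { $_ -like 'OU=*' }) -replace '^OU=', ''
"AD OUs: $($ouChain -join ' < ')"   # leaf OU first, then its parents

# Cloud: an AU is a role scope, not a container. memberOf returns groups,
# directory roles and AUs together, so filter on the OData type.
Connect-MgGraph -Scopes 'User.Read.All', 'AdministrativeUnit.Read.All'
$mgUser = Get-MgUser -UserId $upn
$aus = Get-MgUserMemberOf -UserId $mgUser.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.administrativeUnit' }
"AAD AUs: $(($aus | ForEach-Object { $_.AdditionalProperties['displayName'] }) -join ', ')"

# Who can administer this user through those AUs? List each AU's scoped role
# members; these are the people whose admin rights the AU membership grants.
foreach ($au in $aus) {
    Get-MgDirectoryAdministrativeUnitScopedRoleMember -AdministrativeUnitId $au.Id -All |
        ForEach-Object {
            '  AU {0}: roleId {1} -> {2}' -f $au.AdditionalProperties['displayName'],
                $_.RoleId, $_.RoleMemberInfo.DisplayName
        }
}
```

The on-prem half works for any domain account; the Graph half needs the listed read scopes consented in the tenant. An empty AU list is normal for a user nobody has scoped administration over, and it does not mean the user is unmanaged, only that tenant-wide role holders are the ones who can manage it.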
The Azure portfolio can provide SSO to many resources and can work across platforms, but it's an investment into another Microsoft ecosystem that exists in the cloud versus your server room(s).
A modern IDaaS solution can replace or expand Active Directory and shift virtually your entire IT infrastructure to the cloud; Microsoft's 365 subscriptions are not the only option SMEs have.
Google's Directory Alternatives
Google Workspace also utilizes top-level OUs with child organizational units for departments. It can sync users and groups from AD over LDAP, but uses the Security Assertion Markup Language (SAML) protocol to make web services available to users across domains and network boundaries. Google offers a premium identity provider (IdP) and leverages partners for the best fit. AD cannot accomplish this without an Active Directory Federation Services (AD FS) server farm or being extended through integration with Microsoft's Azure Active Directory (AAD) platform.
Google offers the following directory service options:
Google Sign-In: Google Sign-In is the most basic user management platform for Workspace apps and other services. These are managed user accounts that IT admins can centrally control with their tenant. External IdPs may be used via SAML-based federation.
Partner IdPs: Google recognizes that one size doesn't fit all and selected 探花大神 as the best fit for SMEs, especially when organizations are migrating from AD. This combination offers SMEs a true alternative to Microsoft's 365 SKUs, extending Google identities into seamlessly and centrally managed Identity and Access Management (IAM) with unified device management.
探花大神's open directory platform integrates and enhances AD with SSO, unified endpoint management (UEM), and IT management including patch management and remote assist.
Google Cloud Identity: Cloud Identity is an IAM and endpoint management platform from Google. There are free and premium editions with the primary difference being app management, device management, rules, reporting, and other features that aren鈥檛 available for free.
Active Directory: Google Workspace can integrate with Active Directory through Cloud Identity. AD remains the source of truth for user and group provisioning (synced with Google Cloud Directory Sync), and SSO can be configured through AD FS acting as a SAML IdP.
The Best of Both Worlds
探花大神 and Google are better together; AD and 探花大神 are too.
The simplest way for an AD-oriented IT shop to think about 探花大神's open directory platform is to imagine an amalgamation of AD, AAD, and Intune's services (without the gated licenses). First, 探花大神 ensures that every resource has a "best way" to connect to it.
For example:
- Servers use SSH keys that are more secure than passwords.
- LDAP authentication for network devices, with built-in multi-factor authentication (MFA). MFA is environment-wide across every network protocol.
- Passwordless certificates secure RADIUS Wi-Fi access.
- Web applications use SAML and OIDC for SSO and provisioning. A decentralized password manager is built-in for situations where SSO isn鈥檛 feasible.
- are available for privileged access management.
探花大神 and Google are complementary. Both platforms use dynamic groups that leverage user attributes to automate group memberships. 探花大神 into groups from other sources, including AD. AD doesn't provide pre-built integrations for HR systems; 探花大神 does. The difference lies in how 探花大神's groups logically separate objects in a manner that's simpler than managing OUs, all while providing advanced lifecycle management.
探花大神 provides unified identity and device management for Android, Apple, Linux, and Windows endpoints. IT teams can opt for an agentless approach for Android devices through Enterprise Mobility Management (EMM) or mobile device management (MDM) for Apple products.
Windows MDM is used for self-service device onboarding workflows and leverages the latest device enrollment and management capabilities from Microsoft. Microsoft shops can use systems they're familiar with while unifying IAM and IT management for Windows and beyond.
Agents execute pre-built policy templates and root-level commands for Apple, Linux, and Mac endpoint security and compliance. Telemetry is collected for 探花大神's and events can be viewed with the tool. There's no need for reporting add-ons that AD often requires and 探花大神 also syncs with popular SIEM solutions. Additionally, agents make it possible for IT teams to offer unlimited through the 探花大神 admin portal without additional costs. Cross-OS browser and are optional services.
Try 探花大神
If you would like to learn more about using 探花大神 with Google Identity Services versus Active Directory, please drop us a note or sign up for a trial.