Azure Active Directory a replacement for AD?
-
@scottalanmiller said in Azure Active Directory a replacement for AD?:
@Tim_G said in Azure Active Directory a replacement for AD?:
@coliver said in Azure Active Directory a replacement for AD?:
@Tim_G said in Azure Active Directory a replacement for AD?:
The mobile clients would have to be VPN connected (to Azure) wouldn't they? Maybe not before log-in because of cached credentials... but still, they aren't always cached.
I don't think so. They join to an Azure domain which is available on the public internet.
Ah I see. That makes perfect sense.
I was thinking SSO from on-prem to Azure, got mixed up.
That's AD Federation and still exists, but we've been warning people to run away from that for a long time.
Why do you warn against ADFS?
-
@JackCPickup said in Azure Active Directory a replacement for AD?:
@scottalanmiller said in Azure Active Directory a replacement for AD?:
@Tim_G said in Azure Active Directory a replacement for AD?:
@coliver said in Azure Active Directory a replacement for AD?:
@Tim_G said in Azure Active Directory a replacement for AD?:
The mobile clients would have to be VPN connected (to Azure) wouldn't they? Maybe not before log-in because of cached credentials... but still, they aren't always cached.
I don't think so. They join to an Azure domain which is available on the public internet.
Ah I see. That makes perfect sense.
I was thinking SSO from on-prem to Azure, got mixed up.
That's AD Federation and still exists, but we've been warning people to run away from that for a long time.
Why do you warn against ADFS?
Risks and cost. It means you have all of the cost of both systems and the cost of keeping them working (which is rather fragile) and risk that they depend on each other and either outage can cause the other to fail. It's an unnecessary coupling that should be avoided when possible. It really doesn't add value, but takes a lot away.
-
@scottalanmiller said in Azure Active Directory a replacement for AD?:
@JackCPickup said in Azure Active Directory a replacement for AD?:
@scottalanmiller said in Azure Active Directory a replacement for AD?:
@Tim_G said in Azure Active Directory a replacement for AD?:
@coliver said in Azure Active Directory a replacement for AD?:
@Tim_G said in Azure Active Directory a replacement for AD?:
The mobile clients would have to be VPN connected (to Azure) wouldn't they? Maybe not before log-in because of cached credentials... but still, they aren't always cached.
I don't think so. They join to an Azure domain which is available on the public internet.
Ah I see. That makes perfect sense.
I was thinking SSO from on-prem to Azure, got mixed up.
That's AD Federation and still exists, but we've been warning people to run away from that for a long time.
Why do you warn against ADFS?
Risks and cost. It means you have all of the cost of both systems and the cost of keeping them working (which is rather fragile) and risk that they depend on each other and either outage can cause the other to fail. It's an unnecessary coupling that should be avoided when possible. It really doesn't add value, but takes a lot away.
Is that just in the context given above? Using it for SSO to an Azure VPS DC, or ADFS altogether?
-
@JackCPickup said in Azure Active Directory a replacement for AD?:
@scottalanmiller said in Azure Active Directory a replacement for AD?:
@JackCPickup said in Azure Active Directory a replacement for AD?:
@scottalanmiller said in Azure Active Directory a replacement for AD?:
@Tim_G said in Azure Active Directory a replacement for AD?:
@coliver said in Azure Active Directory a replacement for AD?:
@Tim_G said in Azure Active Directory a replacement for AD?:
The mobile clients would have to be VPN connected (to Azure) wouldn't they? Maybe not before log-in because of cached credentials... but still, they aren't always cached.
I don't think so. They join to an Azure domain which is available on the public internet.
Ah I see. That makes perfect sense.
I was thinking SSO from on-prem to Azure, got mixed up.
That's AD Federation and still exists, but we've been warning people to run away from that for a long time.
Why do you warn against ADFS?
Risks and cost. It means you have all of the cost of both systems and the cost of keeping them working (which is rather fragile) and risk that they depend on each other and either outage can cause the other to fail. It's an unnecessary coupling that should be avoided when possible. It really doesn't add value, but takes a lot away.
Is that just in the context given above? Using it for SSO to an Azure VPS DC, or ADFS altogether?
ADFS in the context of Azure AD altogether. And I'm not saying not to have AD and Azure AD, just not to federate them. Microsoft has a simpler, safer method for keeping them in sync that doesn't involve federation.
-
@scottalanmiller said in Azure Active Directory a replacement for AD?:
@JackCPickup said in Azure Active Directory a replacement for AD?:
@scottalanmiller said in Azure Active Directory a replacement for AD?:
@Tim_G said in Azure Active Directory a replacement for AD?:
@coliver said in Azure Active Directory a replacement for AD?:
@Tim_G said in Azure Active Directory a replacement for AD?:
The mobile clients would have to be VPN connected (to Azure) wouldn't they? Maybe not before log-in because of cached credentials... but still, they aren't always cached.
I don't think so. They join to an Azure domain which is available on the public internet.
Ah I see. That makes perfect sense.
I was thinking SSO from on-prem to Azure, got mixed up.
That's AD Federation and still exists, but we've been warning people to run away from that for a long time.
Why do you warn against ADFS?
Risks and cost. It means you have all of the cost of both systems and the cost of keeping them working (which is rather fragile) and risk that they depend on each other and either outage can cause the other to fail. It's an unnecessary coupling that should be avoided when possible. It really doesn't add value, but takes a lot away.
Yeah, this is true.
SSO between on-prem AD and Azure AD (Office 365 for example) is great, works great, and is super convenient. (when it works)
But as you said, there's a cost.
When dealing with O365 + On-prem AD, I prefer just the regular User/password/group sync over full SSO + all the infrastructure required for that.
SSO is nice, though.
-
@scottalanmiller said in Azure Active Directory a replacement for AD?:
@JackCPickup said in Azure Active Directory a replacement for AD?:
I think it was more managing group policies still while being able to log into Azure AD from anywhere. Seeing as there wasn't (dunno about now) proper GPOs in a pure Azure AD setup.
This is awesome, I didn't know they were adding GPOs to Azure AD.
-
@Dashrender said in Azure Active Directory a replacement for AD?:
@scottalanmiller said in Azure Active Directory a replacement for AD?:
@JackCPickup said in Azure Active Directory a replacement for AD?:
I think it was more managing group policies still while being able to log into Azure AD from anywhere. Seeing as there wasn't (dunno about now) proper GPOs in a pure Azure AD setup.
This is awesome, I didn't know they were adding GPOs to Azure AD.
They have to, they need to make AD relevant in the modern world. Without GPs in Azure, they were looking at being really left behind.
-
@scottalanmiller said in Azure Active Directory a replacement for AD?:
@Dashrender said in Azure Active Directory a replacement for AD?:
@scottalanmiller said in Azure Active Directory a replacement for AD?:
@JackCPickup said in Azure Active Directory a replacement for AD?:
I think it was more managing group policies still while being able to log into Azure AD from anywhere. Seeing as there wasn't (dunno about now) proper GPOs in a pure Azure AD setup.
This is awesome, I didn't know they were adding GPOs to Azure AD.
They have to, they need to make AD relevant in the modern world. Without GPs in Azure, they were looking at being really left behind.
Now they need to have MDM in there as well.
-
At $9/seat it better do a lot. For around that much you could get a Windows Enterprise license with Intune (or whatever its called now)
The free option would it least be good for controlling logins. The $1 option seems to only add some things like self service password resets.
-
@bigbear said in Azure Active Directory a replacement for AD?:
At $9/seat it better do a lot. For around that much you could get a Windows Enterprise license with Intune (or whatever its called now)
I think it is called Azure AD now
-
@scottalanmiller said in Azure Active Directory a replacement for AD?:
@bigbear said in Azure Active Directory a replacement for AD?:
At $9/seat it better do a lot. For around that much you could get a Windows Enterprise license with Intune (or whatever its called now)
I think it is called Azure AD now
OHHHHHhhhhh - this comes only with an AAD premium account.. yeah that sucks! I thought it was included with the AAD you get as part of O365.
-
Intune looks to still be separate, so Intune Enterprise plus AD Premium $20/user/month?
-
@bigbear said in Azure Active Directory a replacement for AD?:
Intune looks to still be separate, so Intune Enterprise plus AD Premium $20/user/month?
Then O365 from $6 -$30/u/m
-
@Dashrender yeah or like $55 with Cloud PBX + $20 device management. Trying to think of what else we can throw on the Microsoft stack.
When will a Linux desktop go mainstream? If I were an IT Manager or IT Service Company I would spend all my time making that conversion. There are enough web apps and we even used a cloud version of CAD we've been testing for Autodesk for yours.
Whats the hold up?
-
From an end user POV, you still probably need MDM, Perhaps there are free ones you would like?
O365 could be replaced with your own self hosted NextCloud setup. You still need email, and you should be buying it from someone. If you don't need things like ActiveSync/shared calendars, then you can get RS mail for $1/u/m, but really, most want those things, so you're at least at $4/u/m at which point personally I'd still go O365 hosted exchange only (but I wouldn't because I want my storage integrated into my email client. Which I suppose could be done with NextCloud (NextCloud has a built in web front end for any backend email service (for desktop use) - that combined with a mobile sync app I suppose could make that work similar to O365 with Sharepoint).