
LDAP Authentication with Azure AD

Sam Metzler Education


Secure user authentication is pivotal for network security because there are dozens of cyber attacks that exploit vulnerabilities of unsecured networks. Cyber crimes are more dangerous than ever, with the ability to bankrupt a business in as little as 6 months after an attack. To counteract this, businesses impose password policies that end up degrading the user experience.

Thousands of organizations have realized that cloud computing offers a far better security solution while also improving user experience. Microsoft released their own cloud-based service called Azure which was supposed to help Microsoft customer networks transition their data to the cloud.

Most Microsoft customers keep their data in Active Directory (AD), so admins wanted a solution that could migrate their AD instances into the cloud. Naturally, admins flocked to Azure AD, but soon found out that Azure AD is very different from (and less versatile than) AD. One of the biggest issues is that Azure AD doesn’t support LDAP, which is vital for AD. The difficulties of implementing Azure AD have left many admins struggling to migrate their environments to the cloud.

Another issue is the subpar security measure used by most Azure AD environments: credential-based authentication. There are simply too many modern cyber attacks that can easily bypass credential-based authentication; entire networks can be compromised by one man-in-the-middle attack.

Fortunately, digital certificates provide a better security measure than credentials. Outfitting every network device (managed and BYOD) with a certificate encrypts user information so no one outside the organization is able to unlock it. Certificate-based authentication encrypts the connection between the device and server during the authentication process, so no outside threats can infiltrate the connection.

We will cover why on-premise hardware should be left behind for cloud-based services, what’s wrong with Azure AD, and how you can migrate your AD to the cloud with a Managed PKI service and digital certificates.

LDAP wasn’t Designed for the Cloud

AD is one of the most widely used online directory services because it’s been around for so long, but that just might be its detriment. To use LDAP for internal applications, organizations need to use legacy servers with their Active Directory, meaning they cannot invest in cloud-based software.

It is possible to configure AD connectors, but hosting your directory in the cloud while maintaining duplicate servers on-premise is simply not a long-term solution.

Many admins were excited to see Azure AD rolled out, expecting it to help migrate their AD instances into the cloud and advance network capabilities, but that’s not exactly what it delivers.


AD vs Azure AD: What’s the difference?

It’s understandable to think that Azure AD would provide the same services as the standard on-premise AD, but that’s not actually the case. Azure AD can’t really replace AD and is much more limited in terms of compatibility. The perfect way to contrast the two is listing off what Azure AD doesn’t do:

  • Flat directory structure (less versatile than AD)
    • No forests
    • No organizational units
  • No support for LDAP, Kerberos, or NTLM
  • No Group Policy
  • No native support for Network Authentication (Wi-Fi, VPN)

Both AD and Azure AD provide services for user management, but AD manages on-prem infrastructure while Azure AD is more for managing user access to cloud applications. Azure AD can authenticate users for applications like Azure, Office 365, Dynamics 365, SAML-authenticating web apps and more.

No Support for LDAP in Azure AD

LDAP serves as the language AD uses to communicate with other servers and devices. LDAP is able to store data and query it in a way that is easily searchable. With LDAP, servers can easily search for a user in a database, find all the policies attributed to them, and grant them access. LDAP provides security levels for WPA2-Enterprise operations. Without LDAP, users will need to be validated for every page or application that they interact with.

Unfortunately, Azure AD doesn’t support LDAP. Azure AD primarily uses the SAML and OAuth protocols to communicate with applications. So what can you do?

Well, for one, you could leave LDAP authentication for a more secure certificate-based authentication with EAP-TLS. As the most secure authentication protocol, EAP-TLS uses digital certificates for user authentication and the connection sessions are encrypted, eliminating the threat of over-the-air credential theft. Credential-based authentication relies on LDAP, but as technology has progressed, the security of credentials is no match for digital certificates. Certificates allow you to use SAML instead of LDAP, making it easy to support network authentication with Azure. So how can you deploy digital certificates to every single network device?

Supporting Certificate-Based Authentication with Azure AD


Digital certificates require a Public Key Infrastructure (PKI), and many admins fear that a PKI is too difficult to implement. Luckily, that’s not the case: by integrating Azure AD with our Managed Cloud PKI, admins can get it up and running in no time and start issuing certificates to all network users. Our onboarding software installs a user profile onto every device (including non-Windows devices) so users can self-service their devices with a certificate and 802.1x settings. Our Cloud PKI can integrate with any LDAP provider and admins can leverage AD or ditch it completely.

With certificate-based authentication, admins can easily roll out WPA2-Enterprise Wi-Fi for their office or VPN authentication so remote workers can access the office network.

Our Cloud PKI is built to authenticate with EAP-TLS, the strongest and only certificate-based 802.1x authentication protocol. It’s stronger than any other protocol because EAP-TLS requires that both the server and the client be equipped with certificates making them both easy to validate. Server Certificate Validation ensures that the client is connecting to the right network server and not a malicious actor impersonating a legitimate server.
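To show what missing Server Certificate Validation looks like on a client, here is an added example (not from the original article or from SecureW2) that audits 802.1X network blocks for credential-based EAP methods and unvalidated server certificates. It assumes Linux clients configured through wpa_supplicant; the SSIDs, paths and host names in the sample are constructed placeholders.

```python
import re
# Constructed sample wpa_supplicant.conf; SSIDs, paths and names are placeholders.
SAMPLE_CONF = '''
network={
    ssid="corp-peap"
    key_mgmt=WPA-EAP
    eap=PEAP
    password="example-password"
}
network={
    ssid="corp-tls-unpinned"
    key_mgmt=WPA-EAP
    eap=TLS
    client_cert="/etc/certs/alice.pem"
    private_key="/etc/certs/alice.key"
}
network={
    ssid="corp-tls"
    key_mgmt=WPA-EAP
    eap=TLS
    ca_cert="/etc/certs/corp-ca.pem"
    domain_suffix_match="radius.example.com"
    client_cert="/etc/certs/alice.pem"
    private_key="/etc/certs/alice.key"
}
'''

def parse_networks(text):
    """Yield the settings of each network={...} block as a dict."""
    for body in re.findall(r"network=\{(.*?)\n\}", text, re.S):
        pairs = (l.strip().split("=", 1) for l in body.splitlines()
                 if "=" in l and not l.strip().startswith("#"))
        yield {k.strip(): v.strip().strip('"') for k, v in pairs}

def audit(text):
    """Map each 802.1X SSID to the weaknesses found in its block."""
    report = {}
    for net in parse_networks(text):
        if "WPA-EAP" not in net.get("key_mgmt", ""):
            continue  # PSK or open network, out of scope for this check
        issues = report[net["ssid"]] = []
        if net.get("eap", "").upper() != "TLS":
            issues.append("credential-based EAP method")
        elif not net.keys() >= {"client_cert", "private_key"}:
            issues.append("no client certificate")
        if "ca_cert" not in net:  # without a CA, any server cert is accepted
            issues.append("server certificate not validated")
        if not net.keys() & {"domain_suffix_match", "domain_match"}:
            issues.append("server name not pinned")
    return report
```

Calling `audit(SAMPLE_CONF)` returns an empty issue list only for `corp-tls`, the block that combines a client certificate with a trusted CA and a pinned RADIUS server name.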

For a more in-depth guide, check out our article on configuring WPA2-Enterprise with Azure AD.

Secure User Authentication for Azure AD with SecureW2

Authenticating users with digital certificates protects networks from numerous security threats, including brute-force and man-in-the-middle attacks. Configuring your network for certificate-based authentication eliminates any over-the-air credential theft. Our Managed Cloud PKI comes with a dynamic RADIUS server and can integrate with any LDAP provider. Our services come at an affordable price, so they’re available to organizations of all sizes.

Learn About This Author

Sam Metzler

Sam (aka Slammin Salmon, Street Hustler Sam, Samilstilskin) is a copywriter within the marketing team and a man of many nicknames. He has a degree in Marketing from the University of North Texas with previous experience in mortgage marketing and financial services.