Quick Answer: Microsoft offers far greater security than we (or any third party) can provide, and they do it at a reasonable price through Azure AD Connect.

At its core, INFIMA develops tools that simplify and automate the management of Security Awareness Training programs. An application that syncs users from an on-premises AD to our services looks like an obvious candidate, so we need to address why we haven't built one.

And here's the TL;DR:

In order to determine if a feature is a good fit we look at value, security and stability. If we cannot assure all three in any new product or feature, we simply won't build it. Full stop.

Let's take a look at these characteristics individually:

Value

When we assess whether to build a product, we look at the value it would provide to our Partners, specifically in comparison to existing alternatives. For AD sync, it would be incredibly difficult to improve on Microsoft's Azure AD Connect. If Microsoft were charging a steep price for the functionality, there might be an opportunity to undercut it and provide value. Instead, Microsoft provides a free tier of Azure AD that meets most Partner requirements.

Security

At INFIMA, we limit the user data we store to the minimum required to deliver our services. In addition, we limit OAuth grants to the minimum scope required to interact with identity providers. We can do this because we have mature APIs to rely on. The same cannot be said for on-premises Active Directory. A custom connector flexible enough to cover every usage scenario our Partners require would also make it far too easy to sync unnecessary or sensitive attributes to our servers.

We aim to improve the security posture of our clients, so limiting attack surface follows naturally. If every third-party product shipped its own AD sync tool for provisioning users to its service, each new integration would be one more piece of software with read access to the directory, and one more vector for attackers to exploit. In our opinion the more secure solution is to limit AD sync to a single provider (Microsoft) and use their mature APIs to access the data we need.

Stability

The last challenge is stability, something we consistently hear is a major problem for other products that do offer an AD sync tool. This is no surprise; AD is an old product. Microsoft faces the challenge of maintaining backward compatibility while also modernizing identity and authentication for today's cloud products. Every change Microsoft pushes to AD could break a custom connector (importantly, Microsoft only guarantees backward compatibility for its own connector for 18 months). Since we have limited visibility into future changes (only what Microsoft publishes), providing consistent sync stability would be nearly impossible.

INFIMA's Azure AD Sync Solution

Since Microsoft's Azure AD Connect provides manufacturer-level security between your on-prem AD and Azure's cloud, INFIMA has built a robust Azure AD sync on top of it. It delivers daily updates of your client's active/inactive users, and it is available at no extra charge for INFIMA Partners.
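As an added example (this is not INFIMA's code, and the post does not name the API it uses), the Python below shows what the two points above look like in practice: the data-minimization and minimum-scope argument from the Security section, and the daily active/inactive delta described here. It assumes a Microsoft Graph-style users endpoint (`$select`, `$top`, `@odata.nextLink` paging) and the `User.Read.All` scope; the response pages and the previous day's snapshot are constructed inline so it runs offline.

```python
"""Least-privilege user sync against a Microsoft Graph-style /users endpoint.

Added example, not INFIMA's code. Assumptions: Graph as the identity API,
User.Read.All as the scope, and constructed sample pages in place of HTTP.
"""
from urllib.parse import urlencode

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"

# The only attributes the sync is allowed to keep. accountEnabled is not part
# of the basic profile, so User.Read.All is assumed to be the smallest scope
# that covers all three (confirm against the Graph permissions reference).
MINIMAL_FIELDS = ("id", "userPrincipalName", "accountEnabled")
REQUIRED_SCOPE = "User.Read.All"


def build_users_url(fields=MINIMAL_FIELDS, page_size=999):
    """$select asks the API for only the needed attributes; $top sets page size."""
    return GRAPH_USERS + "?" + urlencode({"$select": ",".join(fields), "$top": page_size})


def fetch_all_users(fetch_json, first_url):
    """Follow @odata.nextLink to the end and project every record to MINIMAL_FIELDS.

    fetch_json(url) -> dict is the transport (real code: an authenticated GET).
    Projection happens client-side too, so a wider-than-requested response
    can never widen what gets stored.
    """
    users, url, seen = {}, first_url, set()
    while url:
        if url in seen:  # defensive: a repeated nextLink would loop forever
            raise RuntimeError(f"pagination loop at {url}")
        seen.add(url)
        page = fetch_json(url)
        for record in page.get("value", []):
            users[record["id"]] = {k: record.get(k) for k in MINIMAL_FIELDS}
        url = page.get("@odata.nextLink")
    return users


def diff_snapshots(previous, current):
    """Daily delta: users that appeared, disappeared, or flipped accountEnabled."""
    prev_ids, cur_ids = set(previous), set(current)
    both = prev_ids & cur_ids
    return {
        "added": sorted(cur_ids - prev_ids),
        "removed": sorted(prev_ids - cur_ids),
        "deactivated": sorted(u for u in both
                              if previous[u]["accountEnabled"] and not current[u]["accountEnabled"]),
        "reactivated": sorted(u for u in both
                              if not previous[u]["accountEnabled"] and current[u]["accountEnabled"]),
    }


# --- constructed sample data (stands in for two real Graph response pages) ---
FIRST_URL = build_users_url()
NEXT_URL = GRAPH_USERS + "?$skiptoken=constructed-page-2"
SAMPLE_PAGES = {
    FIRST_URL: {
        "value": [
            # extra attributes simulate a response wider than requested;
            # fetch_all_users drops them regardless
            {"id": "u1", "userPrincipalName": "alice@example.com",
             "accountEnabled": True, "mobilePhone": "+1 555 0100", "jobTitle": "CFO"},
            {"id": "u2", "userPrincipalName": "bob@example.com", "accountEnabled": True},
        ],
        "@odata.nextLink": NEXT_URL,
    },
    NEXT_URL: {
        "value": [
            {"id": "u3", "userPrincipalName": "carol@example.com", "accountEnabled": False},
        ],
    },
}

# constructed: what yesterday's sync stored (u9 has since been deleted in AD)
PREVIOUS_SNAPSHOT = {
    "u1": {"id": "u1", "userPrincipalName": "alice@example.com", "accountEnabled": True},
    "u3": {"id": "u3", "userPrincipalName": "carol@example.com", "accountEnabled": True},
    "u9": {"id": "u9", "userPrincipalName": "zed@example.com", "accountEnabled": True},
}


def sample_fetch(url):
    """Offline stand-in for an authenticated GET bearing the REQUIRED_SCOPE token."""
    return SAMPLE_PAGES[url]


def run_daily_sync():
    current = fetch_all_users(sample_fetch, FIRST_URL)
    return current, diff_snapshots(PREVIOUS_SNAPSHOT, current)


if __name__ == "__main__":
    snapshot, delta = run_daily_sync()
    print(f"scope: {REQUIRED_SCOPE}; stored fields: {MINIMAL_FIELDS}")
    print(f"{len(snapshot)} users synced; delta: {delta}")
```

The two guards worth copying are the `$select` on the request (so sensitive attributes never leave the tenant) and the client-side projection in `fetch_all_users` (so a wider response cannot widen what is stored). The loop check on `nextLink` is the kind of defensive detail a long-running daily sync needs.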

And that's all. Thanks for reading as we geek out!