Azure AD vs Okta Similarities
Okta AD Agent = Azure AD Connect
Okta has an Active Directory agent that can be used to synchronize between Okta and Azure AD; Azure AD has Azure AD Connect. These are each tools that go on servers that sync the domain controller(s) with the cloud. Each take all the users, groups, and passwords from on-premises traditional Active Directory environments and copy them over to Azure AD or communicate back and forth. Both systems are near identical from top to bottom, the setup, installation, functionality, and admin.
Okta desktop SSO = Azure AD Seamless SSO
Okta Desktop SSO enables single sign-on from your Windows domain joined computers. If users are on a Windows computer joined their domain, they don’t need to enter username and password to sign into Okta, it is completed seamlessly. Azure AD similarly has Azure AD Seamless SSO, which works identical to Okta in the background. This functionality provides a lot of convenience to end users when signing into a Windows PC. After opening a browser, all the programs and apps that are tied to users’ Azure AD account are automatically signed in.
Okta Delegated Auth = Azure AD Passthrough Authentication
Okta Delegated Auth does real-time authentication against Active Directory, Azure AD Passthrough Authentication has the exact same functionality and feature set.
SSO Applications
One of the things driving a lot of people to Okta is that they can integrate their own sign-in with a lot of different third-party SAS applications. Utilizing these tools, users can sign into Salesforce, Dropbox, and a plethora of other apps and systems using a single set of credentials. Azure AD has the same functionality, so both Okta and Azure AD can integrate with third-party apps using SAML, Open ID Connect, WS federation, Radius (using an on-prem agent), and/or SCIM protocol for provisioning into third party apps. It is highly unlikely that there is an application out there that can be integrated with Okta that can’t be integrated with Azure AD; but if you do know of one, we would love to know! Additionally, we have seen a lot of customers that love having the portal in Okta where a user can log in and see all the app icons like an iPad, Azure AD has the ‘My Apps Portal’. If users go into the Office 365 portal, they can see all their apps from there, or visit the dedicated my apps portal (myapps.microsoft.com) which lists all the user’s apps in the tile view like what users see in Okta.
Okta Secure Web Authentication (SWA) = Azure AD Password-based SSO
For websites that do not support the different protocols for integrating SSO apps, both systems use a browser extension to store user passwords and then automatically fill the login credentials.
Okta Verify = Azure Authenticator
Each is a mobile app that users install on their mobile devices to authenticate with MFA. Both are near identical apps, they look the same, function similarly, and have the same enrollment setup process and usage. There are very few differences between the two apps. A question we hear a lot about this subject is “Can the authentication apps be extended to on-prem?”. The short answer is yes. There are several different ways to integrate on-prem apps depending on what type of app. One common way is to integrate MFA with the users’ VPN so that users must use MFA to remotely connect into the network via VPN. This can all be done with Azure MFA, usually utilizing the radius extension, and again, it is the same setup integration as it would be with Okta.
Okta FastPass = Azure AD Passwordless Auth
Both programs provide an option to sign-in without having to type in a password, and instead rely on a mobile notification.
Okta Adaptive Auth = Azure AD Conditional Access
Set up different rules and policies to allow or deny authentication or enforce MFA. These rules can be based on criteria like a user’s location or IP address.
Okta Access Gateway = Azure AD Application Proxy
Another way to integrate MFA and SSO with legacy on-premises applications that don’t support newer SSO protocols like SAML. Users can use Azure AD Application Proxy or Okta Access Gateway to publish these applications and make them available over the Internet without a VPN connection and secure them well with MFA and conditional access policies.
Okta Advanced Server Access = Multiple Azure AD options
This Okta tool is for securing RDP and SSH access for administrators into servers, and there are several ways to do this with Azure AD. Both have robust logging capabilities where users can access, view, and search their sign in logs, and generate alerts for different things that they may want to see. They also offer connectivity into SIEM solutions like Splunk or Azure Sentinel. A great use case is when we get customers who want an SQL Server on Azure virtual machine, but they do not want to tie it to the rest of their network. We can add an Azure virtual machine for this client, but don’t recommend connecting RDP over the Internet to Azure. In this situation, what we would instead do is utilize a solution called Azure Bastion. This system allows users to do RDP access through a browser with MFA enforcement and conditional access policies.
Azure AD vs Okta Differences
Azure AD can Completely Replace Traditional AD
With Azure AD, organizations can get rid of their on-premises Active Directory, but are not able to with Okta because it is not a full replacement. Azure AD is very different fundamentally from a traditional Active Directory, but it encompasses all the features. Transitioning and moving completely from a traditional AD into Azure AD in the cloud has its benefits. Azure AD can take your Windows devices/endpoints and join them directly to Azure AD where traditionally a user’s computer joined to AD which allowed them to sign into that computer with AD credentials. Now, users can join that computer to Azure AD and sign into Windows itself using their Azure AD credentials. There is no way to sign into Windows using Okta credentials because Windows cannot be connected and domain joined to Okta the way it can be to Azure AD. Azure AD has Azure AD Domain Services which gives users traditional Active Directory domain controller functionality as a service, so they can get things like LDAP, Kerberos, and domain join for Windows servers and virtual desktops. Users cannot do LDAP queries against Okta, or join a server to Okta, and it lacks the features that would allow IT Admins to completely replace Active Directory. Organizations that have legacy applications and servers that only work with the traditional Active Directory still have some way to connect them to Azure AD using Azure domain services. If a business needs to build a server in Azure once they’ve gotten rid of their on-prem Active Directory, they can extend with Azure AD domain services and join the server to the domain as they would if they had on-prem domain controllers. It is joined to that domain just as if it was joined to a traditional domain, IT Admins can use group policy to manage the server and log in with their Azure AD credentials, but there are no domain controllers to manage, patch, or update; it is all a service that’s provided to you.
Azure AD Connect can only sync 1-way from AD to Azure AD
Azure AD connect is a one-way sync from your local on premises AD to Azure AD. We recommend using Azure AD connect if a business has a traditional on-prem Active Directory that they want to keep around and the business wants to continue to master its users and groups in Active Directory. Creating a user in Active Directory then syncs to Azure AD, but it does not go the other way. The Okta AD agent can sync both ways so users can create and manage users in Okta, and then have them written back to Active Directory. This is however a feature that businesses usually do not need with Azure AD because Azure AD can be a full replacement for traditional Active Directory. If users are mastering their accounts in Azure AD, they have no need to write them back to your traditional AD because all the other functionality is replaced.
Azure AD has Endpoint Manager
Endpoint Manager (Formerly Intune) is a full device management solution that Microsoft has natively integrated with Azure AD. This allows users to manage Windows, Mac, Android, and iOS devices with Endpoint Manager, and users can push applications and enforce settings and policies. Okta has no equivalent to this functionality. Formerly, Okta had a product called Okta Mobility Management which was a basic solution for managing mobile devices but has since been retired. A common scenario that we’re starting to see more and more is that organizations do not want users to have full access to their corporate data from personal devices or devices that are unmanaged/unsecured. Businesses need to be able to choose when and on what device users can access company data. The ID provider needs to know the state of the devices, and if they are compliant, managed, and secure. Okta has no way to know the status of a device without integrating a third-party system. On the Microsoft front, it is all within the same ecosystem. If a user is connecting from a device that isn’t registered, they can sign into Office 365 from a personal unmanaged device through a browser and can access their email, OneDrive, and work on documents in the browser, but they can’t download anything because it is a personal device. Blocking downloads on personal devices is one potential use case, and organizational files and data stay within the businesses compliance perimeter and are not allowed to be extracted to personal devices.
Azure AD Conditional Access can easily check for Windows domain-join status. Okta requires a complex cert-based auth deployment.
Without having your device managed by Endpoint Manager, Azure AD allows users to set up rules based on if the computer is joined to your traditional Active Directory environment. Computers joined to Active Directory can utilize policies to have a different experience from the non-domain joined computers, Okta does not currently have this functionality. For Okta to be able to tell if your computer is joined to the domain, users must set up a complex certificate-based authentication deployment. In Azure AD, this is a simple checkbox to say, ‘Apply this only if the computer is joined to our domain’.
Okta Workflows has no replacement in Azure AD
Workflows is Okta’s low-code solution for building automation around user provisioning and deprovisioning that is wizard/UI driven. IT admins can have different things that happen when a user account get created or terminated, so there is automation where Azure AD does not have a feature that directly compares. There are ways that we can automate things within Azure AD, and we often use Azure Automation for our customers when we’re looking to automate onboarding and off-boarding processes.
