Microsoft Active Directory for IAM

Airlock IAM can be used with MSAD (Microsoft Active Directory) in several ways, depending on how end-users are authenticated.

Authentication setup and MSAD recommendation

  • Username and password-only authentication
    In this case, MSAD can be used as the sole authentication and user persistence back-end. No IAM database is needed.
  • Authentication with second factors
    MSAD should only be used to check the password. Second factors should be checked using the IAM database.
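The split recommended above, as an added example (not Airlock IAM code): MSAD only answers "is this password correct, and is the account usable?", while the second factor is stored and verified in the IAM database. The `DirectoryStub` and `IamSecondFactorStore` classes, the sample accounts and the secrets are all constructed for this example; TOTP (RFC 6238) is assumed as the second factor because the page does not name one. The `userAccountControl` bits are AD's documented values.

```python
"""Added example: password check against MSAD, second factor against the IAM DB."""
import hashlib
import hmac
import struct
import time

# Documented bits of the AD userAccountControl attribute.
NORMAL_ACCOUNT = 0x0200
ACCOUNTDISABLE = 0x0002
LOCKOUT = 0x0010


class DirectoryStub:
    """Stands in for the Active Directory Connector (assumption): a bind either
    succeeds or fails, and userAccountControl decides whether the account is usable."""

    def __init__(self, entries):
        # entries: sAMAccountName -> {"password": str, "userAccountControl": int}
        self._entries = entries

    def bind(self, username, password):
        """Simulates an LDAP simple bind; a real server never stores plaintext,
        the stub only does so to stay self-contained."""
        entry = self._entries.get(username)
        if entry is None:
            return False
        return hmac.compare_digest(entry["password"], password)

    def account_usable(self, username):
        """Account state as read from MSAD: disabled or locked accounts are rejected."""
        uac = self._entries[username]["userAccountControl"]
        return not (uac & (ACCOUNTDISABLE | LOCKOUT))


def totp(secret, timestamp, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 with the usual 30 s step and 6 digits."""
    counter = int(timestamp) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class IamSecondFactorStore:
    """Stands in for the IAM database (assumption): second-factor secrets live
    here, never in MSAD."""

    def __init__(self, secrets):
        self._secrets = secrets  # username -> raw TOTP secret bytes

    def verify(self, username, code, timestamp):
        secret = self._secrets.get(username)
        if secret is None:
            return False
        # Accept the current step and one step on either side to tolerate clock skew.
        return any(
            hmac.compare_digest(totp(secret, timestamp + skew), code)
            for skew in (-30, 0, 30)
        )


def authenticate(directory, factor_store, username, password, code, timestamp=None):
    """Returns 'ok', 'bad-password', 'account-unusable' or 'bad-second-factor'.
    The password is checked against MSAD first; the second factor is only
    consulted from the IAM database once the password and account state pass."""
    if timestamp is None:
        timestamp = time.time()
    if not directory.bind(username, password):
        return "bad-password"
    if not directory.account_usable(username):
        return "account-unusable"
    if not factor_store.verify(username, code, timestamp):
        return "bad-second-factor"
    return "ok"


# Constructed sample data: one normal account, one disabled account.
DIRECTORY = DirectoryStub({
    "alice": {"password": "correct horse", "userAccountControl": NORMAL_ACCOUNT},
    "bob": {"password": "hunter2", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
})
FACTORS = IamSecondFactorStore({"alice": b"alice-totp-secret", "bob": b"bob-totp-secret"})

if __name__ == "__main__":
    now = time.time()
    print(authenticate(DIRECTORY, FACTORS, "alice", "correct horse",
                       totp(b"alice-totp-secret", now), now))
```

The order matters: the directory never sees the second factor, and the IAM database never sees the password, so neither back-end alone can authenticate a user.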
 
Functional limitation

When MSAD is used as the sole user persistence layer, without an IAM database, only a limited set of features is supported in a secure manner. See Limitations and security risks for more information.

MSAD plugins and recommended use cases

IAM provides several plugins for connecting IAM with MSAD. The following overview lists these plugins, what they do and their intended use cases:

Plugin name: Active Directory Connector
Description: General purpose plugin used to connect to MSAD for several purposes. Usually this is the only IAM plugin required to connect to MSAD.
Recommended use cases:
  • Check user password
  • Change user password
  • Set user password by administrator
  • Check if user account exists
  • Check account state on MSAD
  • Read users' roles/groups
  • Read and write user profile data
  • Import accounts from MSAD into IAM database

Plugin name: Active Directory Password Repository
Description: Used in flow-based authentication for password check and change.
Recommended use cases:
  • Check password
  • Change password

Plugin name: Active Directory Password Policy (+ Active Directory Connector)
Description: Checks whether a password meets the requirements of the MSAD password policy.
Recommended use cases:
  • Change password
  • Set password by administrator