When it comes to purchases or big decisions, there is no shortage of quotes, quips and clichés. "You get what you pay for", "there's no free lunch" and "if it sounds too good to be true, it probably is". Any decision takes careful research and Identity Management decisions are among the most crucial that a business can make. Previous blog posts examined hidden costs for Microsoft ADFS and made distinctions between ADFS and Azure AD, but this one will compare Microsoft's Azure AD directly against PortalGuard for identity management features.
Both products offer large feature sets, so we'll break them down into 4 different categories:
- Web-based Single Sign-On (SSO)
- Multi-Factor Authentication (MFA)
- Self-Service Password Management/Reset (SSPR)
- General – A catch-all category that includes flexibility, pricing, and support
Azure AD authentication has the added complexity of multiple editions or tiers with different prices, so we'll distinguish between those where possible as well. Much of the information on Azure AD is available on its pricing page.
General
Some of the most significant differences are not within the separate feature sets so we'll look at these first. The most glaring disparity is the pricing model. PortalGuard uses a flat licensing structure with a fixed annual subscription and support renewal. The Azure AD editions of any consequence all utilize "per user, per month" models with the Premium P1 weighing in at $6/user/month and the Premium P2 list price tipping the scales at $9/user/month. Please also note the asterisk and fine print revealing both of these price points require annual commitments. The month-to-month option is not published but can only be more costly.
Live technical support for Azure AD is an additional charge starting at $29/month where you must navigate Microsoft's byzantine layers of dispersed engineers and escalation procedures. PortalGuard support is provided directly by our developers and test engineers and is included with the annual renewal.
A final word in this category relates to user interface and customization. PortalGuard allows full control of its entire UI. You brand it the way you'd like it to appear to assure end-users they're at the correct website and make it more usable as you see fit. Azure AD allows some limited UI and logo changes but does not support any structural modifications or changes to labels or run-time messages.
Web-Based Single Sign-On (SSO)
Single sign-on is one of the most recognized benefits of an identity management solution for good reason. The direct benefits to user productivity and security are well-established and nearly irrefutable. Both products support common SSO protocols like SAML, WS-Federation, OAuth and OpenID Connect.
However, differences always emerge when looking at things in finer detail. The Free and Office 365 editions limit SSO to only 10 total applications. Azure AD's support for OAuth and OpenID Connect do not support on-premises apps and the CAS protocol (critical for higher education organizations) is not supported at all. Furthermore, AAD's support for password-based SSO requires a browser extension or mobile app whereas PortalGuard's analogous functionality uses a proxy, so it does not require additional software on client endpoints.
Multi-Factor Authentication (MFA)
Like SSO, the lower editions of Azure AD only support MFA to a limited number of apps, compared with unlimited with PortalGuard. PortalGuard supports 15 different methods for MFA, including Duo Push, Google Authenticator, YubiKey, FIDO2 and biometrics support through BIO-key and VoiceIt. Azure AD supports SMS, voice call, their own mobile authenticator (formerly PhoneFactor?) and "preview" support for Duo in Premium P1 and P2.
If you wish to enforce MFA for VPN access or anything requiring RADIUS, keep in mind that Azure AD only supports this with continuous cloud connectivity from those security devices. PortalGuard's RADIUS server can run completely on-premises.
Self-Service Password Management/Reset (SSPR)
Password management is the most tenured feature in PortalGuard and this is evident in the feature discrepancies with Azure AD. Whether it relates to performing forgotten password resets from a browser, Windows or Mac login screen or its stand-alone mobile app, the usability of this facet of PortalGuard truly shines. Synchronizing secondary passwords or looking up a forgotten username are options in PortalGuard that are not present in Azure AD.
There are similarities between the two in password quality rules, but PortalGuard also allows real-time password verification against the publicly accessible HaveIBeenPwned breach list and the use of Google's reCAPTCHA to prevent bot attacks from targeting SSPR.
PortalGuard supports 14 different OTP methods and multiple challenge question types, giving much-needed flexibility when dealing with larger groups of users.
Azure AD is a formidable product offered by a world-renowned company. As it's said, however, the devil is in the details, and its use of multiple editions often obscures the true Total Cost of Ownership - caveat emptor!
If you are having challenges with Azure AD identity management, or just have more specific questions about how it compares to PortalGuard, please visit our website for a quick Live Chat or reach out to us at sales@portalguard.com.
