
The Top 3 CMS (Credential Management System) Options for Azure and Active Directory

09 Aug 2023

What is a CMS?

A credential management system (CMS) is the primary way to manage user credentials. Modern CMSs help organizations manage a user's entire credential lifecycle, from creation through credential resets to deprovisioning. The primary purpose of a CMS is to enhance security and streamline access management processes. Ultimately, it helps ensure that users have appropriate access privileges to the resources they need while maintaining the confidentiality and integrity of sensitive credentials. With the move to zero trust, organizations must implement a CMS that supports passwordless onboarding methods; here are the 3 best CMS options for Azure:

EZCMS by Keytos


EZCMS by Keytos is considered the best CMS for Azure and Active Directory for a reason. What’s so great about EZCMS? Well, with EZCMS, you get:

  1. FIDO2 AAD integration
  2. FIDO2 and smartcard seamless onboarding (both identities at the same time)
  3. Azure CBA support
  4. One-click Azure deployment
  5. Face ID validation
  6. Truly passwordless onboarding
  7. PIN requirements
  8. YubiKey integrity attestation
  9. Logistics software and services
  10. ADCS integration
  11. Transparent pricing
  12. Start with as few as one (1) user

As you can see from the list above, EZCMS is a very complete CMS. It does not stop at credential provisioning; it also helps organizations ship hardware keys and handle the logistics of distributing them to a geo-distributed workforce. EZCMS not only makes the lives of IT administrators easier, it also makes it easier for users to onboard and to reset their credentials if they are locked out. Keytos achieves this by being the first and only CMS to seamlessly onboard users to Azure AD FIDO2 and smartcard in the same experience, removing the complexity of users having to manage multiple PINs.

Last but not least, they have designed the tool with remote workers in mind: it enables self-service onboarding by using AI to match the user's face against the government ID they provide, then matching that with the information stored in the HR database. It also performs industry-leading cryptographic attestation of the hardware key, which protects you from supply chain attacks.


The only real con of using Keytos is that you need a PC to enroll the keys, meaning that a new employee must have a working computer to enroll their identity before they can join that computer to the corporate network.

  1. Need a PC

Axiad

Coming in at number 2, we have Axiad. Axiad also offers cloud deployment, which is a great add-on to take advantage of. Axiad offers both smartcard onboarding and self-service onboarding through "Trusted Circles," where other people on your team are able to onboard you. While this self-service onboarding helps organizations relieve some of the IT helpdesk load by having teammates help each other onboard, it does waste valuable time of other employees.

  1. Smartcard and FIDO2 deployment
  2. Self-service onboarding
  3. ADCS integration
  4. Azure CBA support


The pros of Axiad are all great pros; however, the cons are numerous and hard to ignore. First, Axiad is the only vendor on this list that created its own FIDO2 service, "Axiad Cloud," for FIDO2 authentication, instead of onboarding users to the tried and tested Azure AD FIDO2, where Microsoft protects your login experience and builds integrations with its other products and experiences. Not to mention, Axiad's deployment process is unnecessarily complicated, and their pricing plans are about as transparent as Instagram models are about using Photoshop. All in all, it is easy to see why Axiad is a distant second place in the CMS game.

  1. No native Azure AD FIDO2
  2. No true self-onboarding
  3. No supply chain attestation
  4. No transparent pricing

Versasec

Versasec rounds out our ranking of the top 3 CMS options for Azure and Active Directory. One of the nicest things about Versasec is that their pricing structure, much like at Keytos, is completely transparent. Transparency is a key part of security and trust, and that starts with pricing; good on you, Versasec! Versasec also avoided re-inventing the wheel: it onboards users to AAD FIDO2 by giving the user a TAP (Temporary Access Pass) and having them register the key on their own, giving you most of the basic functionality needed to get started with passwordless authentication.

  1. Smartcard and FIDO2 deployment
  2. FIDO2 AAD integration (they give the user a TAP to enroll in the Microsoft portal)
  3. ADCS integration
  4. Azure CBA support


Unfortunately, Versasec too has its fair share of cons. First, Versasec CMS is the tool on this list with the worst user onboarding experience, lacking both the face validation from Keytos and the trusted circles from Axiad. Versasec also fails to provide hardware shipping software or services, which means yet another pain point for you, the customer. Last, they also lack the extra attestation done by Keytos to protect you against supply chain attacks.

  1. One-time passwords still required
  2. No PIN policy control
  3. "Self-service" onboarding requires users to have an AD password
  4. No hardware shipping software or services
  5. No supply chain attestation
  6. Requires user registration with a TAP
