UserLock: A Passly alternative for on-prem Active Directory environments
UserLock offers a simple, on-premises-friendly path to MFA, SSO, access controls, and session management, without moving identity to the cloud.
Published May 30, 2025)
)
)
)
Kaseya is retiring Passly by the end of 2025, leaving many organizations searching for a replacement identity and access management (IAM) solution. For teams managing on-premises or hybrid Active Directory (AD) environments, we explore UserLock as a Passly alternative.
With Passly retiring, many organizations need to replace a core part of their multi-factor authentication (MFA), single sign-on (SSO), and user access controls.
For IT teams managing on-premises and hybrid Active Directory setups, choosing a replacement is a strategic decision.
Some organizations may see Entra ID as the next logical step. But not everyone can, or wants to, move identity fully to the cloud. It’s a big shift, with major implications for infrastructure, time, and cost.
If your setup is mainly on-prem, there’s an easier path. UserLock layers Active Directory MFA and SSO around your existing AD identity authentication, keeping IAM simple, cost-effective, and secure.
UserLock is an identity and access management solution built for on-premises and hybrid Active Directory environments. It strengthens access security with MFA, single sign-on (SSO), contextual access policies, session management, auditing, and reporting.
Key highlights:
Active Directory integration: Get visibility on your existing Active Directory, see what’s protected by UserLock, monitor access, and set granular policies by AD user, group, or OU.
MFA at the logon and beyond: Supports Windows logon, RDP, VPN, SaaS, IIS, and run as administrator (UAC prompts). UserLock also maintains MFA in logon scenarios without an outside internet connection, making it ideal for airgapped environments.
Granular MFA policies: Apply MFA differently by connection type and session type, and choose how often to prompt MFA for each.
SSO via SAML federation: Enables secure SaaS access without migrating identities to the cloud.
Contextual access policies: Control access by device, IP address, time, location, or initial access points. Limit concurrent logins.
Real-time session control: Monitor, block, or restrict sessions as needed.
Privileged access management: Enforce MFA on UAC prompts and log admin activity and configuration changes.
Detailed auditing: Set custom views and filter logs of all logins, failed and successful, MFA events, denied access, policy changes, and more.
MSP-ready architecture: Multi-tenant support with a centralized licensing console
Modern user interface: Version 13.0, currently in beta, introduces a redesigned web and desktop experience.
In short, UserLock provides simple, effective AD-centric identity and access security.
Here’s how UserLock compares to Passly across key IAM features.
Capability | Passly | UserLock | Considerations |
|---|---|---|---|
Identity | Passly could handle both directory and identity services | UserLock uses the on-prem AD identity and sits at the AD authentication layer thanks to a custom credential provider. | UserLock works with the identity you already have. This minimizes cost and complexity while delivering effective security. |
MFA | Passly supported push, TOTP, hardware tokens, etc. | UserLock supports push, TOTP (authenticator apps), and hardware tokens (YubiKey, Token2). | Since UserLock deploys on-prem, it works without internet, supports airgapped environments, and maintains MFA in off-LAN logon scenarios. |
SSO | Passly included SSO and federation features | UserLock provides SAML-based SSO, federating AD authentication to secure SaaS access (e.g., Microsoft 365). | Depending on the extent of your SaaS apps, confirm compatibility with UserLock (SAML, OAuth, connectors, etc.). |
Contextual and conditional access | Passly had some conditional logic | UserLock layers contextual access controls: by role, machine, location, IP address, time, session type, simultaneous sessions, and concurrent logons. | UserLock contextual policies may feel easier to set up compared to Passly's conditional logic statements. |
Session management | Passly allowed session oversight | UserLock supports live session monitoring, alerts, and the ability to block and logoff users. | Visibility across and alerts on all sessions allows admins to stop suspicious behavior before damage is done. |
Privileged access management | Passly had some features for privileged account management | UserLock supports MFA across all accounts, privileged and non, as well as MFA on privilege elevation attempts (run as admin requests / UAC prompts). | UserLock supports a zero-trust approach that treats all access as privileged access. |
Auditing and reporting | Passly offered logs and insights | UserLock provides detailed logs for filterable, searchable auditing and reporting. | Strong reporting helps you stay audit-ready and prove compliance. |
Deployment | Passly users likely have integrations set up with Kaseya and partner solutions | UserLock's agent-based software is a single-server solution deployed on-premises. | Closely how the UserLock API and Webhooks can help ease the transition for your particular tech stack. |
Scalability and MSP use | Many MSPs used Passly as part of Kaseya's IT Complete platform | UserLock supports multi-tenant environments and offers an MSP console for license administration. | Validate how your managed environment structure and needs map to UserLock's model. |
With Passly’s retirement approaching, many organizations are looking for a reliable IAM solution, fast.
For AD-based environments, UserLock offers a simple, cost-effective path to MFA, SSO, session control, and privileged access protection, without migrating identity to the cloud.