Your Future with Active Directory: On-Premises vs Cloud-Based Solutions in 2023


What does the future hold for on-premises Microsoft Active Directory services? During a recent discussion with a client, we explored the direction of on-premises directory services and thought it would be worth sharing. Microsoft continues to thrive with their hybrid strategy, which allows for the coexistence of Active Directory with Azure Active Directory to provide customers with more options and interoperability.

In this blog post, we will analyze the purpose of directory services and why Active Directory is still relevant and capable of providing required and unique directory services. We will also look into the differences between Active Directory and Azure Active Directory and explore the challenges of migrating from one to the other – along with insights into what businesses can do to manage migration to cloud platforms.

Defining Directory Services

Let’s start by defining what purposes directory services provide. Fundamentally, a directory must provide authentication and access control to resources. Additional Active Directory features support the adoption of Microsoft products, improve the functionality and authorization to corporate resources, and improve the resiliency and performance of networks with group policies, trusts, and other features.

Microsoft’s Cloud Strategy

Using this definition, we can say that in 2023, Microsoft’s Active Directory, when properly configured, delivers reliable authentication and controlled access to company resources. But the last major changes to the schema were over a decade ago, with Server 2012, when Microsoft facilitated integration with their emerging cloud services.

For new features, what more do we need from an on-premises directory? From a functional perspective, Active Directory is relevant, reliable, and stable, which leads us to the question of why we are concerned about the future of Active Directory, especially since no company would purposely kill a highly successful product.

Speculation, experience, and opinion now come into play. We must acknowledge that Infrastructure-as-a-Service (IaaS) is a huge market and Microsoft has well-positioned itself as a major IaaS and Software as a service (SaaS) provider. Acknowledging this is the key to understanding the conflict between Microsoft’s on-premises product lines and their cloud solutions. In 2023, a pressure to migrate companies to the cloud is pervasive through most of Microsoft’s documentation and marketing.

The Conflict Between On-premises and Cloud Solutions

At this point, we ask the same questions about “direct replacement” solutions for Active Directory in the cloud. Specifically, can Azure Active Directory provide authentication and access control to company resources? Yes, it can.

Are there other directory service providers that also can? Again, the answer is yes.

But in both cases, decades of application development, often with deficient documentation, present a steep challenge for any migration. Even without application challenges, is the functionality and feature set in Azure Active Directory identical enough to Active Directory to warrant a purely cost-driven, single-directory decision? The answer to that question is no, and that is where we must dive in next.

Active Directory and Azure Active Directory Differences

The contrast is significant and clear between the design principles inherent in Microsoft’s Active Directory security services and Azure Active Directory. Fundamental design principles are different.

  • Azure has been built from the ground up to deliver a well-recognized Zero Trust model.
  • Active Directory was built with an agnostic security model that allows organizations to implement custom security principles based on requirements.

This is a critical difference that leads to misconceptions about the platforms. It is possible to configure Azure in such a way as to violate Zero Trust principles. It is also possible to implement Zero Trust principles within Active Directory by layering on effective governance solutions. Indeed, the team at IDMWORKS is engaged every day to implement projects specifically to address the security of identities across multiple platforms with various supported products.

Microsoft Active Directory supports classic Windows server operations and technology refreshes by maintaining traditional security defaults, without a transformative mandate to a Zero Trust model. Microsoft suggests Zero Trust options for Active Directory, but this is not the default.

Thus, many companies continue to use traditional Active Directory security configurations and defer hardening Active Directory until an incident or a compliance requirement compels action. Conversely, there is a misconception that Azure is more secure because it’s built around Zero Trust principles; we continue to see client networks where IT staff work daily as Global Admins.

Zero Trust Model

There are other significant differences between the two platforms. Active Directory utilizes Group Policies to provide configuration management and enforcement of policies. Azure makes use of Intune features to provide similar but not identical ends. The major difference stems from the security principle where Active Directory by default has implicit trust for all domain members, both people and devices, unlike Azure where Zero Trust explicitly implies no initial rights.

Based upon these differences, we can see why Active Directory has a greater number of controls available, since there are so many more rights initially granted to domain members. We can also see a difference between the two when it comes to access control models. As for group memberships, well, let’s just say it’s complicated, as there isn’t a one-to-one match in capabilities between the platforms.

Managing different security principles has challenges and can introduce complexity. For example, administrators accustomed to working with a standard Active Directory tend to build and apply the model they’ve been using on-premises in Azure, which can lead to insecure deployments or a belief that Azure lacks functionality.

Inverse examples are also common. More importantly, not all applications can be shifted between AD and AAD without code revision, often requiring reverse engineering. In most cases, issues should be mitigated with training and planning, enabling businesses to manage migration to cloud platforms.

There remains a set of business-critical systems that are problematic to migrate. This includes workloads that will never be deployed in the cloud, either due to governmental regulations, real-time requirements (think medical or manufacturing control), or security considerations that require air-gapped systems. Other workloads, such as large-scale financial service transaction processing, remain efficient for customer hosting.

To summarize what’s been discussed so far:

  • Active Directory is relevant and capable of providing required and unique directory services and can support modern security methodologies.
  • Azure Active Directory (and other cloud options) offer a sufficient feature-set to accommodate most directory workloads.
  • A serious inquiry into a company’s directory workloads and other requirements should be factored into any enterprise’s architecture strategy, with an application inventory of all active authentication and authorization models.
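The application inventory called for above, together with the earlier point that not every application moves between AD and AAD without code revision, can be turned into a first-pass readiness report. The script below is an added example, not code from the original post or from IDMWORKS: it reads a constructed inventory of applications with the authentication mechanisms each one uses and sorts them into workloads that are cloud-ready, that need revision because they depend on AD-bound mechanisms (Kerberos, NTLM, LDAP binds, Group Policy), that stay on-premises for regulatory, air-gap or real-time reasons, or that need investigation because their mechanism is undocumented. The mechanism categories, column names and sample rows are assumptions for illustration.

```python
"""Classify a directory-dependent application inventory by migration readiness.

Added planning example (not from the post). Categories and sample rows are
assumptions; adapt them to the organisation's own inventory.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass, field

# Assumption: token-based protocols that Azure AD serves without on-prem AD.
CLOUD_NATIVE = {"saml", "oidc", "oauth2", "scim"}
# Assumption: mechanisms bound to on-prem AD semantics; usually need code
# changes, an application proxy, or a hybrid component before they move.
LEGACY = {"kerberos", "ntlm", "ldap-bind", "ldap-simple", "gpo", "smb"}


@dataclass
class Assessment:
    name: str
    readiness: str  # cloud-ready | needs-revision | stays-on-prem | investigate
    reasons: list = field(default_factory=list)


def assess(name, mechanisms, air_gapped=False, real_time=False):
    """Decide a readiness bucket for one application from its auth mechanisms."""
    mechs = {m.strip().lower() for m in mechanisms if m.strip()}
    reasons = []
    # Workloads the post identifies as never moving: regulated/air-gapped or real-time.
    if air_gapped:
        reasons.append("air-gapped or regulated workload: stays on-premises")
    if real_time:
        reasons.append("real-time control workload: stays on-premises")
    if reasons:
        return Assessment(name, "stays-on-prem", reasons)
    if not mechs:
        return Assessment(name, "investigate", ["no authentication mechanism recorded"])
    unknown = mechs - CLOUD_NATIVE - LEGACY
    if unknown:
        # Deficient documentation is the migration risk the post calls out.
        return Assessment(name, "investigate",
                          ["undocumented mechanism(s): " + ", ".join(sorted(unknown))])
    legacy = mechs & LEGACY
    if legacy:
        return Assessment(name, "needs-revision",
                          ["AD-bound mechanism(s): " + ", ".join(sorted(legacy))])
    return Assessment(name, "cloud-ready", ["uses only token-based protocols"])


# Constructed sample inventory; mechanisms are ';'-separated per application.
INVENTORY_CSV = """name,mechanisms,air_gapped,real_time
HR Portal,saml;scim,no,no
Legacy ERP,kerberos;ldap-bind,no,no
Plant PLC Console,ntlm,no,yes
Expense App,oidc;oauth2,no,no
Vendor Tool,custom-token,no,no
"""


def load_inventory(text):
    """Parse the CSV inventory and assess every row."""
    results = []
    for row in csv.DictReader(io.StringIO(text)):
        results.append(assess(
            row["name"],
            row["mechanisms"].split(";"),
            air_gapped=row["air_gapped"].strip().lower() == "yes",
            real_time=row["real_time"].strip().lower() == "yes",
        ))
    return results


def summarize(assessments):
    """Count applications per readiness bucket for the architecture review."""
    return dict(Counter(a.readiness for a in assessments))


if __name__ == "__main__":
    results = load_inventory(INVENTORY_CSV)
    for a in results:
        print(f"{a.name:20} {a.readiness:15} {'; '.join(a.reasons)}")
    print(summarize(results))
```

The bucket names are deliberately coarse: the point is to surface which applications need engineering effort or a hybrid component before any single-directory decision is made, not to replace the detailed application review the post recommends.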

I believe on-premises Active Directory will appropriately be with us for the foreseeable future. As much as Microsoft’s shareholders would love to have everyone subscribe to Azure E5 licensing, accompanied with 100% of data centers migrated to Azure compute, the reality is that if Microsoft were to announce an end of life for on-premises Active Directory, there would be a swift and harsh market backlash.

Microsoft’s balanced strategy of supporting both AD and Azure compute models remains a smart strategy, enabling customers with choices and options, at least through the end of this decade.

At IDMWORKS we help customers with directory strategies, based on the considerations of agility, cost, time and effort, and unique business factors to ensure sound enterprise architectures.

Author: Shawn Jones, IDMWORKS, Senior Consultant