Many organizations that want to innovate and migrate from on-premises applications to software as a service (SaaS) and cloud services are held hostage by their legacy Active Directory (AD). Microsoft did a good job taking over from Novell back in the late 90s, but its hooks into businesses are so deep that many have become dependent on AD services to manage devices and users, when in fact AD falls far short of needed capabilities, restricting innovation and progress.

Despite Microsoft’s Azure becoming prominent in the world of cloud services, Azure AD is not a replacement for on-premises AD. While Azure AD is a secure authentication store that can contain users and groups, that is where the similarities end. In fact, Microsoft itself has an architecture to mitigate the shortcomings of Azure AD by recommending organizations migrate to a hybrid model, especially for businesses that have an in-house footprint of servers and applications.

If you are a greenfield business and intend to take advantage of software, infrastructure, and platform as a service (SaaS, IaaS, and PaaS), as well as Microsoft 365 in Azure, then Azure AD is for you and you don’t have to worry about the need for AD.

John Donovan
Principal Director, I&O Practice
Info-Tech Research Group

When Microsoft built AD as a free component for the Windows Server environment to replace Windows NT before the demise of Novell Directory Services in 2001, it never meant Active Directory to work outside the corporate network with Microsoft apps and devices. While it began as a central managing system for users and PCs on Microsoft operating systems, with one user per PC, the IT ecosystem has changed dramatically over the last 20 years, with cloud adoption, SaaS, IaaS, PaaS, and everything as a service. To make matters worse, work-from-anywhere has become a serious security challenge.

Many applications built in the past had built-in AD components for access, using Kerberos and NTLM. This dependency has prevented organizations from migrating away from AD. When assessing new technology and applications, consider SaaS or cloud-native apps rather than a Microsoft-dependent application with AD ingrained in the code. Ensure you are engaged when the business is assessing new apps. Stop the practice of the business purchasing apps without IT’s involvement; for example, if your marketing department is asking you for your Domain credentials for a vendor when you were not informed of this purchase.

Economically, Microsoft has no interest in replacing AD anytime soon. Microsoft wants that revenue and has built components like Azure AD Connect to mitigate the AD dependency issue, which is basically holding your organization hostage. In fact, Microsoft has advised that a hybrid solution will remain because, as we will investigate, Azure AD is not legacy AD.

You are looking to lose your dependency on Active Directory, and you need to tackle infrastructure technical debt, but there are challenges.

• Legacy apps that are in maintenance mode cannot shed their AD dependency or have hardware upgrades made.
• You are unaware of what processes depend on AD and how integrated they are.
• Departments invest in apps that are integrated with AD without informing you until they ask for Domain details after purchasing.

• Legacy applications can prevent you from upgrading servers or may need to be isolated due to security concerns related to inadequate patching and upgrades.
• You do not see any return on investment in AD maintenance.
• Mergers and acquisitions can prevent you from migrating away from AD if one company is dependent on AD and the other is fully in the cloud. This increases technical debt.

• Remove your dependency on AD one application at a time. If you are a cloud-first organization, rethink your AD strategy to ask “why” when you add a new device to your Active Directory.
• With the advent of hybrid work, AD is now a security risk. You need to shore up your security posture. Think of zero trust architecture.
• Take inventory of your objects that depend on Kerberos and NTML and plan on removing that barrier through applications that don’t depend on AD.

• Active Directory replaces NT and takes over from Novell as the enterprise access and control plane.
• With slow WAN links, no cellphones, no tablets, and very few laptops, security was not a concern in AD.

• In 2004, email becomes business critical.
• This puts pressure on links, increases replication and domains, and creates a need for multiple identities.

• Collaboration becomes pervasive.
• Cross domain authentication becomes prevalent across the enterprise.
• SharePoint sites need to be connected to multiple Domain AD accounts. More multiple identities are required.

• Exchange resource forest rolls out, causing the new forest functional level to be a more complex environment.
• Fine-grained password policies have impacted multiple forests, forcing them to adhere to the new password policies.

• There are powerful Domain controllers, strong LAN and WAN connections, and an increase in smartphones and laptops.
• Audits and compliance become a focus, and mergers and acquisitions add complexity. Security teams are working across the board.

• Cloud technology doesn’t work well with complicated, messy AD environment. Cloud solutions need simple, flat AD architecture.
• Technology changes after 15+ years. AD becomes the backbone of enterprise infrastructure. Managers demand to move to cloud, building complexity again.