The most difficult aspect of transitioning from traditional management to modern management for Windows 10 is deciding whether to use on-premises AD, Azure AD, or a mix of both. In this article, we will compare AD DS to Azure AD and see what our standard Active Directory can do that Azure AD cannot. We’ll also look at how Microsoft handles installing hybrid solutions and why this method can be beneficial for some companies.
Every Windows company used to be flat. Active Directory was the only container that stored all of your domain data objects. We simply referred to it as AD at the time because it was the only form of AD. It was supported by three pillars: domain controllers, DNS and Group Policy. It was an architecture that served many companies well for almost two decades. And then along came Azure, and suddenly traditional AD is referred to as legacy AD in some circles. Azure AD, of course, exists in the cloud, that wonderful destination most companies seem to want to move to. Being cloud-native, it uses different protocols and methods for account authentication and policy implementation. In a way, on-premises AD and Azure AD are like oil and water because they are so different.
Key Differences Between On-Prem AD, Hybrid Azure AD Join, and Azure AD
The primary limitation of on-premises AD
Many companies started cloud migration years ago, but the remote work revolution of 2020 was tantamount to pouring kerosene on an existing flame. Legacy AD has one limitation that severely restricts its ability to support hybrid working architectures: it requires that computers joined to a domain have line of sight to a domain controller. Employees working from a remote location such as their home office or a hotel room therefore cannot log on to the corporate domain directly. The only way to achieve AD connectivity is then via a VPN connection. This makes the onboarding process of a new computer challenging at best. Additionally, your VPN infrastructure can quickly become a bottleneck when many users are using it. The VPN then requires remote access and routing policies to enforce least privilege, preventing remote users from accessing the entire network.
The modern world of complete migration to Azure AD
If you’re a Windows admin, you’re probably familiar with the concept of tombstoning, which helps recover accidental object deletions in AD. Azure AD is a way to permanently tombstone your on-prem AD servers. You no longer have to worry about AD sync or DNS sanitization. Everything is now in the cloud, where users and Azure-connected machines authenticate themselves. Machines connected to Azure only need an internet connection for authentication, eliminating the need for AD connectivity. Users can suddenly work from anywhere without having to worry about a troublesome VPN. Microsoft 365 uses Azure Active Directory (Azure AD) to manage user identities, so employees are automatically signed in to their corporate devices.
The real beauty of Azure AD is seen when provisioning devices. Windows computers that are joined to a cloud domain and configured with Autopilot can be delivered directly from the original equipment manufacturer (OEM) to the waiting user, regardless of location. The user opens the box, turns on the device, and signs in with their Azure AD credentials. Once Autopilot has completed the device’s configuration process, Microsoft Endpoint Manager, also known as Intune, steps in to deploy all assigned configuration settings, policies, and applications to that computer. Within a few hours, the user is ready to start working. If the machine also has a chipset that allows remote access to the BIOS, technicians can perform remote reboots even when the operating system is not operational, and you suddenly have a fleet of computers that can be deployed, configured and supported without local hands-on support. Welcome to the hybrid world.
Not everyone can go directly to Azure AD
Migrating your on-prem AD infrastructure to native cloud is quite a leap, but not everyone can do it overnight. Some of the reasons are as follows:
- You continue to support Windows devices running legacy operating systems such as Windows 7.
- You’re relying on an existing imaging solution to provision and configure devices you don’t want to give up just yet.
- Some of your user devices have Win32 apps based on legacy AD machine authentication.
And finally, there is Group Policy and Group Policy Preferences. Many companies have built up a large portfolio of Group Policy Objects (GPOs) over the years to provide managed configuration and security settings for users and computers. The cloud equivalent of Group Policy is an MDM provider such as the Microsoft Endpoint Manager mentioned earlier. While an MDM can deliver settings configurations to computers regardless of location, the list of settings available is not as extensive as the combined range of GP and GPP. Microsoft has made great strides in narrowing the parity gap between the two, but a gap remains. For large organizations that rely heavily on Group Policy, the MDM’s insufficient coverage of settings may be enough to hold them back for now.
Hybrid Azure AD join as a temporary compromise
If you can’t jump directly to Azure AD now, there is a third option called Hybrid Azure AD Join. Hybrid Azure AD Join preserves the legacy trust that your client machines have with on-premises AD while at the same time creating a registered trust in Azure AD. This double enrollment makes your device visible in the cloud, allowing users to use single sign-on when accessing their Microsoft 365 applications. It also provides self-service password reset and Windows Hello PIN reset capabilities for your users regardless of location. To increase your security, you can create device-based Conditional Access policies that require devices to meet compliance requirements before they are allowed access to corporate resources.
Like traditional AD, Hybrid Azure AD Join relies on Group Policy to centrally manage settings configurations, so the Group Policy object portfolio you’ve spent so much time on continues to be used. Unfortunately, Group Policy still relies on AD connectivity, and computers must still be able to reach a domain controller (directly or over VPN) to authenticate AD users who do not have cached credentials. You also need to install Azure AD Connect on an on-premises server to sync the data between on-premises AD and Azure AD so that users in both worlds have the same credentials. This means one more thing for your IT team to manage and support. Like any hybrid architecture, it increases the complexity of your network, which increases the complexity of support.
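Whether a given machine is on-prem joined, Azure AD joined or hybrid joined is exactly what the built-in `dsregcmd /status` tool reports, and the join type tells you which of the constraints above (domain controller line of sight for Group Policy, a Primary Refresh Token for cloud SSO) apply to that device. The following PowerShell is an added example written for this article, not code from Microsoft or from the article itself; it parses the `Device State` and `SSO State` lines of `dsregcmd /status` into the three architectures discussed. The `Get-JoinStateFromDsregcmd` function name and the embedded sample output are constructed for the example; the field names (`AzureAdJoined`, `DomainJoined`, `EnterpriseJoined`, `AzureAdPrt`) are the ones dsregcmd prints.

```powershell
# Added example (not from the article): classify a Windows device's join state
# from `dsregcmd /status` output. Runs against the live machine when dsregcmd
# is available, otherwise against a constructed sample so it can run offline.

function Get-JoinStateFromDsregcmd {
    param(
        # Raw lines of dsregcmd /status output
        [Parameter(Mandatory)][string[]]$Lines
    )

    # dsregcmd prints "Key : Value" pairs; keep only the fields we need.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(AzureAdJoined|EnterpriseJoined|DomainJoined|DomainName|TenantName|AzureAdPrt)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    $aad    = $state['AzureAdJoined'] -eq 'YES'
    $domain = $state['DomainJoined']  -eq 'YES'

    # The two flags map directly onto the architectures compared in the article.
    $joinType = if ($aad -and $domain) { 'Hybrid Azure AD joined' }
                elseif ($aad)          { 'Azure AD joined (cloud only)' }
                elseif ($domain)       { 'On-premises AD joined only' }
                else                   { 'Workgroup / not joined' }

    [pscustomobject]@{
        JoinType           = $joinType
        DomainName         = $state['DomainName']
        TenantName         = $state['TenantName']
        # A Primary Refresh Token is what gives the user cloud single sign-on.
        HasAzureAdPrt      = ($state['AzureAdPrt'] -eq 'YES')
        # Any domain-joined device (including hybrid) still needs a DC for Group Policy.
        GroupPolicyNeedsDc = $domain
    }
}

# Constructed sample of a hybrid-joined device, trimmed to the relevant lines.
$SampleOutput = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : EXAMPLECORP

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Example Corp (constructed)

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
'@ -split "`r?`n"

Write-Host "Sample device:"
Get-JoinStateFromDsregcmd -Lines $SampleOutput | Format-List

# On a Windows machine, also report the real join state of this computer.
if (Get-Command dsregcmd -ErrorAction SilentlyContinue) {
    Write-Host "This device:"
    Get-JoinStateFromDsregcmd -Lines (dsregcmd /status) | Format-List
}
```

For the sample the result is `Hybrid Azure AD joined` with `GroupPolicyNeedsDc` true and `HasAzureAdPrt` true: the device gets cloud SSO, but its GPOs will only refresh when it can reach a domain controller. A cloud-only device would show `DomainJoined : NO` and therefore no DC dependency, which is the trade-off the article describes.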
Conclusion
If you have been watching the Microsoft certification portal for the past two years, you will have noticed that Microsoft no longer offers certification paths for its traditional operating systems and on-premises architectures. Everything revolves around the cloud. While you may not be ready to take the leap, there will come a day when you will be forced to begin the transition to Azure AD to access the latest technologies and solution innovations. For some, Hybrid Azure AD Join might be a viable way to get there.