It’s 2018. Do we really still need Active Directory?

This blog was originally published by Concerto Cloud Services. Since then, Concerto Cloud Services has become DXC Concerto, the mid-market cloud offering within DXC Technology.

Why do we still need Active Directory? With so many businesses migrating their applications to cloud, the question remains relevant today.

Microsoft has added numerous features under its identity-as-a-service umbrella: Azure AD Basic, Azure AD Premium P1, Premium P2 and Azure AD Domain Services. I’d like to dive into the benefits of each and how various organizations can leverage these solutions based on their cloud goals.

Azure AD Basic

It is important to state that all Microsoft online business solutions leverage Azure AD. If your organization currently uses Office 365 or Dynamics 365, you already have access to Azure AD Basic. Azure AD Basic gives your organization the ability to enable self-service password reset for cloud applications and group-based access management, as well as single sign-on to an extensive set of SaaS applications.

Azure AD Premium P1

Customers that require more advanced capabilities can leverage Azure AD Premium P1 to deploy a hybrid identity management solution that provides access to both SaaS and on-premises applications. Premium P1 also supports features such as dynamic groups and self-service group management, and it allows for write-back from the cloud, enabling solutions like self-service password reset for your on-premises AD deployment.

Azure AD Premium P2

Premium P2 provides all the benefits of P1 and adds Identity Protection and Privileged Identity Management. Azure AD Identity Protection provides risk-based conditional access to your applications and cloud environment. Azure AD Privileged Identity Management lets you discover, restrict and monitor administrators within your Azure AD environment, restrict access to sensitive information, and grant just-in-time access when appropriate.

Azure AD Domain Services

Another feature, released in late 2017, is Azure AD Domain Services. With Azure AD DS you get a traditional Active Directory experience in Azure without having to manage Domain Controllers. Some may ask, “Why would you want to do this?” A great use case is an organization with applications that require NTLM or Kerberos authentication. Another is domain-joining servers and workstations deployed within Azure to this domain, so that users authenticate to those devices with their AD credentials. Azure AD Domain Services is available both to cloud-native organizations that only have Azure AD and to hybrid organizations that also have an on-premises deployment of Active Directory Domain Services.

A few things worth mentioning about Azure AD Domain Services:

  • You will not have Domain or Enterprise Admin privileges on this domain
  • There is no need to manage domain settings such as AD replication, sites or patching
  • You won’t be able to extend the schema, so applications like Exchange or SharePoint cannot be deployed against it. (In that case, why wouldn’t you use Office 365?)

Azure AD offers more options over device management and access

You may be thinking, “This is great information, but how will it help my organization?” Many companies today operate in a perimeter-less fashion where users connect from anywhere on just about any device, often in an effort to provide cross-role access to their employees. Microsoft has made it possible for these organizations to protect company resources and provide a single identity for their users. With options like device-based conditional access, organizations gain a higher level of security than rights assignment alone provides: to get in, you must both hold the appropriate permissions and connect from a trusted machine.

Organizations have options when it comes to device management within Azure AD. Company-owned devices can be joined to the Azure AD environment, and for Bring Your Own Device (BYOD) scenarios users can register their devices with the company’s Azure AD deployment. A device must be registered or joined in order to deploy a device-based conditional access policy with Azure AD. The added benefit to joining the device to the Azure AD environment is that users authenticate to the device using their organizational account, rather than a local account.
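The following is an added example (not from the original post) showing what such a device-based conditional access policy looks like when created through the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, the signing-in administrator can consent to the Conditional Access policy scopes, and the break-glass account object ID is a placeholder you replace with your own.

```powershell
# Added example, not part of the original post. Assumes the Microsoft.Graph module is installed.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Placeholder: object ID of your emergency-access (break-glass) account. It is excluded so that a
# misconfigured device policy cannot lock every administrator out of the tenant.
$breakGlassUserId = "<BREAK-GLASS-ACCOUNT-OBJECT-ID>"

$policy = @{
    displayName = "Require trusted device for Office 365"
    # Start in report-only mode: the sign-in logs show what the policy would have done,
    # and only after reviewing them do you switch the state to "enabled".
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassUserId)
        }
        applications   = @{
            includeApplications = @("Office365")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # "OR": the device must be marked compliant (e.g. by Intune) OR be hybrid Azure AD joined.
        # A device that is neither registered nor joined cannot present either state, so the
        # sign-in is refused even when the user's own permissions are correct.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State
```

Run it once with a test user on an unregistered device and once on a joined device, then compare the two entries in the Azure AD sign-in logs before enforcing the policy.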

So I’ll ask my question again, do we still need on-premises Active Directory? The answer, as usual, is it depends.

For new organizations and start-ups, Azure AD gives you these abilities:

  • Be a cloud-native enterprise
  • Join your Windows 10 workstations to the Azure AD tenant and control access to cloud-native apps like Office 365 or Dynamics 365
  • Run traditional server-based applications on Azure AD Domain Services while keeping a single sign-on user experience

However, most organizations have already invested in on-premises Active Directory and will find it best to configure and deploy a hybrid configuration, allowing the organization to leverage its investment in on-premises AD while using Azure AD to provide access control to modern SaaS applications. Combined with the multi-factor authentication capabilities and user self-service password reset, this makes for a compelling story for any organization.

Rob Curls is the Sales Solutions Advisor for DXC Concerto.
