Many businesses are moving into the cloud, and with good reason. Cloud infrastructure and apps can make businesses more agile, cost-effective, and efficient.
The cloud can reduce and even eliminate the need for servers. Yet there are still a few business functions that keep the need for servers alive.
One of the main cases is the need for directory services, which for on-premises networks comes via Active Directory. Active Directory requires a server, unless an organization uses Azure Active Directory.
Organizations that are looking for alternatives to Active Directory often look straight to Azure AD.
Active Directory and Azure AD are two very different platforms, with very different purposes. As organizations plan their move to the cloud, many look for a bridge from traditional Active Directory to Azure AD as a full replacement.
But how do we get there? How does central identity management factor into going serverless?
In this post, we’ll explore how a business can navigate from Active Directory on a server to Azure AD. In some cases, this is not possible, which we will also explore.
What are Directory Services?
Directory services map users and devices to their appropriate addresses in a network.
Essentially, it is the database for a network, but instead of just people and phone numbers, it includes files, folders, groups, peripheral devices, and more.
Directory services like Active Directory store all the information in a single network, along with unique identifiers for each piece of information, or object.
By storing this information, AD can be used to determine access rights for each object, defining what information can be accessed by each user or device. These types of functions are an example of the services in “directory services.”
Directory services provide administrators with a central database and management system for their organization.
Life becomes easier for users, who become interconnected with everything and everyone they need to get their job done. Things become safer for organizations which can strengthen their cybersecurity.
The database and server functions are processed through a server on the network, called a “Domain Controller.”
Active Directory is the software that runs on the domain controller, which is step one in understanding the differences between AD and Azure AD.
What are access controls?
Access control is the management of conditional access policies – “if, then” statements that govern which users and devices have access to which data.
For example, who should have access to an organization’s payroll data? HR? Finance? The C-Suite? A conditional access policy will only allow these users into your payroll folder if you so choose.
These controls can be put in place for any number of people or resources in an organization to create the safest environment possible.
What is Group Policy?
Group policies allow administrators to organize users into groups, like the departments listed above, and determine access based on group membership.
Instead of assigning access on a user-by-user basis, users can be added to groups of similar job functions with one click, providing the same level of access.
Admins can also determine group policies based on other details, like device or location.
Why do I Need Directory Services?
Directory services are all about people, or “users,” when on a device. In any organization, these people are going to need access to apps and data.
This is where central identity management, a directory service, comes into play.
Directory services allow access controls to be rolled into group policies. This reduces the chance of human error going forward and ties critical data to central identity management.
Without central identity management, two main problems arise: fragmentation of users and passwords, as well as off- and on-boarding inefficiencies.
Password Fragmentation
Think of all the passwords you have in your daily life. You probably have one for your email, your bank account, your mortgage, your social media sites, and… you get the picture.
The same thing happens at work. A user has a password for their computer itself, as well as email, any collaboration tools, any additional apps like ERP, etc.
Yet rather than just being annoying, fragmentation within an organization comes with serious risk.
When employees are tasked with remembering too many passwords, they begin to rely on weaker passwords. Weak passwords only become weaker over time, especially if you are following security best practices and forcing password changes every 60 days.
What’s more, if identities are not managed centrally, organizations begin to fragment their multi-factor authentication (MFA) keys as well. Without central identity management, applications that don’t support MFA are left unguarded.
Some platforms offer MFA but lack a direct connection back to the device unless another identity management service is purchased. This puts you at the mercy of the vendor offering the MFA, with no way to tie authentication to the device yourself.
Companies without MFA are sitting ducks for data leaks, especially when fragmentation encourages users to collectively let their guards down.
Without a central identity management platform, organizations have to increase spend to avoid fragmentation, or sacrifice security.
On-boarding/Off-boarding Inefficiency
Fragmentation of applications, in addition to passwords, can waste entire days for new hires. It can also frustrate them and lead to a poor first impression.
Conversely, the lack of central identity management can cause lapses in off-boarding, where departing employees are forgotten. Without proper off-boarding, organizations could be paying for license waste: unused licenses still assigned to off-boarded employees.
Fragmented business applications can create operational inefficiencies like Shadow IT. This is when apps are being used without the knowledge of internal IT, skirting perhaps all security policies.
When an organization builds a system that requires extra tools to perform a function, an administrator should always be designated.
The administrator for critical line-of-business applications and data should always be IT, and without proper identity management, this designation will fall through the cracks.
Business applications, as well as identity and device management platforms have too many security settings to count. Someone needs to master all of these settings if an organization is serious about setting a security policy.
If that security policy requires password changes every 60 days, the fragmentation of apps, usernames, and passwords means you will have to change passwords every 60 days on each app.
Finally, organizations must keep in mind that these application vendors are susceptible to their own cybersecurity breaches.
With users and passwords spread out over many different applications, you are in charge of monitoring all of those vendors. How many automated cybersecurity response emails do you want to be in charge of?
If a vendor is breached, either they are going to force every user to change their passwords themselves, or your admin will have to enforce it. Without an admin, you may never hear about the breach.
Without central identity management and directory services, no one person can be put in charge of security. Do you want your organization to be the wild west?
What is a Domain Controller?
Domain controllers are standalone servers that are used to process authentication requests to a domain.
A domain itself is the administrative structure of a location on the internet, like an identifier that maps strings of text to IP addresses.
The domain controller is the hardware that processes these requests, either allowing or denying access based on applied security policies. It also replicates the stored databases to other domain controllers in a network.
Identity management software like Active Directory is how the security policies are applied to the domain controller.
One domain controller server can technically run effectively on its own, though it is often backed up by other servers for reliability.
What is Active Directory?
Active Directory is Microsoft’s directory service for Windows networks, run on Windows Server.
It is used to leverage the domain controller to authenticate and authorize users and computers within the network, mapping the user with the destination resource.
The domain services provided allow administrators to set and enforce security policies like conditional access and group policies. It can also be used to manage software.
What is Azure Active Directory (Azure AD)?
Azure Active Directory, more commonly known as Azure AD, is Microsoft’s version of Active Directory for cloud applications.
Azure AD is not simply “Active Directory, but for the cloud,” however. There are several differences between the two platforms and their capabilities.
While both traditional and Azure AD are similar in that they manage users, Azure AD lacks necessary authentication protocols to protect an organization.
What are Active Directory Domain Services?
Active Directory Domain Services (AD DS) is what organizes users and objects into a hierarchy in Active Directory. This allows administrators to connect and manage the hierarchy of objects.
More simply, AD DS takes the data within AD and makes it more accessible for administrators.
AD DS leverages the domain controller to execute authentication requests, whereas Azure Active Directory Domain Services (AADDS) are like a SaaS domain controller that integrates with Azure AD.
What is Mobile Device Management (MDM)?
At its most basic level, Mobile Device Management (MDM) is a concept that helps to keep an organization’s fleet of hardware within company policy.
Using the correct software, MDM can keep mobile devices updated and secure.
Ideally, MDM is paired with Active Directory and/or Azure AD to map out users and devices most accurately, connecting them with various policies. MDM gives administrators a more streamlined management console to do so.
While Active Directory with MDM configures devices’ access to certain on-premises resources, Azure AD with MDM configures access to resources and applications in the cloud.
Additionally, pairing an MDM solution with Active Directory/Azure AD allows administrators to see each device’s level of compliance.
MDM also simplifies procurement, deployment, tracking, and reporting on devices within your organization.
What is Microsoft Intune?
Microsoft Intune is Microsoft’s proprietary MDM platform, though it is compatible with many operating systems in addition to Windows.
Intune is one half of Microsoft Endpoint Manager, the other being Microsoft Endpoint Configuration Manager.
Whereas Endpoint Configuration Manager focuses on on-premises devices, Intune is meant to manage mobile devices, including laptops.
Otherwise, the two are practically the same, with Intune carrying extra capabilities geared towards mobile.
Alternatives to Active Directory: Can Azure AD Replace it?
Simply, no. Azure AD cannot fully replace Active Directory.
The cloud-specific Azure AD can work for organizations with zero on-premises infrastructure, but not without losing security. Running solely on Azure AD also involves numerous extra steps.
Most notably, Azure AD does not interact with a domain controller like Active Directory does, nor is it simply a directory that is hosted in the cloud.
Active Directory is used to manage users, while Azure AD manages users’ access to cloud applications.
Because Azure AD is designed to manage users and devices on Azure and Microsoft 365, it would not manage users and devices trying to access resources or applications outside of the cloud.
Take for example a shared network drive. Azure AD relies on Active Directory to have these resources already registered as objects.
In this case, users authenticate themselves onto their network using credentials on AD. They need this network access to be able to then authenticate themselves onto Microsoft 365 using Azure AD, unless a business operates fully through Microsoft 365.
The two sets of credentials are not tied together, though they can be fused using software called Azure AD Connect.
Because not all applications or resources can be replicated in the cloud, and specifically through Microsoft 365, many organizations cannot function independently of their local networks.
If an organization is insistent on running solely through Azure AD, it will need to run its own virtual machine(s) in Azure to host any applications that are not available as software-as-a-service (SaaS) in the cloud, along with a domain controller.
If the virtual machines used to run applications need to be joined to an organization’s domain, that requires running a domain controller in Azure, or using Azure AD Domain Services.
Azure AD also does not contain group policies. These policies are based on users and devices being listed as objects within traditional Active Directory.
Azure AD also lacks support for many of the authentication protocols that keep your data safe. Common authentication protocols like LDAP are not recognized by Azure AD.
Things begin to get even more complex when managing non-Microsoft devices. Considering the market share of mobile devices is strongly in favor of non-Microsoft devices, Azure AD needs to be propped up by Active Directory.
It is possible to replace Active Directory with Azure AD in some cases, but because of the lack of authentication protocols in Azure AD, it is never ideal. Doing so requires some concessions in security and is ultimately a lot of additional work.
Real Life Issues
The possibility of abandoning your servers and moving to an Azure AD-only setup can be tempting. As mentioned previously, many organizations would love to do so.
The worst-case scenario would be abandoning your servers only to discover you still need or want them. Here are a few cases of when you may need a local LDAP server and Active Directory proper.
Enterprise Wi-Fi
For some organizations, an enterprise Wi-Fi solution can do wonders. With faster speeds, better coverage areas, and better security, enterprise Wi-Fi empowers an on-premises team to be as productive as possible.
Enterprise Wi-Fi requires a device to authenticate to a server before it can reach the internet, however, so a device cannot authenticate over the internet in order to get onto the internet.
As we’ve learned, Azure AD authentication only determines access to cloud-based resources, so it cannot serve as a domain controller for your on-prem Wi-Fi.
An enterprise Wi-Fi solution requires a Network Policy Server (NPS) for connection authentication.
Large Scale File Editing
Working on a document in Google Docs is one thing, but a media company editing large amounts of ultra-high-definition video in real time is another.
Uploading and downloading terabytes of data in a day is realistic for these companies, and doing so without a local server will grind production to a halt.
The need for speedy file sharing means these teams need local authentication and file access, made possible by an on-prem server and directory services.
Conclusion
There is no real way to replace Active Directory with Azure AD outside of fully cloud-based operations, as Azure AD can be largely dependent on Active Directory.
Active Directory creates the foundation of an organization’s domain that allows Azure AD to authenticate users in the cloud effectively.
For organizations that have any resources outside of the cloud, Azure AD’s identity management will not be fully capable of authorizing or authenticating users.
For organizations that can fully run in the cloud, Azure AD still sacrifices some security while adding some headache.
There are further limits on Azure AD’s ability to pair with non-Windows devices.
Azure AD is not an inferior offering to Active Directory; rather, it is a completely different platform. Their uses are different and are thus difficult to truly compare.
Together with Azure AD Connect, however, Active Directory and Azure AD can combine to create a highly protected environment for all users and devices on-premises and in the cloud.
The path to optimal identity management can be confusing. Whether you are looking for an on-premises, cloud-only, or hybrid domain, IT Support Guys can help.
If you want expert help in optimizing your Active Directory and/or Azure AD, schedule a time with one of our technical solutions specialists today.