Balancing a “cloud-first” approach while maintaining on-premises systems is a common challenge for organizations as they shift to using cloud services. One of the questions we often hear at PSM is, “Do I still need to keep my Active Directory (AD) if I move to Microsoft 365 and Azure?”.
The easy answer is: it depends (another commonly heard phrase in our world).
However, easy is not always simple, and vice versa. The decision to keep or leave AD behind should be based on a careful evaluation of your organization’s needs, compliance requirements, the technology you currently have, and business goals. It requires a deep understanding of your organization’s unique characteristics, together with a good understanding of how fully shifting to the cloud changes the dynamics of your environment and your people.
This article assumes that you are somewhere along your cloud journey and maintain some level of hybrid connectivity between your on-premises AD and Microsoft 365.
What is Active Directory?
Active Directory (AD) is a directory service developed by Microsoft that provides centralized management and authentication for network resources, including users, computers, and other objects. It plays a crucial role in managing and securing Windows-based networks.
AD emerged in the year 2000 with Windows 2000, revolutionizing network management. It replaced Windows NT domains and introduced a hierarchical structure for more efficient resource management, accommodating users, groups, and computers. Subsequent versions like Windows Server 2008, 2012, and 2016 brought security enhancements, fine-grained access control, and cloud integration capabilities, evolving AD into a robust identity and access management tool.
In the modern era, Windows Server 2019 continued AD’s evolution with hybrid cloud support and integration with Azure services. Azure Active Directory (Azure AD) emerged as a separate, cloud-native identity service, enabling cloud-based identity management and single sign-on for cloud applications.
It’s important to note that Microsoft is focusing its efforts on growing its Microsoft 365 and Azure platforms. Microsoft has not announced a retirement date for on-premises Active Directory, so we will continue to see more and deeper hybrid integration between on-premises AD and Microsoft cloud services for the foreseeable future.
What is required to run Active Directory?
Active Directory (AD) has always depended on servers called Domain Controllers (DCs). A DC is a crucial component of the AD service in a Microsoft Windows-based network environment. It serves as the central authority for authentication, authorization, and directory services within a Windows domain.
Most organizations will run at least two DCs for redundancy at their main location, plus additional DCs at each branch office, if they have multiple locations, so that authentication happens close to the users.
Additionally, AD relies heavily on the Domain Name System (DNS) for name resolution and service location. Domain members find their DCs through SRV records (for example _ldap._tcp.dc._msdcs.<domain>), so a DNS outage, or a DC that fails to register its records, breaks logons even when the DC itself is healthy. In most organizations the DCs are also the DNS servers, although more mature and security-conscious organizations tend to run dedicated DNS servers for endpoints.
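The following PowerShell is an added example, not code from the original article or from PSM Partners. It checks the two dependencies just described: that the domain has more than one DC, that every DC the directory knows about is actually advertised in the DNS SRV records clients use to find it, and that each DC answers on the LDAPS port. It assumes the RSAT ActiveDirectory module is installed and that it runs on a domain-joined machine.

```powershell
# Added example (not from the original article). Cross-check the DCs known to AD
# against the SRV records domain members use to locate them.
# Assumes: RSAT ActiveDirectory module, run from a domain-joined Windows host.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# 1. What DNS advertises. Resolve-DnsName also returns A records for the targets,
#    so keep only the SRV entries and collect their target host names.
$advertised = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
    Where-Object { $_.Type -eq 'SRV' } |
    Select-Object -ExpandProperty NameTarget

# 2. What the directory itself says. Wrap in @() so .Count works with a single DC.
$dcs = @(Get-ADDomainController -Filter *)

if ($dcs.Count -lt 2) {
    Write-Warning "Only $($dcs.Count) domain controller(s) in $domain: no redundancy."
}

foreach ($dc in $dcs) {
    # A DC present in AD but absent from DNS is not advertising itself (Netlogon
    # failed to register its SRV records, or they were scavenged); clients will
    # never find it, so it adds no redundancy.
    $inDns = $advertised -contains $dc.HostName
    if (-not $inDns) {
        Write-Warning "$($dc.HostName) is not advertised in the DNS SRV records."
    }

    # 3. Reachability on LDAPS (636). Clear-text 389 should be signed or avoided.
    $ldaps = Test-NetConnection -ComputerName $dc.HostName -Port 636 -WarningAction SilentlyContinue

    [pscustomobject]@{
        DC            = $dc.HostName
        Site          = $dc.Site
        GlobalCatalog = $dc.IsGlobalCatalog
        FSMORoles     = ($dc.OperationMasterRoles -join ',')
        InDnsSrv      = $inDns
        LdapsOpen     = $ldaps.TcpTestSucceeded
    }
}
```

Run it from a member server before and after any DC change. For deeper diagnosis of the same two dependencies, the built-in tools dcdiag /test:dns and repadmin /replsummary report DNS registration and replication health respectively.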
Without going too deep into the functionality of Active Directory and Domain Controllers, we all know that like everything else, AD and its DCs require maintenance, patching, backup, auditing, and security controls.
Speaking of security controls, Domain Controllers should be one of the most guarded resources in an organization’s infrastructure as they hold the keys to the kingdom and are a prime target for bad actors.
Securing domain controllers is an ongoing effort, mitigating new and old vulnerabilities while ensuring that end-users can leverage the services they provide. This can be quite an effort regardless of whether you are a small business or a large, technically mature organization.
Why do some organizations keep On-Premises Active Directory?
In preparation for drafting this article, extensive discussions were held with various CIOs and industry experts to address a fundamental question. While a range of responses were received, some lighthearted, like “I’m keeping it because I like seeing the blinking lights in the server closet,” there are consistent concerns shared by organizations. The concern raised most often is that many organizations have legacy systems and applications that are tightly integrated with their on-premises AD infrastructure. Migrating these systems and applications to a cloud-based identity solution can be complex and costly. It may require significant redevelopment or customization, which some organizations are not willing to undertake.
In some cases, certain industries have strict compliance and regulatory requirements that mandate the use of on-premises infrastructure (requiring AD) or require data to be stored within specific geographical boundaries, making on-premises AD a more suitable choice. Another quite common concern is the security of data and identity information when using cloud-based solutions. Some organizations prefer to maintain full control over their AD infrastructure and data by keeping it on-premises, where they can implement their own security measures and access controls.
Additionally, CIOs are concerned with customization and control, cost considerations, and lastly, performance and latency (not always in that order).
These are all valid concerns and must be given careful consideration as an organization looks forward to the future of its IT infrastructure. However, this does not mean that your journey to the cloud must stop. It simply means you need to find a way to “hurdle” or detour these obstacles in a strategic way.
How can On-Premises AD, Microsoft 365 and Azure AD work together?
As you already know, Microsoft 365 and Azure AD are not one-to-one replacements for on-premises Active Directory. Azure AD is not a cloud-hosted domain controller: it authenticates with web protocols (SAML, OAuth 2.0, OpenID Connect) rather than Kerberos, NTLM and LDAP, and it has no Group Policy. Applications and systems that depend on those on-premises protocols still need AD, or a managed domain service such as Azure AD Domain Services. However, Microsoft 365 and Azure AD can augment existing on-premises AD by extending AD’s capabilities into the cloud (typically by synchronizing identities with Azure AD Connect), enabling a more unified and secure user experience, and simplifying administrative tasks. This hybrid identity and access management approach allows organizations to leverage the benefits of the cloud while maintaining control and security over their on-premises resources.
Microsoft 365 enables seamless collaboration and productivity, allowing users to access their tools and data from anywhere, promoting real-time collaboration, and adapting to the demands of remote and mobile work.
Centralized management through Azure AD simplifies user identity, access, and security management by offering a single console, making administration more efficient and reducing the need for complex on-premises infrastructure.
User convenience is paramount, with single sign-on (SSO) streamlining access to services and self-service capabilities empowering users to manage their accounts. Microsoft 365 also integrates readily with applications and services, fostering innovation and business growth. Organizations can leverage modern methods, such as Azure AD Application Proxy, to make their on-premises applications accessible to their workforce without exposing them directly to the internet.
Security is enhanced through features like Multi-Factor Authentication (MFA), Conditional Access policies, and identity protection, providing layers of protection against unauthorized access and threats. A Conditional Access policy is the place where MFA is actually enforced; enabling MFA methods for users without a policy that requires them protects no one. Scalability and flexibility are achieved by supporting hybrid scenarios, enabling organizations to balance on-premises and cloud services to match changing business requirements. Additionally, Microsoft 365’s pay-as-you-go model and auto-scaling features can lead to cost savings and efficient resource allocation.
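As an added example (not code from the original article or from PSM Partners), the following PowerShell uses the Microsoft Graph PowerShell SDK to create the baseline Conditional Access policy most tenants start with: MFA required for all users on all cloud apps. It starts the policy in report-only mode so the sign-in logs show what would have been blocked before anyone is locked out, and it excludes an emergency-access (break-glass) account. The break-glass user principal name is a hypothetical placeholder, and the tenant and SDK modules are assumed to be available.

```powershell
# Added example (not from the original article). Create a tenant-wide "require MFA"
# Conditional Access policy in report-only mode, excluding a break-glass account.
# Assumes: Microsoft.Graph PowerShell SDK installed; the UPN below is a placeholder.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

# Emergency-access account that must never be caught by this policy (hypothetical UPN).
$breakGlass = Get-MgUser -UserId 'breakglass@contoso.com'

$policy = @{
    displayName   = 'Require MFA for all users'
    # Report-only: evaluated and logged, but never enforced. Switch to 'enabled'
    # only after reviewing the sign-in log results.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlass.Id)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator         = 'OR'
        builtInControls  = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"

# Review every policy in the tenant: anything still report-only enforces nothing.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State,
        @{ Name = 'RequiresMFA'; Expression = { 'mfa' -in $_.GrantControls.BuiltInControls } }
```

Keep the break-glass account out of every Conditional Access policy, protect it with a long random password stored offline, and alert on any sign-in by it; otherwise a misconfigured policy can lock every administrator out of the tenant at once.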
What if my organization is already in the cloud, do I need On-Premises AD then?
Once again, the answer to this question is, it depends. However, in many cases your organization does not need to build out a Microsoft Active Directory infrastructure: devices can be joined directly to Azure AD and managed with Intune instead of Group Policy. The exception is when you are, or become, subject to regulatory compliance that requires a more controlled environment on-premises or in a private cloud. Even in those situations, there are likely modern solutions that can be leveraged to your advantage.
Can I migrate my On-Premises Active Directory to Azure or Microsoft 365?
In a recent engagement with one of our clients, they faced a situation where they wanted to stop investing capital in hardware and maintenance. This decision was primarily driven by the impending end-of-life status of their server and storage hardware. Complicating matters, they had two legacy applications that needed to be maintained for historical and compliance reasons, in addition to the Active Directory services required to access these applications. The challenge was finding a way to sustain these critical systems without incurring the upfront hardware costs.
Fortunately, our client had already integrated Microsoft 365 into their operations for email and collaboration needs. This established foundation made transitioning to the cloud a more feasible option rather than starting from scratch. After conducting thorough discovery work and engaging with our client’s team to gain a comprehensive understanding of their environment, the optimal solution became evident.
We proceeded to extend their on-premises network into Microsoft Azure, which enabled us to seamlessly migrate their physical and virtual servers. Leveraging the inherent high availability and resilience features of Azure allowed us to eliminate some redundant servers. For instance, we were able to reduce their server count from 24 to 14. Furthermore, we optimized the configuration of their virtual machines to run more efficiently within Azure, all the while ensuring a seamless end-user experience.
The results of this engagement were highly positive, as our client successfully transitioned their on-premises Active Directory and legacy applications to the cloud environment. This not only resolved their immediate hardware challenges but also positioned them for improved efficiency and cost savings in the long run.
On-Premises AD to Azure AD: Cloud Migration Services from PSM Partners
The above example is one of dozens of solutions that we at PSM Partners have implemented over this past year alone. Our recommendation is to start having focused conversations with your team about the direction of your organization and how to keep your IT aligned with your goals. Next, determine any compliance requirements and security concerns that may affect you. Finally, consider engaging with a trusted Microsoft Solutions Partner like PSM Partners, which has a successful record of migrating to, and deploying, Microsoft 365 and Azure solutions in small, mid-size, and enterprise organizations, to help you plan and execute your vision for a cloud-first environment.
Note: Microsoft Entra ID is the new name for Azure Active Directory (Azure AD).