Why would organisations want to do this?
As organisations continue to hunt down new operational efficiencies and the adoption of cloud-based SaaS applications continues to increase, we're now being asked “do I need my on-premises Active Directory anymore? Can I replace it with Azure Active Directory? Is it a viable option? Is anybody actually doing this?”. Let’s explore the option of moving to Azure AD in more detail.
What's the difference between Active Directory and Azure Active Directory?
Active Directory (AD) is a group of on-premises features included in Windows Server:
- Active Directory Domain Services – An on-premises directory service that is used to store identities, groups, computers and other objects. ADDS, enables organisations to provide their employees with a single digital identity to access their on-premises line of business applications and provides IT with a single management domain for the devices and servers in their organisation. ADDS understands the LDAP, Kerberos and NTLM authentication protocols, which are used in on-premises domain joined environments, to allow Single Sign On (SSO) into corporate applications; the above protocols were never built to function over the web.
- Active Directory Certificate Services – An on-premises Public Key Infrastructure (PKI) service, ADCS, can be used to issue certificates to users, machines or services, using strong cryptography methodologies, for authentication, signing (integrity) and encryption purposes.
- Active Directory Federation Services – An on-premises Secure Token Service, ADFS, allows end-users to authenticate into third party services (such as Office 365), using their existing digital identities, via single-sign on, but without having to share their passwords with the third-party applications. ADFS understands claims-based authentication protocols that work over the web, for example; SAML, SWT and JWT.
- Active Directory Rights Management Services – An on-premises rights management service, ADRMS, allows end-users to apply file-level protection, encryption and rights to documents, to provide persistent levels of protection against data loss and unauthorised access.
- Active Directory Lightweight Directory Services – An on-premises LDAP database service, ADLDS is out of scope for today’s discussion.
Azure Active Directory is a cloud-based, identity access management service that has been built for the web. Azure Active Directory performs a similar role to Active Directory Domain Services and Active Directory Federation Services, but does not understand the legacy authentication protocols, that do not function over the web. Additionally, there is a cloud version of Rights Management Services, called Azure Rights Management Services. Azure Active Directory is not a direct replacement for on-premises Active Directory, but if an organisation does not need the missing functionality, moving to Azure Active Directory and decommissioning Active Directory starts to become a functionally viable option. Let's discuss the key considerations and limitations in more detail.
Key considerations and limitations of Azure Active Directory
This list is by no means exhaustive, but the following key considerations and limitations should be considered when organisations remove on-premises Active Directory and replace it with Azure Active Directory:
- To ensure secure access is granted to services, Enterprise Mobility and Security E3 is required as a minimum licensing purchase – You cannot put a firewall around SaaS applications, so a mobile device management solution is required to manage devices when they are joined to Azure Active Directory. Microsoft’s Enterprise Mobility and Security E3 licence includes; MFA, Conditional Access, Intune MDM and MAM and Azure Rights Management Services.
- Azure Active Directory does not understand LDAP, Kerberos or NTLM authentication protocols, therefore any on-premises applications that utilise Integrated Windows Authentication protocols, will cease to function – For example, if the organisation has an on-premises version of Sage installed in their on-premises environment, and employees use their Active Directory credentials to authenticate into Sage, it will no longer be able to process the authentications when on-premises Active Directory is removed.
- Following on from the previous point, the vast majority of an organisation’s line-of-business applications should be delivered in a SaaS model – For example, mailboxes can be delivered via Exchange Online, on-premises file-share services can be migrated to SharePoint Online/OneDrive for Business, and other LOB applications (HR, Expenses, CRM, etc…) can be delivered via cloud-based solutions such as PeopleHR, Concur, Dynamics365 or Salesforce. These complimentary SaaS tools are then federated with Azure Active Directory to ensure end-users can access their SaaS applications using their Azure Active Directory digital identity.
- Device management has some functional limitations, as MDMs are now used in place of Group Policy and Configuration Manager, when devices are joined to Azure Active Directory – For example, micro-management of individual registry settings and installation of complex applications, can be difficult or even impossible when MDMs are used to manage Windows 10 devices.
- On-premises domain joined Windows 10 devices will need to be joined to Azure Active Directory, not the on-premises Active Directory – As the on-premises domain will no longer be available, it is important that all Windows 10 devices are joined to Azure Active Directory, or as a minimum enrolled into the MDM service.
- Azure Active Directory does not provide an equivalent to Active Directory Certificate Services, if your organisation uses client authentication certificates to access the corporate WI-FI, you will need to consider other authentication options – You cannot use certificates for authentication into VPNs or Wireless, however, offerings such as Cisco ISE support direct integration with Intune and will check enrolment and compliance status before granting access to the corporate Wi-Fi.
How do we get there?
If your organisation has the necessary licensing, EM+S E3, in place and can operate within the above limitations, then the following is a high-level overview of the steps required to migrate away from your on-premises Active Directory to Azure Active Directory:
- Configure Azure Active Directory Connect to utilise Password Hash Synchronisation, to ensure Azure Active Directory is able to process end-user authentications once ADFS or Pass-Thru Authentication is turned off.
- If federation is in use, switch the federated domains to managed domains in Azure Active Directory by following this guide.
- Break the connectivity between on-premises Active Directory and Azure Active Directory, by following this guide.
- Once complete, decommission your on-premises Active Directory.
What if my organisation needs to introduce an application that only supports legacy authentication protocols after the migration, is there any way to return to on-premises Active Directory?
Yes, you can perform a reverse-hybrid, which is a fairly complex task, that is detailed in the following series of blog articles. Alternatively, Azure Active Directory Domain Services is a PAAS service that can expose LDAP, Kerberos and NTLM to Azure IAAS VNets, or LDAPS to the internet. This could be used to service the requirements of the legacy authentication application until the point that the application supports SAML or is replaced by a SaaS application.
To conclude this blog article, yes, moving away from on-premises Active Directory to Azure AD is a viable approach, providing your organisation has the necessary licensing in place and understands the limitations of a full cloud approach. If you can operate within the limitations, then your organisation can reduce the complexity of their identities by removing the on-premises directory services and gain the efficiencies associated with this approach.
If you have any questions about removing your on-premises Active Directory Domain and the implications of this to your organisation, please get in touch with your account manager, or send us a message using the button below.