A question we’ve heard many IT admins ask is, “Can I move my Active Directory to the cloud?”
This question has become even more relevant due to the ongoing desire of employees to work remotely (at least part of the week) on a regular basis. Likewise, some admins want to bring Active Directory (AD) into their cloud resources, because it’s the user access management system that they’re most familiar with.
Unfortunately, it’s not that easy to move AD to the cloud, nor to have it function properly if you do. Microsoft sought to address this problem by modernizing Active Directory with a reference architecture for cloud identity and access management (IAM) and security services. It positions AD as legacy technology that’s “baked in” but vulnerable to attack unless multiple Microsoft services are added. The Entra ID directory service, which extends AD to the cloud, is at the center of it all.
Modernizing AD to support remote workers, all of the devices that they use, and cloud resources can be done without locking you into Microsoft’s expansive new architecture. This article describes how Microsoft says AD can work with cloud environments, but also outlines how you can meet those requirements (and more) with JumpCloud’s open directory platform. JumpCloud syncs/federates with AD and all of the cloud providers where your workloads run.
Check out JumpCloud’s Active Directory to cloud translation guide
You Can’t Easily & Fully Move Active Directory to the Cloud
Let’s examine some use cases for running AD in the cloud. AD can run as a managed service or as infrastructure-as-a-service in a virtual private cloud, which is a private environment that’s isolated within a public cloud. It can solve problems in a familiar way, but keep in mind that AD was never intended to work for the cloud. The approach has numerous pros and cons:
- Pros:
- AD can be automatically configured and managed, from replication and recovery to software updates. Cloud providers will optimize it for cloud workloads such as custom .NET and SQL Server-based apps, or even hosted instances of SharePoint. Cloud providers that offer AD, such as AWS, make it possible to create a trust relationship with your on-prem AD.
- AD is familiar, and many admins believe that it’s faster and simpler to get started with it. It’s something that’s worked for them in the past, so why not?
- You can manage remote users and Windows endpoints without breaking the bank to build out your server room and network hardware.
- Many legacy apps and systems support AD, and it’s tempting to “lift and shift” the resources that you already have into the cloud to avoid refactoring or replacing them with cloud services.
- Cons:
- AD doesn’t provide universal endpoint management (UEM), no matter where it’s being hosted. A Zero Trust security strategy doesn’t separate device management from IAM, and unmanaged devices present a serious security risk because they cannot be verified before they’re used to access your resources.
- Cloud providers operate under a shared responsibility model to address security. Using AD as a cloud IAM solution adds management overhead and risks, because the same problems that exist on-premises carry over to your cloud VM.
- AD doesn’t support single sign-on (SSO) to non-Windows resources, even if it’s hosted in the cloud. It won’t work with web protocols such as OIDC and SAML, and cannot automate user/group authorizations into web apps using SCIM.
- It can’t perform multi-factor authentication (MFA), let alone passwordless modern authentication or conditional access for privileged users. This can place identities and device credentials at risk, same as on-premises.
- It also lacks integrations with other cloud directories and HR systems for lifecycle management. Its classic group management, which was designed for on-premises environments two decades ago, carries over. Modern directory features that automate the identity lifecycle, such as dynamic groups, aren’t available in AD.
- AD must integrate with existing RADIUS infrastructure to access network devices or to be used as a second factor for authentication.
- A modern cloud directory and UEM solution may be more cost-effective for managing users and devices.
- Cloud providers integrate with cloud identity providers (IdPs) with less management overhead and less risk and responsibility for IT infrastructure. AD cannot do this on its own, even if it’s in the cloud.
- Using AD to enable legacy apps kicks the can down the road for cloud migrations and better security practice adoption. That can be a cloud adoption anti-pattern.
We get it. It seems easier to fire up a VM in AWS and use AD to manage your users there. Microsoft publishes a lot of guidance that isn’t followed in real-world IT environments. It can be difficult to keep up with all of those recommendations, and you’ve got other priorities. We suggest that you consider how this approach increases your attack surface through AD’s server infrastructure and neglects to secure identities with Zero Trust controls. Microsoft isn’t wrong to call out AD’s vulnerabilities, which are well understood and exploited by bad actors. The optimal approach is to avoid the risks without taking on new costs and complexities.
The Microsoft Cybersecurity Reference Architectures (MCRA) no longer consider AD to be a standalone solution that’s separate from the cloud services used to modernize and secure it. It’s not a matter of if you’re using cloud services to modernize AD, it’s only a matter of when.
Microsoft’s Reference Architecture
Microsoft’s enterprise access model supersedes and replaces AD’s tier model, where there’s a logical separation among AD assets within a single domain. The new model spans AD installations, is multi-cloud, and includes users from several IdPs. Microsoft’s path to running AD in the cloud always includes Entra ID, in order to extend AD to support cloud apps and remote users. Microsoft recommends that you use Entra ID when you run cloud instances of AD, but its guidance doesn’t stop at access control.
Tiering off domain controllers from application servers and end-user systems is a legacy model. This is Microsoft’s new model for enterprise access control. Image credit: Microsoft.
Microsoft services that you’ll need for cloud-hosted AD:
- Microsoft recommends Entra ID Premium P2 to have Identity Protection, no matter where AD is being hosted.
- Microsoft recommends Defender for Identity to safeguard AD from lateral movement by attackers and privilege escalation due to its endemic security problems.
- Microsoft recommends Defender for Servers to protect against threats when AD is running in Azure, AWS, or GCP. Microsoft Defender for Endpoint, its endpoint detection and response (EDR) product, is suggested for complete threat protection. Another component, Azure Arc, is required when your cloud platform isn’t Azure.
- Microsoft recommends Defender for Cloud to provide security posture management for workloads that run on other clouds such as AWS.
Running AD in the cloud may be more than you bargained for, or at the very least, a much more cumbersome way to manage your digital estate. IT admins want the flexibility to choose what solutions are best for their team. This starts with either modernizing AD by integrating it with a cloud directory that has UEM, or replacing Active Directory as the control point.
Gaining Flexibility with Your Directory
JumpCloud’s open directory could be thought of as Active Directory in the cloud that meets modern IT requirements. It’s focused on giving IT admins back control over enterprise IAM by creating a directory that can manage all major systems (Android, Mac, Windows, Linux), cloud and on-prem servers (e.g., AD, AWS, GCP, internal data centers, etc.), networks (Cloud RADIUS), data through physical and virtual file servers, single sign-on to applications (web and on-prem), and more through one central web platform. JumpCloud provides:
- Active Directory Integration (ADI) for your on-premises domains
- UEM for your devices with options for browser and OS patch management
- Dynamic groups for automation and lifecycle management
- OIDC, SAML, a RESTful API for web apps, and a password manager for instances where SSO isn’t a possibility
- JumpCloud Go, a phishing-resistant, hardware-bound credential for passwordless logins
- Cloud RADIUS and LDAP
- Environment-wide MFA
- Optional conditional access policies
- Reporting and telemetry
Through a unified cloud directory, admins, and perhaps more importantly their end users, have the ability to choose their solutions again.
Try JumpCloud’s Open Directory Platform
Don’t use a legacy on-premises approach in the cloud if you don’t have to. AD raises security risks, increases management overhead, and could potentially lock you into a suite of vertically integrated tools if you follow Microsoft’s recommendations.
If you want to learn more about how you can regain control over your IT infrastructure with a more flexible directory platform, drop us a note. We’d be happy to talk you through the capabilities and solutions that a cloud directory platform can provide.