The most difficult aspect of transitioning from traditional management to a modern one for Windows 10 is deciding whether to utilize on-premises AD, Azure AD, or a hybrid of the two. In this article, we will compare AD DS to Azure AD and see what our standard Active Directory can accomplish that Azure AD cannot. We will also look at how Microsoft conducts hybrid solution installation and why this way may be beneficial for some businesses.
Once upon a time, every Windows enterprise was flat. Active Directory was the sole container that stored all your domain data objects. We simply referred to it as AD back then because it was the only AD form. It was supported by the three pillars: domain controllers, DNS, and group policy. It was an architecture that served many enterprises well for nearly two decades. And then came Azure, and suddenly, traditional AD is now referred to as legacy AD in some circles. Azure AD, of course, exists in the cloud, that wonderful destination to which it seems most organizations want to transition. Because it is cloud-native, it utilizes different protocols and methodologies for account authentication and policy implementation. In some ways, local AD and Azure AD are like water and oil because they are so different.
Key Differences Between On-Prem AD, Hybrid Azure AD Join & Azure AD
The primary limitation of local AD
Many companies had begun their cloud migration journeys years ago. Still, the remote work revolution in 2020 was equivalent to pouring kerosene on an existing flame. That was when the remote work revolution began. Legacy AD’s limitation greatly inhibits its ability to support hybrid work architectures. It requires domain-joined computers to have line-of-site to a domain controller. This makes it impossible for employees to log onto the corporate network when operating from a remote workspace such as their home office or hotel room. The only way to attain AD connectivity then is through a VPN connection. This makes the onboarding process of a new computer challenging at best. Moreover, your VPN infrastructure can quickly become a bottleneck when many users use it. VPN then requires remote access and routing policies to enforce the least privilege security so that remote users don’t have access to the entire network.
The modern world of fully transitioning to Azure AD
If you are a Windows admin, you are probably familiar with the concept of tombstoning, which helps recover accidental object deletions in AD. Azure AD is a way to tombstone your on-prem AD servers permanently. No more having to worry about AD synchronization or DNS scavenging. Everything now exists in the cloud, where users and Azure-joined computers go to authenticate. Azure-joined computers only need an internet connection to authenticate, thus nullifying the necessity for AD connectivity. Suddenly users can work from anywhere without the hassle of a problematic VPN. Microsoft 365 uses Azure Active Directory (Azure AD) to manage user identities, so employees are automatically signed in on their corporate devices.
The real beauty of Azure AD becomes vivid when provisioning devices. Windows computers that are cloud-domain joined and autopilot configured can be shipped directly from the original equipment manufacturer (OEM) to the waiting user, regardless of location. The user opens the box, powers the device and logs in using their Azure AD credentials. Once autopilot completes the configuration process of the device, Microsoft Endpoint Management, otherwise known as Intune, steps in to deliver all the assigned configuration settings, policies, and applications to that machine. Within a couple of hours, the user is ready to start working. Suppose the machine has a chipset that allows remote access to its BIOS and technicians to perform remote reboots even when the OS isn’t operational. In that case, you suddenly have a computer fleet that can be deployed, implemented, and supported without local support. Welcome to the Hybrid World.
Not everyone can transition directly to Azure AD
Migrating your on-prem AD infrastructure to the native cloud is quite a leap, but not everyone can take it overnight. Some of the reasons include the following:
- You still support Windows devices with legacy operating systems, such as Windows 7.
- You rely on an existing imaging solution to deploy and configure devices you aren’t ready to abandon yet.
- Some of your user devices have Win32 apps that rely on legacy AD machine authentication.
And finally, there is Group Policy and Group Policy Preferences. Many enterprises have a large portfolio of group policy objects (GPOs) they created to deliver managed configuration and security settings for users and computers over the years. The equivalent of Group Policy is an MDM provider such as Microsoft Endpoint Manager mentioned earlier. While MDMs can deliver setting configurations to computers regardless of location, the list of available settings is not as vast as the combined array of GP and GPP. While Microsoft has made great strides in reducing the parity gap between the two, the disparity between the two remains. For large enterprises that extensively depend on Group Policy, the insufficient setting coverage of MDM may be enough to hold them back for now.
Hybrid Azure AD – join as a transitory compromise
If you can’t make the direct leap to Azure AD right now, a third option called Hybrid Azure AD join. Hybrid Azure AD join retains the legacy trust relationship that your client machines have with on-prem AD while simultaneously creating a registered trust relationship in Azure AD. This dual registration gives your device visibility in the cloud so users can utilize single sign-on when accessing their Microsoft 365 applications. It also provides self-service password reset and Windows Hello PIN reset capabilities for your users regardless of location. You can create device-based conditional access policies requiring devices to meet compliance requirements before being granted access to enterprise resources to enhance your security.
Like traditional AD, Hybrid Azure AD join relies on group policy to centrally manage setting configurations, so the group policy object portfolio you spent so much time on will still be utilized. Unfortunately, group policy still relies on AD connectivity, and computers must be line-of-sight to authenticate AD users that don’t have cached credentials. You will also need to install Azure AD Connect on an on-prem server to synchronize the data between on-prem AD and Azure AD so that users have the same credentials in both worlds. This means one more thing that your IT team will have to manage and support. Like any hybrid architectureit adds complexity to your network, which adds complexity to supporting it.
Suppose you’ve looked at the Microsoft certification portal in the past two years. In that case, you’ll notice that they no longer offer certification paths in their traditional operating systems and on-prem architectures. Everything is about the cloud. While you may not be ready to leap yet, there will come a day when you will be forced to begin the transition to Azure AD to access the latest technology and solution innovations. For some, Hybrid Azure AD join may be an edible path to get there.
MORE ON MICROSOFT AZURE