Do not fill in this field

Enter no text in this field

Get Instant Access
to This Blueprint

Business Email

Full Name

Company

Phone

Job Title

You are looking to lose your dependency on Active Directory (AD), and you need to tackle infrastructure technical debt, but there are challenges:

Legacy apps that are in maintenance mode cannot shed their AD dependency or have hardware upgrades made.
You are unaware of what processes depend on AD and how integrated they are.
Departments invest in apps that are integrated with AD without informing you until they ask for Domain details after purchasing.

Our Advice

Critical Insight

Remove your dependency on AD one application at a time. If you are a cloud-first organization, rethink your AD strategy to ask “why” when you add a new device to your Active Directory.
With the advent of hybrid work, AD is now a security risk. You need to shore up your security posture. Think of zero trust architecture.
Take inventory of your objects that depend on Kerberos and NTML and plan on removing that barrier through applications that don’t depend on AD.

Impact and Result

Don’t allow Active Directory services to dictate your enterprise innovation and modernization strategies. Determine if you can safely remove objects and move them to a cloud service where your Azure AD Domain Services can handle your authentication and manage users and groups.

Legacy Active Directory Environment Research & Tools

1. Legacy Active Directory Environment Deck – Legacy AD was never built for modern infrastructure. Understand the history and future of Active Directory and what alternatives are in the market.

Build all new systems with cloud integration in mind. Many applications built in the past had built-in AD components for access, using Kerberos and NTLM. This dependency has prevented organizations from migrating away from AD. When assessing new technology and applications, consider SaaS or cloud-native apps rather than a Microsoft-dependent application with AD ingrained in the code.

Legacy Active Directory Environment

Kill the technical debt of your legacy Active Directory environment.

Analyst Perspective

Understand what Active Directory is and why Azure Active Directory does not replace it.

It’s about Kerberos and New Technology LAN Manager (NTLM).

The image contains a picture of John Donovan.

Many organizations that want to innovate and migrate from on-premises applications to software as a service (SaaS) and cloud services are held hostage by their legacy Active Directory (AD). Microsoft did a good job taking over from Novell back in the late 90s, but its hooks into businesses are so deep that many have become dependent on AD services to manage devices and users, when in fact AD falls far short of needed capabilities, restricting innovation and progress.

Despite Microsoft’s Azure becoming prominent in the world of cloud services, Azure AD is not a replacement for on-premises AD. While Azure AD is a secure authentication store that can contain users and groups, that is where the similarities end. In fact, Microsoft itself has an architecture to mitigate the shortcomings of Azure AD by recommending organizations migrate to a hybrid model, especially for businesses that have an in-house footprint of servers and applications.

If you are a greenfield business and intend to take advantage of software, infrastructure, and platform as a service (SaaS, IaaS, and PaaS), as well as Microsoft 365 in Azure, then Azure AD is for you and you don’t have to worry about the need for AD.

John Donovan
Principal Director, I&O Practice
Info-Tech Research Group

Insight Summary

Legacy AD was never built for modern infrastructure	When Microsoft built AD as a free component for the Windows Server environment to replace Windows NT before the demise of Novell Directory Services in 2001, it never meant Active Directory to work outside the corporate network with Microsoft apps and devices. While it began as a central managing system for users and PCs on Microsoft operating systems, with one user per PC, the IT ecosystem has changed dramatically over the last 20 years, with cloud adoption, SaaS, IaaS, PaaS, and everything as a service. To make matters worse, work-from-anywhere has become a serious security challenge.
Build all new systems with cloud integration in mind	Many applications built in the past had built-in AD components for access, using Kerberos and NTLM. This dependency has prevented organizations from migrating away from AD. When assessing new technology and applications, consider SaaS or cloud-native apps rather than a Microsoft-dependent application with AD ingrained in the code. Ensure you are engaged when the business is assessing new apps. Stop the practice of the business purchasing apps without IT’s involvement; for example, if your marketing department is asking you for your Domain credentials for a vendor when you were not informed of this purchase.
Hybrid AD is a solution but not a long-term goal	Economically, Microsoft has no interest in replacing AD anytime soon. Microsoft wants that revenue and has built components like Azure AD Connect to mitigate the AD dependency issue, which is basically holding your organization hostage. In fact, Microsoft has advised that a hybrid solution will remain because, as we will investigate, Azure AD is not legacy AD.

Executive Summary

Your Challenge	Common Obstacles	Info-Tech’s Approach
You are looking to lose your dependency on Active Directory, and you need to tackle infrastructure technical debt, but there are challenges. Legacy apps that are in maintenance mode cannot shed their AD dependency or have hardware upgrades made. You are unaware of what processes depend on AD and how integrated they are. Departments invest in apps that are integrated with AD without informing you until they ask for Domain details after purchasing.	Legacy applications can prevent you from upgrading servers or may need to be isolated due to security concerns related to inadequate patching and upgrades. You do not see any return on investment in AD maintenance. Mergers and acquisitions can prevent you from migrating away from AD if one company is dependent on AD and the other is fully in the cloud. This increases technical debt.	Remove your dependency on AD one application at a time. If you are a cloud-first organization, rethink your AD strategy to ask “why” when you add a new device to your Active Directory. With the advent of hybrid work, AD is now a security risk. You need to shore up your security posture. Think of zero trust architecture. Take inventory of your objects that depend on Kerberos and NTML and plan on removing that barrier through applications that don’t depend on AD.

Your Challenge

Common Obstacles

Info-Tech’s Approach

You are looking to lose your dependency on Active Directory, and you need to tackle infrastructure technical debt, but there are challenges.

Legacy apps that are in maintenance mode cannot shed their AD dependency or have hardware upgrades made.
You are unaware of what processes depend on AD and how integrated they are.
Departments invest in apps that are integrated with AD without informing you until they ask for Domain details after purchasing.

Legacy applications can prevent you from upgrading servers or may need to be isolated due to security concerns related to inadequate patching and upgrades.
You do not see any return on investment in AD maintenance.
Mergers and acquisitions can prevent you from migrating away from AD if one company is dependent on AD and the other is fully in the cloud. This increases technical debt.

Remove your dependency on AD one application at a time. If you are a cloud-first organization, rethink your AD strategy to ask “why” when you add a new device to your Active Directory.
With the advent of hybrid work, AD is now a security risk. You need to shore up your security posture. Think of zero trust architecture.
Take inventory of your objects that depend on Kerberos and NTML and plan on removing that barrier through applications that don’t depend on AD.

Info-Tech Insight

The history of Active Directory

The evolution of your infrastructure environment

From NT to the cloud

AD 2001	Exchange Server 2003	SharePoint 2007	Server 2008 R2	BYOD Security Risk	All in Cloud 2015
Active Directory replaces NT and takes over from Novell as the enterprise access and control plane. With slow WAN links, no cellphones, no tablets, and very few laptops, security was not a concern in AD.	In 2004, email becomes business critical. This puts pressure on links, increases replication and domains, and creates a need for multiple identities.	Collaboration becomes pervasive. Cross domain authentication becomes prevalent across the enterprise. SharePoint sites need to be connected to multiple Domain AD accounts. More multiple identities are required.	Exchange resource forest rolls out, causing the new forest functional level to be a more complex environment. Fine-grained password policies have impacted multiple forests, forcing them to adhere to the new password policies.	There are powerful Domain controllers, strong LAN and WAN connections, and an increase in smartphones and laptops. Audits and compliance become a focus, and mergers and acquisitions add complexity. Security teams are working across the board.	Cloud technology doesn’t work well with complicated, messy AD environment. Cloud solutions need simple, flat AD architecture. Technology changes after 15+ years. AD becomes the backbone of enterprise infrastructure. Managers demand to move to cloud, building complexity again.

Organizations depend on AD

AD is the backbone of many organizations’ IT infrastructure

73% of organizations say their infrastructure is built on AD.

82% say their applications depend on AD data.

89% say AD enables authenticated access to file servers.

90% say AD is the main source for authentication.

Source: Dimensions research: Active Directory Modernization :

Info-Tech Insight

Organizations fail to move away from AD for many reasons, including:

Lack of time, resources, budget, and tools.
Difficulty understanding what has changed.
Migrating from AD being a low priority.

Active Directory components

Physical and logical structure

Authentication, authorization, and auditing

The image contains a screenshot of the active directory components.

Active Directory has its hooks in!

AD creates infrastructure technical debt and is difficult to migrate away from.

The image contains a screenshot of an active directory diagram.

Info-Tech Insight

Due to the pervasive nature of Active Directory in the IT ecosystem, IT organizations are reluctant to migrate away from AD to modernize and innovate.

Migration to Microsoft 365 in Azure has forced IT departments’ hand, and now that they have dipped their toe in the proverbial cloud “lake,” they see a way out of the mounting technical debt.

AD security

Security is the biggest concern with Active Directory.

Neglecting Active Directory security

98% of data breaches came from external sources.

Source: Verizon, Data Breach Report 2022

85% of data breach took weeks or even longer to discover.

Source: Verizon Data Breach Report, 2012

The biggest challenge for recovery after an Active Directory security breach is identifying the source of the breach, determining the extent of the breach, and creating a safe and secure environment.

Info-Tech Insight

Neglecting legacy Active Directory security will lead to cyberattacks. Malicious users can steal credentials and hijack data or corrupt your systems.

What are the security risks to legacy AD architecture?

It's been 22 years since AD was released by Microsoft, and it has been a foundational technology for most businesses over the years. However, while there have been many innovations over those two decades, like Amazon, Facebook, iPhones, Androids, and more, Active Directory has remained mostly unchanged. There hasn’t been a security update since 2016.
This lack of security innovation has led to several cyberattacks over the years, causing businesses to bolt on additional security measures and added complexity. AD is not going away any time soon, but the security dilemma can be addressed with added security features.

AD event logs

84% of organizations that had a breach had evidence of that breach in their event logs.

Source: Verizon Data Breach Report, 2012

What is the business risk

How does AD impact innovation in your business?

It’s widely estimated that Active Directory remains at the backbone of 90% of Global Fortune 1000 companies’ business infrastructure (Lepide, 2021), and with that comes risk. The risks include:

Constraints of AD and growth of your digital footprint
Difficulty integrating modern technologies
Difficulty maintaining consistent security policies
Inflexible central domains preventing innovation and modernization
Inability to move to a self-service password portal
Vulnerability to being hacked
BYOD not being AD friendly

AD is dependent on Windows Server

Even though AD is compliant with LDAP, software vendors often choose optional features of LDAP that are not supported by AD. It is possible to implement Kerberos in a Unix system and establish trust with AD, but this is a difficult process and mistakes are frequent.
Restricting your software selection to Windows-based systems reduces innovation and may hamper your ability to purchase best-in-class applications.

Azure AD is not a replacement for AD

AD was designed for an on-premises enterprise

The image contains a screenshot of a Azure AD diagram.

Despite Microsoft’s Azure becoming prominent in the world of cloud services, Azure AD is not a replacement for on-premises AD.
In fact, Microsoft itself has an architecture to mitigate the shortcomings of Azure AD by recommending organizations migrate to a hybrid model, especially those businesses that have an in-house footprint of servers and applications.
If you are a greenfield business and intend to take advantage of SaaS, IaaS, and PaaS, as well as Microsoft 365 in Azure, then Azure AD is for you and you don’t have to worry about the need for AD.

"Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller or a directory in the cloud that will provide the exact same capabilities with AD. It actually provides many more capabilities in a different way.

That’s why there is no actual ‘migration’ path from Active Directory to Azure Active Directory. You can synchronize your on-premises directories (Active Directory or other) to Azure Active Directory but not migrate your computer accounts, group policies, OU etc."

– Gregory Hall,
Brand Representative for Microsoft
(Source: Spiceworks)

The hybrid model for AD and Azure AD

How the model works

The image contains a screenshot of a hybrid model for AD and Azure AD.

Note: AD Federated Services (ADFS) is not a replacement for AD. It’s a bolt-on that requires maintenance, support, and it is not a liberating service.

Many companies are:

Moving to SaaS solutions for customer relationship management, HR, collaboration, voice communication, file storage, and more.
Managing non-Windows devices.
Moving to a hybrid model of work.
Enabling BYOD.

Given these trends, Active Directory is becoming obsolete in terms of identity management and permissions.

The difference between AD Domain Services and Azure AD DS

One of the core principles of Azure AD is that the user is the security boundary, not the network.

Kerberos is the default authentication and authorization protocol for AD. Kerberos is involved in nearly everything from the time you log on to accessing Sysvol, which is used to deliver policy and logon scripts to domain members from the Domain Controller.

Info-Tech Insight

If you are struggling to get away from AD, Kerberos and NTML are to blame. Working around them is difficult. Azure AD uses SAML2.0 OpenID Connect and OAuth2.0.

Feature	Azure AD DS	Self-managed AD DS
Managed service	✓	✕
Secure deployments	✓	Administrator secures the deployment
DNS server	✓ (managed service)	✓
Domain or Enterprise administrator privileges	✕	✓
Domain join	✓	✓
Domain authentication using NTLM and Kerberos	✓	✓
Kerberos-constrained delegation	Resource-based	Resource-based and account-based
Custom OU structure	✓	✓
Group Policy	✓	✓
Schema extensions	✕	✓
AD domain/forest trusts	✓ (one-way outbound forest trusts only)	✓
Secure LDAP (LDAPS)	✓	✓
LDAP read	✓	✓
LDAP write	✓ (within the managed domain)	✓
Geo-distributed deployments	✓	✓

Source: “Compare self-managed Active Directory Domain Services...” Azure documentation, 2022

Impact of work-from-anywhere

How AD poses issues that impact the user experience

IT organizations are under pressure to enable work-from-home/work-from-anywhere.

IT teams regard legacy infrastructure, namely Active Directory, as inadequate to securely manage remote workloads.
While organizations previously used VPNs to access resources through Active Directory, they now have complex webs of applications that do not reside on premises, such as AWS, G-Suite, and SaaS customer relationship management and HR management systems, among others. These resources live outside the Windows ecosystem, complicating user provisioning, management, and security.
The work environment has changed since the start of COVID-19, with businesses scrambling to enable work-from-home. This had a huge impact on on-premises identity management tools such as AD, exposing their limitations and challenges. IT admins are all too aware that AD does not meet the needs of work-from-home.
As more IT organizations move infrastructure to the cloud, they have the opportunity to move their directory services to the cloud as well.
- JumpCloud, OneLogin, Okta, Azure AD, G2, and others can be a solution for this new way of working and free up administrators from the overloaded AD environment.
- Identity and access management (IAM) can be moved to the cloud where the modern infrastructure lives.
- Alternatives for printers using AD include Google Cloud Print, PrinterOn, and PrinterLogic.

How AD can impact your migration to Microsoft 365

The beginning of your hybrid environment

Businesses that have a large on-premises footprint have very few choices for setting up a hybrid environment that includes their on-premises AD and Azure AD synchronization.
Microsoft 365 uses Azure AD in the background to manage identities.
Azure AD Connect will need to be installed, along with IdFix to identify errors such as duplicates and formatting problems in your AD.
Password hash should be implemented to synchronize passwords from on-premises AD so users can sign in to Azure without the need for additional single sign-on infrastructure.
Azure AD Connect synchronizes accounts every 30 minutes and passwords within two minutes.

Alternatives to AD

When considering retiring Active Directory from your environment, look at alternatives that can assist with those legacy application servers, handle Kerberos and NTML, and support LDAP.

JumpCloud: Cloud-based directory services. JumpCloud provides LDAP-as-a-Service and RADIUS-as-a-Service. It authenticates, authorizes, and manages employees, their devices, and IT applications. However, domain name changes are not supported.
Apache Directory Studio Pro: Written in Java, it supports LDAP v3–certified directory services. It is certified by Eclipse-based database utilities. It also supports Kerberos, which is critical for legacy Microsoft AD apps authentication.
Univention Corporate Server (UCS): Open-source Linux-based solution that has a friendly user interface and gets continuous security and feature updates. It supports Kerberos V5 and LDAP, works with AD, and is easy to sync. It also supports DNS server, DHCP, multifactor authentication and single sign-on, and APIs and REST APIs. However, it has a limited English knowledgebase as it is a German tool.

What to look for

If you are embedded in Windows systems but looking for an alternative to AD, you need a similar solution but one that is capable of working in the cloud and on premises.

Aside from protocols and supporting utilities, also consider additional features that can help you retire your Active Directory while maintaining highly secure access control and a strong security posture.

These are just a few examples of the many alternatives available.

Market drivers to modernize your infrastructure

The business is now driving your Active Directory migration

What IT must deal with in the modern world of work:

Leaner footprint for evolving tech trends
Disaster recovery readiness
Dynamic compliance requirements
Increased security needs
The need to future-proof
Mergers and acquisitions
Security extending the network beyond Windows

Organizations are making decisions that impact Active Directory, from enabling work-from-anywhere to dealing with malicious threats such as ransomware. Mergers and acquisitions also bring complexity with multiple AD domains.
The business is putting pressure on IT to become creative with security strategies, alternative authentication and authorization, and migration to SaaS and cloud services.

Activity

Build a checklist to migrate off Active Directory.

Discovery	Assessment	Proof of Concept	Migration	Cloud Operations
☐ Catalog your applications. ☐ Define your users, groups and usage. ☐ Identify network interdependencies and complexity. ☐ Know your security and compliance regulations. ☐ Document your disaster recovery plan and recovery point and time objectives (RPO/RTO).	☐ Build a methodology for migrating apps to IaaS. ☐ Develop a migration team using internal resources and/or outsourcing. ☐ Use Microsoft resources for specific skill sets. ☐ Map on-premises third-party solutions to determine how easily they will migrate. ☐ Create a plan to retire and archive legacy data.	☐ Test your workload: Start small and prove value with a phased approach. ☐ Estimate cloud costs. ☐ Determine the amount and size of your compute and storage requirements. ☐ Understand security requirements and the need for network and security controls. ☐ Assess network performance. ☐ Qualify and test the tools and solutions needed for the migration.	☐ Create a blueprint of your desired cloud environment. ☐ Establish a rollback plan. ☐ Identify tools for automating migration and syncing data. ☐ Understand the implications of the production-day data move.	☐ Keep up with the pace of innovation. ☐ Leverage 24/7 support via skilled Azure resources. ☐ Stay on top of system maintenance and upgrades. ☐ Consider service-level agreement requirements, governance, security, compliance, performance, and uptime.

Discovery

Assessment

Proof of Concept

Migration

Cloud Operations

☐ Catalog your applications.

☐ Define your users, groups and usage.

☐ Identify network interdependencies and complexity.

☐ Know your security and compliance regulations.

☐ Document your disaster recovery plan and recovery point and time objectives (RPO/RTO).

☐ Build a methodology for migrating apps to IaaS.

☐ Develop a migration team using internal resources and/or outsourcing.

☐ Use Microsoft resources for specific skill sets.

☐ Map on-premises third-party solutions to determine how easily they will migrate.

☐ Create a plan to retire and archive legacy data.

☐ Test your workload: Start small and prove value with a phased approach.

☐ Estimate cloud costs.

☐ Determine the amount and size of your compute and storage requirements.

☐ Understand security requirements and the need for network and security controls.

☐ Assess network performance.

☐ Qualify and test the tools and solutions needed for the migration.

☐ Create a blueprint of your desired cloud environment.

☐ Establish a rollback plan.

☐ Identify tools for automating migration and syncing data.

☐ Understand the implications of the production-day data move.

☐ Keep up with the pace of innovation.

☐ Leverage 24/7 support via skilled Azure resources.

☐ Stay on top of system maintenance and upgrades.

☐ Consider service-level agreement requirements, governance, security, compliance, performance, and uptime.

Related Info-Tech Research

Manage the Active Directory in the Service Desk

Build and maintain your Active Directory with good data.
Actively maintaining the Active Directory is a difficult task that only gets more difficult with issues like stale accounts and privilege creep.

SoftwareReviews: Microsoft Azure Active Directory

The Azure Active Directory (Azure AD) enterprise identity service provides SSO and multifactor authentication to help protect your users from 99.9% of cybersecurity attacks

Define Your Cloud Vision

Don’t think about the cloud as an inevitable next step for all workloads. The cloud is merely another tool in the toolbox, ready to be used when appropriate and put away when it’s not needed. Cloud-first isn’t always the way to go.

Bibliography

“2012 Data Breach Investigations Report.” Verizon, 2012. Web.
“2022 Data Breach Investigations Report.” Verizon, 2012. Web.
“22 Best Alternatives to Microsoft Active Directory.” The Geek Page, 16 Feb 2022. Accessed 12 Sept. 2022.
Altieri, Matt. “Infrastructure Technical Debt.” Device 42, 20 May 2019. Accessed Sept 2022.
“Are You Ready to Make the Move from ADFS to Azure AD?’” Steeves and Associates, 29 April 2021. Accessed 28 Sept. 2022.
Blanton, Sean. “Can I Replace Active Directory with Azure AD? No, Here’s Why.” JumpCloud, 9 Mar 2021. Accessed Sept. 2022.
Chai, Wesley, and Alexander S. Gillis. “What is Active Directory and how does it work?” TechTarget, June 2021. Accessed 10 Sept. 2022.
Cogan, Sam. “Azure Active Directory is not Active Directory!” SamCogan.com, Oct 2020. Accessed Sept. 2022.
“Compare Active Directory to Azure Active Directory.” Azure documentation, Microsoft Learn, 18 Aug. 2022. Accessed 12 Sept. 2022.
"Compare self-managed Active Directory Domain Services, Azure Active Directory, and managed Azure Active Directory Domain Services." Azure documentation, Microsoft Learn, 23 Aug. 2022. Accessed Sept. 2022.
“Dimensional Research, Active Directory Modernization: A Survey of IT Professionals.” Quest, 2017. Accessed Sept 2022.
Grillenmeier, Guido. “Now’s the Time to Rethink Active Directory Security.“ Semperis, 4 Aug 2021. Accessed Oct. 2013.
“How does your Active Directory align to today’s business?” Quest Software, 2017, accessed Sept 2022
Lewis, Jack “On-Premises Active Directory: Can I remove it and go full cloud?” Softcat, Dec.2020. Accessed 15 Sept 2022.
Loshin, Peter. “What is Kerberos?” TechTarget, Sept 2021. Accessed Sept 2022.
Mann, Terry. “Why Cybersecurity Must Include Active Directory.” Lepide, 20 Sept. 2021. Accessed Sept. 2022.
Roberts, Travis. “Azure AD without on-prem Windows Active Directory?” 4sysops, 25 Oct. 2021. Accessed Sept. 2022.
“Understanding Active Directory® & its architecture.” ActiveReach, Jan 2022. Accessed Sept. 2022.
“What is Active Directory Migration?” Quest Software Inc, 2022. Accessed Sept 2022.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.

Talk to an Analyst

Our analyst calls are focused on helping our members use the research we produce, and our experts will guide you to successful project completion.

Book an Analyst Call on This Topic

You can start as early as tomorrow morning. Our analysts will explain the process during your first call.

Get Advice From a Subject Matter Expert

Each call will focus on explaining the material and helping you to plan your project, interpret and analyze the results of each project step, and set the direction for your next project step.