What’s all this talk about Active Directory being obsolete?
You may have heard rumblings that Microsoft Active Directory – lovingly acronymed as ‘AD’ – is “becoming obsolete and should be replaced”. You may have also heard that “you should reduce your on-prem AD footprint” or that “Azure AD is not as capable as Microsoft claims.” Hmmm, interesting.
Let’s start with the value that AD brings to the table. It enables access to many systems critical to companies – the network, Exchange, printers, file shares, line-of-business applications to name a few. And no other single solution covers the breadth of platforms that AD does. With that in mind, let’s take a fresh look at the current state of AD.
If I were to start a business today, I would consider skipping an on-premises AD deployment. Instead, I would explore the possibility of using the functionality of Azure AD and Office 365 for everything from authentication and collaboration to intellectual property (IP) storage and, of course, email. I would supply company-owned devices that operate everywhere. I would use Azure AD and Office 365, and manage them the ideal way: users would be provisioned, reprovisioned and deprovisioned by automated processes, and their access would be granted automagically based on established policies. In this scenario, there’s no place for an on-prem AD deployment, and for the majority of use cases it’s unnecessary.
But most organizations do not have the luxury of such a clean start. They grew up with AD and they can’t easily execute a clean break. Abandoning their investments in on-prem Microsoft services would be a huge, and expensive, disruption, which in turn makes AD a de facto requirement.
Here’s the thing: AD is not broken. Most on-prem deployments are highly functional, well-tuned systems that ensure accurate access controls for a variety of systems. And if some deployments are in less-than-ideal shape, the obvious answer is to fix the issues. The other option is to throw the whole AD-infrastructure baby out with the on-prem-identity-management bathwater, thus undertaking an arduous journey of starting from scratch with a different and unproven environment.
So does on-prem AD stop organizations from embracing new technologies? Not at all. Many organizations have migrated to the cloud and operate in a hybrid mode. They connect on-prem AD to a cloud provider, with AD still very much the central directory. Virtually all business solutions support AD, which means it’s not hindering any digitalization projects. And these organizations find great value in centralizing management of both on-prem AD and AAD/O365 under a single platform: One Identity Active Roles.
One huge advantage of using AD is that the expertise to build, manage and operate AD is readily available. This translates into a large, existing talent pool of AAD/O365-management knowledge that can be tapped as organizations adopt those technologies, too.
Is AD forever?
I do see a point where on-prem AD will start to fade through attrition. The SSO advantages in a federated world are immense and provide added layers of security beyond anything on-prem AD can provide. Even VPNs will become less relevant as more corporate resources are delivered from the cloud and SaaS, so eventually on-prem AD deployments will dwindle.
But for now, the question is not whether and how one should replace AD with something else. The real questions are how to optimize existing AD and AAD deployments, and how to make the most of your investment while continuing your digital transformation.