AWS Managed Microsoft Active Directory and One Identity Active Roles

Active Directory (AD) is the most widely deployed identity platform in the world. Like many companies already running AD on-premises, you may now be considering extending your identity environment to the cloud to create a hybrid landscape. There are many reasons for this: resource constraints, a change in strategy, a merger or acquisition, or something else. Whatever the reason for moving to the cloud, there are considerations that will streamline the process and help you achieve a more successful, beneficial outcome.

On August 29, 2024, AWS Directory Service announced the availability of AWS Managed Microsoft AD with Active Roles - a solution that helps you simplify AD security and management, particularly when extending your identity environment to the cloud or reducing identity sprawl to protect your cloud identity ecosystem.

This blog post covers the value that AWS Managed AD with Active Roles provides, the risks it mitigates or eliminates, and the efficiencies it brings:

  • Consolidate all AD domains and Entra ID tenants onto a single console without having to create trusts. In addition, synchronize identities from one system to another, increasing your visibility and control while reducing identity sprawl.
  • Streamline AD and Entra ID security and management through the consolidation of identity management onto a single console, creating an efficient pathway to hybrid and cloud identity deployment.
  • Reduce your attack surface by decreasing standing privilege and consolidating or minimizing the number of identities to manage, thereby lessening your risk of cyberattack.

View and manage all domains and tenants from a single console

AWS Managed AD enables you to create and manage new domains whenever you need them, whether for organic growth, acquisitions or divestitures. Separate domains are often necessary, but every additional domain is an administrative burden: your team has to manage each one through its own console, which strains both people and resources.

With the addition of Active Roles to an AWS Managed AD instance you can manage all of your Entra ID tenants and AD domains from a single console.

This consolidation is a significant efficiency gain. It also lets you view and manage all the identities across your environment and apply and enforce policies consistently across domains and tenants. Managing your identity environment from a single pane of glass gives your administrators one place to answer who has access to which resources. Active Roles also provides automated workflows to apply and enforce policies consistently across the organization.

Aggregate identities and migrate from AD to Managed AD

You may have multiple AD domains, all of which you want to move to AWS Managed Microsoft AD. This process is typically complex, as it requires you to create trusts between the domains. Adding to the complexity, the same person or object may exist as several identities whose names differ from domain to domain (a different sAMAccountName or UPN suffix in each), which makes synchronization a challenge at best.

AWS Managed Microsoft AD with Active Roles simplifies this complex AD migration process. In this scenario, you would use a shared Active Roles account to synchronize your existing users and groups from multiple domains onto a single AWS Managed Microsoft AD instance. And you can accomplish this without having to create trusts.

Permission Management and Single Pane of Glass

AD trusts are a burdensome additional step in the traditional AD migration process. A trust requires direct network and DNS connectivity between the domains, and it cannot be created between domains that share a DNS or NetBIOS name.

When you use Active Roles, your domains do not need to be directly connected, and names can be similar or overlap without issue. Active Roles connects your domains and synchronizes your users, objects and attributes between them. Not only does this simplify the process, but it also reduces identity sprawl, thereby reducing your attack surface.
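Before consolidating several domains onto one target, the duplicate and colliding identities described in the two sections above are worth finding in advance, because a flat target domain can hold each sAMAccountName only once. The following is an added example, not code from the original post, from One Identity or from AWS: a PowerShell audit run over per-domain user exports that flags names used in more than one source domain and decides, from a shared anchor attribute, whether each collision is one person with two accounts (merge) or two unrelated accounts sharing a name (rename). The exports are constructed sample data, and the domain names, the choice of employeeID and mail as anchors, and the verdict rules are assumptions; the commented Get-ADUser line shows how the same objects would be built from live domains.

```powershell
# Added example (not code from the original post, One Identity or AWS): a
# pre-consolidation audit for identity collisions that a trust cannot resolve.
# $exports is constructed sample data. Against live domains you would build
# the same objects per domain, for example (assumed server and NetBIOS name):
#   Get-ADUser -Server dc01.corp.example.com -Filter * -Properties mail,employeeID |
#     Select-Object @{n='Domain';e={'CORP'}}, SamAccountName, UserPrincipalName, mail, employeeID

$exports = @(
    [pscustomobject]@{ Domain='CORP';   SamAccountName='jdoe';       UserPrincipalName='jdoe@corp.example.com';      mail='john.doe@example.com';  employeeID='1001' }
    [pscustomobject]@{ Domain='CORP';   SamAccountName='asmith';     UserPrincipalName='asmith@corp.example.com';    mail='ann.smith@example.com'; employeeID='1002' }
    # Same person as CORP\jdoe (same employeeID): a second account from an acquisition
    [pscustomobject]@{ Domain='ACQ';    SamAccountName='jdoe';       UserPrincipalName='john.doe@acq.example.net';   mail='john.doe@example.com';  employeeID='1001' }
    # Same person as CORP\asmith, but under a different sAMAccountName
    [pscustomobject]@{ Domain='ACQ';    SamAccountName='ann.smith';  UserPrincipalName='ann.smith@acq.example.net';  mail='ann.smith@example.com'; employeeID='1002' }
    # Two unrelated service accounts that happen to share a name
    [pscustomobject]@{ Domain='ACQ';    SamAccountName='svc-backup'; UserPrincipalName='svc-backup@acq.example.net'; mail=$null; employeeID=$null }
    [pscustomobject]@{ Domain='DEVLAB'; SamAccountName='svc-backup'; UserPrincipalName='svc-backup@devlab.local';    mail=$null; employeeID=$null }
)

function Find-IdentityCollisions {
    [CmdletBinding()]
    param([Parameter(Mandatory)][object[]]$Users)

    # Case 1: one sAMAccountName used in several source domains. The target
    # domain can hold it once, so each group is either merged or renamed.
    foreach ($g in ($Users | Group-Object SamAccountName | Where-Object Count -gt 1)) {
        # employeeID, falling back to mail, is the anchor that says "same person".
        $anchors = @($g.Group | ForEach-Object {
            if ($_.employeeID) { $_.employeeID } elseif ($_.mail) { $_.mail }
        } | Sort-Object -Unique)
        if ($anchors.Count -eq 1) { $verdict = 'MERGE: one person, two accounts' }
        else                      { $verdict = 'RENAME: distinct accounts share a name' }
        [pscustomobject]@{
            Key     = $g.Name
            Kind    = 'sAMAccountName'
            Domains = ($g.Group.Domain | Sort-Object -Unique) -join ','
            Verdict = $verdict
        }
    }

    # Case 2: one person (same anchor) holding differently named accounts in
    # several domains. Synchronising them as-is creates two users for one identity.
    $byAnchor = $Users | Where-Object { $_.employeeID -or $_.mail } |
        Group-Object { if ($_.employeeID) { $_.employeeID } else { $_.mail } } |
        Where-Object { $_.Count -gt 1 -and @($_.Group.SamAccountName | Sort-Object -Unique).Count -gt 1 }
    foreach ($g in $byAnchor) {
        [pscustomobject]@{
            Key     = $g.Name
            Kind    = 'employeeID/mail'
            Domains = ($g.Group.Domain | Sort-Object -Unique) -join ','
            Verdict = 'MERGE: same person under different names (' + ($g.Group.SamAccountName -join ', ') + ')'
        }
    }
}

# On the constructed data this reports jdoe (CORP,ACQ) as MERGE, svc-backup
# (ACQ,DEVLAB) as RENAME, and employeeID 1002 (asmith / ann.smith) as MERGE.
Find-IdentityCollisions -Users $exports | Format-Table -AutoSize
```

The two checks are deliberately separate: a name collision with no shared anchor is the case a trust or a naive synchronization silently mishandles (the second account overwrites or shadows the first), while a person with two differently named accounts is the identity sprawl the post describes, and both have to be resolved in the source data before any synchronization is configured. Accounts with neither employeeID nor mail cannot be matched at all and fall into the rename bucket, which is the safe default.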

In addition, AWS Managed Microsoft AD with Active Roles provides automation to streamline your workflows, helping you deploy and enforce policies consistently across your domains to increase security while reducing the risk of human error.

Synchronize disconnected domains

Your non-production environments, such as QA, sandboxes and development environments, are likely intentionally distinct: disconnected from production so that errors or issues cannot carry over into it. Authenticating across these isolated domains is not a simple task. Your options are either to grant permissions directly in each isolated domain or to create duplicate directories, and the latter is more than a headache. Duplicate directories are expensive, they add redundant infrastructure and duplicate identities, and they raise management costs while contributing to the identity and privilege sprawl that expands an organization's attack surface.

AWS Managed Microsoft AD enables you to quickly create new domains while providing the necessary monitoring and management. However, without synchronization and identity lifecycle management, you will face the challenges and risks explained above. Adding Active Roles to the equation provides directory synchronization and identity lifecycle management without requiring you to create trusts or to directly connect disparate domains that are otherwise isolated.

These synchronization capabilities improve multiple scenarios beyond simply connecting your disconnected domains. Consider the challenges of adding partner and supplier domains with objects and identities that are potentially connected to a single corporate ERP, CRM and other Line-of-Business (LOB) applications. The synchronization capabilities of AWS Managed AD with Active Roles can help you safely connect and sync identities, streamline your workflows, and protect your environment. Mergers, acquisitions and other corporate initiatives may also result in the need for identity and domain synchronization between systems, which Active Roles can provide.

In summary, AWS Managed AD with One Identity Active Roles provides synchronization, automation, visibility and consolidation that help you reduce the risk of identity sprawl, synchronize identities across AD domains and streamline your identity security and management efforts. This combined solution is the latest innovation formed through the One Identity partnership with AWS.

To find out more about how AWS Managed AD with Active Roles can help your organization streamline identity security and management, or to implement it in your environment, visit the Active Roles page on the AWS Marketplace.
