Microsoft Active Directory has been commercially available for more than 20 years. As noted in Image 1 below, the core appeal of the product is being an effective platform for authentication and providing policies at enterprise scale. However, the core premise of Microsoft Active Directory in providing effective services, is for end users to be onsite. During the time of Covid-19 with more companies shifting to a hybrid work model, Microsoft Active Directory is becoming problematic to end users.
The cornerstone of this issue is the companies relying on VPN access. Most company VPNs operate on the following assumptions:
- The user logs in with cached credentials
- The user periodically establishes a VPN (perhaps in resetting a password)
- Policies are not effectively pushed to the end machine.
Because VPN usage traditionally diminishes the capability of MicrosoftActive Directory, some companies might weigh the options of shifting away from Microsoft Active Directory for the reasons highlighted in Image 2 below.
For customers who are Microsoft centric and are already using Office 365, an option for consideration would be shifting to Azure AD as an identity provider (IdP). From a feature perspective (shown in Image 3), we can see that there is parity in the experience from on premise AD. It should be stressed that Azure AD is global, and as noted in 2020 by Gartner, a “Leader” in Gartner Magic Quadrant for Access Management.
While Azure AD might be a great consideration for those looking to shift away from Microsoft Active Directory, the key roadblocks noted in image 4 should be discussed in more detail.
- Companies might not be able to move all the window’s devices to Azure AD. First the smaller the company, the smaller the friction for the move. Additionally at the time of this blog article, Microsoft only supports Azure AD authentication for servers hosted in Azure. Companies accessing the risk and their current pain points (such as VPN usage) may decide to focus on workstations at this juncture.
- Microsoft has not announced a formalized road map on how to get workstations to Azure AD in bulk. Additionally, there is no commercial tool out which is the equivalent of mature Microsoft Active Directory migration tool, where machines can be migrated and monitored from a single pane of glass. Once again, the size of the company comes into play. Smaller companies will opt for a manual process to “pull the band aid off.”
- Lastly, Intune licenses (now Endpoint management licenses) are needed. This would be an additional cost for many clients.
In summary, Microsoft Active Directory has been tested in recent years due to Covid-19. Companies who are shifting to a remote work force might consider the pros and cons of at least shifting the end user workstations to Azure AD joined to alleviate some authentication and policy pain points. However, in the absence of direct guidance from Microsoft, this can be a considerable challenge in planning and execution. If you are interested to see how Rutter can help, please contact our sales team today.