True Hybrid Active Directory Management Solutions: The New Standard | A Three-Part Blog Series
Part 1: Understanding Hybrid Active Directory
What is Active Directory and Azure Active Directory?
To truly understand hybrid Active Directory, it’s necessary to quickly review how Active Directory has progressed over the years and the different types. The term Active Directory can be confusing, as over time it has been used to describe relatively similar concepts but in different environments. The landscape of the Microsoft environment has also greatly developed, especially in the past 10 years.
Microsoft Active Directory (AD) has long been the heart of many enterprises, becoming a crucial component in IT infrastructures by managing access (authentication and authorization) for the users, groups and computers within an organization. A Windows Server that holds a copy of the AD database is referred to as a Domain Controller; it is typically one of many Windows Servers on the network, all of which rely on AD to centrally manage access for users, computers, and servers. Think of Active Directory as a database that contains all the information necessary to verify identity (AD authentication), through network logins that provide single sign-on (SSO), and to grant, or deny, access (AD authorization) to the appropriate software or files on a server. To distinguish between the two directories discussed below, most people use the term on-premises AD for the legacy AD and Azure AD for the newer cloud directory.
For decades, on-premises AD worked as described above, and according to Microsoft it was used by 95% of business organizations around the world. In 2010, a paradigm shift occurred when Microsoft released its SaaS cloud platform, Microsoft Azure. This cloud-based system featured Microsoft Azure Active Directory (Azure AD or AzAD) to fill the function of identity and access management. What the industry quickly realized was that Azure AD wasn’t simply a cloud version of its on-premises predecessor; it was something new. Although Azure Active Directory performs some of the same functions, it differs quite substantially in how it operates, making it difficult for both customers and vendors to transition efficiently from on-prem to cloud.
Comparing On-Prem AD to Azure AD
| On-Premises AD | Azure AD |
| --- | --- |
| Lightweight Directory Access Protocol (LDAP) | Representational State Transfer (REST) APIs |
| Kerberos & NTLM | |
| Organizational Units (OUs), Domains, & Forests | Flat Structure of Users & Groups |
| Admins or Data Owners Assign Users to Groups | Admins Organize Users Into Groups |
| No Mobile Device Management | Mobile Device Management |
| Governed by Group Policy (GPOs) | Windows Desktops Can Join Endpoint Management |
| Managed by GPOs or Other On-Prem Server Management System | Uses Domain Services to Manage Servers |

Many companies have identified the need to move to Azure AD, as a traditional on-premises authentication infrastructure doesn’t support the modern, cloud-based environment that is becoming the standard. While the benefits of Azure Active Directory have been well documented and it’s great for managing cloud applications, the problem is that Azure AD doesn’t completely replace AD when it comes to traditional on-premises infrastructures and applications, especially in large companies that have used AD for a long time as their hierarchical source of data. There are several barriers to entry, and when legacy Active Directory architecture is compared to Azure AD, it differs in a few critical ways: Azure AD doesn’t integrate with many on-premises applications, and Azure AD has a flat structure with no Organizational Unit (OU) containers, which were the main way objects were organized in the legacy AD hierarchy.
What is Active Directory Management?
In order to deploy and operate Active Directory properly, organizations often implement Active Directory Management systems. These platforms differ from identity and access management (IAM) platforms in that they target only Active Directory rather than other connected systems. Although Microsoft Active Directory is one of the most powerful tools a network administrator can deploy, it can often be error-prone and time-consuming to maintain. Despite being incredibly powerful and forming a crucial part of an organization’s network infrastructure, the native administration and management tools lack automation, useful delegation, user-friendly interfaces, reporting and auditing features, and security measures, and they require deep knowledge of a complex command-line scripting language like PowerShell to extend operations beyond what is provided.
Full Identity Management systems are often considered complex and expensive, and are seen as carrying a great amount of risk, mostly because of well-publicized failed implementations. Because of this, these systems are out of reach for most organizations. Experts in this field began forming companies specializing in Active Directory management, developing software and systems to better manage an Active Directory-centric IAM model.
These third-party Active Directory Management tools provided convenient solutions to help organizations operate their AD more efficiently, delivering methods to automate and streamline Active Directory without IT administrators having to navigate the complex native tools or devote internal resources to maintaining the scripts necessary for Active Directory to function properly. Over time, Active Directory Management vendors began adding features to their products, giving system architects more security and recovery functionality, typically by requiring the purchase of another product. You will also see some providers who specialize in only one of these areas, such as backup products that don’t include a management tool.
These Active Directory tools became a staple to help many organizations and their IT administrators manage their on-premises Active Directory and were praised for doing so. But with the release of Microsoft Azure AD and Microsoft 365, formerly Office 365, these tools immediately became outdated. Existing AD tools, also known as legacy AD management tools, were built to function with on-premises Active Directory and its legacy architecture, and as such, didn’t have the ability to maintain cloud systems.
The Shift to Hybrid Active Directory (Hybrid AD)
Hybrid Active Directory is a term used to describe a modern approach to identity and access management, where an organization uses both their existing on-premises Active Directory and Azure Active Directory. Hybrid changes everything. While most organizations see cloud solutions as potentially being the standard in the future, the current reality is that only 17% of organizations have transitioned to cloud-only deployments, with more than 50% of businesses working in a hybrid Microsoft environment.
For more about the current status of management and protection in Microsoft environments, from other IT professionals, read our full study.
While there are many things Azure AD and Microsoft 365 can offer, there are several issues that require additional consideration, complex planning, and costly implementation before organizations can transition to cloud-only. With on-premises AD having been embedded deeply into companies’ IT infrastructure for so many years, it’s difficult to untangle and rebuild, especially when Azure AD does not have the same basic functionality as legacy AD. Also, many application vendors may take up to 10 years to make their products fully accessible from a cloud-only directory. Put simply, Hybrid Active Directory environments are the new standard for modern enterprises and will be for the foreseeable future.
The Race to Market “Hybrid”
As enterprises transition a portion of their on-premises Active Directory to cloud-based products like Microsoft 365 and Azure Active Directory (Azure AD), the need for a hybrid solution to bridge the multiple environments has become increasingly important. Managing users, security policies, change monitoring and audits across a mix of domains and tenants, while adhering to increasingly stringent compliance and legal regulations (like SOX, HIPAA, and PCI) both in the cloud and on-premises, can become a massive undertaking for IT administrators, especially with limited budgets.
As we discussed previously, many third-party experts became vendors of Active Directory Management tools. When Azure AD became a reality, some of these providers decided to focus their attention on creating cloud-only tools to capture the anticipated cloud-only market, while others decided to keep their focus on their existing on-premises AD customer base only. As time went on, it became clear that the transition to cloud was going to be a journey, with hybrid being a large part of it, and some tools just aren’t fit to make the journey.
With more than half of the market operating in a hybrid environment, existing Active Directory Management tool providers, also known as legacy AD management vendors, have tried several techniques to bolt components onto their existing software in order to claim “hybrid” and market their products as hybrid capable. When Microsoft introduced Azure AD Connect, a tool released to sync on-premises AD to Azure AD, more legacy AD tool vendors simply added “hybrid” to their sales pitch as if it were a feature of their product, simply because AAD Connect could push to the cloud many of the changes their legacy AD product made. This does not, however, allow for a mix of management, for example resetting on-premises AD user passwords and managing cloud-only security groups or Teams memberships with one delegation model and in one user interface.
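The split the paragraph above describes, where Azure AD Connect masters synced objects on-premises while cloud-only objects must be changed through Azure AD, is easy to see in code. The following PowerShell is an added example, not code from the blog post or from any vendor product; it routes a single group-membership change to whichever directory owns the group and records the decision for audit. It assumes the ActiveDirectory and Microsoft.Graph PowerShell modules are installed, that the session already holds delegated rights in both directories, and that the user, group and domain names are placeholders.

```powershell
# Added example: decide where a hybrid change must be written.
# Assumptions (not from the original post): ActiveDirectory and Microsoft.Graph
# modules are installed; the caller already has the rights needed on-prem and
# the Group.ReadWrite.All / User.Read.All Graph scopes; all names are placeholders.

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Groups
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All' | Out-Null

function Get-DirectoryOwner {
    # Returns 'OnPrem' when Azure AD Connect masters the group (a cloud-side edit
    # would be overwritten by the next sync) and 'Cloud' for a cloud-only group.
    param([Parameter(Mandatory)][string]$GroupDisplayName)

    $group = Get-MgGroup -Filter "displayName eq '$GroupDisplayName'" `
        -Property 'Id', 'DisplayName', 'OnPremisesSyncEnabled', 'OnPremisesSamAccountName'
    if (-not $group) { throw "Group '$GroupDisplayName' not found in Azure AD" }

    [pscustomobject]@{
        Group = $group
        Owner = if ($group.OnPremisesSyncEnabled -eq $true) { 'OnPrem' } else { 'Cloud' }
    }
}

function Add-HybridGroupMember {
    # Adds one user to one group, writing to the directory that owns the group
    # and returning an audit record of what was done and where.
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        [Parameter(Mandatory)][string]$GroupDisplayName
    )

    $target = Get-DirectoryOwner -GroupDisplayName $GroupDisplayName

    if ($target.Owner -eq 'OnPrem') {
        # Synced group: the authoritative copy lives in on-premises AD.
        $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'"
        if (-not $adUser) { throw "User '$UserPrincipalName' not found in on-premises AD" }
        Add-ADGroupMember -Identity $target.Group.OnPremisesSamAccountName -Members $adUser
    }
    else {
        # Cloud-only group: it has no on-prem object, so the change goes through Graph.
        $mgUser = Get-MgUser -UserId $UserPrincipalName -Property 'Id'
        New-MgGroupMember -GroupId $target.Group.Id -DirectoryObjectId $mgUser.Id
    }

    [pscustomobject]@{
        Timestamp = (Get-Date).ToUniversalTime().ToString('o')
        Actor     = $env:USERNAME
        User      = $UserPrincipalName
        Group     = $GroupDisplayName
        WrittenTo = $target.Owner
    }
}

# Placeholder names; in a real tenant both directories would be consulted.
$auditRecord = Add-HybridGroupMember -UserPrincipalName 'jane.doe@contoso.example' `
    -GroupDisplayName 'Finance Reviewers'
$auditRecord | Export-Csv -Path '.\hybrid-membership-audit.csv' -Append -NoTypeInformation
```

The point of the example is the branch on OnPremisesSyncEnabled: an administrator with only cloud rights cannot complete the first branch, and one with only on-prem rights cannot complete the second, which is exactly the single-delegation-model gap the paragraph describes. A real management tool would also need the same routing for password resets and Teams membership.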
You’ll find that many of the traditional on-premises Active Directory Management vendors have separate on-premises-only and cloud-only products. Unfortunately, this can lead to issues, as organizations have to purchase and manage multiple solutions and sometimes must add PowerShell scripting in order to fulfill the “hybrid” component. Deploying these can often be complicated and time-consuming to configure.
Although these legacy AD tools provided many great solutions for on-premises Active Directory, in today’s ever-evolving, modern environments these tools aren’t ideal. In most scenarios, they add costs and increase the burden placed on IT departments in order to continue using multiple legacy tools. Since “hybrid” claims have become such a popular marketing method, how do you know if a provider is actually hybrid and can progress with you on your journey to the cloud? In the next part of this blog series, we will discuss ways to identify whether you’ve outgrown your current Active Directory Management provider and it may be time to consider one built purposely for hybrid environments.