Mastering Active Directory, Third Edition

By: Dishan Francis
Overview of this book

Mastering Active Directory, Third Edition is a comprehensive guide for Information Technology professionals looking to improve their knowledge about MS Windows Active Directory Domain Service. The book will help you to use identity elements effectively and manage your organization’s infrastructure in a secure and efficient way. This third edition has been fully updated to reflect the importance of cloud-based strong authentication and other tactics to protect identity infrastructure from emerging security threats. Mastering Active Directory, Third Edition provides extensive coverage of AD Domain Services and helps you explore their capabilities as you update to Windows Server 2022. This book will also teach you how to extend on-premises identity presence to cloud via Azure AD hybrid setup. By the end of this Microsoft Active Directory book, you’ll feel confident in your ability to design, plan, deploy, protect, and troubleshoot your enterprise identity infrastructure.

Hybrid Identity and Active Directory Domain Services

Active Directory Domain Services was first introduced to the world with Windows Server 2000. For more than 21 years, AD DS has helped organizations to manage digital identities.

However, modern access management requirements are complicated. Businesses are using more and more cloud services now. The majority of the workforce is still working from home and accessing sensitive corporate data via unsecured networks. Most software vendors are moving to the Software as a Service (SaaS) model. Cybercrimes are skyrocketing and identity protection is at stake. To address these requirements, we need to go beyond legacy access management. Azure Active Directory is a cloud-based, managed, Identity as a Service (IDaaS) provider that can provide world-class security, strong authentication, and seamless collaboration. Azure Active Directory can extend on-prem identities to the cloud and provides a unified authentication and authorization platform for all resources, regardless of location. This is called hybrid identity.

Azure Active Directory is often referred to as a cloud version of AD DS, but this is completely wrong. It is like comparing an iPhone with a Samsung phone. Both can be used to make calls, take pictures, watch videos, and so on. Some apps are also available for both types of devices. But you can't replace one with the other, as each has its uniqueness. The same goes for AD DS and Azure Active Directory. They have their similarities as well as differences. Let's go ahead and compare both products based on different focus areas:

| Focus Area | Active Directory Domain Service | Azure Active Directory |
|---|---|---|
| User Provision | User accounts can be created manually, or a third-party AD management and automation solution such as Adaxes can be used to automate the user provisioning process. | We can sync user accounts from on-prem Active Directory by using Azure AD Connect. We can also create cloud-only users manually or use SaaS applications with SCIM to create users automatically. |
| Group Membership | Administrators have to manage group memberships manually or use PowerShell scripts or a third-party tool like Adaxes to manage memberships automatically. | Supports dynamic group membership. |
| Privileged Access Management | Active Directory doesn't natively support Privileged Access Management. We have to use a solution such as Microsoft Identity Manager or Adaxes to manage privileged access (sensitive group memberships, workflows). | Azure AD Privileged Identity Management (PIM) can be used to provide just-in-time, workflow-based access to privileged roles. |
| Identity Governance | Active Directory doesn't natively support identity governance. We have to use PowerShell scripts or third-party solutions to review permissions, group memberships, and access behaviors. | Azure Active Directory Identity Governance can be used to make sure that the right people have the right access to the right resources at the right time. |
| Advanced Authentication | Active Directory doesn't have MFA or password-less authentication built in. We can integrate Azure MFA or another third-party MFA solution with Active Directory. We can enable password-less authentication using Windows Hello for Business (in a hybrid setup). | Azure MFA is free for Azure AD and can be used to improve security with a few clicks. Azure AD also supports password-less authentication based on FIDO2 standards. |
| Evaluate Access Risks | Active Directory doesn't have the capabilities to evaluate access risks based on user location, sign-in behaviour, user account risks, and so on. | Azure AD Conditional Access can evaluate user risks based on many policy settings and allow or deny access. |
| SaaS Application Integration | Active Directory can integrate SaaS applications by using Active Directory Federation Service (AD FS). | Azure AD supports direct integration with SaaS applications that support OAuth2, SAML, and WS-* authentication. |
| Legacy Apps | Active Directory supports app integration based on LDAP or Windows-integrated authentication. | Azure Active Directory can provide a modern authentication experience to on-prem legacy apps by using the Azure AD Application Proxy. |
| External Identities | Active Directory uses federation trusts, forest trusts, and domain trusts to collaborate with external identities. This comes with management overhead and security risks. | Azure AD B2B simplifies integration with external identities. It doesn't require infrastructure-level changes. |
| Windows Device Management | Group Policy allows you to manage Windows device state at a very granular level. We can introduce standards easily to incorporate devices without additional tools or services. | Azure AD joined endpoints can be managed by using Microsoft Endpoint Manager. |
| Mobile Device Management | Active Directory doesn't natively support mobile device management. We require third-party tools to do that. | Microsoft Endpoint Manager, integrated with Azure AD, can manage mobile devices. |

As we can see in the above comparison, we can't simply replace one solution with another. But hybrid identity with Azure AD allows organizations to revamp traditional identity management and prepare themselves for the cloud era. So, the biggest question is: what does the future hold for Active Directory Domain Service on this journey?

For most companies, the cloud journey starts with SaaS applications. On the majority of occasions, it is Office 365. And not only Microsoft; in general, most software vendors are transforming their services into the SaaS model. SaaS applications support different types of authentication. If an organization is looking for a single sign-on experience, we have two options. We can set up Active Directory Federation Service (AD FS) and configure SAML-based authentication to provide SSO. However, this comes with additional costs and administrative overheads. Instead of that, we can simply sync on-prem identities to Azure Active Directory and integrate a SaaS application with Azure Active Directory for authentication. This method gives us a few advantages:

  • Fewer Changes – We do not need to make many changes in an existing on-premises environment to enable cloud-based authentication. It only requires lightweight agents, simple firewall rules, and a reliable internet connection.
  • Advanced Authentication – Azure Active Directory supports modern authentication standards such as OAuth2, SAML, and WS-*.
  • Advanced Identity Protection – Azure Active Directory is enriched with features and services that you can use to protect identities. Azure MFA, password-less authentication, Azure PIM, Azure Identity Governance, and Conditional Access are some examples. To start using these features and services, we do not need to make drastic changes to the existing environment. We can start by protecting identities in the cloud and then slowly extend that protection to on-prem as required.

As we can see, this doesn't mean we need to get rid of on-prem Active Directory to use Azure Active Directory and its features. Both can work side by side to provide a unified access experience to users. Active Directory has been the top choice in the industry for the last 21 years and is the most widely used directory service. Moving everything to the cloud has its benefits, but it is neither practical nor as easy as it sounds. We may have regulations with which we have to comply. We may have legacy business applications that can't shift to cloud services. We may have skills and security gaps that make it hard to embrace cloud technologies. Therefore, hybrid identity will not be a short-term solution for most businesses. Most businesses prefer hybrid identity over the cloud-only method because of the flexibility.

In the Nobelium attack, cyber criminals moved laterally after the initial security breach and gained control of Active Directory Federation Services (AD FS). This allowed the attackers to forge SAML tokens and gain access to cloud services. Security is one of the key focus areas for public cloud services. There are various services and features available for customers to choose from to protect identities and data in the cloud. There has been an increase in public cloud attacks recently, but the success rate is still relatively low compared to on-prem attacks. The Nobelium attack confirms that cyber criminals are now targeting on-prem services to gain access to cloud services. Identity protection is a shared responsibility between cloud service providers (CSPs) and cloud customers. Therefore, it is the customer's responsibility to protect on-prem identities from attacks. Even if there is an attack, lateral movement needs to be prevented to protect cloud services. According to the Oracle and KPMG Cloud Threat Report 2020 (https://bit.ly/3BUNAj6), 92% of respondents had a cloud security readiness gap. It shows we can't protect the cloud if we can't protect the on-prem environment.

In hybrid identity, Active Directory Domain Service is responsible for managing and protecting on-prem identities. There are many things we can do to protect on-prem identities from sophisticated attacks similar to Nobelium. We can prevent lateral movement by introducing the Active Directory tier model. We can use group policies to standardize the device and user state. We can introduce Microsoft LAPS to protect local administrator accounts. We can restrict the use of privileged accounts to privileged access workstations (PAWs). If we are in a hybrid environment, we can further use cloud-based solutions such as Microsoft Defender for Identity, Microsoft Defender for Endpoint, and Azure Sentinel to identify potential security risks in the environment and address them proactively.
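Two of the controls above, the tier model and LAPS, are only as good as the ongoing checks behind them: Tier 0 group membership drifts, and a computer that LAPS has never touched still has a shared local administrator password. The following PowerShell script is an added example written for this chapter; it is not code from the book or from Microsoft. It assumes the RSAT ActiveDirectory module, read access to the domain, legacy Microsoft LAPS (which stores the password expiry in the ms-Mcs-AdmPwdExpirationTime attribute; Windows LAPS uses different attributes), and an allowlist of approved Tier 0 accounts that you would replace with your own. The group names are the built-in Tier 0 groups; the allowlist entries are constructed placeholders.

```powershell
# Added example (not from the book): audit Tier 0 group membership against an
# approved list and report computers that legacy LAPS has never managed.
Import-Module ActiveDirectory

# Constructed allowlist - replace with the accounts your tier model actually approves.
$ApprovedTier0 = @('CONTOSO\Administrator', 'CONTOSO\t0-admin-alice')

# Built-in groups that grant Tier 0 control of the forest or domain.
$Tier0Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators')

function Get-Tier0Findings {
    param([string[]]$Groups, [string[]]$Approved)
    $domain = (Get-ADDomain).NetBIOSName
    foreach ($g in $Groups) {
        # -Recursive expands nested groups, so an indirect path into Tier 0 is reported too.
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object {
                $u = Get-ADUser -Identity $_.distinguishedName -Properties PasswordLastSet, LastLogonDate
                $name = "$domain\$($u.SamAccountName)"
                [pscustomobject]@{
                    Group       = $g
                    Account     = $name
                    Approved    = ($Approved -contains $name)
                    Enabled     = $u.Enabled
                    # Days since the password was last changed; stale Tier 0 credentials are a risk.
                    PasswordAge = if ($u.PasswordLastSet) { (New-TimeSpan -Start $u.PasswordLastSet).Days } else { $null }
                    LastLogon   = $u.LastLogonDate
                }
            }
    }
}

function Get-LapsCoverage {
    # A Windows computer without ms-Mcs-AdmPwdExpirationTime has never had its local
    # administrator password rotated by legacy LAPS (assumption: legacy LAPS is deployed).
    $computers = Get-ADComputer -Filter "OperatingSystem -like '*Windows*'" `
        -Properties 'ms-Mcs-AdmPwdExpirationTime', OperatingSystem
    foreach ($c in $computers) {
        $exp = $c.'ms-Mcs-AdmPwdExpirationTime'
        [pscustomobject]@{
            Computer        = $c.Name
            OS              = $c.OperatingSystem
            LapsManaged     = [bool]$exp
            # The attribute is a FILETIME large integer; convert it for the report.
            PasswordExpires = if ($exp) { [DateTime]::FromFileTime([int64]$exp) } else { $null }
        }
    }
}

# Report only the exceptions: unapproved Tier 0 members and unmanaged computers.
Write-Host '== Tier 0 members not on the approved list =='
Get-Tier0Findings -Groups $Tier0Groups -Approved $ApprovedTier0 |
    Where-Object { -not $_.Approved } |
    Format-Table Group, Account, Enabled, PasswordAge, LastLogon -AutoSize

Write-Host '== Windows computers without a LAPS-managed local administrator password =='
Get-LapsCoverage |
    Where-Object { -not $_.LapsManaged } |
    Format-Table Computer, OS -AutoSize
```

Run it from a PAW on a schedule and compare the two exception lists against the previous run; a new name in the first list, or a machine that silently dropped out of LAPS coverage, is exactly the kind of change that precedes lateral movement into Tier 0.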

As we can see, in hybrid identity we can't take our eyes off on-prem Active Directory by assuming that extending identities to the cloud will take care of identity protection. Later in this book, we will further explore the things we can do to protect identities. Before that, let's go ahead and look into some fundamentals of Active Directory.