New Zealand | Removing Active Directory? Here's What to Consider First

Aaron Parker - 08.03.2024

As organisations move legacy applications to cloud-based apps, they look to simplify on-premises workloads to reduce cost.

Active Directory (AD) is one of the services organisations think of removing, because its retirement is expected to reduce attack surface as well as the costs of licensing, compute and storage, and operations. By moving user identities to Entra ID, you hand authentication services and their availability over to Microsoft, using the Microsoft 365 licensing for which you are already paying.

However, there are plenty of reasons to keep AD around, even if you have moved all your applications to the cloud.

Factors to consider before removing Active Directory

Here is a non-exhaustive list of things to consider before deciding if retiring Active Directory will benefit your organisation. Keep in mind that this list is changing rapidly as Microsoft makes improvements to Entra ID. Additionally, you should apply these considerations to your current and future plans for your IT infrastructure.

Area: Applications
If applications use Active Directory to authenticate users or computers (i.e., Kerberos or NTLM), they need user accounts in AD and computers that are part of the domain. This also applies to applications hosted in trusted forests or domains.

Area: Windows Server
Windows Server does not support Entra join. Although Windows Server can be configured to enable sign-in via Entra ID (i.e. servers hosted in Azure or managed with Azure Arc), Entra ID cannot be used as a method to remotely authenticate to Windows Server.

Area: Password Policies
Entra ID does not have a single centralised password policy control like Active Directory; password policies are configured per user. This article explaining password policy restrictions in Microsoft Entra ID is a helpful guide on this area.

Area: Entra Domain Services
Entra Domain Services is not an equivalent replacement for AD. Entra Domain Services is intended for back-end application services and is not a replacement for management or authentication for users or devices. It is also not suitable for VDI because it does not provide single sign-on to Entra ID authenticated applications from within a virtual desktop.

If you have LDAP requirements (which client applications do not typically have), then Entra Domain Services could be a suitable replacement for AD.

Area: Active Directory Certificate Services (ADCS)
An Enterprise CA must be joined to AD. Customers using ADCS may need to consider an alternative certificate services solution such as Microsoft Cloud PKI and reconfigure authentication mechanisms before moving off ADCS.

It is important to understand what Microsoft Cloud PKI offers in its initial release. Use cases are restricted to device certificates for use in 802.1x or VPN authentication.

Closely related to certificate authentication is RADIUS. Entra ID does not provide RADIUS capabilities, which are typically deployed with Network Policy Server.

Third-party solutions for PKI and RADIUS that integrate with Entra ID have existed for a while, and they can be used to replace on-premises workloads. However, they do require additional licensing.

Area: Configuration Manager
Even as you move to Entra join for corporate Windows PCs, there are good reasons to use co-management for Windows devices with Configuration Manager and Microsoft Intune, including Microsoft Connected Cache, advanced hardware and software inventory and OS deployment task sequences. While AD is not strictly required for user identities in this scenario, Configuration Manager still does require Active Directory.

Area: Azure Files
File shares hosted on Azure storage accounts require hybrid identities, even if the storage account is joined to Entra ID. Refer to these supported authentication scenarios. The most common scenario here will be user profiles (FSLogix Containers or Citrix Profile Management) hosted on a storage account.

You can use storage account access keys to enable an AVD session host to access a storage account and store FSLogix Containers, but this is strongly discouraged because it is not supported and there is no guarantee that the key can be protected.

Area: Virtual Desktops
The best identity and management solution for multi-session and non-persistent virtual desktop environments is still Active Directory join and Group Policy. These desktops need to ensure that policy configurations are applied consistently for computer and user environment management. Microsoft Intune is not yet a complete replacement for Group Policy: Windows Server enrolment is not supported, and there are limitations for Windows multi-session desktops. Check out Windows 10 or Windows 11 Enterprise multi-session remote desktops for more information on this topic.

Personal or persistent desktops can work with Entra join and Intune enrolment because they can be managed and behave just like a physical device.

Privileged Access Workstations using Windows 10/11 multi-session with Entra join and Intune do work, as long as you account for the supported constraints.

Area: Citrix DaaS
While Entra join is supported for VDAs in some scenarios, Citrix DaaS and CVAD require Active Directory for specific services to operate, including SQL Server, Citrix Federated Authentication Service, Provisioning Services, StoreFront and Delivery Controllers.

What to do if you can’t remove Active Directory yet

If you have determined that you cannot move away from Active Directory just yet, what options are available to reduce (but not eliminate) the overhead in managing AD? Here are key steps to take: 

  • Migrate file shares to OneDrive for Business or SharePoint Online, and retire Windows file servers for general unstructured data where possible 
  • Migrate from Windows print servers to Microsoft Universal Print or third-party print management solutions, and retire Windows print servers 
  • Migrate corporate Windows PCs to Entra join with Microsoft Intune management (including co-management if you still have Configuration Manager). Entra joined Windows PCs can still authenticate to AD joined resources that use Kerberos and NTLM 
  • Centralise legacy applications with virtual desktop infrastructure. VDI can deliver remote desktops and individual applications from AD joined virtual machines to ensure those legacy apps can work as intended 
  • If Active Directory Certificate Services is needed, enable secure access for certificate enrolment with the Certificate Connector for Microsoft Intune and Microsoft Entra application proxy 
  • Ensure domain controllers are running only the domain controller and DNS server roles. You could also migrate DHCP services from Windows Servers to dedicated network devices. This will simplify domain controller updates, management and recovery 
  • Keep domain controllers current. The domain controller role is the most critical role within AD, so staying current with OS versions and updates is important for keeping Active Directory and your infrastructure secure 
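The last two steps (domain controllers carrying only the AD DS and DNS roles, and staying current on OS version) are easy to audit. The following script is an added example and is not code from the original article; it assumes the ActiveDirectory RSAT module is installed and that the running account can query each domain controller over WinRM.

```powershell
# Added example (not from the original article): report every domain controller's
# OS version and any Windows roles installed beyond AD DS and DNS, so overloaded
# or out-of-support DCs stand out. Assumes the ActiveDirectory module is present
# locally and WinRM access to each DC.
Import-Module ActiveDirectory

# Roles a domain controller is expected to carry. FileAndStorage-Services is
# installed on every Windows Server by default, so it is not treated as extra.
# Adjust to your own baseline (e.g. add 'DHCP' if you have not yet moved it off).
$ExpectedRoles = @('AD-Domain-Services', 'DNS', 'FileAndStorage-Services')

$Report = foreach ($DC in Get-ADDomainController -Filter *) {
    $Installed  = @()
    $QueryError = $null
    try {
        # Only top-level roles are listed; role services and features are ignored.
        $Installed = Invoke-Command -ComputerName $DC.HostName -ErrorAction Stop -ScriptBlock {
            Get-WindowsFeature |
                Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' } |
                Select-Object -ExpandProperty Name
        }
    } catch {
        # An unreachable DC is still listed so it is not silently skipped.
        $QueryError = $_.Exception.Message
    }

    $Extra = @($Installed | Where-Object { $ExpectedRoles -notcontains $_ })

    [pscustomobject]@{
        DomainController = $DC.HostName
        Site             = $DC.Site
        OperatingSystem  = $DC.OperatingSystem
        OSVersion        = $DC.OperatingSystemVersion
        # Windows Server 2012 R2 and earlier are out of extended support.
        OutOfSupportOS   = ($DC.OperatingSystem -match '2003|2008|2012')
        ExtraRoles       = ($Extra -join ', ')
        QueryError       = $QueryError
    }
}

# DCs carrying extra roles or an out-of-support OS are the cleanup candidates.
$Report |
    Sort-Object -Property @{ Expression = { $_.ExtraRoles.Length }; Descending = $true }, OutOfSupportOS |
    Format-Table -AutoSize
```

Run it from a management workstation rather than on a domain controller, and use the ExtraRoles column as the worklist for moving services such as DHCP off the DCs.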

There will be more steps specific to your environment, but this list of recommendations will enable modernisation of key services and a reduction of your Active Directory footprint. Migrate the services you can to the cloud, while centralising the services that require Active Directory.

With this strategy in mind, you can reduce infrastructure in branch offices or infrastructure exposed directly to local networks, minimise the number of domain controllers needed to support your environment, and ultimately remove direct access to domain controllers for a simpler, more secure operational experience.

If you need guidance with your migration projects, Insentra is here to assist you. We offer migration services that are fast, secure and with minimal user disruption no matter the complexity. Contact us today and we’ll start discussing your needs and goals.  
