Active Directory has been a foundation of identity and access management (IAM) for organizations from its inception. As the modern workplace continues to evolve with cloud adoption and remote work, there are new challenges in managing identities and ensuring secure access to resources. This article will examine the benefits of modernizing Active Directory and considerations for organizations embarking on this transformation.

Benefits of Modernization

Reduction of Infrastructure Footprint

Directory sizes and infrastructure grow over time by various means, whether through the natural growth of an organization or merger and acquisition (M&A) activities. As a result, this can mean scattered directory infrastructure in offices or data centers worldwide where it no longer benefits the organization, especially in scenarios where most of the workforce works remotely and not in an office setting.

A modernization project should include a review of the directory infrastructure locations, assess where infrastructure can be removed from offices or data centers, and can create a streamlined hybrid cloud strategy that includes infrastructure in centralized on-premises data centers and standardized regions in a public cloud, such as Azure that can provide Infrastructure as a Service (IaaS).

Increased Flexibility and Scalability

Modernizing Active Directory through a combination of on-premises, cloud-based services, and applications, allows organizations to gain the ability to scale infrastructure on demand. This allows organizations to accommodate the future growth of users, groups, devices, and applications.

Cybersecurity Risk Management for Active Directory

Discover how to prevent and recover from AD attacks through these Cybersecurity Risk Management Solutions.

Identity Access and Security Modernization

There are many challenges regarding on-premises Active Directory from a security perspective, as listed here.

Regarding identity and access, Microsoft’s latest model for secure access is the Enterprise Access Model. The Enterprise Access Model encompasses a model that includes access across a hybrid on-premises Active Directory and multi-cloud enterprise. The control plane is commonly known as Tier Zero, a critical group of assets in Active Directory and Entra ID. The Tier Zero control plane aims to protect the most critical components of directory access by creating a security boundary to prevent a complete compromise of the directory. Microsoft’s definition of assets to include in the Tier Zero control plane are listed here.

A common cybersecurity principle known as “defense-in-depth” is building multiple redundant defenses into systems. The defense-in-depth strategy can be applied to modernize and protect identities in Active Directory and Entra ID.

For example, with the administration of group access, you can utilize dynamic groups where users are populated into security groups based on user attributes and automate addition and removal access when user attributes are changed. For temporary access to a group, you can also automate just-in-time group membership where a user needs temporary access to a group for a period of time and the user is removed from the group once the time expires leveraging solutions, such as Entra ID Privileged Identity Management (PIM).

With Privileged Account Management (PAM), accounts with elevated permissions in Active Directory need more stringent security controls than regular user accounts. This security layer safeguards the integrity of privileged credentials and reduces the risk of credential theft. At many organizations, multiple individuals share a common admin password. This enables them to do their jobs quickly and efficiently, but it increases the risk of misuse by insiders or attackers and makes accountability difficult. A far more secure approach is to give admins time-based passwords that enable them to perform assigned tasks. Like temporary AD group membership, these passwords should be granted through an automated workflow via a PAM solution. This ensures proper approvals are in place before access is granted and removes the access rights when the time period is over.

Considerations for Organizations

Define Roadmap Goals

It is important to define the goals of the organization and desired outcomes of the modernization initiative. Understand the challenges being faced by the current infrastructure, networking, and identity processes, and prioritize the improvements to be achieved.

Environment Assessment and Migration Approach

A comprehensive assessment of the Active Directory environment is required to understand the scope of the modernization project. Factors include organizational unit and directory structure, user and service accounts, group policies, workstations and servers, and application dependencies. An assessment will also help to identify any potential roadblocks and help to develop the migration strategy.

Approaches to the migration strategy will involve what type of environment the target Active Directory environment will look like. For Example, the target Active Directory environment could be a greenfield environment where Active Directory forests and domains are created from the ground up with all new servers and assigned a new domain name and directory structure. The target environment could also be an existing Active Directory environment that is in a different location due to an acquisition or divestiture or could be a subset of the existing infrastructure of domains and forests within the organization.

Once the target Active Directory environment is defined and mapping activities of objects such as users, groups, and workstations are documented with a target location in the directory and group policies are applied to the OUs, migrations can then start to be performed.

User accounts and required security groups for various access to services and objects must be in place before workstation migrations can occur. Workstation migrations in on-premises Active Directory or in a hybrid state (where workstations are also represented in Entra and managed by Intune to SCCM to a Entra ID joined state only in the Entra ID tenant), require additional planning considerations which are listed here.

Training and Education

Active Directory modernization projects of any size will involve significant changes in processes and technologies for both end users and administrators. Proper communication channels will need to be set up to ensure the adoption and benefits of services to end users. It is also important to invest in training for administrators and architects who need to modernize their skillsets within the modernized infrastructure.

Conclusion

Active Directory modernization is a crucial step for organizations looking to transform and enhance their IAM capabilities. By embracing the benefits of cloud integration, improved security, scalability, and simplified identity governance, businesses can ensure seamless and secure access to resources. With careful roadmap planning and a well-defined approach, organizations can successfully modernize their Active Directory infrastructure and meet the demands of the digital era.

Join Me at TEC 2023 in Atlanta for More!

This is just an overview of some benefits and considerations of Active Directory modernization.  If you want to hear further insights about these topics, join me in my upcoming session Active Directory Modernization: A Journey to a Secure and Flexible Identity Infrastructure with a panel of experts discussing real-world scenarios at The Experts Conference 2023!

About the Author

Julian Stephan

Julian Stephan has been working with Microsoft technologies for over 16 years in various architecture, operation, and migration roles. As a Principal Consultant at Quest Software, he helps customers with planning and migrating to Microsoft 365 and Azure with a focus on tenant-to-tenant migrations, Exchange migration, Azure migration, identity migration, and automation.

Leave a Reply