At WME we are frequently asked what the best modern approach is to managing identities, users, and devices in the most efficient, cost-effective, and secure way. Microsoft offers the following platform options for integrating with Azure Active Directory (AAD):
- Hybrid – Integration of AAD with on-premises AD with AAD Connect (most common)
- Cloud only – All devices, users, and applications are cloud based (recommended)
- AAD Domain Services (AAD DS) – Extends AAD with Domain Controller as a service
- AD hosted in Azure – Hybrid mode where the AD domain controllers are hosted in Azure VMs
There are benefits and challenges to each of the approaches above. You can review Microsoft’s documentation, “Compare Active Directory-based services in Azure”, for a more detailed comparison. Hybrid, the most common approach, allows you to continue using your legacy on-premises applications and infrastructure while starting to leverage modern services such as Exchange Online, Mobile Device Management (MDM), or Single Sign-On (SSO) for web-based applications.
If you have no legacy infrastructure or applications preventing you from moving to a modern, cloud-only infrastructure, this is the approach we recommend to reap the most security benefits and cost savings. Third-party cloud directory services are another option, for a price. If you need assistance in assessing your environment to determine whether you are ready to modernize your infrastructure, contact us at email@example.com.
It has become increasingly appealing for clients who use Microsoft 365 for mail services to look at moving their identity, directory, and device management services to the cloud with AAD and cutting ties with their on-premises Active Directory (AD) infrastructure. This is especially true for organizations without the resources to secure critical infrastructure such as domain controllers in the way Microsoft recommends.
In some regions, another consideration is the risk of physical assets being seized by local authorities. One non-profit we recently worked with, which defends human rights organizations, was concerned that its government could easily seize on-premises assets, whereas obtaining data held by Microsoft would require meeting Microsoft’s requirements for seizure of data.
AD Versus AAD
Microsoft considers these two platforms to complement one another. They are similar in name only; AAD is not a cloud version of AD. Its focus is primarily the management of Office 365, Azure, and Single Sign-On (SSO) for web-based applications. AD supports NTLM/Kerberos, LDAP, Group Policy, and Certificate Services, which AAD does not. AAD does provide an alternative to federation through Active Directory Federation Services (AD FS) for applications that support SAML and OAuth.
How Do I Migrate?
This begs the question: how do I migrate from AD to AAD? This presents a challenge because there is no migration path from on-premises AD to AAD. In speaking with our Microsoft Partner team, they confirmed that the recommended practice is to enroll users in OneDrive for Business and leverage Enterprise State Roaming to cache the user data in the cloud, then perform a fresh install of Windows 10 with a clean AAD join using new identities. They also recommended using Windows AutoPilot to customize the onboarding experience.
In working with our clients, we have found that many are not ready to license and migrate to OneDrive for Business and Enterprise State Roaming. In addition, this approach does not migrate legacy application settings. They wanted a seamless process with the least impact on the daily use of their devices. To accomplish this, we leveraged tried-and-true migration technology that we have used with countless organizations performing Windows migrations. It required some creative thinking to adapt it to an Azure AD migration.
We have developed a semi-automated process which orchestrates migrating from AD to AAD in the following steps:
- Configure Hybrid mode and synchronize accounts
- Migrate each device to AAD (custom scripting):
  - Capture Windows profile user data and application state with the User State Migration Tool (USMT)
  - Disjoin the domain and join a workgroup
  - Azure AD join (Microsoft does not plan to offer a way to script this outside AutoPilot or the OOBE bulk join)
  - Restore the AD profile to the AAD profile with USMT user mapping
  - Update the last logged-on user
- Remove Azure AD Connect and decommission Active Directory
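To make the per-device steps concrete, here is an added PowerShell skeleton of the USMT capture, domain disjoin, USMT restore with user mapping, and last-logged-on-user update. It is an illustration written for this article, not WME’s own migration scripting; the USMT path, store path, account names, the AAD local account name (assumed to be the `AzureAD\...` name shown by `whoami` after the user’s first sign-in) and the assumption that the AAD user has signed in once before `loadstate` runs are all placeholders or assumptions.

```powershell
# Added example, not WME's scripts. Placeholder/assumed values follow.
$Usmt    = 'C:\USMT\amd64'      # assumed: USMT from the Windows ADK
$Store   = 'D:\MigStore'        # assumed: migration store (USB or share)
$OldUser = 'CONTOSO\jdoe'       # placeholder on-premises AD account
$NewUser = 'AzureAD\JohnDoe'    # placeholder AAD local account name (see whoami after first sign-in)

function Invoke-UsmtCapture {
    # Step 1: capture only the migrating user's profile and application state.
    # /ue:*\* excludes all users, /ui re-includes the one we want; /c continues on non-fatal errors.
    & "$Usmt\scanstate.exe" $Store "/i:$Usmt\MigUser.xml" "/i:$Usmt\MigApp.xml" `
        '/ue:*\*' "/ui:$OldUser" /o /c /v:5 "/l:$Store\scan.log"
    if ($LASTEXITCODE -ne 0) { throw "scanstate failed with exit code $LASTEXITCODE" }
}

function Disconnect-FromDomain {
    # Step 2: leave the AD domain and join a workgroup, then reboot.
    # Step 3 (the Azure AD join) is completed interactively afterwards, as the article notes.
    $cred = Get-Credential -Message 'Account permitted to unjoin the domain'
    Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName 'WORKGROUP' -Force -Restart
}

function Invoke-UsmtRestore {
    # Step 4: restore the captured state into the AAD user's profile via /mu user mapping.
    # Assumes the AAD user has signed in once so the account resolves on this device.
    & "$Usmt\loadstate.exe" $Store "/i:$Usmt\MigUser.xml" "/i:$Usmt\MigApp.xml" `
        "/mu:${OldUser}:${NewUser}" /c /v:5 "/l:$Store\load.log"
    if ($LASTEXITCODE -ne 0) { throw "loadstate failed with exit code $LASTEXITCODE" }
}

function Set-LastLoggedOnUser {
    # Step 5: make the sign-in screen default to the new AAD identity.
    # Assumes LSA can translate the cached AAD account name to its SID.
    param([string]$SamUser = $NewUser)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
    $sid = ([System.Security.Principal.NTAccount]$SamUser).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    Set-ItemProperty -Path $key -Name LastLoggedOnUser    -Value $SamUser
    Set-ItemProperty -Path $key -Name LastLoggedOnSAMUser -Value $SamUser
    Set-ItemProperty -Path $key -Name LastLoggedOnUserSID -Value $sid
}
```

Run the capture and disjoin before the reboot, and the restore and last-logged-on update from an elevated session after the device has been Azure AD joined; check the scanstate and loadstate logs before removing the migration store.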
If you would like our assistance in implementing this migration process, contact us at firstname.lastname@example.org.
A Look at a Migration
Check out the screenshots below of a step-by-step, semi-automated migration of a Windows 10 device from AD to AAD developed by WME: