Thoughts on Entra ID vs. Traditional AD?
Posted by kshot@reddit | sysadmin | 234 comments
Hey everyone,
I’ve been looking into Entra ID recently and wanted to get some opinions. How does it stack up against traditional Active Directory in your experience? Do you think AD will still be around for a while, or is Entra ID the way forward?
Thanks for sharing your thoughts!
W3tTaint@reddit
You probably need both, that's just where we're at right now. Entra works for clients and apps and AD is still required for servers.
illicITparameters@reddit
That’s not entirely true. Entra Domain Services is a thing, and servers can join it; you’d just need to migrate your VMs to Azure IaaS.
W3tTaint@reddit
That's just AD as a service, not really a third option.
ApoplecticMuffin@reddit
If you need LDAP or the ability to join servers to a domain and you don't want to host your own AD, it is absolutely worth it. Entra Domain Services isn't overly expensive. It's basically maintenance-free, and it just works. I've been using it for years instead of a traditional on-prem AD and have zero complaints.
raip@reddit
As long as you don't need anything that requires Domain Admin or Enterprise Admin level changes, like schema extensions.
PowerShellGenius@reddit
LOL they don't even let you extend the schema and they call it an AD replacement?
Lots of identity management and automated provisioning/deprovisioning systems used to link to HR systems add their own attributes.
inteller@reddit
That stuff is integrated with Entra ID now.
Extended schemas are an old school thing. I'm not sure Microsoft even considers that a best practice now.
PowerShellGenius@reddit
AD was meant to be the base of your extensible directory ecosystem that you can customize, and just as importantly scale, to fit your business needs.
Try reading from Entra ID via Microsoft Graph at 5% of the rate you could perform LDAP lookups against a local DC on good hardware. Sustain that for an hour. You'll find Microsoft has a special response code built into Graph that is literally designed to tell you how long to wait when they throttle access to your company's own data to protect their servers from load that would not have been an issue on prem.
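An added example (not from any commenter in this thread) of reading from Graph without tripping over that response: the 429 throttling reply carries a Retry-After header in seconds, and the function below sleeps for it and re-requests the same page. Invoke-GraphPaged and its -Requester parameter are names chosen here; $Token is assumed to hold an access token obtained elsewhere, and the fake transport at the end lets the logic run offline.

```powershell
# Added example, not code from the thread. Pages through a Graph collection while
# honouring HTTP 429 + Retry-After. Requires PowerShell 7+ for -SkipHttpErrorCheck.
function Invoke-GraphPaged {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Uri,
        [Parameter(Mandatory)] [string] $Token,
        [int] $MaxRetries = 5,
        # Pluggable transport so the retry logic can be exercised offline (see $fake below).
        [scriptblock] $Requester = {
            param($u, $h)
            # -SkipHttpErrorCheck hands back the 429 response instead of throwing on it
            Invoke-WebRequest -Uri $u -Headers $h -SkipHttpErrorCheck
        }
    )
    $headers = @{ Authorization = "Bearer $Token"; Accept = 'application/json' }
    $next    = $Uri
    $retries = 0
    while ($next) {
        $resp = & $Requester $next $headers
        if ($resp.StatusCode -eq 429) {
            $retries++
            if ($retries -gt $MaxRetries) { throw "Throttled $MaxRetries times on $next; giving up" }
            # Retry-After is Graph telling you how long to wait; back off exponentially if absent
            $wait = [int]($resp.Headers['Retry-After'] | Select-Object -First 1)
            if ($wait -le 0) { $wait = [int][math]::Pow(2, $retries) }
            Write-Verbose "429 from Graph, sleeping $wait s (attempt $retries)"
            Start-Sleep -Seconds $wait
        }
        elseif ($resp.StatusCode -eq 200) {
            $retries = 0
            $body = $resp.Content | ConvertFrom-Json
            $body.value                     # emit this page's objects to the pipeline
            $next = $body.'@odata.nextLink' # $null on the last page, which ends the loop
        }
        else {
            throw "Graph returned HTTP $($resp.StatusCode) for $next"
        }
    }
}

# Constructed fake transport for an offline dry run: the first call is throttled for
# one second, then two pages of constructed user objects are returned.
$script:calls = 0
$fake = {
    param($u, $h)
    $script:calls++
    switch ($script:calls) {
        1       { [pscustomobject]@{ StatusCode = 429; Headers = @{ 'Retry-After' = '1' }; Content = '' } }
        2       { [pscustomobject]@{ StatusCode = 200; Headers = @{}; Content = '{"value":[{"id":"u1"},{"id":"u2"}],"@odata.nextLink":"https://graph.microsoft.com/v1.0/users?$skiptoken=x"}' } }
        default { [pscustomobject]@{ StatusCode = 200; Headers = @{}; Content = '{"value":[{"id":"u3"}]}' } }
    }
}
$users = Invoke-GraphPaged -Uri 'https://graph.microsoft.com/v1.0/users?$top=2' -Token 'fake' -Requester $fake -Verbose
"$($users.Count) users in $script:calls requests"   # 3 users in 3 requests
```

Against the real service, drop -Requester so the default Invoke-WebRequest transport is used; the sleep then lasts however long Graph says, which is the throughput cost the comment above is describing.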
inteller@reddit
Entra DS Premium can handle that many calls from your poorly architected LDAP/S application.
PowerShellGenius@reddit
I meant reading from the basic directory service that was included, at a rate that was no problem and taken for granted with the basic on prem directory service everyone had.
I don't mean yet another fucking SKU for what was never an issue before. That's how the cloud nickels and dimes the shit out of you.
Cloud storage can also be cheaper than on prem storage if you never/rarely access any substantial amount of your data - and telling people "it's cheaper" without mentioning egress charges is the same brand of lie as saying "you can still read from your directory fast in the cloud" while omitting the "with yet another fucking SKU" part.
inteller@reddit
old man shakes fist at cloud
PowerShellGenius@reddit
I'm not old, I am in my 20s, and I call out predatory business models where I see them hosted on prem too. Oracle has tons of on-prem shit I won't touch with a 100 foot pole.
inteller@reddit
Entra DS is commodity AD.
PowerShellGenius@reddit
When someone says something becomes a commodity, what they mean is it's no longer new and premium and as it ages it is cheaper (correcting for inflation obviously... in nominal terms nothing gets cheaper anymore...)
For example, when cars first came out, they were toys of the rich, and over time it got to where outside the urban areas, someone who clerks at Walmart for a living usually drives to work. It went from a new premium product to an everyday commodity.
Same with computers themselves.
Same with access to the internet - you get 1gig symmetric fiber for much less than a 1.544Mbps T1 line ever was.
Entra DS isn't your directory becoming a commodity. It's trying to take a non-new set of needs and package it up as a premium new invention and move total costs the other direction.
inteller@reddit
Wow, that's some mighty big acrobatics to rationalize an incorrect position, but I'll give you an 8 on the landing.
PowerShellGenius@reddit
AD is built to be extensible, scaled and sized to your business needs, and usable for third party applications that need to store something in a directory. The level of activity and responsiveness is something you can size for.
Entra ID might be wonderful for every application that used a schema extension at a small company - which isn't many things, and their DC was probably running on an old i5 desktop with a spinning HDD.
For companies with applications that are heavy on directory reads, going from a DC with NVMe storage, to accessing Entra ID with Microsoft Graph (which has a purpose built response code that literally means "we've decided to throttle your company's access to your own data to protect our servers, try again later") is a massive downgrade.
jdanton14@reddit
The ADDS azure service is one of the three worst azure services, and it’s more expensive than running a couple of DC VMs as long as you don’t need giant DCs.
PowerShellGenius@reddit
I would say that for SMALL companies, where they aren't paying enough for a highly skilled sysadmin who actually understands AD enough to harden it, they are probably safer with Microsoft managing more of their AD.
I'd hate to have AD in the cloud. But given the choice between an all-defaults AD with no restrictions on NTLM, no MFA (smartcard) or auth policy silos on domain admins, krbtgt hasn't been rotated since pre-2008 so the whole domain is using RC4 Kerberos, backups of DC .vhd's are sitting in a sysadmin's OneDrive, etc - I'd take a cloud managed AD any day.
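An added example, not from any commenter: a quick PowerShell report on the defaults listed in that comment (krbtgt age, NTLM settings, Domain Admins with neither smartcard-required nor an authentication policy silo). It assumes an admin workstation with the RSAT ActiveDirectory module; Get-ADDefaultsReport and New-Finding are names chosen here, and the 180-day krbtgt threshold is an assumption, not Microsoft guidance.

```powershell
# Added example, not code from the thread. Read-only checks; nothing here changes the domain.
Import-Module ActiveDirectory

function New-Finding {
    param([string] $Check, $Value, [bool] $NeedsAttention, [string] $Note)
    [pscustomobject]@{ Check = $Check; Value = $Value; NeedsAttention = $NeedsAttention; Note = $Note }
}

function Get-ADDefaultsReport {
    [CmdletBinding()]
    param([int] $KrbtgtMaxAgeDays = 180)   # assumed threshold

    # 1. krbtgt age. Every TGT is encrypted with this account's key, and a key last set
    #    before the domain supported AES has no AES version, so the domain issues RC4 TGTs.
    $krbtgt  = Get-ADUser krbtgt -Properties PasswordLastSet
    $ageDays = [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays
    New-Finding 'krbtgt password age (days)' $ageDays ($ageDays -gt $KrbtgtMaxAgeDays) `
        'Rotate twice, waiting for replication in between, so outstanding tickets expire cleanly'

    # 2. NTLM posture as applied to this host (the GPO settings land in these registry values).
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lm  = (Get-ItemProperty $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
    New-Finding 'LmCompatibilityLevel' $lm (($null -eq $lm) -or ($lm -lt 5)) `
        '5 = send NTLMv2 only and refuse LM/NTLMv1; unset means the OS default applies'
    $restrict = (Get-ItemProperty "$lsa\MSV1_0" -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
    New-Finding 'RestrictSendingNTLMTraffic' $restrict (($null -eq $restrict) -or ($restrict -lt 1)) `
        '1 = audit outgoing NTLM, 2 = deny it; unset means unrestricted'

    # 3. Domain Admins that are password-only and not in an authentication policy silo.
    $admins = Get-ADGroupMember 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user'
    foreach ($m in $admins) {
        $u = Get-ADUser $m.distinguishedName -Properties SmartcardLogonRequired, 'msDS-AssignedAuthNPolicySilo'
        $hasSilo = [bool]$u.'msDS-AssignedAuthNPolicySilo'
        New-Finding "Domain Admin $($u.SamAccountName)" "smartcard=$($u.SmartcardLogonRequired) silo=$hasSilo" `
            ((-not $u.SmartcardLogonRequired) -and (-not $hasSilo)) `
            'Require smartcard logon and/or assign an authentication policy silo'
    }
}

Get-ADDefaultsReport | Format-Table -AutoSize
```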
inteller@reddit
Lol wut? If you don't understand it, it is high time you do cause that's the future forward for AD.
maverekt713@reddit
Not everything is supported there and especially for AVD hybrid deployments you need good old ADDS
bolunez@reddit
Entra AD DS is not the same as whatever the Entra rebranding is for Azure AD.
It's a SaaS version of your own AD and has some limitations. It's also an extra cost.
HealthySurgeon@reddit
What limitations?
NoSelf5869@reddit
Here's some https://learn.microsoft.com/en-us/entra/identity/domain-services/faqs
sin-eater82@reddit
They didn't say or imply that it was the same...?
Sufficient-West-5456@reddit
Yaaa, but it's much easier to use Entra and AD while having some VMware VMs, which still have great value,
because for DevOps and Office 365 we can use Entra at that point.
Migration to IaaS is a.... cost plus pain...
illicITparameters@reddit
VMware has no value for most of us currently. Thanks Broadcom.
Sufficient-West-5456@reddit
I agree. We moved most to a hypervisor, that's why. I guess it's a question of how long till we're fully in there. I wish I was in that team but ... heck, even our product team is slowly dying.
No chance of getting into the IT core, so bouncing off may be in play for me.
hankhillnsfw@reddit
Have to disagree here. I am very firmly in the “no net new on prem” tho.
You only need both if your org doesn’t properly utilize azure which…is most companies…lol
trapped_outta_town2@reddit
I have a question. If you have no “local” AD (and therefore no ability to run NPS and provide an LDAP bind point), then how do you provide RADIUS/LDAP for things like integrating other on-prem apps or wi-fi with AD/Entra user/pass login?
Lvl30Dwarf@reddit
We use SAML as all our apps are cloud based. If your apps are on prem you may not have the option.
For wifi authentication, I know fortigate supports SAML based wifi authentication if you don't mind using a captive portal. https://docs.fortinet.com/document/fortigate/7.0.0/new-features/561062/wireless-authentication-using-saml-credentials-7-0-5
Reverent@reddit
Modern "Zero Trust" says: keep the networks your endpoints are connected to functionally as guest wifi, and then do the authentication at a VPN/SASE layer.
Non endpoint infrastructure goes into their own network bubbles.
dunxd@reddit
If the WiFi network is essentially open then you need to authenticate for access to the internet else your bandwidth is at risk.
A PSK is essentially public knowledge since it is probably written on every whiteboard in the company. Most phones allow sharing PSKs via a QR code.
IMHO PSK Auth is only good for ensuring the communication between client and access points is encrypted - beyond that it is essentially security through obscurity.
Reverent@reddit
You can still use certificate auth. In fact that's recommended just because from a user experience they don't have to do anything to connect.
Just don't have it necessarily be connected to anything organisational or sensitive.
izvr@reddit
This right here is the correct answer
Jolape@reddit
RADIUS aaS and PKI aaS. At least that's what we're planning. We tested wifi RADIUS/certificate authentication with our Meraki infrastructure and the tests were successful so far.
awit7317@reddit
Especially certificate based wifi auth
PowerShellGenius@reddit
Is "properly" defined by the company getting paid for Azure (Microsoft) or the company paying for Azure?
Not all workloads are more economical in the cloud.
sham_hatwitch@reddit
I mean all it takes is one old school app that requires a VM and it can make sense to run an on-prem domain. Try working in the banking, or some kind of healthcare industry and you might find you're contractually/legally obligated to.
Frisnfruitig@reddit
You can run any kind of OS on a cloud based VM and configure it however you would configure it on prem, in theory.
sham_hatwitch@reddit
Typically, when you run a VM in the cloud, you run an on-prem domain in the cloud.
techgurusa@reddit
Yup... Exactly this!
grapplerman@reddit
I agree W3tTaint (username has me laughing)
Reverent@reddit
Well specifically you need central authentication and user management, preferably these days sporting MFA and passwordless.
It's just a question of what you run and how you support that. Entra ID is typically a no brainer because most organisations will run M365 either way (and as a value for money proposition, M365 is pretty darn cost effective. Assuming you don't accidentally turn on all the hidden knobs and whistles that shoot your per user cost through the roof).
Then you have to figure out how to use Entra to authenticate other things. If you have an on prem endpoint presence (and nothing else), you can probably get away with just Entra joining your endpoints and managing them with Intune.
If you have an on prem server presence, you need some sort of AD or LDAP or something to manage authentication. If you are drinking the entra juice, you can have entra be the source of truth and your AD is functionally a read only domain controller. Then you rely on a bastion that is entra compatible to access your server infrastructure.
But then you have to ask, is it worth it to have an on prem server presence at all these days? That's not an obvious yes or no. If you have a large amount of compute requirements, on prem is typically going to be cheaper (by an order of magnitude sometimes). If you have a large amount of storage requirements, cloud is typically cheaper. If you do want to stay on prem, you have to factor in Total Cost of Ownership (i.e. hardware lifecycles and staff maintenance).
PowerShellGenius@reddit
Microsoft's original Multi-Factor Authentication was also Passwordless and Phishing-Resistant. However, even though it meets all definitions of all three of those terms, it wasn't branded as any of them, since none of them were buzzwords yet when it was released in Windows 2000. It blows my mind how many sysadmins in my own generation have no clue what a "smart card" is.
Today, you also have Windows Hello for Business as an option for users who use one (or a small number) of computers to do "passwordless, phishing resistant MFA" - and WHfB can be set up on prem (with extra work on your part) or hybrid (easily).
TrippTrappTrinn@reddit
Any new deployment from scratch should strongly consider Entra only. What I see in the enterprise I work in is that more and more applications authenticate with Entra. And if you want to use Microsoft 365, you have to use it.
Interesting-Yellow-4@reddit
That is horrible advice which gives zero thought to exit strategy. Don't ever tie your critical deployments to a cloud solution. Ever. That's fucking stupid.
Mindestiny@reddit
Guess everyone using AWS and GCP is "fucking stupid" then?
Interesting-Yellow-4@reddit
For critical business applications? Yes.
In fact, it's illegal to do so in my country if for example the military relies on that infrastructure.
It is actually "fucking stupid", no joke.
Mindestiny@reddit
Whatever you say man, this is not an argument worth having.
Interesting-Yellow-4@reddit
Imagine having mission critical stuff on Azure as an AT&T customer today. God, I feel sorry for your employer.
sumZy@reddit
t. man from the 90s
charleswj@reddit
What year are you commenting from?
TrippTrappTrinn@reddit
All this talk about exit strategy is just useless noise. If you want a real exit strategy you limit the products you can use so that it is close to impossible to run anything at an enterprise level.
tdreampo@reddit
Can you find a way to script a drive map to a file server with Entra only and no Intune? Because I can't.
Overall_Finding_586@reddit
Intune is an absolute must. My first concern is why you are using Entra but not Intune as the MDM? Seems like an odd choice. However, I guess if you wanted to.. you could make a script and add it to start up processes. You can mount your file share to Azure Files.
tdreampo@reddit
You cannot deploy a script without a file share of some sort. I tried. So no, you can't do that. Like I guess you could one computer at a time, but I want to do it automatically for 100 computers at once if I wanted… what AD is literally for. Intune has a per-computer monthly fee, which would be why I wouldn’t want to use it. But I was more just trying to build a 100% Azure environment as a proof of concept and to just make sure I understood the process, and I found this one puzzling.
chaosphere_mk@reddit
You are incorrect.
You absolutely can deploy scripts via Intune. I've been doing it for years.
Intune isn't licensed per computer. It's licensed per user.
tdreampo@reddit
I’m saying do it WITHOUT intune. I don’t want to pay per user….
chaosphere_mk@reddit
Ok, but you're fine with paying for device/user CALs for AD?
It's not necessarily AD that allows you to configure devices. Really, it's the group policy component of AD that allows you to do that.
Something to keep in mind: Entra ID is not a replacement for AD. It is a replacement for the directory component of AD. Intune is the replacement for the group policy component of AD.
Entra ID can do more than the directory component of AD and Intune can do more than the group policy component of AD.
tdreampo@reddit
Yes exactly. And I don’t like paying for CALs, but at least it’s a one-time fee. Paying monthly for basic features seems like a step backwards to me.
chaosphere_mk@reddit
Not if someone else is hosting it, managing the infrastructure, updating it, etc.
It is basic functionality, sure, but you simply don't want to pay for it. You're essentially just making an anti-cloud argument.
tdreampo@reddit
I’m certainly not anti-cloud, but I’m also just not sold on it being overall good for business from a 10k foot view. It’s just one more way to not be in the driver's seat of your company. It’s way overused for sure.
chaosphere_mk@reddit
I'm pretty sold on it I guess. From a business point of view, it eliminates cap-ex and moves infrastructure costs to op-ex. Security and compliance responsibility shifts an overwhelming majority of the responsibility to the cloud provider in the shared responsibility matrix.
Less or no upfront infrastructure costs, vulnerabilities to patch, operating systems to update, upgrade, and maintain. Less reliance on on-prem datacenters that require whole teams of experts to operate. I could go on.
tdreampo@reddit
The total cost of ownership of cloud is 10x on prem as far as I can figure.
chaosphere_mk@reddit
You have that reversed. TCO is cap-ex
tdreampo@reddit
What do you mean?
vane1978@reddit
I’m slowly transitioning domain joined computers to Entra ID joining, and it has been great so far but it is a lot of work.
The main reason for this transition is security. Entra ID joined computers prevent lateral movement on a hybrid network.
Additionally, if you want to implement a true passwordless solution, done right, Entra ID joined computers are the way to go. You would need Intune and Entra ID P1 licenses.
Overall_Finding_586@reddit
I think you’re confused. Entra is NOT an MDM. How do you expect to deploy a script to a computer that isn’t managed by Intune? You will have to manually load and make all changes by hand. Otherwise, your answer is Intune. It’s included in the E3 license. Azure AD is very modular, there isn’t just one product for everything. It’s multiple modules working together. It’s more expensive but it works very well. Much better than AD in most cases but again this heavily depends on what you need it for and your current infrastructure.
Fickle_Bit1481@reddit
RMM?
tdreampo@reddit
Yea that’s the only way I could see it done.
TrippTrappTrinn@reddit
We stopped supporting drive mapping many years ago. Too high risk if a user gets a crypto virus.
tdreampo@reddit
Interesting, are you just relying on OneDrive for sharing?
TrippTrappTrinn@reddit
Lots of file servers, but we recommend using favorites. As I do not do desktop support, I do not know what is actually used. We do not prevent drive mapping, but do not support central management of them. More and more data is being moved to other platforms like Teams, Sharepoint and onedrive.
illicITparameters@reddit
No, because Entra is only used for authentication; Intune is where the policies live.
RagingITguy@reddit
Ah I am curious about this also. Exploring moving entirely to Entra but right now it is not possible. We have lots of legacy crap (yes I know we have to get rid of it eventually but public edu works slow).
illicITparameters@reddit
I manage a 2200 person org’s infrastructure, and I have them down to 2 apps that authenticate against the on-prem directory. We will be down to 1 by Q1 ‘25. By that time I’m hoping the vendor for the last application will have implemented SAML.
I’ve made a big push the last year and a half in moving their apps to SAML because I want the users forced to use MFA, and I’d rather the business critical apps that are SaaS anyway, authenticate against the cloud rather than on-prem.
VermicelliHot6161@reddit
If push comes to shove you can go the Global Secure Access route and just put CA and MFA in front of, well, anything.
illicITparameters@reddit
They won’t pay for that, hence my mad scramble to get everything to SAML.🤣
alconaft43@reddit
It is not a question of legacy AD vs. Entra ID, but a question of where all your apps, and therefore users, will be.
horus-heresy@reddit
How is AD legacy? It is just Active Directory; Entra is not some AD 2.0. Entra serves an absolutely different set of functions in the authentication ecosystem.
hankhillnsfw@reddit
Active Directory (AD) is often considered “legacy” because it was built primarily for on-premises environments, managing local networks, devices, and user accounts. In a world that’s increasingly cloud-focused, AD’s on-prem nature makes it less adaptable compared to modern, cloud-native solutions. While AD can connect with cloud services using tools like Azure AD Connect, this integration feels more like a patch than a native feature, leading to added complexity and potential security gaps, especially for organizations that rely heavily on cloud-based applications.
AD’s security model is also rooted in a traditional perimeter-based approach, which focuses on protecting the network boundary. This stands in contrast to modern security practices, like Zero Trust, where trust is never assumed regardless of network location. AD struggles to fully support this shift, particularly in hybrid or remote work setups. Its reliance on Domain Controllers, which require regular maintenance, patching, and physical security, highlights its legacy status, as this setup doesn’t align with the scalable, dynamic nature of cloud services.
Managing AD can be complex and resource-intensive, especially in large organizations. Tasks like handling Group Policies, setting up trusts, and maintaining replication can be cumbersome compared to the streamlined, policy-driven management offered by modern cloud-native identity platforms like Microsoft Entra ID. Additionally, while AD supports some security features, advanced access controls and multi-factor authentication typically require additional configuration and tools, unlike platforms like Entra, which offer these features natively and with more sophisticated options.
Entra isn’t an AD 2.0; it serves a different purpose in the authentication ecosystem, focusing on cloud-native, identity-first security principles and seamless integration with modern applications. Its architecture aligns with today’s digital transformation needs, including decentralized identity, secure application access, and comprehensive conditional access policies. In contrast, AD lacks built-in capabilities for advanced analytics and insights, making it harder to detect and respond to security threats in real-time. While AD remains an important tool, its traditional, on-premises-focused design increasingly positions it as part of a legacy setup that doesn’t fully meet the demands of today’s rapidly evolving IT landscape.
Coffee_Ops@reddit
I think you and I have a different experience of active directory.
There are certainly challenges in maintaining on-premise, but Active Directory itself has never been a big challenge. The entire point of the multi-master model of Active Directory is that you don't need to maintain replication unless you have crappy hardware that's constantly failing. Patching is not unique to AD, and neither is policy. Whether you're using Intune or GPOs, you still have to set policy. Whether using AD or Azure, you're still going to need a patching solution.
Properly deployed core DCs should basically never go down, and never need real maintenance.
I'm also not clear how you think Entra ID gives zero trust in a way that AD cannot. Zero trust is more than a directory, and more than an authentication source. AD gives you Kerberos, which is a very strong on-prem authentication system, but if that's not enough, there are a dozen different ways to tie into it with SSO solutions like SAML and OIDC.
The reason Microsoft pushes Azure is not because ad is bad. It's because AD does not give recurring revenue, whereas with Azure they can bill you monthly for an E5 subscription. That's really the end of it.
Why do you think AWS will sell you what is effectively a stripped-down Active Directory for 500 hours a month?
raip@reddit
While I don't really agree with AD being considered legacy technology - I do think it's problematic for a zero trust model in regards to hybrid/remote workloads.
No one would ever think putting a DC on the Internet would be smart, unlike Entra which is cloud native. You can solve this with a VPN - but since this is Kerberos, you're limited to an Always-On VPN or connect before logon solutions - otherwise you're dealing with issues like group modifications not updating because of cached tickets.
I do think once Microsoft has a way to move from Hybrid to Cloud only without a loss of functionality, we'll start seeing AD go the way of Netware (which technically still works, but I'll quit before I support it again).
Coffee_Ops@reddit
I'm increasingly convinced zero trust, for all that it has a real meaning, has mostly become a marketing term.
How is it zero trust to be entra domain joined, but not zero trust when you're Kerberos domain joined?
Aws offers a cloud directory that's effectively a stripped down ad, is that zero trust? Or does only Microsoft offer a zero trust solution?
And what about the other operating systems out there, are they incapable of zero trust because of their poor support for Azure and entra?
raip@reddit
It absolutely is a marketing term, but you can make anything zero trust; the only real core tenet that matters is UAA (User Authentication and Authorization) everywhere. It's just that some architecture is harder than others.
Entra joined means when you log into the workstation, the system immediately checks with Entra that your credentials are still good. There's a very minimal cache here.
With Kerberos, you need LoS to a DC when you first login. After that, those credentials are cached, and if you take that system off the network, they aren't checked again until you put it back on the network.
This only introduces complexity - but if you have an always on VPN and limit or change the winlogon cache, you can have zero trust with an only AD setup. That isn't even the hard part of ZTNA truth be told, it's just a complication that you need to solve instead of stuff working out of the box.
Coffee_Ops@reddit
Your assessment of Entra and Active Directory is not correct. Entra absolutely caches credentials; I believe it uses OIDC, which just like Kerberos has a valid lifespan.
And Kerberos can be configured with rapidly expiring renewable tickets, and you can even set maximum lifetimes for sensitive accounts.
On the client side, Linux and possibly Windows allow you to limit the duration of the client cache, so you can absolutely prevent offline logins if you would like.
And if you're doing things to best practice, you'll be using a token-based credential which can't be saved.
You mentioned that with DCs you need line of sight to the DC, which seems like an unfair comparison because with Entra you also need line of sight to Entra. I'm not clear why, though, you count it as a disadvantage for on-prem and not for Entra.
Maybe it's under the illusion that line of sight to a DC, for example, via always on VPN, is less reliable... But my experience has been that cloud will go down far more often than our VPN or directory.
Maybe I'm missing something, but these sound like flimsy justifications for the cloud, rather than actual problems with on-prem.
raip@reddit
Yeah, they're cached for an hour, which is substantially different than the default non-expiring cache.
It's a count against AD because you don't put DCs on the Internet.
To be clear, I don't like the cloud. I'm mid-implementation on a ZTNA deployment for a 150k user hybrid setup where we're primarily leveraging on-prem resources because Entra does not quite have feature parity with AD and these are some of the issues I've had to work through, which is why I always say strictly AD with hybrid/remote users is harder, but not impossible.
Coffee_Ops@reddit
AD cache absolutely expires, and in any case the AD defaults not fitting your needs is a terribly poor reason to go to Entra. Many common compliance packages will change that default and if this is a concern you go to smartcard auth or MFA everywhere. This is a solved problem.
Honestly I'm going to ask this in a separate thread-- but why do we say on the one hand "don't expose internal auth on an untrusted network"-- literally its design spec, and hardened for 30 years -- but it's just fine for Entra to be exposed? Are we entertaining the notion that exposed Kerberos+LDAP is sufficient to own a DC? If so, what the heck are any of us even doing?
You're right that Entra doesn't have feature parity. That's been the story of Azure since the beginning, just change all of your schemas and workflows and tech stacks to make Microsoft's life easy, and pay them for the privilege. All of the big cloud migrations I've been on the receiving end of have resulted in lower availability and loss of functionality, and I doubt I'm alone here.
raip@reddit
You might wanna tell Microsoft that: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available
Big old purple disclaimer at the bottom.
Coffee_Ops@reddit
You either didn't read or didn't understand my comment, and so you're arguing something different. I specifically spoke about Kerberos tickets, because that's one type of credentials cache, and those absolutely expire on the regular.
The cache discussed there is to allow local login. That's somewhat irrelevant to network posture because that device would be unauthenticated to the network, so this really is irrelevant to the ZTN discussion: the user authenticated locally, and they aren't trusted on the network until they authenticate there.
Further, what you're talking about is client-specific, not AD-specific; you can use expiring cache on-prem with Windows (e.g. WHfB) and out of the box on sssd clients (Linux) by changing the cache age (I often set to under 24h).
As for "the rest of my points" I'd love to understand where my error is. Everyone says "don't expose Kerberos / LDAP / ADFS": but no one seems to have an answer for "why". All blue team scenarios assume an attacker who has LoS to the DCs, and these protocols have been hardened for decades before HTTP/2 was created.
And if the worry is simply the exposure of your root of trust: how is that not a thousand times worse with Entra? What would a Heartbleed-type bug do, if attackers could read arbitrary memory on your auth endpoint?
To be clear I still wouldn't expose my DCs because I think there are good, simple solutions (VPN) that dramatically reduce your exposure-- but if we're saying that the complexity behind that is a reason to move to Entra how is exposing say ADFS for WHfB worse than what Entra does?
raip@reddit
You said AD Cache with no specificity - and I was the original one that brought up the Windows logon cached credentials and this is what I was referencing. With an Entra joined device, it doesn't exist by default.
The workstation itself is a node and has resources, ZTNA accounts for it as well which is why every endpoint should be encrypted.
Coffee_Ops@reddit
If you're leaning hard into ZTNA you'd want to use 2FA / smartcards / WHfB anyways, which don't get cached. If you use duo for instance, you can trivially set the device to reject offline authentication without having to put all of your eggs in the Entra basket.
And in any event ZTNA means there's no implicit trust. I'm not clear how cached local-only login violates that. If the box is encrypted / secure boot / measured boot, you can have a pretty good reliance on the validity of the cached credential-- and if the cached credential deeply offends you you can simply set the policy item referenced in your article to disallow the cache entirely:
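An added example, not from either commenter: reading and, optionally, clearing the cached logon count that the linked policy ("Interactive logon: Number of previous logons to cache") controls on a single host. Get-CachedLogonCount and Set-CachedLogonCount are names chosen here; the registry location is the documented one for that policy.

```powershell
# Added example, not code from the thread. Runs elevated on the host being checked.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonCount {
    # The policy is stored as a REG_SZ named CachedLogonsCount (0-50); when the value is
    # absent Windows uses its default of 10 cached logons.
    $v = (Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $v) { return 10 }
    return [int]$v
}

function Set-CachedLogonCount {
    [CmdletBinding(SupportsShouldProcess)]
    param([ValidateRange(0, 50)] [int] $Count = 0)
    # The trade-off raised in the thread: at 0, nobody can sign in to this machine while the
    # DC (or the VPN to it) is unreachable. If a GPO sets this policy it re-applies at the
    # next refresh, so for a fleet change the GPO rather than the local value.
    if ($PSCmdlet.ShouldProcess($WinlogonKey, "Set CachedLogonsCount to $Count")) {
        Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value ([string]$Count) -Type String
    }
}

$current = Get-CachedLogonCount
if ($current -gt 0) {
    Write-Warning "This host keeps $current cached domain logons; a disabled account, or an old password after a reset, still works for local sign-in until that cache entry is evicted or refreshed by an online logon."
}
# Dry run first; drop -WhatIf to apply.
Set-CachedLogonCount -Count 0 -WhatIf
```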
raip@reddit
Of course - like I've said either in this thread or other threads on this post - ZTNA is very possible with AD and doesn't require Entra, but Entra makes it much easier without going 3rd party for stuff like Duo.
The problem with cached credentials is people using old passwords and still getting access imo, i.e. a terminated user.
Coffee_Ops@reddit
Then disable cached credentials if that is a concern.
Your tradeoff of course is a complete inability to work when the network / entra goes down, which is the entire reason cached login / email / network files exists, but you don't have to enable those things.
I personally think it's overkill. If you really are concerned with that level of DLP, you need to be using some kind of VDI anyways. If you're not going to that extent, a determined insider can always exfiltrate stuff, and you're trading off a lot of reliability for threats that are probably irrelevant.
PowerShellGenius@reddit
Zero trust, in the way people interpret it when they say it's impossible on prem, is a myth. You have to trust something. Zero trust is often just taken to mean "we place Zero Trust in anything that will be my fault when it fails, and 100% of our trust in the entire business world's single point of failure, Entra ID". Entra ID's root of trust might have more modern protections than Microsoft DECIDES to put into a product they sell, because they'd rather rent it.
But ultimately there is a root of trust. And if Microsoft's servers get hacked, it's going to be a global event. Centralization is a big risk in the "cloud".
On prem has a moderate (or low if well managed) frequency of an event that is catastrophic on a per business basis. (note I say frequency instead of risk, because of the law of large numbers. Given enough years/decades, if it is a risk, it will happen, the question is how often). For a natural analogy, this is like the areas that flood every 60 - 100 years and it's a known risk that insurance factors into premiums, and then covers.
The cloud is like the "safe" area around a "safe" volcano that hasn't gone off since modern record keeping began, but geologically, WILL go off eventually. There is still a root of trust. You may not have a "krbtgt" but something is signing your OAuth tokens. It's running on a server somewhere that runs some sort of OS. It has vulnerabilities, which have never been exploited. But since it is all or nothing - a very low frequency but globally catastrophic event - when we DO eventually see Entra ID itself become severely compromised, every cyber insurer will declare bankruptcy.
Coffee_Ops@reddit
I've known all this, but I appreciate you saying it. I have felt for a very long time like the emperor has no clothes when people talk about the cloud.
I do see some of its utility, but as far as I can tell that is mostly just:
But I think most people overestimate when each of these applies, and for the most part are far too enthusiastic about the cloud.
I have seen too many instances when people go all in on the cloud and get burned by either changing prices or changing offerings, and I can't imagine building my career around interfaces and apis that are so subject to the whims of particular companies.
Zero trust seems to be just the latest term that has been hijacked to market buying more things and more cloud, when what most companies need is probably more simplicity in their tech stack.
sleepybeepyboy@reddit
Don’t even bother - I could smell the AI after a paragraph. I doubt that guy even works in our field lmao to say such stupid shit.
If Active Directory is Legacy then I guess every client at my huge MSP is a legacy customer? It’s a stupid comment
OP has a great question. Sad we have people in here posting AI responses. Seriously lame
c00000291@reddit
This is a good write up, although gives me AI vibes. I'd also add that Microsoft in general has shown a lack of interest in updating and modernizing on-premises, native AD capabilities and integrations (e.g., SCCM, GPO, DFSR). Meanwhile, their Azure suite is updated constantly and strongly pushed to the point of near necessity
bemenaker@reddit
That's because MS, like everyone else, wants to push cloud subscriptions. They are fully capable of making AD behave the same way. They chose not to. The cloud does not fit everyone's needs, just like fully on-prem doesn't fit everyone's needs.
I've worked in >300 person companies for 20 years, and in most of their cases, cost-wise, it was still cheaper to stay on prem. People argue with me over this all the time, but we ran the numbers. We had third party experts run the numbers. This isn't everyone's case, but it was ours. But it moved it to cap-ex, yeah, at 3 times the cost. When current tax laws give bigger breaks to op-ex because they are encouraging physical growth, there is absolutely no gain. Zero trust and some of the other arguments, very valid, and that goes into MS doesn't want to sell on-prem. Showing a constant revenue stream from subscriptions looks better to the stock market, so they want to push cloud subscriptions.
ErikTheEngineer@reddit
100% correct. It would be incredibly easy for Microsoft to propose a "Kerberos over HTTPS" and "RPC over HTTPS" standard in an RFC to make all of the RPC and legacy ports disappear...but if they did it, it would extend the life of AD. If you were Microsoft and had these choices, which one would you choose?
That's basically what's going on now. Microsoft's playing the waiting game waiting for on-prem to die and for companies to be unable to operate without the cloud.
rongway83@reddit
This for sure, cloud is more profitable and has lockin, very sticky product to remove once in place VS selling you an on prem solution for exchange.....
bemenaker@reddit
Exchange is the one service I will always cloud. Exchange servers suck. O365 is so much better
Lvl30Dwarf@reddit
I was going to say....this is for sure AI.
hankhillnsfw@reddit
It is 100% all AI lol
Kuipyr@reddit
We're getting a new AD functional level in 2025.
Popsicleese@reddit
Yeah but all that old stuff that actually works doesn't have excessive subscriptions attached to it. It would never work in a cloud-native environment for modern application security needs because it doesn't fit the aaS model.
tacotacotacorock@reddit
No I don't necessarily disagree with what you say. I still disagree with calling AD legacy. We're not talking about Cobalt or adtran or AS400 systems, definitely not a token ring network. Is it the most relevant technology for cloud computing? No there's things that can do more and offer more flexibility. However AD still absolutely has its place and will for a long time. Which makes the legacy label not applicable in my mind.
joe_schmo54@reddit
lol written by chat gpt
AmazedSpoke@reddit
Thanks ChatGPT.
sin-eater82@reddit
It's a legacy solution. If you're not seeing it in that light, you need to start thinking about it.
horus-heresy@reddit
And replacement for Active Directory is what exactly? When you apply set of rules like cis bench to group of onprem servers what you gonna do?
raip@reddit
You'd run their Entra ID benchmarks instead.
horus-heresy@reddit
Not how it works
raip@reddit
I beg to differ: https://learn.microsoft.com/en-us/compliance/regulatory/offering-cis-benchmark
horus-heresy@reddit
I'm not talking about assessment as in scan of your workloads to tell if CIS L1 and L2 are applied. Without AD you'd need to script out something complex like DSC if you have no AD and GPOs
raip@reddit
Microsoft Azure Policy would handle that - no need to bust into DSC.
horus-heresy@reddit
On on-prem servers? There’s only a very limited list of built-in definitions for Azure Arc enabled servers so not possible to see in enterprise architecture review boards
raip@reddit
There's a lot of details here - but if assuming VMs with either HyperV or VMWare, you have feature parity with Azure Policy between an Azure native VM or an on-prem VM.
There are some limitations with a bare metal machine with a lot of stuff still in preview - but I believe at least the CIS L1 requirements are covered. My company doesn't run the L2 requirements in our annual audits so I can't speak to that - but like I said in another thread, there's no real issue with AD, it's just on its way out. We'll still be dealing with it for at least 10 years.
horus-heresy@reddit
I don’t see it being on a way out at all or at least until ms announces something substantial
raip@reddit
They're actively working on things like User writeback and anchor changing to allow Entra to be the source of truth, which is pretty substantial in my opinion.
sin-eater82@reddit
Did I say to replace anything?
I said start looking at it in that light.
AD is unnecessary for device management/GPO.
AD is unnecessary for identity.
Shares... in 2024? What are you doing that for?
I didn't say there wasn't any use-case for it at all. But you should be looking forward. And AD should have a smaller footprint in environments moving forward.
tacotacotacorock@reddit
Calling a technology legacy technology is absolutely implying that it should be replaced.
sin-eater82@reddit
For several of its common uses, it should be replaced or you should have plans to replace it in the near future. For some use-cases, you may still need it. Especially in many environments where AD has been the underpinnings for many years.
Don't know what to tell you. That's reality.
Mindestiny@reddit
Yep, a lot of these admins are gonna be gobsmacked when MS eventually announces that AD support is officially sunsetting. They've made it very clear that EntraID/Azure/Intune are the future of identity, management, and infrastructure.
We're already well beyond the point where any new infra should be putting forth an extremely solid business case as to why it shouldn't be leveraging these solutions by default.
tacotacotacorock@reddit
I think it can be considered that. Entirely depends on your architect and needs.
sin-eater82@reddit
Right. And for some uses-cases, the writing has been on the wall and it's time to plan to move on if you haven't already. For others, not so much.
This is bound to happen when something provides a solution to multiple things. Not all of those things are going to change at the same time or rate.
The footprint of AD in environments should be generally shrinking. It will be slower in some environments than others.
bofh@reddit
Microsoft have picked their words extremely carefully but have made it clear in conversations that I’ve been a part of that they don’t consider it the way forward.
It’s a long way from not being useful, and can still be very useful for a business that has little cloud presence, but those are becoming increasingly rare.
horus-heresy@reddit
When they announce it I will believe. Otherwise sccm is still a way to go and azure stack hci is nowhere to be attractive enough of a product. Same with ad
bofh@reddit
That’s fair enough. I know what they said to us and I believe it, but I’d be dubious of some internet rando too. I think it also depends on your business size, type and model. SCCM is a great tool but doesn’t really scale to our needs, for example.
tyrillis@reddit
Entra needs to catch up. Honestly it's not good enough. It's a few years behind where it should be.
chaosphere_mk@reddit
What are you referring to? It needs to catch up up to what? It's THE leading/most advanced cloud IdP, as far as I'm aware.
tyrillis@reddit
Google Workspace just works better. So does its IdP. They are close. But when it is held back by AD.....it's an issue.
Mindestiny@reddit
This is the first time I've seen anyone honestly claim Google Workspace "just works better" than the MS cloud stack.
Maybe if all you need is barebones productivity, but once you go past that it's a rats nest of "that's not part of our product, sorry" and awkward limitations.
tyrillis@reddit
To be fair. You're right. However the main used apps are the productivity and collaboration tools.
charleswj@reddit
So you're saying Google's IdP is better with AD than Entra is?
chaosphere_mk@reddit
What just works better? What is held back by AD? I still am not picking up What it is that you're referring to.
JudgeCastle@reddit
Small org here. Entra ID is nice. We’re less than 50 users. Just started rolling out Intune, MDE, and Entra ID correctly and it’s good enough for us since we host nothing and are all cloud based. I’m unsure how these products scale beyond this.
If you are full cloud, as someone else said, the Business Premium license is worth the extras you pay for it imo compared to Standard. Assuming you’re not in the E category yet.
Fast_Bit@reddit
Are you transitioning from on prem AD or directly from nothing to Intune and Entra ID?
JudgeCastle@reddit
Second option. Like it was there and kind of set up but nothing was utilized. We all had standard licenses and pretty much only used Exchange. Took time to get them to come around.
Just got the go ahead to roll it all out and it’s nice. Getting control where I had none will be nice.
Fast_Bit@reddit
Awesome! I’m starting this week. Thank you!
wine_and_dying@reddit
E-5 or dieeeeeeee
JudgeCastle@reddit
As I don’t have access to it and I haven't researched it, is this the comparative to Biz Pro in the enterprise scale?
Due_Programmer_1258@reddit
Biz Premium is most similar to E3. https://m365maps.com/ shows the breakdown nicely.
JudgeCastle@reddit
I appreciate you sharing this. Thank you.
Jackarino@reddit
Any client of ours who has a server, about 70, have on-premises AD. The balance has Entra AD.
Proper_Cranberry_795@reddit
Do you have any people who work remote, or is every computer staying in the office. Situations that annoy me are like computers that are remote not getting group policy configurations. Difficulty in password resets when the PC can’t talk to the domain controller…
I think entra AD is badass, not to mention the fun stuff you can do with intune.
Cormacolinde@reddit
Traditional AD for your servers and the primary directory for users. Sync users to Entra ID. Clients connected to Entra ID and managed with Intune. You get the best of both worlds.
Fast_Bit@reddit
Can you have the same user and device in both AD and Entra ID?
Cormacolinde@reddit
If you sync them, yes.
Phyber05@reddit
I would love to go full Entra ID but I’m just not sure how to pivot my current on prem AD and GPOs to Intune and have them work
donatom3@reddit
Intune has a gpo import tool that will tell you which are compatible and create them.
Phyber05@reddit
Hi! I’ve tried that but had limited success. Maybe I wasn’t investing enough attention to it.
I’m really stuck on how to assign printers from print server/group policy and map local network shares. Also applying desktop wallpaper 🙁
donatom3@reddit
Use this script for drives. https://intunedrivemapping.azurewebsites.net/ I modify the triggers to also include network changes.
For printers you can make them apps or go with another solution like printerlogic.
Phyber05@reddit
Thank you! Dumb question; if I’m still hybrid joined, and I have my local domain pcs Azure AD joined/Intune enrolled…will having these scripts for Entra ID only pcs cause any conflict?
donatom3@reddit
They could conflict. What you'd want to do is use dynamic groups that target Entra AD joined machines only and not hybrid machines.
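The join-state split donatom3 describes is exposed on device objects as the deviceTrustType attribute, so the targeting can be done with two dynamic groups. Here is an added example, not from the thread, that creates them with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Groups module, a session opened with Connect-MgGraph -Scopes 'Group.ReadWrite.All', and that the group display names are placeholders you will rename.

```powershell
# Added example (not from the thread): dynamic device groups keyed on join type, so
# Entra-joined-only scripts (drive mapping, printers) never land on hybrid machines.
# Assumptions: Microsoft.Graph.Groups is installed and Connect-MgGraph has been run
# with Group.ReadWrite.All; group names are placeholders.
Import-Module Microsoft.Graph.Groups

function New-JoinTypeDeviceGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        # deviceTrustType values Entra assigns from the device's join state:
        #   AzureAD   = Entra joined
        #   ServerAD  = hybrid Entra joined (on-prem AD joined and registered to Entra)
        #   Workplace = Entra registered (BYOD)
        [Parameter(Mandatory)][ValidateSet('AzureAD', 'ServerAD', 'Workplace')]
        [string]$TrustType
    )
    $rule = "(device.deviceTrustType -eq `"$TrustType`")"
    if ($PSCmdlet.ShouldProcess($DisplayName, "create dynamic device group with rule $rule")) {
        New-MgGroup -DisplayName $DisplayName `
            -MailEnabled:$false `
            -MailNickname ($DisplayName -replace '[^A-Za-z0-9]', '') `
            -SecurityEnabled `
            -GroupTypes 'DynamicMembership' `
            -MembershipRule $rule `
            -MembershipRuleProcessingState 'On'
    }
}

# Assign Entra-only scripts/apps to the first group; hybrid-specific config to the second.
New-JoinTypeDeviceGroup -DisplayName 'Devices - Entra joined'  -TrustType AzureAD
New-JoinTypeDeviceGroup -DisplayName 'Devices - Hybrid joined' -TrustType ServerAD
```

To check which bucket a given machine will fall into, run `dsregcmd /status` on it: AzureAdJoined=YES with DomainJoined=NO is the AzureAD case, both YES is ServerAD. Dynamic membership is evaluated asynchronously, so expect a delay before a freshly enrolled device shows up in the group.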
Transresister@reddit
Two weeks away from no longer needing AD. Never going back. All our apps are cloud native.
SweepTheLeg69@reddit
And your replacement for Windows file services?
Niceuuuuuu@reddit
Some people use SharePoint, but I've heard it's painful with large files and CAD/design work.
Azure Files gets brought up but I don't have much experience with it.
Got282nc@reddit
When SharePoint didn’t meet our needs for files due to substantial size and volume (it’s always Marketing and Design) I tried an Amazon Gateway and S3 solution. It was less than reliable for users so I moved to Azure Files. Solved a ton of problems (read: complaints to helpdesk). About 18 months later and no complaints from me on Azure Files.
r1kupanda@reddit
How does the cost stack up? Sharepoint gives you 1TB for free, wondering about storage, RW operations, and egress costs. Anxious to move a CAD client to Sharepoint...
mingepop@reddit
What authentication method are you using? Tried to set this up with Kerberos for Entra ID but having lots of issues
JerikkaDawn@reddit
For CAD, SharePoint is not as much painful as it is more a non-starter to begin with. If the business needs cloud for CAD, it should be in Autodesk's cloud or something and nowhere near a SharePoint library.
SweepTheLeg69@reddit
I looked in to Azure Files. It's outrageously expensive, and I hate the idea of paying IOPS from Microsoft's data centres to access your own data. I worked out you could buy a large SAN from Dell for the cost of renting 10TB from Microsoft over a 4-5 year period.
SharePoint is not a replacement for WFS in my eyes.
Godcry55@reddit
In terms of SharePoint, it depends on the amount of data you are working with and predict you will be working with in the future.
That being said, Azure can be cost-effective if you leverage resource groups effectively to keep costs in check.
Lvl30Dwarf@reddit
If you want things on S3 then AWS storage gateway, if you want things on Azure (possibly SharePoint not sure) then power automate gateway.
foreverinane@reddit
Check out Egnyte it's meant for this.
psychokitty@reddit
Lucid Link combined with Wasabi storage is a good and affordable solution for file server replacement, especially use of CAD/media files. Lucid Link permissions aren't nearly as granular as AD, however it does integrate nicely with Entra ID SSO for user/group management. Bonus is that the users get a "L:" drive in their file explorer so it behaves just like a mapped file server drive.
New-Pop1502@reddit
Windows Server joined to Entra AD DS then use Hybrid Kerberos. Your Entra ID joined computers will be able to communicate through SMB to the Windows File Server with SSO even if those computers aren't joined to the domain.
TKInstinct@reddit
Azure Files.
Transresister@reddit
SharePoint and Azure Files. We also have a proprietary DMS.
BornIn2031@reddit
Same for us, though 2 months out for us
hankhillnsfw@reddit
This is the way
caribbeanjon@reddit
This is the way, but where I work I will be retired before this happens.
patmorgan235@reddit
AD will definitely still be around for a long time. Organizations that need isolated networks (manufacturing, various types of infrastructure, governments) will continue using it.
Small to medium business that are primarily office workers can definitely ditch on-prem and go all in on Entra ID/cloud.
Donkey-Main@reddit
GCC takes the gov component out of the equation.
Xanros@reddit
If you're starting fresh, Entra ID with intune is great.
AlfalfaGlitter@reddit
Long story short, it's not one or the other. Entra ID just doesn't make the cut by itself.
It's one and the other. And both together cover everything.
It's not a lot of work though, use ad connect.
PaulJCDR@reddit
They are 2 different systems, built on 2 different technologies, using 2 different base set of authentication protocols, aimed at 2 different use cases and applications. One does not replace the other.
For sure as you develop new applications, design them with modern authentication and get all the fancy bells and whistles and security that comes with Entra. But until the last dying legacy application that uses a legacy auth protocol is gone, AD will be needed in that instance.
Interesting-Yellow-4@reddit
I'm sorry but Entra is not a replacement for AD.
They're completely different products for completely different use cases, even if there is some minor overlap.
What are you even asking here.
x-TheMysticGoose-x@reddit
Entra as part of business premium or higher in business with no onprem server requirements is absolutely a replacement for AD
Interesting-Yellow-4@reddit
Yes that's true.
Got282nc@reddit
Completely different, huh? From Microsoft: “Microsoft Entra ID, formerly known as Azure Active Directory (Azure AD), is an identity and access management solution from Microsoft that helps organizations secure and manage identities in cloud and on-premises environments.”.
sin-eater82@reddit
Yes?
Azure AD is not AD. And Azure AD is not Azure. This is why Microsoft renamed it to Entra Identity. Azure AD was a terrible name that confused people because it's neither of those two things.
Got282nc@reddit
Perhaps the first suggestion to call it Excel had already been used and only azure active directory was available at the time. So glad they got a new name to clear that up.
Alaknar@reddit
This is exactly why they renamed the product. Too many people saw "Azure Active Directory" and thought "ah, so it's just AD on Azure, got it".
mingepop@reddit
So why was “Azure Active Directory” its original name then? Like naming it that would imply that, no?
jmbpiano@reddit
Because Microsoft.
They've always been absolutely awful with a) coming up with names in the first place and b) causing confusion by reusing names for disparate products.
Microsoft Surface, for example, or Lync being renamed to Skype for Business after Microsoft bought Skype, despite them being largely separate services with only the barest, most painful, nods to interoperability.
Alaknar@reddit
How about Teams, Teams for Work or School and (New) Teams for Work or School? Don't these roll off the tongue? Especially since most of the time the user just sees "Teams", "Teams" and "Teams".
sin-eater82@reddit
Because some marketing people named it?
It was always a shitty name. I had Microsoft reps say this to me inside of a Microsoft building. It was a bad name. Azure AD is neither AD nor Azure.
The name absolutely gave the wrong impression.
horus-heresy@reddit
Azure Active Directory and Active Directory had as much in common as a banana and a cucumber, buddy. Good thing they renamed it so that folks like you stop assuming wrongly
c00000291@reddit
I think you're being a little hyperbolic. Their basic functionalities and ideas are very similar, just with much different execution. I think the biggest difference with AD vs. Entra ID is that AD has a hierarchy structure with OUs whereas Entra ID is flat
NATChuck@reddit
In the context of Azure as a whole, their question makes perfect sense with Azure as a whole utilizing Entra, they just have the terminology a little confused.
LateToTheParty2k21@reddit
I'm assuming OP is suggesting as Entra ID develops, and maybe eventually replaces AD (becomes AD as a service, possibly).
Right now there is a need to understand both but maybe in the future we will just be using Entra ID as part of the MS stack.
devloz1996@reddit
I will not drop AD, because it's a failsafe for identities and credentials. I can push them into Entra ID, Google Workspace, or even Keycloak, and ask users to login as usual. I am not aware of being able to do the same with pure Entra ID identities.
Mindestiny@reddit
Why can't you? You can absolutely federate EntraID with other SaaS identity providers, with Entra as the record of truth and the others essentially being read-only extensions for additional auth options.
Break2FixIT@reddit
Entra is nice for non-specialized apps and organizations.
But if you need to deploy computers fast and need anything related for on-prem services, AD is where it's at.
I seriously can't stand Intune and how long it takes to do anything.
Mindestiny@reddit
Rule #1 of Intune is definitely "if you thought you've waited long enough... give it another half hour" lol
TKInstinct@reddit
Entra ID is great but it is unreliable IMO. There are too many outages to be completely reliant on it. A hybrid model is where it's at and I think it'll stay that way for a long time. On prem is more reliable as far as I'm concerned while on prem services are still good for certain things like some file hosting, VPN and others.
Mindestiny@reddit
What region are you in? I can't remember the last time we had an EntraID outage that wasn't some minor blip in the status portal that ultimately didn't affect us. Certainly not widespread auth failure
wine_and_dying@reddit
We have a lot of legacy and a lot of modern apps and requirements, so we run a hybrid enterprise but even then AD and Entra are downstream from our janky AF IdP
Upper-Affect5971@reddit
I don’t give shit either way, just quit moving the everything around. God damn ridiculous.
I jumped from NT to 2019 seamlessly. I know AD fairly good.
I now log in to Azure, EntraID, or what ever else they want to call it. And I’m now asking the level one guys where in fuck are the users at?
I hate it, it’s kludgy, it crashes and goes down.
On prem is so much easier. At least I can see what the hell is happening.
VirtualDenzel@reddit
On prem is just better. The web experience of azure just sucks balls
ChopSueyYumm@reddit
Entra joined and Autopilot makes device enrollment much easier than the classic AD join infrastructure.
skiemlord@reddit
Bro I’m wasted af atm and went to a techno party called intra. It was sick. That’s all i gotta contribute
sin-eater82@reddit
AD will continue to have a smaller and smaller footprint on organizations.
If I was helping a company build out from the ground up today, I'd avoid it altogether if possible.
But most places already have it embedded in their environment. So it will be around for a bit.
wastedgetech@reddit
Switch to Entra if possible. I am pretty sure you need some of their higher licensing though to put computers in the cloud. So we are a hybrid environment with only users in the cloud. I'm implementing a Passwordless solution and we were using ADFS and had so many problems over 9 months we switched to Entra SSO instead and everything just fricken works and it's so much better.
UCFknight2016@reddit
hybrid
vane1978@reddit
By hybrid joining a computer you are introducing two attack surfaces on your computer and network because if the AD or Azure AD were to be compromised the hybrid joined computers are accessible to both attacks - not one.
UCFknight2016@reddit
Many orgs arent ready for full cloud.
vane1978@reddit
We’re still using on-premises resources including Active Directory and not going full on cloud anytime soon. However, Entra ID joined computers is the way to go for users because it mitigates on-premises attacks from bad actors.
UCFknight2016@reddit
exactly
thedonutman@reddit
This is the way. I believe then you can use the domain password policy (from AD). EntraID by itself limits minimum password length to 8 characters, which is bonkers to me..
disposeable1200@reddit
8 characters plus MFA is fine. Add in compliant device policies and you're safer than ever
soggybiscuit93@reddit
It entirely depends. At the end of the day, the goal is to identify users for the sake of applying policies and managing authentication. Entra isn't a replacement for AD, and in most cases acts as a complement.
However, it's totally possible to go exclusively Entra. If you're entirely cloud based, Entra may make more sense than Hybrid. We have a fairly complex corporate setup where most of our companies are hybrid, sharing a single M365 tenant, but with individual on-prem domains that have a trust between them. However, we sometimes need to set up ~100 person companies that're only expected to exist for 4 - 6 years and need to remain independent of our infrastructure, and in that case, we generally will set those entities up exclusively in Entra, for example.
matman1217@reddit
A couple of things to think about here. Is your work force remote or most on prem? Do you use apps that can be accessed with Entra ID as the backbone? Do you plan to use an RMM tool or intune to replace group policy if you use Entra ID?
Also I am usually a person that believes in hybrid tbh. I think you should try to move almost everything to Entra ID with password write back to an original AD environment. Opens up doors to do almost anything and everything, which allows your tech stack to handle any new software/apps/business needs. More expensive but depending on your organization you can justify the costs
VNJCinPA@reddit
It doesn't. Entra AD is only decent when it's tied to AD. Otherwise, you're relying on 8 different portals and 400 ways to accomplish a thing that's going to change next week...
Kemaro@reddit
AD isn't going anywhere any time soon. Many sectors still rely heavily on on-prem resources (healthcare, for example). We are currently hybrid and use Entra join where we can for remote workers. Everything else comanaged at a minimum, except servers which are obviously AD.
ThatDistantStar@reddit
Traditional AD carries so much tech debt from its 25 years of building off Server 2000 it's almost irresponsible to deploy today. It's comically easy to exploit if you get a foot in the door. Kerberoasting, golden ticket, NTLM relaying, ADCS, the list goes on. I'm not oblivious to the fact that traditional AD is the appropriate tool for the job in some cases, but I would never build a new company on it if I could avoid it.
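Of the attacks listed above, Kerberoasting is the one most shops still running AD can detect with logs they already have. The following is an added example, not from the thread, of that detection over Security event 4769 ("A Kerberos service ticket was requested"): roasting tools ask for RC4 (0x17) service tickets for many user-account SPNs in quick succession, which is the pattern flagged here. The sample records are constructed for this example, and the threshold and window are assumptions to tune per environment.

```powershell
# Added example (not from the thread): Kerberoasting detection over event 4769.
# Sample data below is constructed; Get-Kerberoast4769 shows the equivalent live query.
# Thresholds are assumptions, not Microsoft or vendor guidance.

function ConvertTo-4769Record {
    # Flatten one EventRecord's EventData into the fields the detector needs.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $Event.TimeCreated
        Requester = $d['TargetUserName']        # e.g. bob@CORP.LOCAL
        Service   = $d['ServiceName']           # SPN owner, e.g. svc_sql or FS01$
        EncType   = $d['TicketEncryptionType']  # 0x17 = RC4-HMAC, 0x12 = AES256
        ClientIp  = ($d['IpAddress'] -replace '^::ffff:', '')
    }
}

function Get-Kerberoast4769 {
    # Live query against a DC's Security log for the last N hours.
    param([int]$Hours = 24, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-4769Record -Event $_ }
}

function Find-KerberoastActivity {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int]$DistinctServiceThreshold = 5,   # assumption: distinct SPN owners per window
        [int]$WindowMinutes = 10              # assumption: sliding window length
    )
    # Only RC4 tickets for user accounts matter: computer accounts ($) have long random
    # passwords and krbtgt tickets are TGTs, so neither is a practical roasting target.
    $candidates = $Records | Where-Object {
        $_.EncType -eq '0x17' -and
        $_.Service -notlike '*$' -and
        $_.Service -ne 'krbtgt' -and
        $_.Requester -notlike '*$*'
    }
    foreach ($group in ($candidates | Group-Object Requester)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end      = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $window   = @($sorted | Where-Object { $_.Time -ge $sorted[$i].Time -and $_.Time -le $end })
            $services = @($window.Service | Sort-Object -Unique)
            if ($services.Count -ge $DistinctServiceThreshold) {
                [pscustomobject]@{
                    Requester        = $group.Name
                    ClientIp         = $sorted[$i].ClientIp
                    WindowStart      = $sorted[$i].Time
                    DistinctServices = $services.Count
                    Services         = ($services -join ', ')
                }
                break   # one alert per requester is enough for triage
            }
        }
    }
}

# Constructed sample: one benign AES request, then a five-SPN RC4 burst from "bob".
$base = Get-Date '2024-06-01T09:00:00'
$sample = @(
    @{ Requester = 'alice@CORP.LOCAL'; Service = 'FS01$';    EncType = '0x12'; ClientIp = '10.0.1.20'; Offset = 0 }
    @{ Requester = 'bob@CORP.LOCAL';   Service = 'svc_sql';  EncType = '0x17'; ClientIp = '10.0.1.77'; Offset = 1 }
    @{ Requester = 'bob@CORP.LOCAL';   Service = 'svc_iis';  EncType = '0x17'; ClientIp = '10.0.1.77'; Offset = 1 }
    @{ Requester = 'bob@CORP.LOCAL';   Service = 'svc_bak';  EncType = '0x17'; ClientIp = '10.0.1.77'; Offset = 2 }
    @{ Requester = 'bob@CORP.LOCAL';   Service = 'svc_sccm'; EncType = '0x17'; ClientIp = '10.0.1.77'; Offset = 2 }
    @{ Requester = 'bob@CORP.LOCAL';   Service = 'svc_rpt';  EncType = '0x17'; ClientIp = '10.0.1.77'; Offset = 3 }
) | ForEach-Object {
    [pscustomobject]@{ Time = $base.AddMinutes($_.Offset); Requester = $_.Requester
                       Service = $_.Service; EncType = $_.EncType; ClientIp = $_.ClientIp }
}

# Expected: a single row for bob@CORP.LOCAL with DistinctServices = 5.
Find-KerberoastActivity -Records $sample | Format-Table -AutoSize
```

The RC4 filter is the high-signal part; if your service accounts are already AES-only (msDS-SupportedEncryptionTypes set, or gMSAs), an RC4 request for one of them is suspicious on its own and the threshold can drop to 1. Attackers can request AES tickets too, so pair this with the burst logic rather than relying on encryption type alone.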
K3rat@reddit
We run hybrid as we still have on-premises AD for a few services that can’t go cloud integrated for AAA. Honestly we force Entra ID integration wherever possible with cloud apps as:
1. Tighter control for the off-boarding process.
2. The IDP already scans for risky sign-ins using AI.
3. We also have the auditing tied into our SIEM for better tracking from a security perspective.
4. Enforcement of MFA using our MFA solution.
Entra ID is likely the best cloud native SAML integrated AAA with IDP out there. The split on Entra ID has a laundry list of vulnerabilities that still need to be resolved. They also gate keep fixes for their system behind next level up licensing.
wine_and_dying@reddit
You’ll be hybrid forever because of RANDOM_ANCIENT_TECHDEBT requires on prem AD or LDAP or something.
You need Entra to manage modern workflows IMO
Neat_Neighborhood297@reddit
From a reliability and security standpoint, I think on-prem AD is still the way to go.
robokid309@reddit
We have a hybrid environment. AD is good for on premises stuff like files shares and whatnot and Entra is great for super intricate configurations like conditional access, password reset policies, SSO, and very important account sign in/audit logs. Definitely get entra along with AD
cidknee1@reddit
Aren’t they one and the same? If you have ad and 365 they are pretty much integrated?
The only thing I wish it would do is change it on the local AD.
And the dishes.
illicITparameters@reddit
That’s called a Hybrid Deployment, and is not required, but at this point if you aren’t doing it you’re a fool.
cidknee1@reddit
Right. Sorry customer got crypto. Long week.
illicITparameters@reddit
My condolences; been there 3 times in my career. GTFO reddit and go do something non-IT related 🤣
chaosphere_mk@reddit
They are not one in the same. They are both identity providers, yes. But that's it. You can deploy them together as a hybrid environment, or you can do them separately. There's lots of options.
Anxiety_As_A_Service@reddit
It’s really going to be a use case thing as everyone’s mentioned. It was a bad naming decision to call it Azure AD (now Entra) in the first place because it really isn’t a successor to AD.
There’s a lot of feature parity at this point and Entra is constantly getting new things added. AD is what it is and won’t get new features really. At the same time it’s not going anywhere. That’s thanks to the government and other customers who need that on prem control. Even those orgs usually sync to Entra to take advantage of the Azure Suite though for things like conditional access and app registrations. 365, EXO, Intune also are heavily reliant on it as an intermediary identity and provisioning store to all the products.
TheDawiWhisperer@reddit
Different use cases for different scenarios - ~~Azure~~ Entra AD isn't a replacement on on-prem AD.
Realistically most places will use both.
canadian_sysadmin@reddit
I think Entra is generally the way forward, but with a lot of caveats. Traditional AD isn't going anywhere any time soon, and Hybrid is very much a thing.
AD provides a very basic and traditional foundation, but it's also not really gaining any new features. It's effectively been in a major feature-freeze state since Server 2012. Microsoft will undoubtedly keep releasing some newer revisions, but with only minor tweaks. Obviously all the new features and hotness will be in Entra.
And again Hybrid is very much an option, and will be for a long time still.
I look at it kinda like ICE vehicles vs. electric. Electric is probably the general way forward over time, but it will take a long time to get there, hybrid is a thing, and ICE will truly never disappear (commercial stuff will continue to be ICE for a very, very long time).
alhttabe@reddit
For small businesses with nothing on-prem, it’s going to give MSPs, contractors & business owners an opportunity for identity management.
For companies with some/any on-prem infrastructure, they’ll use Entra Connect & Cloud Kerberos trust to align identity management between cloud services & on-prem assets.
Hybrid is what hybrid does.
There is no cloud, just someone else’s computer.
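The Cloud Kerberos trust that alhttabe mentions here (and New-Pop1502 earlier, for SMB access from Entra-joined clients) has an on-prem setup step that is easy to get wrong and a key that then needs the same care as krbtgt. Here is an added example, not from the thread, of that step. It assumes the AzureADHybridAuthenticationManagement module is installed, the domain credential is a Domain Admin in the on-prem forest, the UPN is a Hybrid Identity Administrator in the tenant, and that the domain and UPN values are placeholders; how Get-AzureADKerberosServer reports a not-yet-created object is an assumption, hence the null-tolerant check.

```powershell
# Added example (not from the thread): create and rotate the Entra Kerberos server
# object that Cloud Kerberos trust relies on. Assumptions: the
# AzureADHybridAuthenticationManagement module, Domain Admin and Hybrid Identity
# Administrator rights, placeholder domain/UPN values.
Import-Module AzureADHybridAuthenticationManagement

function Enable-CloudKerberosTrust {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$CloudAdminUpn,
        [Parameter(Mandatory)][pscredential]$DomainCredential
    )
    $common = @{ Domain = $Domain; UserPrincipalName = $CloudAdminUpn; DomainCredential = $DomainCredential }

    # Set-AzureADKerberosServer creates a read-only-DC style object (AzureADKerberos) in AD
    # and publishes its krbtgt_AzureAD key to the tenant. Check first so the write is
    # deliberate; an empty CloudId is taken to mean "not created yet" (assumption).
    $current = Get-AzureADKerberosServer @common -ErrorAction SilentlyContinue
    if (-not $current.CloudId -and $PSCmdlet.ShouldProcess($Domain, 'create the Entra Kerberos server object')) {
        Set-AzureADKerberosServer @common
        $current = Get-AzureADKerberosServer @common
    }
    # KeyVersion vs CloudKeyVersion should match; a mismatch means the rotation did not
    # propagate and Entra-joined clients will start failing on-prem Kerberos.
    $current | Select-Object DomainDnsName, CloudDomainDnsName, KeyVersion, CloudKeyVersion,
                             KeyUpdatedOn, CloudKeyUpdatedOn
}

function Update-CloudKerberosTrustKey {
    # krbtgt_AzureAD is a Kerberos trust anchor just like krbtgt: rotate it on the same
    # schedule, and immediately after any suspected DC or tenant compromise.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$CloudAdminUpn,
        [Parameter(Mandatory)][pscredential]$DomainCredential
    )
    if ($PSCmdlet.ShouldProcess($Domain, 'rotate the krbtgt_AzureAD key')) {
        Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudAdminUpn `
            -DomainCredential $DomainCredential -RotateServerKey
    }
}

$domainCred = Get-Credential -Message 'Domain Admin for corp.contoso.com'
Enable-CloudKerberosTrust -Domain 'corp.contoso.com' -CloudAdminUpn 'hybridadmin@contoso.com' -DomainCredential $domainCred
```

This is only the server half: the Entra-joined clients still need the Windows Hello for Business cloud trust policy (the UseCloudTrustForOnPremAuth setting pushed through Intune), the user must be a synced on-prem identity, and the client must reach a DC at the time it asks for the service ticket. The feature removes the need for the device to be domain-joined, not the need for line of sight to a DC.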
Barrerayy@reddit
Eh? They are different products. Most places run hybrid
ImTheRealSpoon@reddit
It comes down to money and where your apps are. If they are all on-prem then Entra's an annoying subscription. If you use Microsoft 365 you already have Entra and if you have Business Premium you are already paying the fee to sync the two. You might as well use it because you will probably eventually need it.