Worth transitioning from EntraID to an on-premise solution?
Posted by yukkit@reddit | sysadmin | 47 comments
I’m the only sysadmin in a tiny company of ~15 people, and was asked to think about leaving Entra ID in favor of a self-hosted, open source solution like Keycloak/Authentik/Zitadel/etc. The company policy is globally focused on using open source and free software that we host using third-party cloud services (and I find this approach nice btw).
But we still rely on some Microsoft tools like Office, Teams, SharePoint etc.
Currently we use the Entra ID SSO whenever possible, and we also have some apps that support neither OAuth nor SAML nor other methods, using independent user accounts. Among Entra ID's on-prem competitors, some propose interesting features like reverse proxy integration/auth or SSH/Unix account management, but it’s not essential at our scale.
And now I really start to think it’s not a good idea to abandon Entra ID considering our not so big but irreducible dependence on Microsoft products, since I would still have to manage Microsoft accounts, but also the self-hosted solution and its maintenance…
Do you think I should tell my boss to give up on that idea and keep up with Microsoft?
pecheckler@reddit
You will submit to Microsoft’s entire business software ecosystem and you will like it 💩
yukkit@reddit (OP)
I was more used to Linux in my previous experiences, but honestly, even if I’m often lost in the non-intuitiveness of MS user interfaces, I have to admit that it’s an easy trap to fall into 🪤
Acceptable_Wind_1792@reddit
A Linux user saying MS is non-intuitive... you can say a lot of things about MS, but being easier to train a user on Linux is not one.
superstaryu@reddit
Then no.
Unless you're also planning on moving away from those tools/apps. Absolutely no point taking on the burden of another IAM when you have a widely used and well-supported one that you get essentially for free.
yukkit@reddit (OP)
We clearly can’t move away from those apps, mainly because other companies use them. But I’m curious to know how companies that have a different IAM and are also using Microsoft tools manage, and why they may prefer doing so!
Acceptable_Wind_1792@reddit
We use on-prem AD and use AD Sync to sync our directory to Azure, and we use ADFS to handle login to Azure. All passwords are only on-prem; Azure just forwards the login requests to ADFS for auth. But you can use Duo, Okta etc. also. Okta, Duo and Entra AD are all IDP providers.
derango@reddit
They don’t. They use entra.
sysadmin_dot_py@reddit
There are companies that use Okta. But they still use Entra. They link the two and Okta handles the authentication and passes it through to Entra. Rather than a Microsoft login page, you have an Okta login page.
OnwardKnight@reddit
This is not quite true. Okta has way more off-the-shelf partner built integrations, especially for automating user and group provisioning via SCIM at higher license levels. If you’re only using Okta for basic SAML (many orgs are), you’re using it wrong.
calladc@reddit
Yeah this is the one.
I work with an Entra tenant that is near enough to 100 independently managed Active Directories. Each AD has a spoke and synchronizes objects up to a single Entra tenant.
They also have partner Entra tenants that fall under the same top-level umbrella but have functional requirements such that they're not members of the same tenant. They use Okta for GAL sync so that everyone is using the same address list in Exchange.
Entra didn't have native support for complex scenarios like this when they were looking to begin this. Okta saw them through, and retooling at this stage would be a nightmare.
yukkit@reddit (OP)
It's interesting, I was expecting to hear some reasons or advantages from people using a different IAM but it seems to just be a historical burden!
Optimaximal@reddit
Microsoft have made it effectively seamless, and whilst I dislike supporting them, given their moves elsewhere in the industry, they provide probably the best and most complete SSO experience across pretty much every platform, plus it's all provided 'as-is' for most SMBs via the Business Premium license.
FatBook-Air@reddit
I have seen this exact setup and 100% don't understand. I keep thinking there must be some secret to this that I do not understand, but nobody has given me a reasonable explanation so far.
TheIncarnated@reddit
Our "corporate" company uses Okta, the rest of the companies under them use Entra or on-prem AD. None of us like Okta and wish for it to go away but here we are...
sysadmin_dot_py@reddit
Usually it's just legacy and they are trying to get off of it.
ThatBCHGuy@reddit
Yeah, same. Okta is just another point of complexity and failure. Just use Entra.
gihutgishuiruv@reddit
It’s even funnier when they use Okta for authn and Entra for authz, which is what seems to happen most of the time.
QuantumRiff@reddit
I know many startups that use Google Workspace instead, and have no problem reading and writing Word and Excel files.
sysadmin_dot_py@reddit
Other companies use Okta or similar as an IAM for Microsoft products, as the authentication engine in front of Entra. In my experience, those companies are using Okta because it was in place before they went cloud-based and before Entra/Azure AD had the foothold it is today. In my experience, at these companies using a separate IAM outside of Entra, it is a legacy system and they are actively migrating to Entra as the sole IAM for both technical simplicity and cost reasons.
EolasDK@reddit
This is something for your home lab not something for a real enterprise environment.
compu85@reddit
Agreed with this.
Acceptable_Wind_1792@reddit
If you are on Entra ID, why would you move off? If you are on-prem you still have to sync to Azure AD. If you don't have a need for on-prem AD, I would stay far away.
theotheritmanager@reddit
As long as you're using teams/sharepoint/etc, moving away from Entra would make no sense. And Entra's a great product overall, for what it is.
A policy of [trying to use] FOSS doesn't mean punching yourself in the nuts every day. You need to be smart about how you approach certain platforms.
There are some solutions and situations where FOSS just isn't there (or you'll spend a ridiculous amount of time cobbling something together that you will permanently struggle with).
corky2019@reddit
No, focus on real problems at your org.
Every_Star_1180@reddit
Why? It seems like you are trying to make your life harder. Does the organization require some level of security outside of Microsoft's scope?
Surely, without even taking into account the hosting cost, the support and management headache alone of these services has to be close to the licensing cost of Entra in value.
Genuinely curious not trying to be rude, just seems like an IT flex for no reason if you are already using the platform.
yukkit@reddit (OP)
Thanks for your comments, it doesn’t feel rude and clearly it would make my life harder. We don’t need more secure solutions and I think my boss is mainly interested in the “spirit” of using open source tools. I also like the idea of not depending on third-party services for such a critical thing as the SSO, but yep, it really feels like a bad idea!
Optimaximal@reddit
Microsoft's SSO implementation is probably the most robust solution out there and is effectively fully decentralised - you're only dependent on a single point of failure in so far as 'if Microsoft shuts down overnight, you're screwed'.
ccatlett1984@reddit
I would much rather depend on a third-party service than be the only one whose neck is on the chopping block when the open source tool breaks.
joshghz@reddit
Yeah, you have to absolutely remember that you're now solely responsible for keeping all the servers and packages up to date, documenting, fixing things when something inevitably breaks...
If this was a fresh environment, sure. But this is like saying you want to replace a perfectly good Camry with a project car.
brainstormer77@reddit
This sounds like a "just because" reason. If the business was open-source focused, then it's time to move to LibreOffice, RocketChat etc. before you consider moving off Entra ID.
Also, I hope this is documented, because open source means no vendor support. Any problems you need to figure out yourself. Think of business impacts.
airinato@reddit
I don't know enough about the environment, but unless you have a service desk, engineers and solution architects available to address every issue open source software is going to cause, and there will be many, then it would be stupid to switch to anything else.
yukkit@reddit (OP)
It’s a good point, and maybe I should just argue that, since I’m the only sysadmin, it will just make the service worse for everyone :/
airinato@reddit
Just watch out for yourself in these equations, it's not just implementation but maintenance and support. Stuff will break, and unlike waiting an hour for Microsoft to fix the rare outage, it ends up being you in the middle of vacation with everyone breathing down your neck.
Stewge@reddit
If you're already in the stack then it makes little sense. Especially if you don't really know why you would need to self-host.
That being said, you could federate Authentik (example) with Entra if you have a good use case.
e.g. this can be handy if you want to OAuth to machines that are in a DMZ and either can't or aren't allowed to communicate directly with the internet/Entra.
Or you could use the LDAP or RADIUS outposts in Authentik to have gapped authentication to legacy devices.
In case you're not aware, in the MS stack, Front Door and App Proxy are their solution to this, but only hosted in Azure. Personally I can't stand them from a configuration standpoint. I'd take HAProxy/Nginx/Traefik any day of the week. However, MS App Proxy is somewhat unique in that it can SSO a domain-auth'd legacy system via Entra login in a hybrid environment.
yukkit@reddit (OP)
When I started thinking about FOSS solutions I looked at Authentik and Keycloak, but indeed I'd need to federate it with Entra, and overall the comments in this post make me realize it's probably not worth the (small) gain of being able to use it with some internal services. It could be handy for things like Unix/SSH auth, but it really seems redundant, and most people here explain that they're trying to do the opposite and centralize everything within a single IAM, which makes sense.
Thanks, I wasn't aware of Front Door and App Proxy, but I know that you can also integrate Entra with popular proxies using OAuth modules (like for Apache). And I'd prefer that to integrating a new MS tool that I'm probably gonna struggle to configure.
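As an added example, not code from the thread or from any poster: an Apache httpd + mod_auth_openidc configuration that puts Entra ID login in front of an internal service, the proxy-integration approach Stewge and the OP mention above for machines that should not hold their own accounts. Tenant ID, client ID, secret, hostname, backend port and group object ID are placeholders; mod_proxy is assumed to be loaded.

```apache
# Added example: Apache httpd as an OIDC relying party (mod_auth_openidc)
# in front of an internal app, authenticating users against Entra ID.
# Placeholders: TENANT_ID, CLIENT_ID, CLIENT_SECRET_PLACEHOLDER,
# intranet.example.internal, GROUP_OBJECT_ID_PLACEHOLDER.
LoadModule auth_openidc_module modules/mod_auth_openidc.so

# Single-tenant v2.0 discovery document. Using your tenant ID rather than
# "common" means tokens issued for other tenants are rejected.
OIDCProviderMetadataURL https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration

# App registration in Entra ID (confidential client). Keep the secret out of
# version control, e.g. in an Include'd file with restrictive permissions.
OIDCClientID     CLIENT_ID
OIDCClientSecret CLIENT_SECRET_PLACEHOLDER

# Redirect URI registered on the app; must be a path the backend never serves.
OIDCRedirectURI  https://intranet.example.internal/oidc/callback
# Random value used to encrypt the session cookie and state parameter.
OIDCCryptoPassphrase CHANGE_ME_LONG_RANDOM_VALUE

# Request only what the app needs; "offline_access" deliberately omitted.
OIDCScope "openid profile email"
# Use the immutable object ID as REMOTE_USER, not a renamable UPN/e-mail.
OIDCRemoteUserClaim oid
# Enforce PKCE on the authorization code flow.
OIDCPKCEMethod S256
# Session cookie hardening and a short idle timeout (seconds).
OIDCCookieHTTPOnly On
OIDCSessionInactivityTimeout 900

<Location />
    AuthType openid-connect
    # Only members of one Entra group may reach the app. The claim value is
    # the group's object ID; enable the "groups" claim in the app's token
    # configuration for this to be present.
    Require claim groups:GROUP_OBJECT_ID_PLACEHOLDER
    # Pass identity claims to the backend as headers; the backend never sees
    # a password, and must only be reachable through this proxy.
    OIDCPassClaimsAs headers
    ProxyPass        http://127.0.0.1:8080/
    ProxyPassReverse http://127.0.0.1:8080/
</Location>
```

The backend must trust only headers set by this proxy, so bind it to localhost or a firewalled interface; otherwise a client could supply the identity headers directly.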
crankysysadmin@reddit
If everyone uses the Microsoft platform and depends on it, what would your advantage be in moving away from Entra ID? Your solution would require more maintenance and be less redundant, and again, what is the point? You get Entra ID for free with your Microsoft subscription, so there is literally zero reason for you to spend staff time rolling your own solution.
Rawme9@reddit
Love open source stuff but if you are already in the Microsoft ecosystem with Windows and 365 then there is nothing that will even come close to feature parity. If you were starting from scratch this may have been doable.
yukkit@reddit (OP)
I forgot to mention that employees work on Macs, so we’re not dependent on it for machine accounts, but still, as you said, it should have been a starting choice maybe.
Peteostro@reddit
Macs now have support for platform SSO with Entra ID.
Rawme9@reddit
If using Macs, that makes it a stronger case, but I think the open-source options for identity are not great compared to the big players in the industry. I think your boss would need a VERY strong business case for me to be on board with this, because there will be MANY headaches and hours, and it will not be as easy to manage as Entra ID.
DevinSysAdmin@reddit
No, what a terrible idea.
FOSS/Open Source != great product, easier to use, bug free, etc. It’s just a different way of doing business.
davy_crockett_slayer@reddit
You absolutely can move from Entra ID to something open source and self-hosted. Tech companies typically use Google Workspace. You can set up SSO through SCIM/etc from your self-hosted solution to Office 365.
https://learn.microsoft.com/en-us/answers/questions/1111382/microsoft-365-business-standard-provisioning-users
Authentik can be your source-of-truth when interfacing with Entra ID and/or Office 365. https://docs.goauthentik.io/add-secure-apps/providers/entra/
topher358@reddit
Entra is the best part of Microsoft. Not worth leaving IMO especially because you’re going to need some kind of Microsoft presence anyway based on your comments
baw3000@reddit
If you're not leaving 365, then honestly there's no point.
quetzalcoatlus1453@reddit
TBH that’d be the last part of the Microsoft ecosystem I’d get rid of