The future of Active Directory: Where will AD go from here?
More and more companies rely on cloud services, for example in Microsoft Azure, where Azure AD handles authentication and access control. In this context, the question arises as to the future of on-premises Active Directory.
First of all, no one needs to worry about this at the moment. Microsoft is not planning to eliminate Active Directory. That would not be so easy either.
The structure of Azure AD differs significantly from that of an on-premises AD environment. Azure AD is built around web protocols, primarily SAML, OAuth 2.0 and OpenID Connect, rather than LDAP and Kerberos. To confirm identity, Azure AD supports various MFA methods, including the Microsoft Authenticator app, OATH one-time-password tokens and FIDO2 security keys. Locally operated and older applications often cannot use these protocols or authentication methods. For this reason, it is currently almost impossible to imagine many environments without a local AD.
That is why Active Directory will remain with us for a long time to come
There are functional reasons that will continue to make Active Directory necessary in the future. But Windows Server will also continue to evolve.
LDAP, NTLM and Kerberos
First, many companies do not plan to migrate all services to Azure or Microsoft 365. Here a local Active Directory is still needed, because Azure AD cannot authenticate on-premises resources with the protocols they expect. If a legacy application needs LDAP, NTLM or Kerberos, Azure AD is out. NT LAN Manager (NTLM) is admittedly outdated and insecure (it offers no mutual authentication and is exposed to relay and pass-the-hash attacks), so remaining NTLM dependencies should at least be inventoried and restricted where possible. That does not change the fact that legacy applications still need the protocol in some cases. And there are more reasons why on-premises AD will be with us for a while.
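Before deciding which applications can move to Azure AD, it helps to know which ones still authenticate with NTLM. The following PowerShell script is an added example, not code from the original article or from FirstAttribute: it reads logon events (ID 4624) from a domain controller's Security log and groups the NTLM logons by account, source host and NTLM version. It assumes you have read access to the Security log on the DC and that Logon/Logoff auditing is enabled; the computer name and the seven-day window are parameters you can change.

```powershell
# Added example: inventory NTLM logons recorded on a domain controller.
# Assumes: Security log read rights on the DC and Audit Logon (4624) enabled.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # DC to query; defaults to the local machine
    [int]$Days = 7                                # look-back window in days
)

$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$Days)
}

Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter |
    ForEach-Object {
        # Flatten the EventData <Data Name="..."> nodes into a hashtable keyed by field name.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

        # Kerberos logons carry AuthenticationPackageName = 'Kerberos'; keep NTLM only.
        if ($data.AuthenticationPackageName -eq 'NTLM') {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
                SourceHost  = $data.WorkstationName
                SourceIp    = $data.IpAddress
                LmPackage   = $data.LmPackageName   # 'NTLM V1', 'NTLM V2' or 'LM'
                LogonType   = $data.LogonType       # 3 = network, 10 = RemoteInteractive, ...
            }
        }
    } |
    Group-Object Account, SourceHost, LmPackage |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Event 4624 on a DC only covers logons to that DC itself. For a domain-wide picture, enable the policy "Network security: Restrict NTLM: Audit NTLM authentication in this domain" and read event 8004 from the Microsoft-Windows-NTLM/Operational log on each DC instead; the grouping logic above can be reused on those events.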
Windows Server support
Active Directory is still included in the successor to Windows Server 2022, currently designated Windows Server vNext, and is not marked as deprecated. Since this version is expected to be released in 2024 or 2025 and, like earlier LTSC releases, will receive five years of mainstream support followed by extended support, it can be assumed that Active Directory will remain part of Windows Server until at least 2030, probably significantly longer. For these reasons alone, on-premises AD is not a dead end.
If Microsoft discontinues Active Directory at some point, Redmond would mark AD as deprecated in the successor to Windows Server vNext at the earliest. So an end to local AD environments is not currently in sight.
Active Directory and Azure Active Directory: Strengths on both sides
Azure AD's mission is not to replace on-premises AD environments, but to extend them into the cloud. There are numerous options and tools to synchronize AD users with Azure AD so that single sign-on (SSO) scenarios in networks with cloud usage let AD and Azure AD work together. The two directory services are therefore not competitors, but a team with strengths on both sides.
Powerful in combination
In the cloud, Azure AD provides real added value and strong security controls for cloud services. In the on-premises data center, Active Directory remains the best fit for securing traditional applications. Synchronization via Azure AD Connect connects both worlds, so companies can decide for themselves where to run each service. The two worlds already work well together and are likely to grow even closer in the future.
Without cloud applications, no Azure AD
However, this does not mean that companies that rely on AD must also use Azure AD. Using Azure AD only makes sense if cloud resources in Azure or Microsoft 365 are to be used. AD works without Azure AD without any problems.
Conversely, if a company relies on resources in Azure, an AD is usually also in use locally. In this case, it makes sense to connect the two directory services. Users can then log in to their workstation with their AD account and reach resources in Azure without authenticating again. Note that synchronizing the objects alone does not provide this: Azure AD Connect must also be configured with a sign-in method (password hash synchronization, pass-through authentication or federation), and Seamless SSO must be enabled for domain-joined devices.
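A practical check in such a hybrid setup is whether every on-premises user actually has a matching synced object in Azure AD, since an account that is missing or has a mismatched UPN will not get SSO. The script below is an added example, not code from the original article or from FirstAttribute. It assumes the ActiveDirectory and Microsoft.Graph.Users modules are installed, that the sync anchor is the Azure AD Connect default (mS-DS-ConsistencyGuid, seeded from objectGUID, so OnPremisesImmutableId is the Base64 form of that GUID), and that you have User.Read.All on the tenant; the OU path is a hypothetical placeholder.

```powershell
# Added example: reconcile on-premises AD users with their synced Azure AD objects.
# Assumes the default Azure AD Connect anchor: OnPremisesImmutableId = Base64(mS-DS-ConsistencyGuid),
# which Azure AD Connect seeds from objectGUID if the attribute is empty.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.Read.All' -NoWelcome

$ouSearchBase = 'OU=Users,DC=corp,DC=example'   # hypothetical OU; adjust to your forest

# 1. Enabled on-premises users in scope, including the sync anchor attribute.
$adUsers = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $ouSearchBase `
    -Properties 'mS-DS-ConsistencyGuid', UserPrincipalName

# 2. Synced cloud users, indexed by their immutable ID for O(1) lookups.
$cloud = @{}
Get-MgUser -All -Property Id, UserPrincipalName, OnPremisesImmutableId, OnPremisesSyncEnabled |
    Where-Object { $_.OnPremisesSyncEnabled -and $_.OnPremisesImmutableId } |
    ForEach-Object { $cloud[$_.OnPremisesImmutableId] = $_ }

# 3. Compute the expected immutable ID for each AD user and compare.
foreach ($u in $adUsers) {
    $anchorBytes = if ($u.'mS-DS-ConsistencyGuid') {
        [byte[]]$u.'mS-DS-ConsistencyGuid'
    } else {
        $u.ObjectGUID.ToByteArray()       # not yet seeded: Azure AD Connect will use objectGUID
    }
    $immutableId = [Convert]::ToBase64String($anchorBytes)
    $match = $cloud[$immutableId]

    [pscustomobject]@{
        OnPremUpn   = $u.UserPrincipalName
        Synced      = [bool]$match
        CloudUpn    = if ($match) { $match.UserPrincipalName } else { $null }
        # A differing UPN usually means an unverified or non-routable suffix on-premises;
        # Seamless SSO and password hash sync then resolve to the wrong cloud identity.
        UpnMismatch = [bool]($match -and $match.UserPrincipalName -ne $u.UserPrincipalName)
    }
}
```

Pipe the output to `Where-Object { -not $_.Synced -or $_.UpnMismatch }` to list only the accounts that need attention before the SSO rollout.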
Suitable software solutions for hybrid IT world
FirstAttribute offers a portfolio of software solutions to efficiently manage identities in on-premises AD environments and in the cloud.
The FirstWare IDM Portal is an IAM solution for automated user and authorization management, both on-premises and in the cloud. It combines all aspects of identity and access management in one portal and accesses identity and directory services centrally.
The my-IAM Cloud Identity Management Platform focuses on bringing together and managing all internal and external identities through apps integrated with Microsoft Teams, such as my-IAM PeopleConnect and my-IAM TeamSpace.
Where will Active Directory go in the future?
Azure AD will also open up further in the direction of Active Directory. Via management solutions such as the Windows Admin Center, Azure resources should become easier to integrate into local AD environments. Examples of this are:
- backup of local data with Azure Backup
- replication of local Hyper-V VMs to the cloud to improve high availability.
At the same time, Azure Arc can be used to connect local servers to Azure in order to monitor them with Azure Monitor, for example, or to administer local servers from the cloud without having to set up a VPN. The Windows Admin Center is also used here.
AD and Azure AD thus grow together where desired. However, local AD environments can continue to be used without Azure without any problems. With Azure Stack HCI, Microsoft currently offers the option of operating Azure resources such as VMs in local data centers and securing and expanding them with Azure technologies.
So, on-premises and cloud tend to grow together. It does not currently look as if all resources can and should run in the cloud in the future.
No new Active Directory features at present
There have been no significant innovations in Active Directory since Windows Server 2016. This is also why Windows Server 2022, and currently Windows Server vNext as well, offer no domain or forest functional level newer than Windows Server 2016. Microsoft evidently sees no need to extend Active Directory's functionality at present, and this is not necessary either: all relevant functions are already integrated, and a comprehensive overhaul of AD simply does not make sense. Where authentication is to be extended to the cloud, Azure AD is used in parallel for this purpose instead.
Azure AD Domain Services brings Active Directory to the cloud
With Azure AD Domain Services, Microsoft offers a managed Active Directory domain in Azure that is populated from Azure AD.
This means that many (but not all) Active Directory functions can also be used in the cloud in parallel with Azure AD.
This also shows that Microsoft still sees a lot of potential in Active Directory, because developing such a cloud service naturally involves a lot of effort. However, Azure AD Domain Services does not support extending or customizing the Active Directory schema, and trusts and organizational units are available only in a restricted form. In addition, administrators cannot manage many settings in the environment themselves, because they have no access to the domain controllers. They have no control over:
- the domain and forest functional level,
- the global catalog, and
- the various operations master (FSMO) roles.
Group Policy is available, but only in a limited form.
Summary
The structure of Azure AD is not suitable for all use cases. Active Directory allows a much deeper structure than Azure AD. Organizations that need multiple domains, trees and forests rely on AD, because Azure AD has a flat structure without these capabilities: all accounts of a tenant live in a single directory, and there are no child domains or trusts between tenants.
All this shows that Azure AD is not a next-generation AD, but a different approach developed for use in the cloud. Companies that continue to operate resources in their own data center will therefore continue to rely on on-premises AD and use Azure AD in parallel as a supplement for authentication in the cloud. This will not change much in the next few years, so Active Directory will remain an important foundation of corporate networks.
About FirstAttribute AG
FirstAttribute AG is an independent German cloud service and software company with a focus on Identity & Access Management (IAM) for AD and M365/Azure AD.
Find out everything you need to know about our software solutions and services here. Contact us if you want to update and accelerate your identity and authorization management and are looking for a customized IAM solution in a hybrid IT world.