Historically, as we have moved from on-premises directories to the cloud, the identities have been ‘homed’ or sourced from the on-premises directory, primarily Active Directory. Now, as more services and users are internet-based or internet-first, there is reduced reliance on the on-premises Active Directory Domain Services (AD DS) for authentication & authorization.
Moving the center of identity and authentication away from on-premises directories is a key first step in preparing for modern authentication and a Zero Trust approach to security. Below, I have outlined several of those benefits, including better control of privileged access, a common attack vector in many successful hacks.
The concept of Identity Inversion, or ‘AD as an App,’ is that we move from homing accounts in on-premises AD to homing those accounts in Microsoft Entra ID (formally Azure AD). Accounts that then require access to applications or resources that are on-premises would have an on-premises account provisioned.
Modern applications use modern authentication. As companies refresh their business applications, the center of gravity for identities shifts to the cloud and the dependency on AD DS diminishes. Some companies are aggressively deploying modern apps to drive security and competitiveness. Others are taking a more conservative approach. Even if you’re taking a conservative approach, there are security gains that can be realized now by shifting identities to the cloud.
Security benefits of the model
Leapfrog Domain Consolidation
Moving to Entra-based identity provides an opportunity to consolidate, or potentially eliminate AD domains. Reducing administrative overhead in this way not only can free up resources for priority projects but improves security by reducing the overall protect surface as well.
Least privilege is a core concept of Zero Trust Architecture (ZTA). By not provisioning accounts to AD unless those accounts are needed, the management overhead of on-premises AD is reduced. This also decreases the attack surface of those on-premises, usually highly valued, assets.
Whether with malicious intent or after having an account compromised, the goal in dealing with insiders is to reduce the ‘blast radius,’ or how much damage can be done with one account. By limiting unnecessary account creation, the threat is reduced.
Just-In-Time (JIT) provisioning
The ability to provide JIT provisioning, privilege escalation, or emergency access to on-premises administrative accounts reduces the risk of standing administrative accounts. It also improves security by reducing the number of those accounts in existence.
Separates Privileged Accounts
One of the issues found because of the SolarWinds attack was that AD Domain Administrators were being synchronized to Entra. This gave the attackers the ability to move between environments with a single compromised account. Verifying that privileged accounts are unique to the AD instance (DS or Entra) is an important security protection.
Bring along ‘Lift & Shift’
As legacy, on-premises workloads are moved to the cloud, these workloads likely do not support modern authentication. So, a legacy authentication/authorization mechanism must be put in place. Building an AD instance in the cloud to support these applications, and provisioning only the required users/operators of the application, provides good governance of entitlements and can support Separation of Duties for compliance.
Entra ID Domain Services (formally Azure Active Directory Domain Services), enables managed domain services, providing serverless Active Directory functionality to support this “lift & shift” workloads. Entra ID DS managed domains allow organizations to run legacy applications in the cloud that are not able to use modern authentication protocols or if lookups to on-premises Active Directory domains are not optimal or desired. Because Entra ID DS integrates natively with Microsoft Entra ID, users can sign-in to resources using their existing credentials. Entra ID DS provides common services like group policy, domain join, LDAP and Kerberos/NTLM authentication.
Provide Active Directory Federation Services (ADFS) in support of Certificate Based Authentication (CBA)
While Microsoft works towards providing native CBA, users may be provisioned to support Common Access Card (CAC) or Personal Identity Verification (PIV) authentication. This is done with federation services (e.g., ADFS) connected to the provisioned, limited AD instance which may be hosted in either the public or government clouds.
Cross-domain Separation of Duties (SOD)
SOD is a relatively simple problem in one application or across one authentication provider. Managing SOD across applications and domains requires a centralized view of the entitlements granted in the organization.
Governance of On-Premises AD
Building a governance solution to provision users in this model provides governance of the on-premises AD at the basis of the provisioning, not as an add-on. Moving to this model allows for clean-up of historic or legacy ‘cruft’ in the on-premises AD. This improves security posture, and helps to clear technical debt.
Improve Application Owner Control
Using an access request model for provisioning in certain AD DS instances in support of specific applications gives more granular control to application owners in assigning access to applications and provides for overall segregation of duties management. We are not moving back to a departmental model. Rather, we are pushing some of the levers for app provisioning back to that department level.
Hurdles on the Path
Files in the cloud have different permissions and different access patterns compared to on-premises. Until on-premises file shares move to the cloud (which would reduce the need for most users to access on-premises (SMB) file shares), moving to a Cloud-First identity model will be difficult.
Users in a large facility use AD DS to locate and use printers on a regular basis. Suitable file access patterns must be in place before this move. Microsoft’s Universal Print – cloud-based printing – is a good solution to provide printer location and eliminate printer driver installation.
Many organizations use on-premises resources for endpoint management (GPOs, Citrix, SCCM, etc.) to managed devices in the organization. Methods and services must be found to supplement these services as users move to being cloud-first or cloud-only.
Migrating from AD/Hybrid-Joined to Microsoft Entra ID-Joined
A major component of any AD to Microsoft Entra ID migration is endpoint migration, specifically for Windows-based computers that are AD or Hybrid Entra ID joined. The challenge is automating the process so that hours are not spent on manually decoupling devices from the AD DS infrastructure, Microsoft Entra ID joining and user profile migration. There are several ways to do this:
- Users can start with a fresh build as part of the regular upgrade cycle.
- Users can refresh their PCs and reset profiles at that time.
- If user profiles must be retained, tools such as Microsoft’s User State Migration tool or third-party solutions may be used
Microsoft Entra ID as the Center of the Universe is not an all-or-nothing proposition. As users move to cloud-first they can be removed from the on-premises AD if there are no requirements for them to have those accounts, provided the creation/maintenance of cloud accounts is not driven from the on-premises directory. Changing where accounts are homed will probably be the biggest lift here, but as detailed above there are a raft of security improvements that may be achieved as a result.
Want to learn more about Microsoft Entra ID as the Center of the Universe? Check out the recording from our webinar on the same topic.