What are the Microsoft Entra ID benefits for on-prem admins?

Active Directory's presence looms large for organizations that rely on Microsoft's venerable directory service for a multitude of tasks tied to identity and access.

Your organization's plans to move to the cloud might be weighed down by its earthly possessions.

As organizations migrate more resources to the cloud, there may be a temptation to phase out an on-premises Active Directory environment and replace it with Microsoft Entra ID, formerly Azure Active Directory. There are perks, such as simplified management and integration with cloud services, but there are also drawbacks that could rule out adopting Microsoft Entra ID as the organization's sole directory service.

How do Active Directory and Microsoft Entra ID compare?

Active Directory has been a part of Windows Server since the release of Windows 2000. Active Directory builds on the domain structure introduced in Windows NT Server, the precursor to Windows Server, and has added numerous improvements over the years with subsequent Windows Server releases. For example, Active Directory supports structures such as forests and organizational units that were not in the initial NT release. Active Directory also offers a multi-master replication model and supports the hardening of domain-joined devices via Group Policy.

Microsoft Entra ID, renamed from Azure Active Directory in August 2023, is a cloud-based Microsoft directory environment touted as a next-generation replacement for Active Directory. Unlike Active Directory, which is based around domain controllers, Microsoft Entra ID is a managed service, meaning organizations do not have to deploy, configure or maintain domain controllers. Additionally, Microsoft Entra ID is the identity and access management system used by Microsoft 365 and Office 365 for user and group management and other tasks.

What are the shortcomings of Active Directory?

Given the length of time that Active Directory has been around, it is not surprising there are some disadvantages to relying on a legacy Active Directory environment.

One disadvantage to Active Directory is the lack of support for non-Windows devices. Microsoft built Active Directory when organizations relied almost exclusively on domain-joined Windows devices. While a user can log in to an Active Directory environment from a non-Windows device, IT is not able to secure it with Group Policy settings. Many organizations have adopted parallel device management products to handle these non-Windows devices.

Another disadvantage to Active Directory is that the Windows Server machines it runs on require continuous maintenance and patching to remain secure. Patch management is a labor-intensive task that burdens many IT departments.

What are the benefits of Microsoft Entra ID?

For organizations that are looking to switch to Microsoft Entra ID, there are several advantages. Microsoft Entra ID is more scalable than Active Directory. A key limitation of Active Directory is the amount of work required to manage the domain controllers, which is not practical for a small IT team if the number of domain controllers is large. Microsoft Entra ID is a managed service, so domain controller maintenance and the related scalability challenges are not an issue.

Admins can manage Microsoft Entra ID with several tools, including Windows Admin Center and PowerShell. Microsoft Entra ID supports modern authentication methods and compliance standards, and it seamlessly integrates with a variety of cloud services, such as Microsoft 365 and Office 365.

What are some drawbacks of switching to Microsoft Entra ID?

While it has many advantages, Microsoft Entra ID is not without its shortcomings. There are significant disadvantages an enterprise must consider prior to adopting Microsoft Entra ID.

There is a learning curve for admins who switch to Microsoft Entra ID. Microsoft did not design familiar tools, such as Active Directory Users and Computers, to work with Microsoft Entra ID. Instead, IT pros need to use tools they may not be familiar with, such as Endpoint Configuration Manager and Intune.

Another important consideration is that legacy applications that have an Active Directory dependency might not work with Microsoft Entra ID. For example, a legacy application might require a particular Group Policy setting that does not exist in Microsoft Entra ID.

A legacy application might not work with Microsoft Entra ID due to the differences in the protocols supported by the two environments. The application might be unable to query the directory following a switch to Microsoft Entra ID because Active Directory queries are normally based on Lightweight Directory Access Protocol (LDAP), which is not natively supported by Microsoft Entra ID. While there are workarounds, such as performing a directory synchronization using Microsoft Entra Connect, formerly Azure Active Directory Connect, not all LDAP features work in Microsoft Entra ID.

Active Directory and Microsoft Entra ID use different authentication protocols. Active Directory is designed to work with the Kerberos and NT LAN Manager protocols. Microsoft Entra ID is cloud-based and uses web-based authentication protocols, including OAuth and Security Assertion Markup Language. Again, there are workarounds to use Kerberos with Microsoft Entra Connect, but this typically requires a hybrid deployment that uses both Microsoft Entra ID and Active Directory.

Why a hybrid arrangement might be the best approach

Organizations do not necessarily have to choose between Active Directory and Microsoft Entra ID. There is an option to create a hybrid deployment of both Microsoft Entra ID and Windows Server domain controllers. These domain controllers can be on premises or in cloud-based VMs. A hybrid environment provides the benefits of a modern, cloud-based directory service in Microsoft Entra ID, while also maintaining the legacy Active Directory environment that can continue to serve those older applications.

Microsoft makes it relatively easy to create a hybrid directory. At a minimum, an organization needs only to download Microsoft Entra Connect and install it on a VM. Once installed, Microsoft Entra Connect needs credentials to connect to the Active Directory and Microsoft Entra ID environments. Microsoft Entra Connect then synchronizes the two directories.
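The hybrid setup above ends with Microsoft Entra Connect synchronizing the two directories. The following PowerShell is an added example, not code from the article or from Microsoft; it checks that the sync scheduler on the Entra Connect server is actually enabled and exporting (a server left in staging mode never writes to Entra ID), starts a delta sync, and then confirms from the tenant side that a sync has landed. It assumes the ADSync module that Entra Connect installs, an elevated session on that server, and the Microsoft.Graph PowerShell module for the tenant-side check.

```powershell
# Added example: verify that an Entra Connect hybrid sync is healthy.
# Assumes: elevated PowerShell on the Entra Connect server, where the
# ADSync module (installed with Entra Connect) is available.
Import-Module ADSync -ErrorAction Stop

$scheduler = Get-ADSyncScheduler

# Staging mode imports from both directories but exports to neither, so an
# install can look complete while no object ever reaches Entra ID.
if ($scheduler.StagingModeEnabled) {
    Write-Warning "Server is in staging mode: nothing is exported to Microsoft Entra ID."
}

# A disabled scheduler means the directories silently drift apart over time.
if (-not $scheduler.SyncCycleEnabled) {
    Write-Warning "Scheduled sync cycles are disabled on this server."
}

Write-Host ("Effective sync interval: {0}  Next run (UTC): {1}" -f
    $scheduler.CurrentlyEffectiveSyncCycleInterval,
    $scheduler.NextSyncCycleStartTimeInUTC)

# Both halves of the hybrid should appear here: one connector for the
# on-premises forest and one for the Entra ID tenant.
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName | Format-Table -AutoSize

# Start a delta sync unless a cycle is already running. The cmdlet returns
# immediately; re-run Get-ADSyncScheduler to see when it finishes.
if ($scheduler.SyncCycleInProgress) {
    Write-Host "A sync cycle is already in progress; not starting another."
} else {
    Start-ADSyncSyncCycle -PolicyType Delta
    Write-Host "Delta sync started."
}

# Tenant-side confirmation (assumes the Microsoft.Graph module and an account
# allowed to read organization details). OnPremisesLastSyncDateTime advances
# only when an export from Entra Connect has actually succeeded.
Connect-MgGraph -Scopes "Organization.Read.All" -NoWelcome
$org = Get-MgOrganization
Write-Host ("Tenant sync enabled: {0}  Last sync (UTC): {1}" -f
    $org.OnPremisesSyncEnabled, $org.OnPremisesLastSyncDateTime)
```

Run the delta sync only after the scheduler and staging-mode checks look right; a stale OnPremisesLastSyncDateTime after a started cycle points at export errors on the Entra Connect server rather than at the tenant.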

Brien Posey is a 15-time Microsoft MVP with two decades of IT experience. He has served as a lead network engineer for the U.S. Department of Defense and as a network administrator for some of the largest insurance companies in America.
