Think security first when switching from traditional Active Directory to Azure AD

What enforces your security boundary today? What will enforce it in the next few years? For many years, Microsoft Active Directory has been the backbone and foundation of network authentication, identity, and connection. But for many organizations moving to cloud applications or having a mixture of operating systems, the need for cloud-based network management is on the rise.

Some firms are merely adding synchronization between on-premise networks and cloud environments and calling it a day. But too often user habits that were acceptable in a traditional domain are no longer acceptable in a cloud-first environment where you may not be quite as aware of attacks and how attackers target you. 

Over the past few years, I’ve seen more and more organizations question whether they should be deploying traditional Active Directory anymore, given that Windows 10 has seen its final rollout (aside from security updates) and will no longer be supported as of 2025. But we all know that one cannot have unmanaged computers, thus there is the need for some sort of management mechanism.

Chances are that many are considering Azure Active Directory and cloud applications to replace traditional Active Directory functions — especially newly formed or geographically dispersed organizations and possibly those employing other operating systems in addition to Windows. The question is, is Azure Active Directory robust enough to be relied upon completely?

With Microsoft having announced Windows 10 22H2 as the final release of Windows 10 and deployments now turning to Windows 11, it may be time to review options for adopting Azure Active Directory.

Take the time to get to know Azure AD basics

When deciding to transition to Azure AD, take the time to understand the basics. You can start with Microsoft’s documentation on the differences between on-premises Active Directory and Azure AD.

For example, it’s handy to know that with Windows 11, you can immediately join a workstation to Azure Active Directory to take advantage of its authentication process. With an Azure P1 license, you can use conditional access to further protect and manage deployment. Rather than using group policy to manage devices, you can pivot to Microsoft Intune to manage security patches.

And Microsoft recently released a Windows Local Administrator password solution replacing its Legacy LAPS toolkit. Windows LAPS and Intune can be used to manage a local administrator password. Note that the ability to manage and store the password in Azure AD is in preview at this time. Clearly, Microsoft sees that more of us are wanting to move to cloud-only deployment.

Evaluate the costs and benefits of switching to Azure AD

In addition, you’ll want to evaluate the costs and benefits of the licensing you will need to properly protect your organization. While Microsoft provides a basic Azure AD, I would strongly recommend that you choose either Premium P1 or P2 option to deploy in your organization. P1 includes device-based conditional access, whereas P2 provides risk-based conditional access.

Reviewing the tools you have been using to control traditional Active Directory and determining the cloud equivalents is critical. But don’t just take what you do on-premise and do exactly the same thing in the cloud — for one thing, the types of attacks on and the weaknesses of the two systems are of a different nature. The boundary of the cloud tends to be authentication and identity and it’s less reliant on firewalls as a protective outer barrier. If an attacker can acquire credentials in a cloud environment, they can often pivot into entering cloud-based resources as well.

Azure AD setup in Windows 11 is straightforward

Joining a Windows 11 workstation to Azure AD is now part of the out-of-box setup experience, though it will require a Windows 11 Professional, Enterprise, or Education version to perform this function. When you turn on Windows 11 there is a prompt that asks: “How would you like to set up this device?” If you choose “set up for work or school” this provides onboarding for Azure. Use the credentials you have set up in Microsoft 365/Azure Active Directory.

The user will be prompted by the Microsoft account process and if you have mandated multifactor authentication, you will be prompted accordingly. Then Azure AD will check whether enrollment in mobile device management is required, after which the overall Azure AD enrollment is performed. To verify that a device has been enrolled in Azure AD you can go to Settings > Accounts, which will indicate whether the device is connected and provide information regarding what is managed.

In the Azure portal, you can review those devices that are compliant as well as non-compliant with your policies. You’ll also be able to manage Bitlocker keys, conditional access, as well as Intune. Do note that as with many cloud deployments, one has to be patient when onboarding computers. New devices will not show up in the portal for several hours, thus it’s wise to plan accordingly.

Be aware of how attackers target Azure AD deployments

It’s also wise to also be aware of how attackers are targeting Azure deployments. Many attacks start with password-spraying techniques for Microsoft Online accounts. Thus, it’s highly recommended that your deployment techniques should include multifactor authentication as a default verification option.

Conditional access that allows you to set boundaries and alerts for unusual activities is another tool that will allow you to better protect your network from threats and attacks. Your password processes and policies should be reviewed as you begin the process to prove to Azure AD.

Finally, you can take advantage of Azure AD even If you aren’t yet fully migrated to Azure. You may not have realized you have access to several tools with a hybrid deployment, such as Azure AD password protection, which is available in Azure AD P1 or P2 licensing. Using this feature, you can set a password policy for your Azure AD that mimics what you already have in your on-premises active directory.

Password protection prerequisites in Azure AD

You will need the following prerequisites:

1. Azure AD Password Protection Proxy installed on one (or more, ideally) servers in your environment.
2. An Azure subscription with a Log Analytics Workspace
3. Domain Controllers on DFS-R for Sysvol replication
4. All Domain Controllers installed with Azure AD Password Protection agent
5. Domain Controllers onboarded via Azure Arc (or forwarding specific event logs to Azure via another method).
6. Azure AD Password Protection Proxy servers onboarded via Azure Arc (or forwarding specific event logs to Azure).

You can then build a workbook to synchronize your password policies so that your Azure AD will have the same structure as your on-premise Active Directory policies.

Even if you are still fully entrenched in on-premise Active Directory, you should always keep an eye out for new options and new techniques to protect and expand your network. Azure Active Directory should be seen as another tool in your arsenal of identity and protection.