Eliminating Onprem Active Directory and Going 100% to the Cloud (2024)

This past month my company started its final push to eliminate our onprem Active Directory (that we've had for 20+ years) so that our cloud-based Azure Active Directory will be our sole enterprise directory!

Having been a very early adopter of Active Directory and authored the #1 bestselling books in the world on AD design and implementation (the 1500-page "Unleashed" series of books from Sams Publishing (1998-2016)), pulling the plug on our on-prem Active Directory wasn't a trivial thing for us. But in a modern cloud world, AD has become a boat anchor in our I.T. operations, and we've been actively working to finally eliminate the last legacy system in our environment.

Why AD is No Longer Needed in Enterprises

Active Directory has been the source of user identity and policy management for years, and when everything was on-premise (users, servers, systems, applications), on-prem AD worked great. But in this day and age where email is in the cloud (Office 365, Google), communications systems are in the cloud (Teams, Zoom, RingCentral), collaboration and development tools are in the cloud (Teams, Slack, Git), business apps are in the cloud (Salesforce, Netsuite, Dynamics), having an on-premise user directory that is *not* close to users or applications is just not a thing anymore. Cloud has driven a time for change.

What Has to Be Shifted to the Cloud to Eliminate AD

Despite "many" applications being in the cloud these days, Active Directory still plays a bigger part for enterprises than just user logons, and each of those functions has to be moved "somewhere else" before you can eliminate AD.

  • Group Policy Objects (GPOs) - Many organizations apply device security and application security through Active Directory Group Policy Objects, and some even enforce VPN connections for remote users simply so that security policies can be "pushed" from on-prem Active Directory to devices. But GPOs never really worked with Apple Macs or mobile phones, whereas mobile device management solutions (like Microsoft Intune) can push device and application policies to ALL systems (Windows, Macs, iOS, Android) from the cloud. So a shift from on-prem GPOs to a cloud-based mobile device management solution eliminates a historically big function of AD.
  • Domain Name Services (DNS) and Dynamic Host Configuration Protocol (DHCP) - DNS and DHCP are services that help applications and devices know where to find things on the network. Active Directory included DNS and DHCP, so organizations set up AD to provide these services years ago. It's easy to shift DHCP to networking devices (routers, switches, and WiFi access points) and DNS to a standalone server system or cloud DNS solution and easily eliminate the need for AD serving up those functions.
  • Certificate Services / PKI - Many organizations issue security certs from an Active Directory based Certificate Authority that'll go away when AD is eliminated. However, most certs created in the past were for "servers" (Exchange, SharePoint, Web) that no longer exist on-prem, having been replaced by cloud services. The need for certs these days (frequently for WiFi security, laptop security, application signing, etc.) can be handled by cloud-based certificate solutions (like solutions from KeyFactor, SecureW2, SCEPman).
  • Domain Join - This is typically the last "need" to eliminate, as old server applications have required "joining Active Directory", and it's hard to unhook old applications from this domain join function if you're still using the apps. However, if you identify the applications that require joining a domain and focus on shifting those applications to cloud-based (SaaS) solutions, then once you are free of any domain joined systems, that's typically the final hook that can be released to allow you to eliminate Active Directory. For orgs that might have 1 or 2 applications that will "always" be domain joined systems, you can still keep an AD server or two on-prem for those applications, but you can eliminate all other domain controllers across your organization as users and devices switch to cloud-based logon, directory, and device management tools.

Can't We Just Move AD to the Cloud?

Many I.T. professionals want to simply move Active Directory to the cloud to "complete" their modernization process, but that's like lifting and shifting an Exchange Server or a SharePoint Server to run as a virtual machine in the cloud rather than doing modernization "right". With Exchange and SharePoint, we just moved mailboxes, calendars, and files to Office 365, which in the end made a WHOLE lot more sense for organizations. Lifting and shifting AD to a cloud virtual machine isn't the solution.

Another common thought is moving on-prem Active Directory to Microsoft Azure's AD Domain Services, with the idea that Azure AD Domain Services is a possible solution, but it is NOT. I wrote about this many months back: unfortunately, Azure AD Domain Services does not shift on-prem AD to the Azure cloud as one might think it should.

The Migration Process

Taking the bullet points above, by identifying the things that rely on Active Directory and shifting them off to solutions that don't require AD, an organization can whittle away at the areas that AD serves. Things like implementing Microsoft Intune for endpoint management (which many organizations already own as part of their Microsoft 365 licensing) eliminate the need for domain join and device management.

Eliminating virtual machines (that "join" to Active Directory) in favor of cloud-based applications and solutions, shifting from LDAP directory queries to modern authentication mechanisms, and moving from older ADFS application authentication to Azure Active Directory native single sign-on (SSO) authentication gets rid of all the miscellaneous things tied to Active Directory in an environment.


The PowerShell Command That Makes Cutovers Easy!

With the elimination of device management, policy management, server joins, and legacy authentication functions from Active Directory, the last piece is moving users from being AD users that are "sync'd" to Azure Active Directory (AAD) in the cloud, to just being solely AAD cloud users.

Microsoft released a PowerShell command that makes all this easy. Basically you unsync the user from Azure Active Directory, then run:

Get-MsolUser -ReturnDeletedUsers

Restore-MsolUser -UserPrincipalName "xxxxx@yourdomain.com"

The unsync process (done by removing the sync on your Azure AD Connect server that syncs users from on-prem AD to Azure AD) will effectively soft delete the user(s) from Azure AD. The PowerShell command then undeletes the user and restores all services for that user in Office 365.

Note: After you soft delete the user and then undelete them through PowerShell, the user will not be able to logon or access any Office 365 resources for around 21 minutes (we call it a "half hour" of offline time). This is the time it takes for Microsoft to re-connect the user (now Cloud only) to their old resources (email, OneDrive, Teams, etc.). Everything reconnects just fine with no changes, but just know the users won't be able to access O365 for a half hour.

After this wait time, the user is back online now as a Cloud only account (not AD sync'd) and more importantly, the user's password and everything works exactly as it did before, NO user interaction needed!

*** Obviously test this on a single test account and then on a handful of accounts so you know the process and behavior before running this org wide ***
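As an added example (not code from the original post), here is the cutover above written as a dry-run-first script for a whole domain: it lists only soft-deleted users that were previously directory synced, restores them, and reads the object back for verification. It assumes the MSOnline module is installed, that sync has already been removed for these users, and that yourdomain.com is a placeholder. Note that Microsoft has since deprecated the MSOnline module in favour of Microsoft Graph PowerShell, so this is written for tenants still able to use it.

```powershell
# Added example, not from the original post. Restores soft-deleted, formerly
# directory-synced users as cloud-only accounts using the MSOnline cmdlets the
# post names. Assumes the MSOnline module is installed and that Azure AD Connect
# sync for these users has already been removed, so they sit in the deleted list.
# Caveat: Microsoft has deprecated MSOnline in favour of Microsoft Graph PowerShell.

Import-Module MSOnline
Connect-MsolService            # interactive sign-in with an admin account

$Domain = 'yourdomain.com'     # placeholder: your tenant's verified domain
$WhatIf = $true                # dry run first; set to $false for the real cutover

# Only pick up deleted users that were previously synced from on-prem AD and
# belong to the domain being cut over, so a cloud-only user that was deleted on
# purpose is not resurrected by accident.
$candidates = Get-MsolUser -ReturnDeletedUsers -All |
    Where-Object {
        $_.UserPrincipalName -like "*@$Domain" -and
        $null -ne $_.LastDirSyncTime
    }

Write-Host ("Found {0} soft-deleted, previously synced user(s) in {1}" -f @($candidates).Count, $Domain)

foreach ($u in $candidates) {
    if ($WhatIf) {
        Write-Host "WHATIF: would restore $($u.UserPrincipalName)"
        continue
    }
    try {
        # Restore the object in place. If a proxy address now collides with
        # another object, -AutoReconcileProxyConflicts drops the conflicting
        # address instead of failing the whole restore.
        Restore-MsolUser -UserPrincipalName $u.UserPrincipalName -AutoReconcileProxyConflicts

        # Read the user back so the cutover log shows what the tenant now holds.
        $after = Get-MsolUser -UserPrincipalName $u.UserPrincipalName
        Write-Host ("Restored {0} (LastDirSyncTime={1}, ImmutableId={2})" -f $after.UserPrincipalName, $after.LastDirSyncTime, $after.ImmutableId)
    }
    catch {
        Write-Warning "Failed to restore $($u.UserPrincipalName): $_"
    }
}
```

Run it once with $WhatIf left at $true against your test account before flipping it to $false, and allow for the roughly half hour of offline time the post describes after each restore.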

When this PowerShell command is run, you will find that Azure AD group memberships are retained, but synced on-prem group memberships go away. If you have old AD groups (sales, accounting, IT, etc.) that you track users by, you'll need to create new Azure AD groups and place users into those groups (along with applying cloud-based security or management policies for whatever is pertinent these days for your organization).

Note: while organizations frequently have a lot of AD groups, most were created long ago to designate default print queues, user location, users who had "remote access" privileges, etc., and they have very little applicability in the current cloud, work from home, hybrid world we're in. So before you start creating Azure AD groups that mirror ALL of the old on-prem AD groups you have, you might want to whittle it down to just the handful of groups actually used these days.

Wrap-up

Getting rid of on-prem Active Directory is the final step in having fully "moved to the cloud," and completely eliminates an organization's dependence on a legacy system that has very little applicability in today's I.T. world. But it's more than just uninstalling AD; it's stepping back through a decade or more of "things" we have just used AD for over the years, all of which need to be modernized to cloud solutions.

There's a modern solution for everything AD did, and it is good practice for organizations looking to "modernize" to walk through the process of preparing for the elimination of AD, as you unravel a whole lot of legacy "on-prem" things that just don't apply in a cloud-focused world.

Article information

Author: Prof. Nancy Dach