This past month my company started its final push to eliminate our onprem Active Directory (that we've had for 20+ years) so that our cloud-based Azure Active Directory will be our sole enterprise directory!
Having been a very early adopter of Active Directory and authored the #1 bestselling books in the world on AD design and implementation (the 1500-page "Unleashed" series of books from Sams Publishing (1998-2016)), pulling the plug on our on-prem Active Directory wasn't a trivial thing for us, but in a modern cloud world AD has become a boat anchor in our I.T. operations, and we've been actively working to finally eliminate the last legacy system in our environment.
Why AD is No Longer Needed in Enterprises
Active Directory has been the source of user identity and policy management for years, and when everything was on-premise (users, servers, systems, applications), on-prem AD worked great. But in this day and age where email is in the cloud (Office 365, Google), communications systems are in the cloud (Teams, Zoom, RingCentral), collaboration and development tools are in the cloud (Teams, Slack, Git), business apps are in the cloud (Salesforce, Netsuite, Dynamics), having an on-premise user directory that is *not* close to users or applications is just not a thing anymore. Cloud has driven a time for change.
What Has to Be Shifted to the Cloud to Eliminate AD
Despite "many" applications being in the cloud these days, Active Directory still plays a bigger part for enterprises than just user logons, and each of those other functions has to be moved "somewhere else" before you can eliminate AD.
Can't We Just Move AD to the Cloud?
Many I.T. professionals want to simply move Active Directory to the cloud to "complete" their modernization process, but that's like lifting and shifting an Exchange Server or a SharePoint Server to run as a virtual machine in the cloud rather than doing modernization "right". With Exchange and SharePoint, we just moved mailboxes, calendars, and files to Office 365, which in the end made a WHOLE lot more sense for organizations. Lifting and shifting AD to a cloud virtual machine isn't the solution.
Another common thought is moving on-prem Active Directory to Microsoft Azure's AD Domain Services, with the idea that Azure AD Domain Services is a possible solution, but it is NOT. I wrote about this many months back: unfortunately Azure AD Domain Services does not shift on-prem AD to the Azure cloud the way one might think it should.
The Migration Process
Taking the bullet points above, by identifying the things that rely on Active Directory and shifting them to solutions that do not require AD, an organization can whittle away at the areas that AD serves. Things like implementing Microsoft Intune for endpoint management (which many organizations already own as part of their Microsoft 365 licensing) eliminate the need for domain join and device management.
Eliminating virtual machines (that "join" to Active Directory) in favor of cloud-based applications and solutions, shifting from LDAP directory queries to modern authentication mechanisms, and moving from older ADFS application authentication to Azure Active Directory native single sign-on (SSO) authentication gets rid of all the miscellaneous things tied to Active Directory in an environment.
The PowerShell Command That Makes Cutovers Easy!
With the elimination of device management, policy management, server joins, and legacy authentication functions from Active Directory, the last piece is moving users from being AD users that are "sync'd" to Azure Active Directory (AAD) in the cloud, to just being solely AAD cloud users.
Microsoft released a PowerShell command that makes all this easy. Basically you unsync the user from Azure Active Directory, then run:
Get-MsolUser -ReturnDeletedUsers   # list the users that the unsync step soft-deleted
Restore-MsolUser -UserPrincipalName "xxxxx@yourdomain.com"   # undelete one user; it comes back as a cloud-only account
The unsync process (done by removing the sync of your AD Connect server that syncs users from on-prem AD to Azure AD) will effectively soft delete the user(s) from Azure AD. The PowerShell command then undeletes the user and restores all services for that user in Office 365.
Note: After you soft delete the user and then undelete them through PowerShell, the user will not be able to log on or access any Office 365 resources for around 21 minutes (we call it a "half hour" of offline time). This is the time it takes for Microsoft to re-connect the user (now cloud only) to their old resources (email, OneDrive, Teams, etc). Everything reconnects just fine with no changes, but just know the users won't be able to access O365 for a half hour.
After this wait time, the user is back online now as a Cloud only account (not AD sync'd) and more importantly, the user's password and everything works exactly as it did before, NO user interaction needed!
*** Obviously test this on a single test account and then on a handful of accounts so you know the process and behavior before running this org wide ***
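As an added example that is not part of the original post, here is a way to run that cutover for a small batch of accounts and verify each one afterwards. It assumes the MSOnline module (which Microsoft has since deprecated in favour of Microsoft Graph PowerShell), an authenticated Connect-MsolService session, and that an empty LastDirSyncTime on the restored object is the sign it is now cloud-only; the account list and the Restore-CloudOnlyUser function name are constructed for this example.

```powershell
# Constructed list of accounts to cut over; start with a single test account.
$Upns = @('testuser@yourdomain.com')

function Restore-CloudOnlyUser {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Only touch accounts that the unsync step has actually soft-deleted. An account that
    # is still being synced from on-prem AD is not in this list and must be left alone.
    $deleted = Get-MsolUser -ReturnDeletedUsers -All |
        Where-Object { $_.UserPrincipalName -eq $UserPrincipalName }
    if (-not $deleted) {
        Write-Warning "$UserPrincipalName is not in the deleted-users list; skipping."
        return $null
    }

    # The undelete from the post: the user comes back with licenses and services intact.
    Restore-MsolUser -UserPrincipalName $UserPrincipalName

    # Verify the restored object. Assumption for this example: LastDirSyncTime is
    # populated only while the account is sourced from on-prem AD, so an empty value
    # means the account is now cloud-only.
    $restored = Get-MsolUser -UserPrincipalName $UserPrincipalName
    [pscustomobject]@{
        UserPrincipalName = $restored.UserPrincipalName
        IsLicensed        = $restored.IsLicensed
        LastDirSyncTime   = $restored.LastDirSyncTime
        CloudOnly         = ($null -eq $restored.LastDirSyncTime)
    }
}

$results = foreach ($upn in $Upns) { Restore-CloudOnlyUser -UserPrincipalName $upn }
$results | Format-Table -AutoSize

# Anything still reported as synced needs a look before the next batch is processed.
$results | Where-Object { -not $_.CloudOnly } | ForEach-Object {
    Write-Warning "$($_.UserPrincipalName) still reports a directory sync time."
}
```

Remember the roughly half hour the post describes before a restored user can sign in again; the verification here checks the directory object, not whether mail or Teams are reachable yet.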
When this PowerShell command is run, you will find that Azure AD group memberships are retained, but synced on-prem group memberships go away. If you have old AD groups (sales, accounting, IT, etc) that you track users by, you'll need to create new Azure AD groups and place users into those groups (along with applying cloud-based security or management policies for whatever is pertinent these days for your organization).
Note: while organizations frequently have a lot of AD groups, most were created long ago to designate default print queues, user location, users who had "remote access" privileges, etc that have very little applicability in the current cloud, work from home, hybrid world we're in. So before you start creating AzureAD groups that mirror ALL of the old on-prem AD groups you have, you might want to whittle it down to just the handful of groups actually used these days.
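To support that whittling down, here is an added example (not from the original post) that inventories the groups still synced from on-prem AD, with their members, before the sync is removed, so only the groups actually in use get recreated as cloud groups. It assumes the MSOnline module (deprecated by Microsoft in favour of Microsoft Graph PowerShell), an authenticated Connect-MsolService session, and that LastDirSyncTime is set only on synced objects; the Get-SyncedGroupInventory function name and the output file name are constructed for this example.

```powershell
function Get-SyncedGroupInventory {
    param([int]$MinMembers = 1)   # groups below this size are flagged as not worth recreating

    # Assumption: LastDirSyncTime is set only on objects sourced from on-prem AD, so it
    # separates the synced groups (the memberships that vanish at cutover) from the
    # cloud groups that are retained.
    $synced = Get-MsolGroup -All | Where-Object { $null -ne $_.LastDirSyncTime }

    foreach ($g in $synced) {
        $members = @(Get-MsolGroupMember -GroupObjectId $g.ObjectId -All)
        [pscustomobject]@{
            DisplayName = $g.DisplayName
            GroupType   = $g.GroupType
            MemberCount = $members.Count
            Members     = ($members | ForEach-Object { $_.EmailAddress }) -join ';'
            Recreate    = ($members.Count -ge $MinMembers)
        }
    }
}

# Review the largest groups first; empty or single-member groups are usually the old
# print-queue and location groups the post mentions.
$inventory = Get-SyncedGroupInventory -MinMembers 2
$inventory | Sort-Object MemberCount -Descending |
    Format-Table DisplayName, GroupType, MemberCount, Recreate -AutoSize

# The CSV doubles as the membership record for rebuilding the surviving groups in Azure AD.
$inventory | Where-Object Recreate |
    Export-Csv -Path .\synced-groups-to-recreate.csv -NoTypeInformation
```

Run this while the AD Connect sync is still in place; once users have been unsynced and restored, the synced memberships are gone from the cloud side.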
Wrap-up
Getting rid of on-prem Active Directory is the final step in having fully "moved to the cloud," and it completely eliminates an organization's dependence on a legacy system that has very little applicability in today's I.T. world. But it's more than just uninstalling AD; it's stepping back through a decade or more of "things" we have just used AD for over the years that all need to be modernized to cloud solutions.
There's a modern solution for everything AD did, and it is good practice for organizations looking to "modernize" to walk through the process of preparing for the elimination of AD, unraveling a whole lot of legacy "on-prem" things that just don't apply in a cloud-focused world.