Mastering Active Directory, Third Edition - Dishan Francis - E-Book


Dishan Francis

Description

Mastering Active Directory, Third Edition is a comprehensive guide for Information Technology professionals looking to improve their knowledge about MS Windows Active Directory Domain Service. The book will help you to use identity elements effectively and manage your organization’s infrastructure in a secure and efficient way. This third edition has been fully updated to reflect the importance of cloud-based strong authentication and other tactics to protect identity infrastructure from emerging security threats.

Mastering Active Directory, Third Edition provides extensive coverage of AD Domain Services and helps you explore their capabilities as you update to Windows Server 2022. This book will also teach you how to extend on-premises identity presence to cloud via Azure AD hybrid setup. By the end of this Microsoft Active Directory book, you’ll feel confident in your ability to design, plan, deploy, protect, and troubleshoot your enterprise identity infrastructure.

You can read the e-book in the Legimi apps or in any app that supports the following formats:

EPUB
MOBI

Page count: 956

Year of publication: 2021




Mastering Active Directory

Third Edition

Design, deploy, and protect Active Directory Domain Services for Windows Server 2022

Dishan Francis

BIRMINGHAM—MUMBAI

Mastering Active Directory

Third Edition

Copyright © 2021 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Producer: Tushar Gupta

Acquisition Editor – Peer Reviews: Saby Dsilva

Project Editor: Namrata Katare

Content Development Editor: Alex Patterson

Copy Editor: Safis Editor

Technical Editor: Aditya Sawant

Proofreader: Safis Editor

Indexer: Tejal Daruwale Soni

Presentation Designer: Ganesh Bhadwalkar

First published: June 2017

Second Edition: August 2019

Third Edition: November 2021

Production reference: 2141022

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80107-039-3

www.packt.com

Contributors

About the author

Dishan Francis is an IT professional with over 15 years' industry experience. He was a six-time Microsoft MVP in Enterprise Mobility before joining Microsoft UK as a security consultant. He has maintained the RebelAdmin technology blog over the years, with lots of useful articles that focus on on-prem Active Directory services and Azure Active Directory. He has also written for other Microsoft managed blogs such as canitpro and ITOpsTalk.

It would have been impossible to write this book without many people behind me. I'd like to thank my wife Kanchana, daughter Selena, and son Andrew for their great support, and my parents and all my relations for their encouragement. Thanks too to my publisher, reviewers, and my friends in Microsoft for their support on this journey.

About the reviewer

Chris Spanougakis has been a Microsoft Certified Trainer since 2000 and holds a Master of Science in computer studies. He has participated in various Microsoft local and international events, such as TechEd Europe, Microsoft Ignite, Microsoft Sinergija, IT Pro|Dev Connections, and ShowIT, as a technology speaker, and he specializes in Microsoft products such as Windows Server, Exchange Server, and System Center products. He was also a Microsoft Most Valuable Professional (MVP) in Identity and Access Management from 2008 to 2019. Chris has more than 20 years of experience as an IT consultant, specializing in the implementation of Microsoft technologies in organizations of any size. Today he works as an Azure solution architect and trainer in Greece and abroad. You can reach him at https://systemplus.gr

Contents

Preface

Who this book is for

What this book covers

To get the most out of this book

Get in touch

Active Directory Fundamentals

Modern access management

What is an Identity?

The future of Identity and Access Management (IAM)

The Rise of Cybercrime

Zero trust security

Password-less authentication

Digital ID

Hybrid Identity and Active Directory Domain Services

Benefits of using Active Directory

Centralized data repository

The replication of data

High availability

Security

Auditing capabilities

Single sign-on (SSO)

Schema modification

Querying and indexing

Understanding Active Directory components

Logical components

Forests

Domains

Domain trees

Organizational units

Physical components

Domain controllers

The global catalog server

Active Directory sites

Understanding Active Directory objects

Globally unique identifiers and security identifiers

Distinguished names

Active Directory server roles

Summary

Active Directory Domain Services 2022

The features of AD DS 2022

The deprecation of Windows Server 2003's forest and domain functional levels

The deprecation of the File Replication service

Privileged Access Management (PAM)

The evolution of cyber crime

Recent cyber-attacks

A typical AD attack

What does PAM have to do with AD DS 2022?

What is the logic behind PAM?

Time-based group memberships

Windows Hello for Business

Time sync improvements

PowerShell 7

Summary

Designing an Active Directory Infrastructure

What makes a good system?

New business requirements

Correcting legacy design mistakes

Gathering business requirements

Defining security boundaries

Identifying the physical computer network structure

Designing the forest structure

Single forest

Multiple forests

Creating the forest structure

Autonomy

Isolation

Selecting forest design models

The organizational forest model

The resource forest model

The restricted access forest model

Designing the domain structure

Single domain

Regional domain

The branch/site domain

The number of domains

Deciding on domain names

The forest root domain

Deciding on the domain and forest functional levels

Designing the OU structure

Designing the physical topology of Active Directory

Physical or virtual domain controllers

Domain controller placement

Global catalog server placement

Designing a hybrid identity

Cloud approach

Identifying business needs

Synchronization

Shared responsibility

Cost

Summary

Active Directory Domain Name System

What is DNS?

Hierarchical naming structures

Top-Level Domain managers (TLD managers)

How DNS works

DNS infrastructure design

Integrate AD DS with existing DNS infrastructure

Disjoint naming space

Deploying AD-integrated new DNS infrastructure

DNS essentials

DNS records

Start of authority record

A and AAAA records

NS records

Mail exchanger records

Canonical name records

Pointer records

SRV records

Zones

Primary zone

Secondary zone

Stub zones

Reverse lookup zones

Conditional forwarders

DNS policies

Secure DNS client over HTTPS (DoH)

DNS server operation modes

Zone transfers

DNS delegation

DNS service providers

Summary

Placing Operations Master Roles

FSMO roles

Schema operations master

Domain-naming operations master

PDC emulator operations master

RID operations master role

Infrastructure operations master

FSMO role placement

Active Directory's logical and physical topology

Connectivity

The number of domain controllers

Capacity

Best practices

Moving FSMO roles

Seizing FSMO roles

Summary

Migrating to Active Directory 2022

AD DS installation prerequisites

Hardware requirements

Virtualized environment requirements

Best practices for installing a domain controller in Microsoft Azure

Additional requirements

AD DS installation methods

AD DS deployment scenarios

Setting up a new forest root domain

AD DS installation checklist for the first domain controller

Design topology

Installation steps

Setting up an additional domain controller

AD DS installation checklist for an additional domain controller

Design topology

Installation steps

How to plan AD migrations

Migration life cycle

Auditing

AD logical and physical topology

AD health check

SCOM and Azure Sentinel

Application auditing

Planning

Implementation

AD migration checklist

Design topology

Installation steps

Verification

Maintenance

Summary

Managing Active Directory Objects

Tools and methods for managing objects

Windows Admin Center

Active Directory Administrative Center

The ADUC MMC

AD object administration with PowerShell

Creating, modifying, and removing objects in AD

Creating AD objects

Creating user objects

Creating computer objects

Modifying AD objects

Removing AD objects

Finding objects in AD

Finding objects using PowerShell

Preventing the accidental deletion of objects

AD recycle bin

Summary

Managing Users, Groups, and Devices

Object attributes

Custom attributes

Syncing custom attributes to Azure AD

User accounts

Managed Service Accounts (MSAs)

Group Managed Service Accounts (gMSAs)

Uninstalling MSAs

Groups

Group scope

Converting groups

Setting up groups

Devices and other objects

Best practices

Summary

Designing the OU Structure

OUs in operations

Organizing objects

Delegating control

Group policies

Containers vs. OUs

Active Directory Groups vs. OUs

OU design models

The container model

The object type model

The functions model

The geographical model

The department model

The hybrid model

Managing the OU structure

Delegating control

Summary

Managing Group Policies

Benefits of group policies

Maintaining standards

Automating administration tasks

Preventing users from changing system settings

Flexible targeting

No modifications to target

Group Policy capabilities

Group Policy objects

The Group Policy container

The Group Policy template

Group Policy processing

Group Policy inheritance

Group Policy conflicts

Group Policy mapping and status

Administrative templates

Group Policy filtering

Security filtering

WMI filtering

Group Policy preferences

Item-level targeting

Loopback processing

Group Policy best practices

Useful group policies

Summary

Active Directory Services – Part 01

Overview of AD LDS

Where to use LDS

Application development

Hosted applications

Distributed data stores for AD-integrated applications

Migrating from other directory services

The LDS installation

AD replication

FRS versus DFSR

AD sites and replication

Replication

Authentication

Service locations

Sites

Subnets

Site links

Site link bridges

Managing AD sites and other components

Managing sites

Managing site links

The site link cost

Inter-site transport protocols

Replication intervals

Replication schedules

The site link bridge

Bridgehead servers

Managing subnets

How does replication work?

Intra-site replication

Inter-site replication

The KCC

How do updates occur?

The Update Sequence Number (USN)

The Directory Service Agent (DSA) GUID and invocation ID

The High Watermark Vector (HWMV) table

The Up-To-Dateness Vector (UTDV) table

Summary

Active Directory Services – Part 02

Active Directory trusts

Trust direction

Transitive trusts vs Non-Transitive trusts

Active Directory trust types

Creating an Active Directory trust

Firewall ports

Conditional Forwarding

Setting Up an Active Directory Forest Trust

Testing

RODCs

Active Directory database maintenance

The ntds.dit file

The edb.log file

The edb.chk file

The temp.edb file

Offline defragmentation

Active Directory Backup and Recovery

Preventing the accidental deletion of objects

Active Directory Recycle Bin

Active Directory snapshots

Active Directory system state backup

Active Directory recovery from system state backup

Summary

Active Directory Certificate Services

PKI in action

Symmetric keys versus asymmetric keys

Digital encryption

Digital signatures

Signing, encryption, and decryption

SSL certificates

Types of certification authorities

How do certificates work with digital signatures and encryption?

What can we do with certificates?

AD CS components

The CA

Certificate Enrollment Web Service

Certificate Enrollment Policy Web Service

Certification Authority Web Enrollment

Network Device Enrollment Service

Online Responder

The types of CA

Planning PKI

Internal or public CAs

Identifying the correct object types

The cryptographic key length

Hash algorithms

The certificate validity period

The CA hierarchy

High availability

Deciding certificate templates

The CA boundary

PKI deployment models

The single-tier model

The two-tier model

Three-tier models

Setting up a PKI

Setting up a standalone root CA

DSConfigDN

CDP locations

AIA locations

CA time limits

CRL time limits

The new CRL

Publishing the root CA data to Active Directory

Setting up the issuing CA

Issuing a certificate for the issuing CA

Post-configuration tasks

CDP locations

AIA locations

CA and CRL time limits

Certificate templates

Requesting certificates

Migrating AD CS from Windows Server 2008 R2 to Windows Server 2022

Demo setup

Backing up the configuration of the existing CA (Windows Server 2008 R2)

Installing an AD CS role in the new Windows 2022 Server

Restoring the configuration from the previous CA

Testing

AD CS disaster recovery

Disaster recovery methods

System state backup

The certutil command utility + Registry Export

The Backup-CARoleService PowerShell cmdlet + Registry Export

Summary

Active Directory Federation Services

How does AD FS work?

What is a claim?

Security Assertion Markup Language (SAML)

WS-Trust

WS-Federation

AD FS components

Federation service

AD FS 1.0

AD FS 1.1

AD FS 2.0

AD FS 2.1

AD FS 3.0

AD FS 4.0

What is new in AD FS 2022?

The Web Application Proxy

AD FS configuration database

AD FS deployment topologies

A single federation server

A single federation server and single Web Application Proxy server

Multiple federation servers and multiple Web Application Proxy servers with SQL Server

AD FS deployment

DNS records

SSL certificates

Installing the AD FS role

Installing WAP

Configuring the claims-aware application with new federation servers

Creating a relying party trust

Configuring the Web Application Proxy

Integrating with Azure MFA

Prerequisites

Creating a certificate in an AD FS farm to connect to Azure MFA

Enabling AD FS servers to connect with the Azure MFA client

Enabling the AD FS farm to use Azure MFA

Enabling Azure MFA for authentication

Azure AD federation with AD FS

Federation sign-in with Azure AD

Creating federation trust between Azure AD and AD FS

Configuring Azure AD Connect

Testing

Summary

Active Directory Rights Management Services

What is AD RMS?

AD RMS components

Active Directory Domain Services (AD DS)

The AD RMS cluster

Web server

SQL Server

The AD RMS client

Active Directory Certificate Service (AD CS)

How does AD RMS work?

How do we deploy AD RMS?

Single forest-single cluster

Single forest-multiple clusters

AD RMS in multiple forests

AD RMS with AD FS

AD RMS configuration

Setting up an AD RMS root cluster

Installing the AD RMS role

Configuring the AD RMS role

Testing – protecting data using the AD RMS cluster

Testing – applying permissions to the document

Azure Information Protection (AIP)

Data classification

Azure Rights Management Services (Azure RMS)

How does Azure RMS work?

AIP implementation

Summary

Active Directory Security Best Practices

AD authentication

The Kerberos protocol

Authentication in an AD environment

Delegating permissions

Predefined AD administrator roles

Using object ACLs

Using the delegate control method in AD

Implementing fine-grained password policies

Limitations

Resultant Set of Policy (RSoP)

Configuration

Pass-the-hash attacks

The Protected Users security group

Restricted admin mode for RDP

Authentication policies and authentication policy silos

Authentication policies

Authentication policy silos

Creating authentication policies

Creating authentication policy silos

Secure LDAP

What are the characteristics of secure LDAP?

Enable secure LDAP

Microsoft Local Administrator Password Solution (LAPS)

Review prerequisites

Install Microsoft LAPS

Update the AD schema

Change computer object permissions

Assign permissions to groups for password access

Install CSE in Computers

Create a GPO for LAPS settings

Testing

On-prem Azure AD Password Protection

Azure AD Password Protection proxy

Azure AD Password Protection DC agent

How does Azure AD Password Protection work with AD?

Configuration

Testing

Summary

Advanced AD Management with PowerShell

AD management with PowerShell – preparation

PowerShell 7

AD management commands and scripts

Replication

Replicating a specific object

Users and groups

Last logon time

Last login date report

Login failures report

Finding the locked-out account

Password expire report

Review the membership of the high-level administrative groups

Dormant accounts

Users with the Password Never Expires setting

Azure Active Directory PowerShell

Installation

General commands

Managing users

Managing groups

Microsoft Graph

Microsoft Graph Explorer

Summary

Hybrid Identity

Extending on-prem AD to Azure AD

Evaluating the present business requirements

Evaluating an organization's infrastructure road map

Evaluating the security requirements

Selecting the Azure AD version

Deciding on a sign-in method

Password hash synchronization

Federation with Azure AD

Pass-through authentication

Azure AD Seamless SSO

Synchronization between on-prem AD and an Azure AD managed domain

Azure AD Connect

Azure AD Connect deployment topology

Staging the server

Azure AD Connect cloud sync

Azure AD Connect cloud sync prerequisites

Azure AD Connect cloud sync configuration

Step-by-step guide to integrating an on-prem AD environment with Azure AD

Creating a virtual network

Setting up an Azure AD managed domain

Adding DNS server details to the virtual network

Creating a Global Administrator account for Azure AD Connect

Setting up Azure AD Connect

Installing the Pass-through Authentication agent

Azure AD Connect configuration

Syncing NTLM and Kerberos credential hashes to Azure AD

Enabling secure LDAP (LDAPS) for an Azure AD DS managed domain

Enable secure LDAP (LDAPS)

Allow secure LDAP traffic

Testing

Azure AD DS resiliency with replica sets

Set up a new resource group for an additional replica set

Set up a new virtual network for an additional replica set

Set up global VNet peering between two virtual networks

Create an Azure AD DS managed domain replica set

Summary

Active Directory Audit and Monitoring

Auditing and monitoring AD using built-in Windows tools and techniques

Windows Event Viewer

Custom Views

Windows Logs

Applications and Services Logs

Subscriptions

AD DS event logs

AD DS log files

AD audit

Audit Directory Service Access

Audit Directory Service Changes

Audit Directory Service Replication

Audit Detailed Directory Service Replication

Demonstration

Reviewing events

Setting up event subscriptions

Security event logs from domain controllers

Enabling advanced security audit policies

Enforcing advanced auditing

Reviewing events with PowerShell

Microsoft Defender for Identity

What is Microsoft Defender for Identity?

Defender for Identity benefits

Prevent

Detect

Investigate

Respond

Microsoft Defender for Identity architecture

Microsoft Defender for Identity prerequisites

Licenses

Connectivity to the Defender for Identity cloud service

Service accounts

Honeytoken account

Firewall ports

Advanced audit policies

NTLM auditing

SAM-R Permissions

Sizing tool

Deployment

Azure AD Connect Health

Prerequisites

Configuration

Summary

Other Books You May Enjoy

Index


Preface

Microsoft Active Directory is the most widely used identity management solution. It can centrally manage identities across an organization's infrastructure. It is equipped with different role services, features, and components that help us handle identities securely and effectively according to business requirements. For the last 20 years, Microsoft has continued improving Active Directory, and Active Directory 2022 further consolidates its approach in terms of meeting industry requirements and protecting identity infrastructures from emerging security threats. However, a technology-rich product alone is not going to make a productive, reliable, scalable, and secure identity infrastructure. It requires knowledge of Active Directory role services, components, and features. It also requires knowledge of how to use those effectively to match different operational requirements. Only then can we plan, design, manage, and maintain a robust identity infrastructure.

Over the past few years, more and more organizations have adopted cloud technologies for a variety of reasons. With the growth of the cloud footprint, organizations' identity requirements have also changed. We can no longer limit corporate identities to on-prem infrastructures. By using Microsoft Azure Active Directory, we can extend our on-prem identities to the cloud. The hybrid AD approach provides many benefits for modern authentication requirements. However, security-wise, it also opens up a whole new level of challenges. Therefore, the majority of the new content in the third edition is related to designing the Azure AD hybrid cloud, securing a hybrid AD environment, and protecting sensitive data.

Who this book is for

If you are an Active Directory administrator, system administrator, or network professional who has basic knowledge of Active Directory and is looking to become an expert in this topic, this book is for you.

What this book covers

Chapter 1, Active Directory Fundamentals, explains what Active Directory is and its capabilities. This chapter also explains the main components (physical and logical structure), object types, and role services of Active Directory. Last but not least, this chapter also covers why we need an advanced identity management solution such as Azure Active Directory.

Chapter 2, Active Directory Domain Services 2022, explains what we can expect with Active Directory Domain Services (AD DS) 2022 and how we can use the features introduced in AD DS 2016 (as there is no new Domain Functional Level (DFL) or Forest Functional Level (FFL)) to improve your existing Active Directory environment.

Chapter 3, Designing an Active Directory Infrastructure, talks about what needs to be considered in Active Directory infrastructure design. This chapter discusses how to place the AD DS logical and physical components in the AD DS environment according to best practices. It also covers the design concepts for hybrid identity.

Chapter 4, Active Directory Domain Name System, explains how DNS works with AD DS. This chapter also includes information about the DNS server component, different types of DNS records, zones, DNS delegation, and DNS policies.

Chapter 5, Placing Operations Master Roles, talks about the Flexible Single Master Operations (FSMO) roles and their responsibilities. This chapter also describes things we need to consider when placing FSMO roles in an Active Directory environment.

Chapter 6, Migrating to Active Directory 2022, covers the different AD DS deployment models. This chapter also provides a step-by-step guide to migrating from an older version of AD DS to AD DS 2022.

Chapter 7, Managing Active Directory Objects, discusses how to create objects, find objects, modify objects, and remove objects (small-scale and large-scale) by using built-in Active Directory management tools and PowerShell commands.

Chapter 8, Managing Users, Groups, and Devices, further explores the Active Directory objects by deep diving into attributes, managed service accounts, and management of different object types. Last but not least, you will also learn how to sync custom attributes to Azure Active Directory.

Chapter 9, Designing the OU Structure, teaches you how to design the organizational unit (OU) structure properly, using different models to suit business requirements. This chapter also describes how to create, update, and remove OUs. Furthermore, this chapter also discusses how we can delegate AD administration by using OUs.

Chapter 10, Managing Group Policies, mainly discusses Group Policy objects and their capabilities. Group Policy processing in an AD environment depends on many different things. In this chapter, we will deep dive into Group Policy processing to understand the technology behind it. We are also going to look into the different methods we can use for Group Policy filtering. Last but not least, we will learn about the most commonly used group policies.

Chapter 11, Active Directory Services – Part 01, walks us through the more advanced Active Directory topics, such as AD Lightweight Directory Services (LDS), Active Directory replication, and Active Directory sites.

Chapter 12, Active Directory Services – Part 02, sees you learn about Active Directory trusts in detail. This chapter also covers topics such as Active Directory database maintenance, Read-Only Domain Controller (RODC), AD DS backup, and recovery.

Chapter 13, Active Directory Certificate Services, discusses the planning, deployment, and maintenance of Active Directory Certificate Services. Furthermore, we will also learn how signing, encryption, and decryption work in a public key infrastructure (PKI).

Chapter 14, Active Directory Federation Services, focuses on Active Directory Federation Services (AD FS) topics such as planning, design, deployment, and maintenance. This chapter also covers new features of AD FS, such as built-in Azure MFA support. At the end, you will also learn how to establish a federated connection with Azure AD.

Chapter 15, Active Directory Rights Management Services, covers the Active Directory Rights Management Service (AD RMS) role, which we can use to protect sensitive data in a business. Data is the new oil, and the value of data keeps increasing. Therefore, protection of data is important for every business. In this chapter, we will learn how AD RMS works and how to configure it.

Chapter 16, Active Directory Security Best Practices, covers the protection of the Active Directory environment. Recent attacks and studies prove that adversaries are increasingly targeting identities. So, we need to be mindful of protecting our Active Directory infrastructure at any cost. In this chapter, we will learn about different tools, services, and methods we can use to protect the Active Directory environment such as Secure LDAP, Microsoft LAPS, delegated permissions, restricted RDP, and Azure AD password protection.

Chapter 17, Advanced AD Management with PowerShell, is full of PowerShell scripts that can be used to manage, secure, and audit an Active Directory environment. We will also learn about the Azure Active Directory PowerShell for Graph module, which we can use to manage, query, and update AD objects in a hybrid AD environment.

Chapter 18, Hybrid Identity, discusses how we can extend our on-prem AD DS infrastructure to Azure Active Directory. Before we work on the implementation, we will deep dive into the planning process of the Azure AD hybrid setup. In this chapter, we will also learn about the different Azure AD Connect deployment models, Azure AD Connect cloud sync, Secure LDAP, and replica sets.

Chapter 19, Active Directory Audit and Monitoring, teaches you how to monitor your on-prem/hybrid AD DS infrastructure using different tools and methods (cloud based and on-prem). This chapter also demonstrates how to audit the health of an Active Directory environment.

Chapter 20, Active Directory Troubleshooting, discusses how to troubleshoot the most common Active Directory infrastructure issues using different tools and methods. Furthermore, we will also look into the most common Azure AD Connect errors, which can have a direct impact on the health of the Azure AD hybrid environment. You can find this chapter available online at: https://static.packt-cdn.com/downloads/9781801070393_Chapter_20.pdf

Appendix A, References, covers the Further reading section chapter by chapter. It is freely available online for our readers at the following link: https://static.packt-cdn.com/downloads/Mastering_Active_Directory_References.pdf.

To get the most out of this book

This book is ideal for IT professionals, system engineers, and administrators who have a basic knowledge of Active Directory Domain Services. A basic knowledge of PowerShell is also required, since most of the role deployment, configuration, and management is done by using PowerShell commands and scripts.

Download the example code files

The code bundle for the book is hosted on GitHub at https://github.com/PacktPublishing/Mastering-Active-Directory-Third-Edition. We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

We also provide a PDF file that has color images of the screenshots/diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781801070393_ColorImages.pdf.

Conventions used

There are a number of text conventions used throughout this book.

CodeInText: Indicates code words in the text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "SLDs are domain names that don't have DNS suffixes such as .com, .org, or .net."

Any command-line input or output is written as follows:

Get-ADDomain | fl Name,DomainMode

Bold: Indicates a new term, an important word, or words that you see on screen. For example, words in menus or dialog boxes appear in the text like this. Here is an example: "Go to All Services | Azure AD Domain Services."

Warnings or important notes appear like this.

Tips and tricks appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, mention the book title in the subject of your message and email us at [email protected].

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packt.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in, and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share your thoughts

Once you've read Mastering Active Directory, Third Edition, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.

Download a free PDF copy of this book

Thanks for purchasing this book!

Do you like to read on the go but are unable to carry your print books everywhere? Is your eBook purchase not compatible with the device of your choice?

Don’t worry, now with every Packt book you get a DRM-free PDF version of that book at no cost.

Read anywhere, any place, on any device. Search, copy, and paste code from your favorite technical books directly into your application.

The perks don’t stop there: you can get exclusive access to discounts, newsletters, and great free content in your inbox daily.

Follow these simple steps to get the benefits:

Scan the QR code or visit the link below

https://packt.link/free-ebook/9781801070393

Submit your proof of purchase

That’s it! We’ll send your free PDF and other benefits to your email directly.

1

Active Directory Fundamentals

"Despite all this rapid change in the computing industry, we are still at the beginning of the digital revolution."

- Satya Nadella

It has been two years since the release of the second edition of this book, Mastering Active Directory. First of all, I would like to thank all my readers for their valuable feedback, which encouraged me to write this third edition. I am sure that you will all benefit from the additional content that has been added to this new edition.

We are going to start this book by refreshing our knowledge of the fundamentals of Windows Active Directory. The main topics covered in this chapter are as follows:

Modern access management
The future of access management
The role of Active Directory in hybrid identity
Benefits of using Active Directory
Understanding Active Directory components
Understanding Active Directory objects

To start with, let's talk about how the pandemic and other factors have shaped modern access management.

Modern access management

The Covid-19 pandemic has heightened our sense of uncertainty as humans over physical and mental health, the economy, family, society, and work. Most of us have experienced long-lasting effects on our lives that we never envisioned. Some of these profound effects may drag our lives backward or forward by years. A paradigm shift hastened by the pandemic is the accelerated digital transformation of society. The lockdown rules and increased demand for secure remote work have pushed some "offline" businesses and industries into the "online" realm sooner than we thought. My nine-year-old daughter is having her piano lessons via Zoom meetings now. I never thought it was practical to learn an instrument "online," but I was proven wrong.

At the beginning of the pandemic, the financial sector wasn't ready to embrace the working-from-home culture. But a recent survey carried out by Deloitte confirms that almost three quarters (70%) of employees working in financial services rate their working-from-home experience as positive (Source: https://bit.ly/3CSjC08). Twilio is a leading cloud communications and customer engagement platform. They recently surveyed over 2,500 enterprise decision makers in the United States, the United Kingdom, Germany, Australia, France, Spain, Italy, Japan, and Singapore to evaluate their views on digital transformation as a result of Covid-19. According to the survey results, "97% of enterprise decision makers believe the pandemic sped up their company's digital transformation" (Source: https://bit.ly/2ZSnTlK). McKinsey & Company is an American worldwide management consulting firm, and they recently did a survey of 900 C-level executives and senior managers representing the full range of regions, industries, company sizes, and functional specialties. According to the study, respondents confirmed their companies acted 20 to 25 times faster than expected in implementing digital transformation strategies. When it comes to remote working, companies moved 40 times faster.

Figure 1.1: Speed of responses to pandemic challenges

Source: https://mck.co/2Ykj9Fd

With the rise of digital transformation, working from home has become the new normal. Businesses have had to implement applications, services, and collaboration tools that allow remote workers to carry out their day-to-day tasks seamlessly. On this journey, the hurdle wasn't the investment or the technology.

It was the "time." This was the same for many businesses when adopting this ubiquitous nature of operations. When "time" starts to cost us money or when "time" starts to affect sales, the manufacturing process, supplies, or workforce productivity, we do not have time to evaluate all the pros and cons. We do not have time to do all the ground work. We will have to take risks. We will have to bend the rules. When we rush things, as humans, we tend to make mistakes. Some of these mistakes opened up opportunities for cyber criminals throughout 2020:

According to iomart, large-scale data breaches increased 273% in the first quarter of 2020. (Source: https://bit.ly/3mNckFB)
Data from the UK's Information Commissioner's Office (ICO) confirms 90% of cyber data breaches were caused by user errors. (Source: https://bit.ly/3whpgGV)
According to RiskBased Security's 2020 Q3 report (Source: https://bit.ly/3mMxjbu), healthcare (11.5%) and IT (10.3%) are the two industries that reported the most data breaches. Also, we know these industries have been the most active industries during the pandemic. The report also says that, when we consider all of the breaches in 2020, 29% of those exposed passwords, 36% exposed email addresses, and 45% exposed names.

If we summarize the above findings, we can see there was a massive increase in data breaches in 2020 and the majority of those breaches were due to human error. The healthcare and IT industries were the top targets of financially motivated cyber criminals in 2020. The above data also confirms that cyber criminals are mainly after identities.

Identity is the new perimeter. The perimeter defense model is no longer valid against modern identity threats. Identity and access management is the cornerstone of digital transformation. A study done by Ping Identity says 90% of IT decision makers believe identity and access management is the key enabler of digital transformation (Source: https://bit.ly/3BNw0gS). Identity and access management solutions depend on directory services such as Windows Active Directory to store/retrieve data relating to user identities. Windows Active Directory was first released on February 17, 2000, and for 21 years it has been helping organizations to manage identities. But now we have a new set of challenges.

According to FireEye's Cyber Security Predictions 2021 report (https://bit.ly/3nZBpfQ), about 95% of companies have some type of cloud presence.

So the questions are:

How can we allow users to use the same Active Directory user accounts to access cloud resources?
How can we enable a single sign-on (SSO) experience for cloud-based applications?
How can we protect identities when they start to appear in cloud and unsecured networks?
How can we maintain compliance when we start using cloud resources?
How can we detect/handle a potential breach?

To address the above questions, we need a distributed, highly available identity and access management solution such as Azure Active Directory. This doesn't mean Azure Active Directory is a replacement for Windows Active Directory. These are two different products with many different characteristics. But these two solutions can work together to address access and security challenges in both worlds (on-prem and cloud). In this edition, you will find many topics and a lot of content related to hybrid identity. Also, throughout the book, content will be positioned to accentuate the importance of identity protection.

What is an Identity?

Elephants are truly fascinating creatures. Female elephants stay in their herd for life. When a baby elephant is born, young female elephants in the herd will help the mother to take care of the baby. A baby elephant usually weighs about 250 pounds and is three feet tall. In the beginning, a baby elephant can't see clearly. But it can identify its mother among the other young female elephants by touch, smell, and sound. Social insects such as ants recognize various castes in their colony based on "ant body odor." The same method is also used to recognize ants from other colonies.

When it comes to humans, we use many different ways to uniquely identify a person. In day-to-day life, we recognize people based on their name, face, voice, smell, body language, uniforms, and so on. The uniqueness of individuals describes an "identity." However, if we need to prove our identity, we need to use formal methods of identification such as a passport, driving license, and residence card. These formal methods are well recognized by many authorities. So far, we have talked about physical identity. But how can we bring this to the digital world? To do that, we need our digital identity to represent our physical identity.

As an example, when I registered with my GP for the first time, they checked a form of identification and verified my identity. Then they issued me with a unique NHS number; this unique number is the way their computer system will recognize me. When I signed up for my broadband connection, the service provider asked me to set up a unique password. This password will be used to prove my identity when I call them for support next time. Different systems, applications, and services use different methods to verify someone's digital identity. These systems use databases and directories to store the data related to digital identities.

It is also important to remember a digital identity does not always represent a human. It can represent other entities such as devices, applications, services, groups, and organizations. Digital identities are also becoming more and more dynamic. As an example, your Facebook profile represents a digital identity. It keeps updating based on pictures you upload, posts you share, and friends you make. It is a living identity. A digital identity can get frequently updated based on attributes and access privileges. Nowadays, we can see different systems allow users to use one form of digital identity to get access. As an example, a Microsoft account can be used to access on-prem applications as well as SaaS applications. These federated digital identities provide a better consumer experience. The Active Directory service is capable of managing digital identities as well as federated digital identities.

Before we go and look into Active Directory fundamentals, I think it is better to share some of the identity and access management trends that lie ahead of us in 2021 and see how Active Directory will fit into the picture.

The future of Identity and Access Management (IAM)

In the previous two sections, I used the words "identity and access management" a few times. What exactly does identity and access management mean? Identity and access management is a solution used to regulate the "access life cycle" of a user within an organization. The main role of it is to make sure the right person has the right access to the right resources for the right reason. Identity and access management solutions mainly have four components.

A directory which stores user identity data (directory service)
A set of tools to provision, modify, and delete users and privileges
A service to regulate access and privileges using policies and workflows
A system for auditing and reporting

According to the above definition, Active Directory is not an identity and access management system. But it plays a major role in an identity and access management system. The directory element of an identity and access management system doesn't represent Microsoft Active Directory only; it could be any directory. But we know that the most commonly used directory service on the market is Microsoft Active Directory. The success of an IAM solution depends on all four pillars that I mentioned before. As I explained in the introduction, IAM is the key enabler of digital transformation. So what does the future look like for IAM in 2021 and beyond?

The Rise of Cybercrime

It's been a roller-coaster year for most of us. With the Covid-19 pandemic, uncertainty is all around us. That's changed the future for us in many ways. You may have had to reorganize your priorities and push back some of your plans years. On top of that, we have all had to do a lot to maintain our mental health. Cyber criminals are also humans. So we might think that the pandemic has also struck a blow to their activities. But it seems it hasn't. They seem to have found opportunities even during a pandemic. Instead of a reduction in cybercrime, we have seen a huge increase in the number of incidents. The FBI says it saw a 300% increase in cybercrime in 2020 (Source: https://bit.ly/3o3uguL). When it comes to the healthcare industry, we would expect some dignity as it has been a lifeline during the pandemic. But for criminals, it was just another opportunity. Verizon's Data Breach Investigations Report 2020 (https://vz.to/3CQvPCL) confirms a 58% increase in data breaches in the healthcare industry and the majority of them were financially motivated attacks. Also, these attacks are getting more sophisticated day by day. The recent Nobelium attack is a great example of that. SolarWinds Inc. is a software company that develops solutions to monitor and manage network devices, servers, storage, and applications. On December 12, 2020, they announced a sophisticated attack on their Orion platform. This affected 18,000 SolarWinds customers, including the US departments of Commerce, Defense, Energy, Homeland Security, State, and Health. This attack was one of the biggest cyber incidents the public has witnessed in years. According to Microsoft (https://bit.ly/3q6wSec), 44% of victims of this attack were in the IT industry and 18% were government institutions. This attack marked a milestone in cybercrimes due to the following reasons:

Instead of attacking high-profile targets directly, the attackers chose a common "supplier" as the target.
The attackers gained access to SolarWinds back in September 2019.
The attackers did a dry run with the October 2019 version of the Orion platform to test their ability to include malicious code in a software build.
The attackers injected malicious code into SolarWinds.Orion.Core.BusinessLayer.dll on February 20, 2020. SolarWinds updates with this malicious code were available to customers from March 26, 2020. The attackers removed the malicious code from the SolarWinds environment in June 2020.
According to a FireEye report (https://bit.ly/3ER8Isq), the initial dormant period of the attack could have been up to 2 weeks. This means even if your system had the malicious code, you wouldn't have noticed anything immediately.
On a compromised system, attackers were able to initiate jobs such as transferring files/data to third-party servers, executing files, collecting information about the system including credentials, rebooting the server, and disabling system services.
Once attackers had credentials, they moved laterally through on-prem systems to gain access to ADFS (Active Directory Federation Server).
Once the attackers had privileges to create SAML tokens, they used them to access cloud services such as Microsoft 365. The SolarWinds attack was the first occasion when the Golden SAML attack method was used.

This particular attack taught us a few things:

The importance of the zero trust security approach – The zero trust approach to cybersecurity is not only to prevent a breach but also to prevent lateral movement if there is a breach. We always have to assume a breach. More details about the zero trust approach will be discussed later on in this section.

Target on-prem to gain access to cloud resources – In this attack, cyber criminals gained privileges to access the ADFS environment to create SAML tokens. These tokens allowed them to access cloud services without a password. Typically, businesses are more focused on protecting cloud resources, but this attack proves we need to think about the whole access life cycle.

All attacks have something in common. They are all after some sort of "access" to systems first.

It could be a username and password, a certificate, or even a SAML token. Once attackers have initial access, they start to move laterally until they have access to accounts with privileges, which can help them to do their tasks such as stealing data, causing disruptions, or conducting espionage. So it is a greater challenge for IAM to protect digital identities from these rising cybercrimes.

However, in the fight against cybercrime, organizations have to overcome some other challenges as well. According to the COVID-19 on Enterprise IT Security Teams Report issued by (ISC)² (https://bit.ly/3mLiJkq), organizations face the following challenges:

About 20% of enterprises were forced to reduce their IT security operations budgets this year.
36.4% of IT security organizations froze hiring during the pandemic.
31.5% of IT security organizations reduced the work hours of engineers.
25.1% used temporary furlough methods to reduce operation costs.
21.7% of IT security organizations reduced the salary of engineers during the pandemic.
17.4% of IT security organizations reduced the number of staff with layoffs.

We already have a huge skill shortage in cybersecurity. Covid-19 has had a negative financial impact on some businesses. Because of that, businesses will have difficulties funding cybersecurity projects and developing cybersecurity skills in the coming years.

Zero trust security

With the Covid-19 pandemic, most businesses have had no option but to allow their employees to work from home. We can't protect corporate data and identities appearing in unsecured home networks by using the same security approach we use in closed networks. This has created a huge opportunity for cyber criminals, as most companies didn't have time to evaluate the risks involved in remote working and prepare themselves beforehand. Most companies are still "catching up" on cybersecurity risks related to remote working. According to an IBM report (https://ibm.co/3wwOSjf), remote working has increased the average cost of a data breach by $137,000. According to a survey done by Malwarebytes (https://bit.ly/3HUQWXc), 20% of their respondents said they faced a security breach as a result of a remote worker. 44% confirmed they did not provide any cybersecurity training to employees that focused on the potential threats of working from home.

Interestingly, this study also confirmed that only 47% of employees are aware of the cybersecurity best practices when working from home.

The above stats show that the sudden shift to working from home creates risks for companies. This also confirms that the traditional perimeter defense approach is not going to meet modern cybersecurity requirements. The best way to address this challenge is to take a Zero Trust security approach. The Zero Trust security model has three main principles:

Verify explicitly – This means we need to verify each and every access request equally. This shouldn't change based on the network location, person, or role. In the Nobelium attack, we can clearly see that if there had been explicit verification in place, it could have been prevented at many stages. Traditional security models are based on the "trust but verify" approach, but the zero-trust model takes the completely opposite approach, which is "never trust, always verify."

Least privilege access – Almost all engineers in IT departments usually have Domain Administrator or Enterprise Administrator rights. But some of them only use it to do basic administrative tasks such as password resets. Least privilege access means users will only have privileges to do the tasks they are supposed to do. This will prevent the lateral movement of attackers and stop them from owning privileged accounts.

Assume breach – Cyber criminals are also humans. We can't close all the doors. These criminals always find ways to get in. They change their tactics and methods from time to time. We need to assume a breach. The important questions are: if there is a breach, how can we recognize it? How fast can we recognize it? To do that, we need to have tools and services:
To collect various logs from systems
To analyze that data effectively
To do user behavior analytics
To detect anomalies

More information about the Nobelium attack is available in the following articles, which are published by Microsoft:

https://bit.ly/3wl8fvx
https://bit.ly/3BJfbDv
https://bit.ly/3bI09Dx

To enforce the principles of the Zero Trust model, we need IAM solutions such as Azure Active Directory. Based on the lessons we learned from attacks such as Nobelium, more and more businesses will start to follow this security approach in the next few years.

Password-less authentication

Back in 2004 at the RSA Security Conference (San Francisco), Bill Gates said "There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down, and they just don't meet the challenge for anything you really want to secure." Over the years, this statement has been proven over and over. Passwords are no longer secure. Passwords are breakable. The UK's National Cyber Security Center has done a study to examine the passwords leaked by data breaches. According to them, the number one password used is "123456."

So, if passwords are failing, what else can we do to improve security in the authentication process? Multi-factor authentication can add another layer of security into the authentication process. It can be SMS, a phone call, an OTP code, or a phone app notification to further confirm the authenticity of the access request. There are many different MFA products available on the market. However, MFA doesn't eliminate the requirement for passwords.

But now we have an option to replace traditional authentication with password-less authentication. This is basically to replace passwords with biometrics, PIN, certificates, and security keys.

Fast Identity Online (FIDO) is an open standard for password-less authentication. It allows authenticating to systems using an external security key or one built into a device.

Windows Hello for Business and Azure Active Directory support password-less authentication based on FIDO2 security keys.

FIDO2 is the third standard that came out of the FIDO Alliance. FIDO2 consists of the Client to Authenticator Protocol (CTAP) and the W3C standard WebAuthn. When we use FIDO2 security keys for authentication:

The user registers with the WebAuthn remote peer (FIDO2 server) and generates a new key pair (public and private).
The private key is stored in the device and is only available on the client side.
The public key is registered in the web service's database.
After that, in the sign-in process, the system verifies possession of the private key, which always needs to be unlocked by a user action such as a biometric check or a PIN.

More information about WebAuthn is available at the following links:

https://bit.ly/3wkLW93
https://bit.ly/3bQfamF

Over the last few years, password-less authentication has grown significantly and it will continue to do so in the coming years. According to Gartner, "By 2022, Gartner predicts that 60% of large and global enterprises, and 90% of midsize enterprises, will implement password-less methods in more than 50% of use cases—up from 5% in 2018." Azure AD now supports password-less authentication using FIDO2 keys. This can be used to authenticate into cloud resources as well as on-prem resources. I have already written some articles about the configuration of FIDO2 keys. You can access those here:

Step-by-step guide: Azure AD password-less sign-in using FIDO2 security keys: https://bit.ly/3GTjHmG.

Step-by-step guide: Enable Windows 10 password-less authentication with FIDO2 security keys (Azure AD + Microsoft Intune): https://bit.ly/3wl8wyz.

Digital ID

So far in this chapter, I have used the term "digital identity" a few times. Digital identity is a form of identification that can be used to recognize a person using digital channels. When I log in to my LinkedIn account, I use a username and password. The username and password were created when I signed up to LinkedIn. When I log in to my bank's online service portal, I use a different username and password. Both of these accounts represent my identity. Instead of using multiple digital identities, what if we could agree on one digital ID that allows you to use multiple online services such as healthcare, banking, travel, and leisure? It would reduce the complexity of proving identity. According to a study done by McKinsey Digital (https://mck.co/3bJK14p), one billion people in the world don't have any legal form of ID to prove their identity. Imagine the opportunities they are missing in their day-to-day lives.

It could be preventing them from accessing public services such as education and healthcare, it could be affecting their rights, and it could be affecting their loved ones. With the Covid-19 pandemic, more and more countries are in the process of adopting this unified digital identity concept. The UK government has already created a framework for digital identity (Source: https://bit.ly/3ENOtvz). According to the UK government, the cost of proving identity manually offline could be as high as £3.3 billion per year. The government believes "The new digital identity will not only make people's lives easier but also give a boost to the country's £149 billion digital economy by creating new opportunities for innovation, enabling smoother, cheaper, and more secure online transactions, and saving businesses time and money." (Source: https://bit.ly/3BQImER.) The US has recently introduced the Improving Digital Identity Act of 2020 (Source: https://bit.ly/3BQb5cK) to establish a government-wide approach to improving digital identity. The Digital ID & Authentication Council of Canada (DIACC) created the Pan-Canadian Trust Framework (Source: https://bit.ly/3nYg7z3), which defines the conformance criteria necessary for a digital identity ecosystem and explains how digital IDs will roll out across Canada.

As we can see above, countries around the globe are already working toward regulating digital identity. On this journey, IAM also has a role to play. There will be new laws related to digital identity. There will be new rules to comply with. Organizations will have to find an efficient way to manage these new digital identities. More importantly, we need protection from identity theft. We can't do this only by using a legacy directory service. We need IAM solutions in place to manage the complete life cycle of a digital identity.

We can clearly see a challenging time ahead for IAM. We can't talk about IAM without talking about directory services. So this is why an on-prem directory service such as Windows Active Directory still has paramount value.

Hybrid Identity and Active Directory Domain Services

Active Directory Domain Services was first introduced to the world with Windows Server 2000. For more than 21 years, AD DS has helped organizations to manage digital identities.

However, modern access management requirements are complicated. Businesses are using more and more cloud services now. The majority of the workforce is still working from home and accessing sensitive corporate data via unsecured networks. Most software vendors are moving to the Software as a Service (SaaS) model. Cybercrimes are skyrocketing and identity protection is at stake. To address these requirements, we need to go beyond legacy access management. Azure Active Directory is a cloud-based, managed, Identity as a Service (IDaaS) provider that can provide world-class security, strong authentication, and seamless collaboration. Azure Active Directory can span on-prem identities to the cloud and provides a unified authentication and authorization platform to all resources, regardless of location. This is called hybrid identity.

Azure Active Directory is often referred to as a cloud version of AD DS, but this is completely wrong. It is like comparing an iPhone with a Samsung phone. Both can be used to make calls, take pictures, watch videos, and so on. Some apps are also available for both types of devices. But you can't replace one with the other, as each has its uniqueness. It is the same with AD DS and Azure Active Directory. They have their similarities as well as differences. Let's go ahead and compare both products based on different focus areas:

Focus Area / Active Directory Domain Service / Azure Active Directory

User Provision
AD DS: User accounts can be created manually, or a third-party AD management and automation solution such as Adaxes can be used to automate the user provisioning process.
Azure AD: We can sync user accounts from on-prem Active Directory by using Azure AD Connect. We can also create cloud-only users manually or use SaaS applications with SCIM to create users automatically.

Group Membership
AD DS: Administrators have to manage group memberships manually or use PowerShell scripts or a third-party tool like Adaxes to manage memberships automatically.
Azure AD: Supports dynamic group membership.

Privileged Access Management
AD DS: Active Directory doesn't natively support Privileged Access Management. We have to use a solution such as Microsoft Identity Manager or Adaxes to manage privileged access (sensitive group memberships, workflows).
Azure AD: Azure AD Privileged Identity Management (PIM) can be used to provide just-in-time, workflow-based access to privileged roles.

Identity Governance
AD DS: Active Directory doesn't natively support identity governance. We have to use PowerShell scripts or third-party solutions to review permissions, group memberships, and access behaviors.
Azure AD: Azure Active Directory Identity Governance can be used to make sure that the right people have the right access to the right resources at the right time.

Advanced Authentication
AD DS: Active Directory doesn't have MFA or password-less authentication built in. We can integrate Azure MFA or another third-party MFA solution with Active Directory. We can enable password-less authentication using Windows Hello for Business (in a hybrid setup).
Azure AD: Azure MFA is free for Azure AD and can be used to improve security with a few clicks. Azure AD also supports password-less authentication based on FIDO2 standards.

Evaluate Access Risks
AD DS: Active Directory doesn't have the capabilities to evaluate access risks based on user location, sign-in behaviour, user account risks, and so on.
Azure AD: Azure AD Conditional Access can evaluate user risks based on many policy settings and allow or deny access.

SaaS Application Integration
AD DS: Active Directory can integrate SaaS applications by using Active Directory Federation Service (AD FS).
Azure AD: Azure AD supports direct integration with SaaS applications that support OAuth2, SAML, and WS-* authentication.

Legacy Apps
AD DS: Active Directory supports app integration based on LDAP or Windows-integrated authentication.
Azure AD: Azure Active Directory can provide a modern authentication experience to on-prem legacy apps by using the Azure AD application proxy.

External Identities
AD DS: Active Directory uses federation trusts, forest trusts, and domain trusts to collaborate with external identities. This comes with a management overhead and security risks.
Azure AD: Azure AD B2B simplifies integration with external identities. It doesn't require infrastructure-level changes.

Windows Device Management
AD DS: Group Policy allows you to manage Windows device state at a very granular level. We can introduce standards easily to incorporate devices without additional tools or services.
Azure AD: Azure AD joined endpoints can be managed by using Microsoft Endpoint Manager.

Mobile Device Management
AD DS: Active Directory doesn't natively support mobile device management. We require third-party tools to do that.
Azure AD: Azure AD-integrated Microsoft Endpoint Manager can manage mobile devices.

As we can see in the above comparison, we can't simply replace one solution with the other. But hybrid identity with Azure AD allows organizations to revamp traditional identity management and prepare themselves for the cloud era. So, the biggest question is: what does the future hold for Active Directory Domain Service on this journey?