Road to the Cloud

Introduction to Cloud Transformation

Organizations are increasingly looking to move their identity and access management (IAM) from on-premises Active Directory (AD) to cloud-based solutions like Microsoft Entra ID. This shift aims to enhance productivity, reduce costs and complexity, and improve security posture. The transition involves moving from non-cloud-based services or infrastructure as a service (IaaS) to Microsoft’s cloud-native solutions for identity management (IDM), IAM, and device management.

Establishing a Microsoft Entra Footprint

Before migrating IAM from AD to Microsoft Entra ID, it’s essential to set up Microsoft Entra ID. Organizations already using Microsoft services like Office 365, Exchange Online, or Teams are already using Microsoft Entra ID. The next steps include establishing hybrid identity synchronization, selecting authentication methods (with a strong recommendation for password hash synchronization), and securing the hybrid identity infrastructure.

Optional Tasks for Enhanced Security

While not mandatory, Microsoft recommends deploying passwordless authentication for its security benefits and to simplify the environment. Configuring Microsoft Entra hybrid join for existing Windows clients is also suggested, to take advantage of cloud-based security features.

Cloud Transformation Posture

Microsoft outlines five states of transformation that align with customers’ business goals. These states have exit criteria to help determine the current environment’s status and guide the transition pace based on resources and culture.

Migration Workstreams

After halting the growth of the AD footprint, organizations can focus on migrating existing on-premises workloads to Microsoft Entra ID. The post describes various migration workstreams that can be executed based on priorities and resources.

In this blog we will define the approach for authentication. Let’s get started.

As discussed above, some organizations set goals to remove Active Directory and their on-premises IT footprint. Others take advantage of some cloud-based capabilities to reduce the Active Directory footprint, but not to completely remove their on-premises environments.

This content provides guidance to move:

  1. From Active Directory and other non-cloud-based services, either on-premises or infrastructure as a service (IaaS), that provide identity management (IDM), identity and access management (IAM), and device management.
  2. To Microsoft Entra ID and other Microsoft cloud-native solutions for IDM, IAM, and device management.

Applications

To help maintain a secure environment, Microsoft Entra ID supports modern authentication protocols.

To transition application authentication from Active Directory to Microsoft Entra ID, you must:

  • Determine which applications can migrate to Microsoft Entra ID with no modification.
  • Determine which applications have an upgrade path that enables you to migrate with an upgrade.
  • Determine which applications require replacement or significant code changes to migrate.

The outcome of your application discovery initiative is to create a prioritized list for migrating your application portfolio. The list contains applications that:

  • Require an upgrade or update to the software, and an upgrade path is available.
  • Require an upgrade or update to the software, but an upgrade path isn’t available.

By using the list, you can further evaluate the applications that don’t have an existing upgrade path. Determine whether business value warrants updating the software or if it should be retired. If the software should be retired, decide whether you need a replacement.

Based on the results, you might redesign aspects of your transformation from Active Directory to Microsoft Entra ID. There are approaches that you can use to extend on-premises Active Directory to Azure infrastructure as a service (IaaS) (lift and shift) for applications with unsupported authentication protocols. We recommend that you set a policy that requires an exception to use this approach.

Application discovery

After you’ve segmented your app portfolio, you can prioritize migration based on business value and business priority. You can use tools to create or refresh your app inventory.

There are three main ways to categorize your apps:

  1. Modern authentication apps: These applications use modern authentication protocols (such as OIDC, OAuth2, SAML, or WS-Federation) or use a federation service such as Active Directory Federation Services (AD FS).
  2. Web access management (WAM) tools: These applications use headers, cookies, and similar techniques for SSO. These apps typically require a WAM identity provider, such as Symantec SiteMinder.
  3. Legacy apps: These applications use legacy protocols such as Kerberos, LDAP, RADIUS, Remote Desktop, and NTLM (not recommended).

Microsoft Entra ID provides a different level of functionality for each type of application, which results in different migration strategies, complexity, and trade-offs.

Some organizations have an application inventory that can be used as a discovery baseline. (It’s common for this inventory to be incomplete or out of date.)
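To make the discovery outcome concrete, here is an added example (not from the original post or from Microsoft’s guidance) that triages a small, constructed application inventory using the three categories and the prioritized-list rules described above. The `upgrade_path`, `business_value` and `priority` fields are assumed inputs that a real inventory would have to supply.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Protocol-to-category mapping taken from the three categories above.
MODERN = {"oidc", "oauth2", "saml", "ws-federation", "ad fs"}
WAM = {"header", "cookie"}
LEGACY = {"kerberos", "ldap", "radius", "remote desktop", "ntlm"}


@dataclass
class App:
    name: str
    protocol: str
    upgrade_path: bool   # vendor offers a version with modern auth (assumed field)
    business_value: str  # "high" or "low" (assumed two-level rating)
    priority: int        # 1 = migrate first (assumed business priority)


def categorize(protocol: str) -> str:
    """Map an authentication protocol to modern / wam / legacy / unknown."""
    p = protocol.strip().lower()
    if p in MODERN:
        return "modern"
    if p in WAM:
        return "wam"
    if p in LEGACY:
        return "legacy"
    return "unknown"


def recommend(app: App) -> str:
    """Apply the discovery-outcome rules from the text to one application."""
    if categorize(app.protocol) == "modern":
        return "migrate-as-is"          # integrates with Microsoft Entra ID directly
    if app.upgrade_path:
        return "migrate-with-upgrade"   # update the software, then integrate
    if app.business_value == "high":
        return "extend-ad-to-iaas"      # lift and shift; requires a policy exception
    return "retire"                     # then decide whether a replacement is needed


def prioritized_list(apps: List[App]) -> List[Tuple[str, str, str]]:
    """Return (name, category, recommendation) ordered by business priority."""
    ranked = sorted(apps, key=lambda a: (a.priority, a.name))
    return [(a.name, categorize(a.protocol), recommend(a)) for a in ranked]


# Constructed sample inventory (not from the page); replace with your own export.
INVENTORY = [
    App("HR portal", "SAML", True, "high", 2),
    App("Time clock", "NTLM", False, "low", 3),
    App("Finance ERP", "LDAP", False, "high", 1),
    App("Intranet", "header", True, "low", 4),
]
```

Applications whose protocol is not recognised land in the "unknown" bucket so they are not silently treated as modern; they need manual review before they enter the list.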

To discover modern authentication apps:

The following tools can help you discover applications that use LDAP:

  1. Event1644Reader: Sample tool for collecting data on LDAP queries made to domain controllers by using field engineering logs.
  2. Microsoft 365 Defender for Identity: Security solution that uses a sign-in operations monitoring capability. (Note that it captures binds by using LDAP, not Secure LDAP.)
  3. PSLDAPQueryLogging: GitHub tool for reporting on LDAP queries.

Define the migration strategy for legacy applications

Legacy applications have dependencies like these on Active Directory:

  • User authentication and authorization: Kerberos, NTLM, LDAP bind, ACLs.
  • Access to directory data: LDAP queries, schema extensions, read/write of directory objects.
  • Server management: As determined by the server management strategy.

To reduce or eliminate those dependencies, you have three main approaches.

Approach 1 (Migrate on-premises AD to Entra ID)

In the most preferred approach, you undertake projects to migrate from legacy applications to SaaS alternatives that use modern authentication.

Have the SaaS alternatives authenticate to Microsoft Entra ID directly:

  1. Deploy Microsoft Entra Domain Services into an Azure virtual network and extend the schema to incorporate additional attributes needed by the applications.
  2. Lift and shift legacy apps to VMs on the Azure virtual network that are domain-joined to Microsoft Entra Domain Services.
  3. Publish legacy apps to the cloud by using Microsoft Entra application proxy or a secure hybrid access partner.
  4. As legacy apps retire through attrition, eventually decommission Microsoft Entra Domain Services running in the Azure virtual network.

Approach 2 (Extend on-premises AD to Azure IaaS and sync)

If the first approach isn’t possible and an application has a strong dependency on Active Directory, you can extend on-premises Active Directory to Azure IaaS.

You can replatform to support modern serverless hosting, for example platform as a service (PaaS).

Or, you can update the code to support modern authentication.

You can also enable the app to integrate with Microsoft Entra ID directly. Learn about Microsoft Authentication Library in the Microsoft identity platform.

  1. Connect an Azure virtual network to the on-premises network via virtual private network (VPN) or Azure ExpressRoute.
  2. Deploy new domain controllers for the on-premises Active Directory instance as virtual machines into the Azure virtual network.
  3. Lift and shift legacy apps to VMs on the Azure virtual network that are domain joined.
  4. Publish legacy apps to the cloud by using Microsoft Entra application proxy or a secure hybrid access partner.
  5. Eventually, decommission the on-premises Active Directory infrastructure and run Active Directory in the Azure virtual network entirely.
  6. As legacy apps retire through attrition, eventually decommission the Active Directory instance running in the Azure virtual network.

Approach 3 (Independent Active Directory instance in IaaS)

If the first migration isn’t possible and an application has a strong dependency on Active Directory, you can deploy a new Active Directory instance to Azure IaaS. Leave the applications as legacy applications for the foreseeable future, or sunset them when the opportunity arises.

This approach enables you to decouple the app from the existing Active Directory instance to reduce surface area. We recommend that you consider it only as a last resort.

  1. Deploy a new Active Directory instance as virtual machines in an Azure virtual network.
  2. Lift and shift legacy apps to VMs on the Azure virtual network that are domain-joined to the new Active Directory instance.
  3. Publish legacy apps to the cloud by using Microsoft Entra application proxy or a secure hybrid access partner.
  4. As legacy apps retire through attrition, eventually decommission the Active Directory instance running in the Azure virtual network.

Comparison of strategies

Strategies: (1) Microsoft Entra Domain Services (migrate on-premises AD to Entra ID), (2) Extend Active Directory to IaaS, (3) Independent Active Directory instance in IaaS.

Criterion                                                                         | (1) | (2) | (3)
Decoupling from on-premises Active Directory                                      | Yes | No  | Yes
Allowing schema extensions                                                        | No  | Yes | Yes
Full administrative control                                                       | No  | Yes | Yes
Potential reconfiguration of apps required (for example, ACLs or authorization)   | Yes | No  | Yes

The following comparison gives more detail for each approach.

Approach 1

  • Description: Migrate from legacy applications to SaaS alternatives that use modern authentication. Have the SaaS alternatives authenticate to Microsoft Entra ID directly.
  • When to use: When there are SaaS alternatives available that meet the business requirements and can integrate with Microsoft Entra ID.
  • What to migrate: The data and configuration of the legacy applications.
  • Application: Replace the legacy applications with SaaS alternatives.
  • Authentication: Use Microsoft Entra ID as the identity provider.

Approach 2

  • Description: Extend on-premises Active Directory to Azure IaaS. Replatform to support modern serverless hosting or update the code to support modern authentication. Enable the app to integrate with Microsoft Entra ID directly.
  • When to use: When there are no SaaS alternatives available or the legacy applications have a strong dependency on Active Directory.
  • What to migrate: The Active Directory domain controllers, the data and configuration of the legacy applications, and the code or hosting platform of the legacy applications.
  • Application: Replatform the legacy applications to use PaaS or update the code to support modern authentication.
  • Authentication: Use Microsoft Entra ID as the identity provider and sync with Active Directory.

Approach 3

  • Description: Deploy a new Active Directory instance to Azure IaaS. Leave the applications as legacy applications or sunset them when the opportunity arises.
  • When to use: When the legacy applications have a strong dependency on Active Directory and cannot be replatformed or updated.
  • What to migrate: The Active Directory domain controllers and the data and configuration of the legacy applications.
  • Application: Leave the legacy applications as they are or retire them when possible.
  • Authentication: Use Active Directory as the identity provider.

Here are some high-level steps for each approach:

Approach 1:

  • Identify the SaaS alternatives that can replace the legacy applications and meet the business requirements.
  • Configure the SaaS alternatives to integrate with Microsoft Entra ID and use modern authentication protocols such as OAuth 2.0 or OpenID Connect.
  • Migrate the data and configuration of the legacy applications to the SaaS alternatives.
  • Test and verify the functionality and performance of the SaaS alternatives.
  • Decommission the legacy applications and the on-premises Active Directory.

Approach 2:

  • Deploy and configure Active Directory domain controllers on Azure IaaS virtual machines and join them to the existing on-premises Active Directory domain.
  • Configure the Azure AD Connect service to sync the Active Directory users and groups with Microsoft Entra ID.
  • Replatform the legacy applications to use Azure PaaS services such as Azure App Service, Azure SQL Database, Azure Storage, etc. or update the code of the legacy applications to support modern authentication protocols such as OAuth 2.0 or OpenID Connect.
  • Configure the legacy applications to integrate with Microsoft Entra ID and use it as the identity provider.
  • Migrate the data and configuration of the legacy applications to the Azure PaaS services or the updated code.
  • Test and verify the functionality and performance of the legacy applications on Azure.
  • Decommission the on-premises Active Directory and the legacy applications.

Approach 3:

  • Deploy and configure a new Active Directory instance on Azure IaaS virtual machines and create a trust relationship with the existing on-premises Active Directory domain.
  • Migrate the data and configuration of the legacy applications to Azure IaaS virtual machines and join them to the new Active Directory domain.
  • Test and verify the functionality and performance of the legacy applications on Azure.
  • Decommission the on-premises Active Directory and the legacy applications or plan to retire them when the opportunity arises.

Conclusion

The road to cloud-based identity and access management is a strategic move for organizations seeking to modernize their IT infrastructure.

By transitioning from Active Directory to Microsoft Entra ID, businesses can achieve increased productivity, reduced costs, and a stronger security posture.

The process requires careful planning, starting with establishing a Microsoft Entra footprint and considering optional tasks for enhanced security.

Microsoft’s guidance through the five states of transformation provides a structured approach to this significant shift, ensuring alignment with business objectives and a pace that suits each organization’s unique needs and capabilities. As the cloud landscape evolves, staying informed and adaptable is crucial for a successful transition.

References:

https://learn.microsoft.com/en-us/entra/architecture/road-to-the-cloud-introduction
