
[SEP25] In a Galaxy far far away... there's no more Active Directory by Martin Bonelli

https://www.meetup.com/de-DE/microsoft-azure-zurich-user-group/events/310238065/

Session 1: "In a Galaxy far far away... there's no more Active Directory" by Martin Bonelli
There are increasing opportunities to reduce reliance on traditional Active Directory, but of course, it's not that easy. This session explores where we are today and how to start a possible transition.
Learn about the latest features in Entra ID that enable cloud-based control over your AD environment and unlock new possibilities for modern identity and access management.

Let’s embark on this journey together -> and who knows, maybe we’ll finally destroy the Death Star of Active Directory!

About Martin
I'm building the Azure platform for a major Swiss Bank. Active MCT and speaker.

LinkedIn: https://www.linkedin.com/in/martin-bonelli832/
Blog: https://azureblog.org/

Azure Zurich User Group

September 09, 2025

Transcript

  1. In a Galaxy far far away... there's no more Active Directory
     © 2025 All rights reserved. Martin Bonelli, September 2025

  2. About me
     • Freelance Azure Solutions Architect | Swiss banking sector
     • Managing the Azure platform for the bank
     • Career & Contact: MCT, Azure certified; www.linkedin.com/in/martin-bonelli832; [email protected]
     • Free time: father, wannabe hiker, cook, guitar player
     Martin Bonelli

  3. Disclaimer
     “This presentation includes Microsoft graphics and content sourced from public Microsoft documentation. It is intended for informational and educational purposes. The views, interpretations, and conclusions expressed here are my own and do not represent, reflect, or imply the position, strategies, or work at the bank.”

  4. Agenda
     01 A quick recap about AD
     02 A quick recap about the state of Entra ID
     03 Replacing tasks/functions with Entra ID
     04 Demos
     05 Conclusion

  5. AD? Why even bother?
     “Microsoft previewed Active Directory in 1999, released it first with Windows 2000 Server edition, and revised it to extend functionality and improve administration in Windows Server 2003. Active Directory support was also added to Windows 95, Windows 98, and Windows NT 4.0 via patch, with some unsupported features.”

  6. Active Directory? A quick recap…
     Identity Management
     • Users, Groups, Computers, OUs
     • Access Control and Delegation
     Domain Services
     • Forests, Trees, Trusts, Sites
     • Centralized Authentication
     • Kerberos, LDAP, NTLM
     Group Policy Management
     • Enforce settings
     • Security Hardening
     DNS Integration
     • Name resolution for DS
     • Service location

  7. Entra licensing -> street prices
     Product name / price (per user per month)
     • Microsoft Entra ID P1: $6
     • Microsoft Entra ID P2: $9
     • Microsoft Entra Suite: $12 (P1 or P2 required for Entra Suite)
     What each license misses
     • Entra ID Protection: P1 misses risk-based CA and risk accounts
     • Entra ID Governance: P1 misses PIM, and (like P2) Access reviews and Lifecycle Workflows
     • Entra Verified ID: P1 & P2 miss Entitlement Mgmt and Face Check
     • Entra Internet Access, Entra Private Access
     Standalones: Internet/Private Access $5 each, ID Governance $7, Workload ID $3

  8. From AD to Entra ID… or… from Entra ID to AD!
     “AD will be managed and populated by Entra ID -> this shift is happening.”

  9. From AD to Entra ID… or… from Entra ID to AD!

  10. Focus on “AD minimized”
     (Diagram: Entra ID in the centre, with Active Directory managed from it)
     • HR (cloud or on-prem) creates users via API-driven provisioning
     • Entra Cloud Sync required
     • Group writeback from Entra ID to AD; user writeback -> tba !!
     • Devices Entra-joined
     • Access to / create cloud groups; use the Entra features: Microsoft Entra Verified ID, Microsoft Entra ID Governance, Microsoft Entra Workload ID, Microsoft Entra Private Access, Microsoft Entra Internet Access, Microsoft Entra External ID, Microsoft Entra ID Protection

  11. The three pillars of transformation
     • Users and Groups
     • Applications
     • Devices
     Source: Road to the cloud - Introduction to moving identity and access management from AD to Microsoft Entra ID

  12. User management today
     HR creates the user in SAP -> SAP interface -> Guido’s battery of PowerShell 5.0 scripts on a “super safe” VM -> Active Directory user -> Exchange mailbox, permissions, on-prem apps, SaaS, etc. -> synced to Azure
     Worst case: “We handle user creation with a PowerShell script battery from Guido, who doesn’t work here anymore, but if it’s urgent, we can still call him.” (Guido, awesome engineer)

  13. User management (how it should look)
     HR-driven provisioning

  14. User management (how it should look)
     API-driven provisioning

  15. Group management
     • Focus on Entra groups for all cloud apps, RBAC, M365, etc.
     • If you sync groups -> Group Writeback -> Entra to AD
     • Manage all groups/permissions with Lifecycle management or Access packages

  16. Groups: group management tools
     Change Source of Authority now available for: Groups, Exchange hybrid mailboxes … Users?
  17. Users & Group management: demo scenario
     1. Create a user in EID with an API call
     2. Change the SOA of a synced group
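The first demo step, creating a user in Entra ID through API-driven inbound provisioning, sends a SCIM BulkRequest to the provisioning job's bulkUpload endpoint in Microsoft Graph. The example below is added here and is not the speaker's demo code: it validates constructed HR records, builds that SCIM payload, and shows the Graph call; the service principal id, job id and token are assumed to come from the caller.

```python
"""Build and send an API-driven inbound provisioning bulk request (added example)."""
import json
import urllib.request

SCIM_BULK = "urn:ietf:params:scim:api:messages:2.0:BulkRequest"
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed sample HR records (fictional people); the second one is deliberately incomplete.
HR_RECORDS = [
    {"employeeId": "70001", "upn": "ada.lovelace@contoso.example", "given": "Ada",
     "family": "Lovelace", "dept": "Engineering", "active": True},
    {"employeeId": "70002", "upn": "", "given": "Bad", "family": "Record",
     "dept": "Finance", "active": True},
]


def to_scim_user(rec: dict) -> dict:
    """Map one HR record to a SCIM user; externalId is the matching key in Entra."""
    for key in ("employeeId", "upn", "given", "family"):
        if not rec.get(key):
            raise ValueError(f"record {rec.get('employeeId')!r} missing {key}")
    return {
        "schemas": [SCIM_USER, SCIM_ENTERPRISE],
        "externalId": rec["employeeId"],
        "userName": rec["upn"],
        "name": {"givenName": rec["given"], "familyName": rec["family"]},
        "active": rec["active"],
        SCIM_ENTERPRISE: {"employeeNumber": rec["employeeId"], "department": rec["dept"]},
    }


def build_bulk_request(records):
    """Return (payload, rejected): each valid record becomes one POST /Users operation."""
    ops, rejected = [], []
    for rec in records:
        try:
            user = to_scim_user(rec)
        except ValueError as exc:
            rejected.append(str(exc))  # never ship half-filled identities to the directory
            continue
        ops.append({"method": "POST", "bulkId": rec["employeeId"], "path": "/Users", "data": user})
    return {"schemas": [SCIM_BULK], "Operations": ops, "failOnErrors": None}, rejected


def send_bulk_upload(token: str, service_principal_id: str, job_id: str, payload: dict) -> int:
    """POST to the provisioning job; the token needs the SynchronizationData-User.Upload permission."""
    url = (f"https://graph.microsoft.com/v1.0/servicePrincipals/{service_principal_id}"
           f"/synchronization/jobs/{job_id}/bulkUpload")
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/scim+json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # 202 means the job accepted the records for processing
```

Rejected records are returned rather than silently dropped, so the HR feed owner can fix them before the next upload.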
  18. Modern authentication
     Apps
     • OIDC
     • OAuth2
     • SAML
     • WS-Federation
     “Think in Apps, not VMs.”
     • Move to Entra ID Enterprise Apps (Gallery or Custom)
     Legacy Apps
     • Kerberos
     • LDAP
     • Radius
     • Remote Desktop
     • NTLM
     Secure Hybrid Access: your options are App Proxy, Entra Private Access, Entra Domain Services

  19. Apps
     “You should not rely on LDAP.”
     “I would still invite you to rethink about using these protocols and instead using Modern Auth.”
     “Do consider replacing your legacy VPN, the blast radius is just too big.”
     “Stop buying or building AD dependent apps.”

  20. Apps migration / rebuilding
     “Applications are undergoing a major wave of refactoring and rebuilding.”
     • Azure Kubernetes Service
     • Azure Container Instances
     • Azure App Service
     • Azure Container Apps
     • Azure Local
     • Kubernetes on-prem

  21. Server management
     Source: Road to the cloud - Move identity and access management from Active Directory Domain Services (AD DS) to a Microsoft Entra migration workstream

  22. RDP MFA demo scenario
     1. Requirements
     2. Install Extension
     3. RBAC
     4. RDP Settings
     5. RDP through EID

  23. Device management
     • Windows 11 & Intune cloud native
     • Entra-join all devices over time
     • Move management from GPO to MDM
     • Autopilot

  24. Device management tools
     • Windows Local Administrator Password Solution (LAPS)
     • macOS: Entra-join, manage with Intune/MDM
     • Privileged Access Workstations (PAW): https://aka.ms/spa
     • VDI: AVD Entra-joined/Intune, FSLogix support with Azure Files
     • Linux: Entra-registered / Intune support for Ubuntu & RHEL

  25. Conclusion
     Users & Groups
     • Provision users with HR-driven provisioning into EID or AD
     • Try to use EID groups, or do group writeback
     • Use Lifecycle workflows and access packages
     Apps
     • Think in Apps, not VMs
     • Make use of tools like Private Access or App Proxy
     • Use modern tools for server management
     Devices
     • Manage with Intune and Entra-join devices
     • Stage with Autopilot V2, add security with LAPS
     • VDIs are best in the cloud

  26. Links
     • Entra Licensing: https://www.microsoft.com/en-us/security/business/microsoft-entra-pricing
     • Road to the Cloud: Determine cloud transformation posture when moving identity and access management from Active Directory to Microsoft Entra ID
     • Group SOA: Entra Group Source of Authority CONVERSION! John Savill
     • Migrate from AD to Entra: How to Successfully Navigate the Cloud Transformation Journey
     • Entra Resilience Deep Dive: https://youtu.be/vf6GrILAKsE?si=am9T0f-WvJtH44Ks
     • HR-driven provisioning: https://learn.microsoft.com/en-us/entra/identity/app-provisioning/what-is-hr-driven-provisioning
     • Demo 1: QuickStart API-driven inbound provisioning with Graph Explorer - Microsoft Entra ID
     • Lifecycle Workflows: What are lifecycle workflows? - Microsoft Entra ID Governance | Microsoft Learn
     • Change Source of Authority: Embrace cloud-first posture and convert Group Source of Authority (SOA) to the cloud (Preview)
     • Secure Privileged Access: https://aka.ms/spa
     • LAPS: Windows LAPS overview | Microsoft Learn