Event Recording

Kim Cameron - The Future of On-Premise AD in the days of Azure AD


Azure AD is here. It can act as a domain controller. It helps you manage your partners. It is ready-made for managing your customers. The application proxy builds the bridge back to your on-premise applications. That raises an important question for all organizations running AD on-premises: What is the future role for on-premise AD? What is the right strategy? Who can and should get rid of on-premise AD now or in the near future, and who should focus on a hybrid strategy? Where is the overlap?

Okay. So I'm gonna try and talk very briefly too, in the hope that there would be things that people would want to discuss. Does that make sense? When it comes to AD, the role of AAD versus AD, there are likely to be, or there possibly will be, people who wanna talk about specific situations. So I'll just go through and give you a high-level view of how we see it, of how we see the strategy and how we see our customers reacting. And then, if we want to go deeper, we can. So, oh, okay.
I got a twofer. Yeah. So I didn't bore you by putting a slide on what AAD is. Is that okay? Can everyone live with that? Okay. And I won't bore you with going into this. I think everybody knows what's happening, and there's a lot of it happening at once. Basically, the era has changed. There is this cloud era that we're in. Cloud technology is part of that era, and cloud threats are part of that era, right? The increase in professionalism of the attackers and the introduction of all of these new ways of attacking things. Meanwhile, one's customers have, what do they call it, the homegrown IT, the shadow IT, that starts using these external systems whether the official IT wants them used or not. So suddenly people are, you know, you turn around and, we actually developed a product that would count how many of which external systems your users were using, and anybody who tried it was completely horrified. They had absolutely no... People were off in their projections of what kind of cloud systems were being used by their own employees by an order of magnitude.
And so we saw this coming and we said, we need to, actually, it's not a matter of going in and asking what do we add next to AD. I mean, I went to Microsoft to start working on AD in 1999. And so we added stuff and we added stuff and we added stuff. But in essence, it was built to be a domain directory. In other words, within this closed confine which you could control, in companies that didn't have to deal with a bunch of external relationships and external forces coming in. And all of a sudden we were in this new era. So our view was that we needed to address the new era and to help AD address the new era, but the way to do it wasn't to continue building widgets inside AD on premise. It was for us to embrace the cloud and start building the solutions for the cloud-era problems in the cloud, to use the cloud to solve the problems that people were encountering.
So we ended up with this system. I think a lot of people now are very familiar with what's in Azure AD as well, so I'm not gonna spend a lot of time on that. Basically, if you were a little greenfield organization with no intellectual property, you could go in and you could just build your own little Azure AD, what we call a tenant, and start using it. It would do everything that you do in a regular on-premise directory like Active Directory. But in addition, it has these ways of dealing with the cloud-based problems. It has the gallery of, actually, 2,500 pre-integrated cloud apps, so that you can manage how your employees get into all of those cloud apps, not only how they get into Azure AD. You can use Azure AD to send traffic securely back onto premise, so that you can replace a bunch of stuff you would normally have to deploy on premise by putting things in the cloud. You can do the same sort of employee identity, credential and group management and everything you can in Active Directory.
One of the new things you can do is you can actually have all of your domain functionality through Azure AD as well. And we have this new component called AD Domain Services where you can run something in the cloud. Let me back up a moment. A lot of people have a bunch of applications running which they would like to move into the cloud and run on virtual machines in the cloud, rather than in their own data centers. But they're stuff that was written prior to the cloud. They're the sort of legacy things. And so they're very much tied into Active Directory, just as it always has worked. Well, now there's a component of Azure AD, this Azure AD Domain Services, that looks exactly like an AD domain controller, so that you can run those applications in VMs in the cloud. Yeah.
Does Azure AD Domain Services work with federated accounts without,
Does it work with federated accounts,
Federated directories
With federated directories without password sync? Well, the domain controller itself doesn't do federation. You know, you don't put ADFS onto it. You don't set up ADFS inside. I'm aware. Yeah. The question is. Yeah, because, in other words, you don't need to do the federation at that level. You can do the federation at other levels. The question is, can
I go from Kerberos via SAML to Kerberos automatically without having password sync into
Well, okay. I would have to see the exact use case because there's a lot of moving parts in there to go from SAML to Kerberos. To go from Kerberos to SAML was easy because you're gaining more resolution; to go from SAML to Kerberos is hard because you're going from a whole language to a single word. And so I can't give you a, so the question I would have to ask you is which word are you using? But anyway, we could talk about it. I invite you to contact me, and we can talk about the specifics of that. Okay.
The other thing is that Azure AD allows you to do these big new things that have to be done, like managing your customers as they all become virtual, as they want virtual relationships with your enterprise. That becomes a huge part of what everybody has to deliver. You need to be able to manage your digital identities with your customers, and that starts to become really key. And you'll probably start maintaining resources related to your customers, and those have to be protected properly. And so the whole question of having professionalized support for your customer identities is just as important in the long term as having professionalized support of your employee identities. And so Azure AD is where we developed all of these capabilities of supporting your customers. Clearly, one of the reasons is the question of scale. A lot of even small companies have very large numbers of customers, but it's also because the customers themselves are using devices and so on, which represent problems that are easier to solve in the cloud too.
So putting those two things together, what about AD on premise? Well, AD has been traditionally used for different environments. One is sort of just the regular corporate environment to manage employee systems and applications. That's the biggest use case. Some people have used it to manage identities and so on for partners, vendors and consultants. And there are a lot of specialized applications, for instance in high-security environments, for example health systems, where you need to be able to have the doctors getting into the emergency room even if the power goes out, even if there's no internet connectivity; everything has to be resilient within a local environment. So in these high-security and high-reliability environments Active Directory has been very, very successful; high-sensitivity environments, where you want to be able to physically control access to anything, be absolutely certain who is able to gain admission to even the rooms where the machines are operating and so on; and isolated and low-connectivity environments.
We do, for example, they're used on many of the world's submarines, perhaps a huge percentage of the world's submarines, because obviously they're gonna lose internet connectivity for a few minutes every now and then. Okay. So for all of those reasons, a lot of those reasons are not gonna go away, right? In my view, we're not gonna see an end to high-security, high-reliability environments. We're not gonna see an end to super-high-sensitivity environments. We're not gonna see an end to isolated or low-connectivity environments. So some of the fundamental capabilities that Active Directory has are not transient; they're long-term things that are gonna be with us, I would say, forever.
So AD on-prem still has a critical role to play. I would say that one of the things that happened in the adoption cycle of cloud is many people said, gee, what am I gonna do in the cloud? Do I have to move my basic employee management into the cloud? Well, why? I mean, there's nothing to force me, to require me, given how busy I am, to take my current daily systems that were just fine, thank you very much, and move them into the cloud. And so the first thing that people wanted to look at was how you use the cloud to solve the cloud-era problems that they have no solution for. They don't know how to solve those things. And it's only later, as people go through the experience of how many simplifying assumptions occur when you start using the cloud, that people start to think, well, we can actually gain a lot by taking some of these changes in operations and changes in the way things are built and using that for our regular employee management too.
So some of the on-premise AD requirements will go away and could be replaced by using cloud. On the other hand, some organizations will perhaps never be able to leave on premises, those in high-sensitivity environments and so on. And the truth of the matter is, because of the mix of applications and the massive penetration of all this stuff, hybrid will be around for an awful long time. By hybrid, I mean use of both cloud and on premise. And so what we did when we developed Azure AD was to say, right from the beginning, we're gonna differentiate our cloud offering by making it a hybrid thing, something that works on its own but also reinforces the value of AD and is tied into it. And the two of them create a synergy. And what we really want is a way that we can manage both of them in one place, so that we have no replication or duplication of management effort, no additional source of problems in governance because you have two places where things are being managed, and all that kind of thing.
So in this sense, our strategy has been and remains that we support a hybrid world, where we understand that there are use cases for Active Directory running in various modes: some modes where it's completely isolated, some modes where it's tied into the cloud and can benefit from cloud services. So I've more or less gone through this, which is just, here are the people with these critical systems, and here are the people with no legacy, et cetera. And so we can kind of summarize what our thinking is by this. We started with this position where people were on AD. They were able to synchronize information into the cloud and then deploy things like Office 365, but our vision is that, because of the fact that we have all of these other cloud-era problems, Azure Active Directory becomes a more and more powerful component in the equation.
And that, if anything, in many instances, the direction of synchronization would be from Azure Active Directory into AD in order to hydrate it. You know, in my own imagination, I even think of it as being that you could think of on-premise AD becoming over time something virtually stateless that gets hydrated out of the cloud, but then turns it into this thing with this resiliency and this ability to function in isolated environments and so on. When the submarine goes down, it's able to continue to function; when it comes back up, it's being hydrated through the cloud and resynchronized. So, but once again, the important thing here is that this arrow is bidirectional. So our vision is that the customer would be able to put that where they want: they could drive the cloud-based side of things from their on-premise, or they could ultimately drive the on-premise from the cloud-based things.
And that allows them to make this overall evolution. So in terms of what you would approach, you know, you're trying to do these things like reduce your TCO and so on. To do all of this, you don't need to abandon AD. Our view is you can use the ability of AAD to work with AD and then surgically choose what makes most sense to run in the traditional fashion and what you should move into cloud management. So I think I'll leave it there, and then we can turn to questions. But no questions as complicated as that one; we need one step down. No, it's a very good question. It's just, it is complicated. Let's start, it will work up
Questions. Okay.
Yeah. Hybrid mode then, is it hybrid without the need for federation?
Is it hybrid without the need for federation? If you had hybrid, if you had no federation, you mean between on premise and the cloud. Yes. You see, I kind of think of the relationship between on-prem and the cloud as a matter of projection. Sure. Now, so I don't know what you mean by federation. Federation can mean two things. You could be talking in a sort of high-level strategic sense. Yeah. Or you could be talking protocols. What are you talking? No, your protocols. Yeah. You do not have to federate. One of the things that we can do, I'm actually rather proud of this, is you can do the equivalent of password sync, except we don't sync the passwords. We sync a hash of the passwords, but it's not simply a hash of the passwords.
It's a hash of the passwords with salts that is specific to that particular AD on-premise relationship. So it doesn't turn into a very nice Microsoft-generated password attack machine. It's actually something that's entirely safe. And one of the most interesting things that I saw recently was, it's sufficiently... You know, I don't know if anyone noticed this, or came to my keynote, but in the keynote I showed a screen of this new mechanism we have, where we take the signals from, for example, all of the leaked passwords that are posted into the dark space. And then we run those against the password hashes in Azure Active Directory. And so we can produce reports for the tenant administrators saying, these people had their passwords compromised in the last two weeks.
And, you know, it's really shocking when people first start to get those reports, because beforehand, of course, there was no way to do that. But if you think about it, we could actually, and I hope to see us do this, I think it's on the schedule for some time, I'm just an architect, schedules are beyond my level of competence, but because of the architecture of the password sync, password hash sync, you can actually verify whether anybody's passwords on premise have been compromised as well. So anyway, that's a good example really of how cloud and on-premise can reinforce each other, and of how we have invested equally in both on-premise and cloud. If you look at our analytics, we've come out with a whole series of analytics for Active Directory which analyze the network traffic and use machine learning. Perhaps a number of people with Active Directory have already seen this, but it's using machine learning and all of the latest stuff that we use in the cloud in order to see if people are attacking Active Directory in the local on-premises situation.
So that's what I mean by hybrid really. Does that make sense?
I have a question. I think maybe some people might be confused about the password sync and federation, and maybe this will clear it up. I have a hybrid environment with some domains in Active Directory and some in AAD, and the users are kind of logging in and using resources across that environment. Can I log in to either side and function the same way in that? Can I have a forest across AD and AAD and function in the same way, regardless of where I logged in?
I wouldn't know, that isn't the way we do... Well, there are two. The problem here is that you can set it up in several ways. Okay. So one way you can set it up is that the truth lives on premise, and then it federates using actual federation protocols with the cloud, and the cloud is a relying-party STS. And then it converts the token that it gets from your on-premise into a new token that can be used across the cloud and for any piece of software that takes advantage of the cloud. So that on-premise password is driving the local STS, that then drives the cloud STS. And so yes, you end up being able to use or take advantage of that password anywhere in the system. Similarly, you could log into Azure, if you set it up differently. Some people don't want to do all of that stuff around federation.
They would prefer to have the same accounts, same account names and so on, but just replicate these hashes of passwords. Now, in that case, your login point becomes the cloud. And so you can go around and you can access all of the things that accept the cloud tokens. And we're able to take the cloud tokens, through this gateway, back into on-premises, so that authentication can be used to access on-premise. So you actually have bidirectional connectivity of the end user to the resources that they want in both cases, but the underlying, for anybody who is crazy enough to be interested in the underlying identity protocols, the actual steps that are being used are different, but the net result for the user is the same. Does that make sense? And so, yeah. Yeah, I think that's what I was... And, but a lot of people, like I personally, hate password synchronization. I've been against password synchronization since day one. And so that's why I say I'm very pleased with the way we ended up with this mechanism of doing this hash synchronization. So it satisfies all the different requirements.
So you mentioned identity management terminology in the presentation. And I know we're talking about Active Directory. However, I have to ask that question. So are you doing anything with the joiners, movers, leavers and governance, or are you still leaving that to the vendors, because it kind of looks like you are expanding to that world as well? I'm trying to figure out how that hybrid solution is gonna look.
Well, I'm gonna give you my view, and my view is always right. So, you know, the kind of really professionalized governance technology, for example, that a company like SailPoint, for example, and, do I have to compliment IBM? I love IBM. No, no, look, people, you know, there are people who are gonna put more IQ in, because it's really a question, you need IQ and you need lots of attention to the detail of particular environments. There are people who are gonna do that better than Microsoft. And so we actually love that. We love those people, and we're trying to build a platform that is a source of utility for the entire world and a source of wealth for everybody in the industry. So, you know, we love the idea that you could get the most professional compliance capabilities possible running on top of our platform. We of course will provide compliance capabilities up to a certain level, but there will be the need for specialization, and we support the specialization. If anybody is interested in moving in that direction, please don't think we aren't open or enthusiastic about providing ways for you to do that, not for us, for our mutual customers.
I would see the competition with players like Okta. How do you differentiate from them?
Well, you know, we have 96% of the authentications and they have one half of a percent of the authentications. So that's the main way that we
Differentiate. Okay. But more from a functional standpoint than a market share standpoint.
Oh, do you want me to say something good about Okta?
Pianist?
No, come on now, you know, I've been in spiritual study for many years, so I should be able to rise to this occasion. No, anybody who provides, anybody who makes a customer's life better is doing good work. And we support that. Okay. And that includes, you know, even people who denigrate us and say that we're not doing a good job. Oh, that doesn't bother me really. I've already been there. So yeah, Okta. I don't like their go-to-market, you know, it's extremely aggressive, not only towards us but towards many other people in the industry. So I don't like that, but I think they do provide good service for the customers who adopt them. So yeah, in that sense, they're welcome on top of our platform. Do I think that their offering, I'm not convinced of any capabilities that they have that we don't have, and I'm not convinced, in other words, that they're doing a specialization above the platform level. So something like governance really is a specialization. Does that make sense to people? It makes sense to me.
Here? Those companies, last question.
Oh,
Is, is it a question
The
Interesting,
So however, possibly it's gonna be a discussion about, I like the question especially, and I'm having my own view as well. So I think those companies are filling just a gap that other customers don't want to fill up. You know, Microsoft does a good job providing a platform, but in some cases it leaves it to some partners and vendors, which then need to do programming against the API, and as an end customer or a company, I don't like to do that. So that's where this space is filled by companies like Okta, because I'm kind of, you know, missing stuff like, yeah, you're having your 2,500 or 4,000 app gallery, whatever it is, but it doesn't help me to provision; that's my own problem. Yeah.
And, and,
You know, and that's exactly where those,
Yeah. And I just don't want to be misread, because we are really happy to have people like that filling the gaps that we're leaving. On the other hand, you know, we are also inevitably gonna fill a lot of those gaps. And so as we do that, we try and help our partners fill the next set, because we have one team that's working to create new gaps and the other teams that are filling the old ones. So there's always lots of opportunity in this world. But we used to say people are moving up the stack, right? And I agree with you. There have been gaps; some of our mechanisms have been too hard to use, and Okta has focused on some of those areas and developed a good solution for the areas that were too hard to use. And so I congratulate them for that. Yeah.
So Kim, I want to thank you very much on behalf of the audience for enlightening us on the mysteries of AD and AAD. And so that we don't get a D, D
And it's also, that's unfair. You've been working on that way.
I knew I had to get a D in here somehow. And
It's been fun to talk with you again about multi-master replication and federation. And it's great to see new things coming into the cloud, but some of the technologies, the patterns that we've been familiar with, still having relevance, and life goes on. So what I think we should do now is let the official part of the panel come to a close and let the people that are anxious to go down to the closing keynote gracefully depart, and we'll give Kim a big hand, and then we'll see if we have any follow-on discussion after.
Thank you.
