@Lain Robertson 

Hi, the link you shared just links back to this page. Please can you share the article to which you were referring?

Thanks

@SallyWeston 

Oh! That's embarrassing! Clearly a copy-and-paste fail there.

I've done a quick bit of searching and can't find any articles that ring any bells, however, I vaguely recall that it spoke to the ongoing need for Active Directory for large enterprise customers who are expected to remain hybrid for the foreseeable future.

I'll keep looking for that "authoritative" post I claim to have found, but in the meanwhile, here's some (highly-opinionated, but experiential all the same) additional concerns I've got where the marketing rhetoric doesn't match the on-the-ground deliverables.

The first is aimed squarely at Graph, since this is how Azure AD and many other Azure-centric Microsoft services are being exposed.

My biggest issues with Graph are that:

1. It's focused almost exclusively at front-end automation, leaving it next-to-useless in dealing with hybrid-specific back-office automation;
2. Azure AD is effectively the only back-office component integrated and even then it's only done to an average degree. The flexibility you have in controlling an on-premise Active Directory schema - such as control over indexing, leveraging multi-valued attributes to represent business structures accurately, and create new classes - isn't even remotely well matched in Azure AD. This presents multiple challenges, particularly in the space of identity management where you find yourself scratching around trying to create sub-optimal solutions to work around Graph's limitations;
3. Rather than enumerating the raft of issues with other products, I'll just focus on Teams, where if you measure what can be achieved through Graph against the APIs and commandlets that exist for Skype for Business and SharePoint Server, there's just too many gaps with respect to getting Teams into alignment with corporate policy requirements.

Point 2 reflects limitations of Azure AD itself when compared to on-prem Active Directory, however, Graph has more issues. The multi-valued attributes is a good example where, technically, Azure AD does indeed handle them properly but it let down by Graph, which doesn't surface them in the JSON response, leaving things like often-asked for features like using multi-valued attributes in dynamic licencing groups still out of reach.

This - for me - raises questions around the overarching Azure strategy which is further evident in the availability of no less than three Azure AD PowerShell modules. I feel like what we're getting as enterprise customers is a "make it up as you go" Agile-based approach to product development that's delivering a lot of new - and potentially nice - features, but poorly thought through and executed with a great many holes in the implementation.

Bringing the discussion back to Active Directory for a moment, I've listened to some people saying there's no further development planned and that's evidence of it's limited future. This to me only serves to demonstrate their lack of understanding of a directory service's obligation, which is firstly to act in accordance with the relevant standards, and from a practical perspective, deliver on its purpose which is to provide authorisation services. Additional roles and features were always a vendor add-on designed to benefit the customer, but you have to ask yourself, what more do I need from a directory service?

In that context, I don't really feel that further development of the service has really been all that important for at least the last decade. I think this is somewhat reflected in the schema changes from Server 2012 onwards where by and large, the only changes have largely been to facilitate cloud integration. To me, this is an acknowledgement that not much more could be added to the directory service itself.

Shifting contexts for a minute, on-premise Active Directory (or any other directory service, really) has tremendous value - when paired with a formal identity management strategy - in the context of handling on-boarding and offloading (think merger and divestment-like activities) where it's quite possible the external entity is not positioned well for integrating natively with Azure AD.

Lastly, but importantly, from a data governance perspective - particularly sovereignty as a subtopic; you're implicitly operating at a higher level of risk in storing your entire identity data set in Azure AD (or any cloud-based alternative) rather than just the operational metadata that if compromised might be embarrassing, but not in breach of legal frameworks such as your country's legislation (which we're seeing an increasing amount of here in Australia in the past five years).

This all reads like a lot of naysaying and that isn't deliberate for my part. I think Azure (and the other cloud platforms) is a wonderful tool that could use a good deal of love in playing catch-up to important feature parity with on-premise Active Directory as well as other on-premise products.

Where I diverge from the marketing fluff is that it is just that: a valuable tool in your arsenal that when adopted strategically can improve service delivery (including the over-touted, poorly understood "digital transformation"), not a panacea where wholesale adoption makes sense when considering your legal and commercial requirements. That I've seen a couple of clients back out from the cloud seems to lend some credibility to that observation (though I only have superficial awareness of the "whys" in those cases - I think OpEX cost was actually a prominent component).

I'd love to do more with Azure - particularly via Graph which enjoys good support from all the key identity management system vendors, but it's simply not mature enough to be all-encompassing when compared to the benefits from a hybrid approach.

Cheers,

Lain

Hi Sally,

I can't find the exact article I referred to earlier, but to take a couple of extracts from Microsoft's current guidance on docs.microsoft.com:

From Define a hybrid identity adoption strategy, under "Define an integration strategy":

• From the "federated identity" column in the image, note the reference to "additional flexibility" as this is entirely under-represented in discussions, decisions and planning;
• Cloud identities only: "Easier to manage for small organization";
• Synchronised and federated: "Easier to manage for small, medium, or large organization" and "Supports advanced scenarios".
•  My opinion on the disadvantages of federation is that they're overstated. The cost (direct and indirect) of a geo-redundant federation solution is small to non-existent for large and many medium sized organisations - so long as you already have geo-redundant facilities to begin with. The benefits to governance significantly outweigh the cost.

From What is hybrid identity with Azure Active Directory?

• The entire introduction;
• Example of this "greater flexibility" as per the AD FS column, albeit for the one topic of authentication.

I know what you're hoping to see is some form of hard end date (if one were to exist) for Active Directory, but I haven't seen or heard of such a thing in discussion. Even were it to be formally announced, it would take years upon years to effect and customers with high risk and compliance (governance) requirements - sovereignty is a common subtopic - would be at great risk of moving platforms entirely.

The fact that Microsoft has an integration strategy (as per the first article that outlines the current three-pronged approach to integration) recognises this and reinforces the notion that on-premise Active Directory (amongst a great many other things in the application space) is still very current and relevant.

Don't be misled by CSPs (Cloud Solution Providers) who would have you believe that Azure is exclusively the future as there are commercial motivators behind such rhetoric. The reality is quite different. It's also important to explicitly state that once you are integrated, you can adopt new cloud features as they're released just as readily as a "cloud only" customer. You are not going to "miss out".

Ultimately, you can come up with some amazing customer solutions/strategies through integrating on-premise services and applications (Active Directory being just one service) with the cloud (Microsoft and others). Nothing is forcing/advising you (CSPs aside) to limit your options through becoming a cloud-only organisation.

Cheers,

Lain

@Lain Robertson From what I heard at ignite 2019, and from a few others. It sounds as if Microsoft is going to bring all the features of on-prem AD to Azure AD in the future. Since there is nothing like nested groups, ou, group policy, kerberos auth, etc ... in Azure AD. Hell, ADDS is the recommended way of setting up machine auth for Linux boxes in Azure. I see the two growing together to be one eventually. I just hope the on-prem keeps parity with the cloud version