{"id":113074,"date":"2024-07-23T11:30:00","date_gmt":"2024-07-23T15:30:00","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=113074"},"modified":"2024-08-15T15:18:13","modified_gmt":"2024-08-15T19:18:13","slug":"how-to-plan-an-active-directory-migration","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/how-to-plan-an-active-directory-migration","title":{"rendered":"How to Plan an Active Directory Migration"},"content":{"rendered":"\n

Microsoft\u2019s Active Directory (AD) runs your Windows network and keeps mission-critical legacy apps and workflows running at some organizations. Replacing it can be a big commitment, and migration planning is an essential step to undertake before kicking off your project.<\/p>\n\n\n\n

Big commitments are made for very good reasons. Consider that AD has become a top target for cyber attackers and doesn’t meet modern IT requirements. AD makes it difficult to support hybrid and decentralized organizations that use a variety of device types, and has become progressively harder to administer. AD also requires a suite of other solutions in order to connect identities to cloud infrastructure, web applications, networking gear, and more.<\/p>\n\n\n\n

Those are some of the reasons why many organizations are eliminating or modernizing AD with cloud directories. Successful migrations start with understanding your objectives and continue through support, feedback, and validation.<\/p>\n\n\n\n

Every migration is different, but every organization requires a migration plan. Organizations that inherit extensive customizations and custom, homegrown applications may still require AD, but can reduce its usage and attack surface area. Most organizations can migrate to a modern cloud directory completely, enabling them to benefit from greater efficiency, security, and simplicity.<\/p>\n\n\n\n

This article is a guide to determine whether AD should be contained or replaced. Then you\u2019ll learn about why cloud directories work differently and how to draft a detailed migration plan. Many organizations have successfully migrated to independent cloud directory services, and you can rest assured that they all invested some time upfront for planning and preparation.<\/p>\n\n\n\n

Why Replace AD<\/h2>\n\n\n\n

AD is a 25+ year-old technology that was built for a Windows-centric, on-premises world. It\u2019s officially a legacy product that\u2019s often the weakest link in any security platform. It doesn’t even matter how skilled and experienced the admins are. The costs, complexity, and risks of using AD will always be a problem, but there are solutions depending on how it\u2019s being used.<\/p>\n\n\n\n

Note: Capital costs, energy, and labor costs combined with supply chain challenges have made running a data center more expensive. Learn about the hidden costs of using AD.<\/p>\n\n\n\n

Microsoft recommends using AD in a hybrid configuration with Azure Active Directory\u2019s (now called Entra ID) most premium subscription plan. That means maintaining your data center or a colocation facility while adopting cloud services. Still, it doesn\u2019t stop there. Microsoft\u2019s popular Microsoft 365 (M365) bundles don\u2019t include everything that\u2019s needed for your protection.<\/p>\n\n\n\n

Microsoft\u2019s Strategy for AD: Sell More Products<\/h3>\n\n\n\n

Defender for Identity and Defender for Servers are security products to safeguard identities against attacks that hackers use to steal credentials and move laterally through networks. Otherwise, you run the risk of AD being compromised and becoming a pathway to your systems and data. Running AD without protection is increasingly risky as attackers set their sights on AD to exploit its architectural limitations. Microsoft understands that problem too.<\/p>\n\n\n\n

Eliminating or containing AD is a more straightforward approach. Cloud directories provide IT simplification and modernization with unified identity, device, and access management. Microsoft has moved in this direction with its cloud identity and security products. It has given less emphasis to improving AD; it sells security products instead of eliminating AD\u2019s defects.<\/p>\n\n\n\n

The next section will help you understand when it\u2019s better to replace or contain AD. You\u2019ll also have to decide whether Microsoft\u2019s prescribed path is what\u2019s best for your organization. We\u2019ll share more about JumpCloud to help you make that comparison after plotting out the migration.<\/p>\n\n\n\n

Prerequisites for Migrations<\/h2>\n\n\n\n

AD may not be as irreplaceable as you may believe. Most organizations can modernize it and begin to benefit from cloud directories without any breaking changes. For example, your firewall, WiFi infrastructure, or core switch can likely handle DHCP\/DNS for your office networks. Every organization has unique requirements and available resources that will inform its migration decisions.<\/p>\n\n\n\n

First, it helps to spend some time learning about cloud architecture.<\/p>\n\n\n\n

Learn About Cloud Architecture<\/h3>\n\n\n\n

Cloud directories don\u2019t always provide a 1:1 replacement to AD, but that should be viewed as an opportunity to increase IT efficiency and security. Cloud directories are built to overcome many of the weaknesses of AD\u2019s legacy architecture using open web standards and modern identity and access management (IAM). Other AD services can be substituted out as needed.<\/p>\n\n\n\n

Nested groups are a prime example of why AD\u2019s legacy approach to access control doesn\u2019t exist in the cloud. Cloud directories handle authorization via groups rather than through an indirect inheritance from the parent group object. It\u2019s easier for admins to determine why a user object has a particular entitlement. This more mature approach to managing entitlements can increase IT efficiency with automated membership changes. The immediate benefits are easier on\/off boarding, increased efficiency, and more responsiveness to meet business objectives.<\/p>\n\n\n\n

Note: We offer a free and comprehensive Active Directory to cloud “translation” guide.<\/p>\n\n\n\n

Understanding the differences in architecture between AD and the cloud is the first step in planning a migration strategy. AD can be replaced or enhanced to strengthen IAM with modern authentication and other features that reduce reliance on AD \u2026 and its downsides and risks.<\/p>\n\n\n\n

The next step is knowing which approach to take for AD: replace it or contain it.<\/p>\n\n\n\n

Know When to Replace AD<\/h3>\n\n\n\n

These criteria are generally a \u201cgreenlight\u201d for a migration to a cloud directory:<\/p>\n\n\n\n