Moving from Hybrid Active Directory to Entra-Only: Seeking Practical Insights

Asked By TechSavvy92 On

I'm currently exploring the transition from a hybrid Active Directory (AD) setup to an Entra-only model and would love to hear from others who have made this shift. Our current hybrid environment is using Microsoft Entra ID Connect, with on-premises AD as our main user source. Here's a breakdown of our setup:

- Most user accounts are created and managed in on-prem AD, then synced to Microsoft Entra ID.
- We have a lot of cloud-only groups (like M365 groups and security groups) and a smaller number of cloud-only users.
- Most of our Windows devices are hybrid joined, with only a few Entra joined, while macOS devices are bound to AD and managed through Jamf.
- We're using Intune for Windows management but not for Macs.

In terms of authentication and access:
- Device logins for both Windows and Mac authenticate against on-prem AD.
- Our WiFi setup relies on RADIUS through Cisco ISE, using AD security groups.
- VPN access is also managed via AD groups with Cisco ISE.
- Microsoft 365 services authenticate using cloud methods, and we have Conditional Access and MFA in place.

Some complexities include:
- A few systems still depend on LDAP.
- Our on-prem NAS (Dell Isilon) uses SMB with NTFS permissions managed by AD groups.
- We're still using Group Policy, although it's minimal and will need to transition to Intune eventually.
- RADIUS and VPN access are tied to AD groups.
- Some processes are on isolated systems.

Our main goals are:
- Making Entra ID the sole identity source.
- Getting Windows devices fully Entra joined and managed through Intune, eliminating hybrid joins.
- Reducing our reliance on on-prem AD.

We believe a phased approach is best, but are open to suggestions. I'm looking for real-world experiences, advice, or resources from anyone who has gone through this process!

5 Answers

Answered By CloudTransition99 On

For MDM, you can set up Intune with GPO to facilitate the join process. Creating an Autopilot configuration is key here. Once your PCs are MDM joined, they can import the hashes seamlessly into your tenant. If users need access to on-prem file servers, they’ll still need AD accounts, so you might want to move those accounts to an organizational unit (OU) that no longer syncs with Entra. Do you have plans to migrate any of your servers to the cloud?

Answered By TransitionMaster3000 On

In my experience, moving workloads entirely to the cloud simplifies a lot of challenges. Start by pushing users to Entra and get comfortable with the environment. It can streamline your operations significantly, particularly for remote work!

Answered By PKCSExpert On

If you're juggling on-prem services and need to maintain things like certificates for your ISE, it might make sense to stay hybrid for now. Keeping AD on-prem simplifies authentication and permissions for systems that still depend on it. It's a strategic balance rather than a complete shift all at once.

Answered By CloudNavigator On

Adopting a phased approach is definitely wise. Transitioning to Entra-only isn’t just about technical changes; it requires careful planning of workloads. As you move, outline the authentication flows to see how access will shift, especially for users who rely on specific applications.

Answered By NetWorkerGuy77 On

Hey! I've got quite a bit of experience helping clients make this transition. One thing you might find tricky is reworking your WiFi and VPN setups since they currently depend on AD. Without those AD objects, you'll need to switch to a user-based authentication system or something that doesn't rely on AD. Everything else you mentioned should work fine with Entra-joined devices.
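As an added example, not part of any answer in this thread: a read-only Microsoft Graph PowerShell inventory of which users are still mastered in on-prem AD and which devices are hybrid joined versus Entra joined, the baseline a phased plan like the one discussed above needs before the first OU or device is moved. It assumes the Microsoft.Graph module is installed and the signed-in account can consent to the read-only User.Read.All and Device.Read.All scopes; the output file name is my own choice.

```powershell
# Added example (not from the original thread): baseline inventory of users by identity
# source and devices by join type, via Microsoft Graph PowerShell, to size each phase.
# Assumes the Microsoft.Graph module and read-only User.Read.All / Device.Read.All scopes.
Connect-MgGraph -Scopes 'User.Read.All', 'Device.Read.All'

# Users: OnPremisesSyncEnabled is $true for accounts mastered in on-prem AD and synced
# by Entra ID Connect; cloud-only accounts have it unset or $false.
$users = Get-MgUser -All -Property 'Id,UserPrincipalName,OnPremisesSyncEnabled,AccountEnabled'
$synced    = @($users | Where-Object { $_.OnPremisesSyncEnabled -eq $true })
$cloudOnly = @($users | Where-Object { $_.OnPremisesSyncEnabled -ne $true })

# Devices: TrustType is 'ServerAd' for hybrid joined, 'AzureAd' for Entra joined and
# 'Workplace' for Entra registered (BYOD). OperatingSystem separates Windows from macOS.
$devices = Get-MgDevice -All -Property 'Id,DisplayName,TrustType,OperatingSystem,IsManaged,ApproximateLastSignInDateTime'
$hybrid = @($devices | Where-Object { $_.TrustType -eq 'ServerAd' })
$entra  = @($devices | Where-Object { $_.TrustType -eq 'AzureAd' })

# Summary of where the environment stands today.
[pscustomobject]@{
    UsersSyncedFromAD   = $synced.Count
    UsersCloudOnly      = $cloudOnly.Count
    DevicesHybridJoined = $hybrid.Count
    DevicesEntraJoined  = $entra.Count
}

# Hybrid-joined Windows devices that Intune does not yet manage: the first candidates
# for an Autopilot re-enrollment wave, newest sign-ins first so stale objects sort last.
$hybrid |
    Where-Object { $_.OperatingSystem -like 'Windows*' -and -not $_.IsManaged } |
    Select-Object DisplayName, OperatingSystem, ApproximateLastSignInDateTime |
    Sort-Object ApproximateLastSignInDateTime -Descending |
    Export-Csv -Path '.\hybrid-not-in-intune.csv' -NoTypeInformation
```

Re-run the same inventory after each phase; the synced-user and hybrid-device counts dropping to zero is the measurable end state for "Entra ID as the sole identity source".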
