Hey everyone! I've recently started a new job, and one of my main objectives is to shift our identity management from the traditional Active Directory to a completely cloud-based setup by the end of the year. However, I'm beginning to feel a bit lost about our current infrastructure. Here's a quick rundown of what we have:
- We're currently using on-premises Active Directory for managing identities.
- All our file storage is done via OneDrive and SharePoint.
- We utilize Exchange Online for our email needs.
- We've set up AAD Connect, which syncs our on-prem AD with Entra ID (formerly known as Azure AD).
- Users log into their computers using Azure credentials.
- Interestingly, in the Entra admin portal, it shows our devices as Entra registered but not Azure AD Hybrid Joined.
I initially thought we had a hybrid setup due to AAD Connect, but now I'm starting to think there might be a misconfiguration preventing it from working properly. Any insights on our current setup or what steps I should take to fully migrate to the cloud would be much appreciated!
4 Answers
So, what servers do you have aside from AD? If you're still using on-prem DNS and GPO, that could complicate things a bit, especially for account creation and management.
I totally get what you're going through! From what you've shared, if devices show as registered, that often means a local account is in play while users use their Entra accounts to access resources. Do you have any servers besides AD? Also, consider how you're going to apply GPOs in the cloud, since that's a big part of the transition.
Exactly! That's the vibe I'm getting too. We don't have many GPOs, so I've been setting up different conditional access policies and configuration profiles. When I brought in some new users from a recently acquired company, I made them Entra-only users, so they're fully on the cloud.
Nope, if the device is registered and you're saying users log in with "Azure credentials," it means those devices might still be domain-joined but not properly synced to the cloud. To go fully cloud-based, you'll need to remove those from the domain and join them to Entra instead. After that, you can think about decommissioning AAD Connect.
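Before removing anything from the domain, it is worth confirming on an actual endpoint which of the join states the poster's portal is reporting (registered vs. hybrid joined) the device itself is in. The script below is an added example and not something from the thread: it runs `dsregcmd /status` (built into Windows 10/11 and Server 2016+) and classifies the device from the `DomainJoined`, `AzureAdJoined` and `WorkplaceJoined` fields. The function name `Get-DeviceJoinState` and the `-StatusOutput` parameter are my own choices, added so saved output can be fed in for review.

```powershell
# Added example, not from the original thread.
# Classifies a Windows device's join state from `dsregcmd /status` output.
# `dsregcmd` prints "Key : Value" lines grouped under headers such as
# "Device State" and "User State"; the three keys used here are:
#   DomainJoined    - joined to on-prem AD
#   AzureAdJoined   - joined to Entra ID (with DomainJoined = YES this is hybrid join)
#   WorkplaceJoined - Entra *registered* (a user added a work account), not joined
function Get-DeviceJoinState {
    [CmdletBinding()]
    param(
        # Defaults to running the tool locally; pass saved output for offline review.
        [string[]]$StatusOutput = (& dsregcmd.exe /status)
    )

    $fields = @{}
    foreach ($line in $StatusOutput) {
        # Match "   Key : Value"; section headers and separator lines do not match.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $domainJoined    = $fields['DomainJoined']    -eq 'YES'
    $azureAdJoined   = $fields['AzureAdJoined']   -eq 'YES'
    $workplaceJoined = $fields['WorkplaceJoined'] -eq 'YES'

    $state = if ($domainJoined -and $azureAdJoined)      { 'Hybrid Entra joined' }
             elseif ($azureAdJoined)                    { 'Entra joined (cloud only)' }
             elseif ($domainJoined -and $workplaceJoined) { 'Domain joined + Entra registered (not hybrid joined)' }
             elseif ($workplaceJoined)                  { 'Entra registered only' }
             elseif ($domainJoined)                     { 'Domain joined only' }
             else                                       { 'Not joined' }

    [pscustomobject]@{
        State           = $state
        DomainJoined    = $domainJoined
        AzureAdJoined   = $azureAdJoined
        WorkplaceJoined = $workplaceJoined
        DomainName      = $fields['DomainName']
        TenantName      = $fields['TenantName']
        DeviceId        = $fields['DeviceId']
    }
}

# Run on the endpoint under test (elevated not required for /status).
Get-DeviceJoinState | Format-List
```

If a machine comes back as "Domain joined + Entra registered", that is the situation the portal in the question describes: the computer is still in on-prem AD, and a user has added their work account, but the hybrid join itself never completed. Hybrid join depends on the computer object sitting in an OU that Entra Connect syncs and on the tenant's service connection point being reachable, so those are the first two things to check on the AAD Connect side before deciding whether to fix the hybrid join or, as the answer above suggests, skip it and go straight to Entra join. On the Entra side the same distinction is visible on the device object's trust type (Workplace = registered, AzureAd = Entra joined, ServerAd = hybrid joined), which is handy for auditing a whole fleet rather than one machine at a time.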
I'm a freelance consultant who used to be a Lead Cloud Engineer. I’d be happy to offer some free advice if you want to chat! No pitch, just help. I remember being in a similar boat and wished for guidance instead of guessing through documentation. Let us know how it goes!
Have you thought about how you're going to handle password resets and account write-back? AD is usually the source of truth here, but I’m curious about your setup.
Yeah, if we need to change passwords, we do it on the server. We don’t seem to have SSPR or any write-back enabled either, which might be something to address in the transition.

We actually don’t have any servers aside from a tiny one that isn't even being used — it holds a few gigs of data! We run our AAD and DC on virtual machines, but that's about it.