With the final release of Windows 10, the use of traditional Active Directory may be waning, and Azure AD on the rise. Here are some security concerns that need to be addressed when making the switch.

What enforces your security boundary today? What will enforce it in the next few years? For many years, Microsoft Active Directory has been the backbone and foundation of network authentication, identity, and connection. But for many organizations moving to cloud applications or running a mixture of operating systems, the need for cloud-based network management is on the rise.

Some firms are merely adding synchronization between on-premise networks and cloud environments and calling it a day. But too often, user habits that were acceptable in a traditional domain are no longer acceptable in a cloud-first environment, where you may not be quite as aware of attacks and of how attackers target you.

Over the past few years, I’ve seen more and more organizations question whether they should be deploying traditional Active Directory anymore, given that Windows 10 has seen its final rollout (aside from security updates) and will no longer be supported as of 2025. But we all know that one cannot have unmanaged computers, so there is a need for some sort of management mechanism.

Chances are that many are considering Azure Active Directory and cloud applications to replace traditional Active Directory functions, especially newly formed or geographically dispersed organizations and possibly those employing other operating systems in addition to Windows. The question is, is Azure Active Directory robust enough to be relied upon completely? With Microsoft having announced Windows 10 22H2 as the final release of Windows 10 and deployments now turning to Windows 11, it may be time to review options for adopting Azure Active Directory.

Take the time to get to know Azure AD basics

When deciding to transition to Azure AD, take the time to understand the basics.
You can start with Microsoft’s documentation on the differences between on-premises Active Directory and Azure AD. For example, it’s handy to know that with Windows 11, you can immediately join a workstation to Azure Active Directory to take advantage of its authentication process. With an Azure P1 license, you can use conditional access to further protect and manage the deployment. Rather than using group policy to manage devices, you can pivot to Microsoft Intune to manage security patches.

Microsoft also recently released Windows Local Administrator Password Solution (Windows LAPS), replacing its legacy LAPS toolkit. Windows LAPS and Intune can be used to manage a local administrator password. Note that the ability to manage and store the password in Azure AD is in preview at this time. Clearly, Microsoft sees that more of us want to move to cloud-only deployment.

Evaluate the costs and benefits of switching to Azure AD

In addition, you’ll want to evaluate the costs and benefits of the licensing you will need to properly protect your organization. While Microsoft provides a basic Azure AD, I would strongly recommend that you choose either the Premium P1 or the P2 option to deploy in your organization. P1 includes device-based conditional access, whereas P2 provides risk-based conditional access.

Reviewing the tools you have been using to control traditional Active Directory and determining the cloud equivalents is critical. But don’t just take what you do on-premise and do exactly the same thing in the cloud; for one thing, the types of attacks on, and the weaknesses of, the two systems are of a different nature. The boundary of the cloud tends to be authentication and identity, and it’s less reliant on firewalls as a protective outer barrier.
If an attacker can acquire credentials in a cloud environment, they can often pivot into cloud-based resources as well.

Azure AD setup in Windows 11 is straightforward

Joining a Windows 11 workstation to Azure AD is now part of the out-of-box setup experience, though it requires a Windows 11 Professional, Enterprise, or Education edition. When you turn on Windows 11 there is a prompt that asks: “How would you like to set up this device?” Choosing “set up for work or school” starts the onboarding to Azure. Use the credentials you have set up in Microsoft 365/Azure Active Directory.

The user will be prompted by the Microsoft account process, and if you have mandated multifactor authentication, you will be prompted accordingly. Azure AD will then check whether enrollment in mobile device management is required, after which the overall Azure AD enrollment is performed. To verify that a device has been enrolled in Azure AD, go to Settings > Accounts, which will indicate whether the device is connected and provide information about what is managed. In the Azure portal, you can review which devices are compliant and which are non-compliant with your policies. You’ll also be able to manage BitLocker keys, conditional access, and Intune. Do note that, as with many cloud deployments, one has to be patient when onboarding computers: new devices will not show up in the portal for several hours, so plan accordingly.

Be aware of how attackers target Azure AD deployments

It’s also wise to be aware of how attackers are targeting Azure deployments. Many attacks start with password-spraying techniques for Microsoft Online accounts.
Thus, it’s highly recommended that your deployment techniques include multifactor authentication as a default verification option. Conditional access, which allows you to set boundaries and alerts for unusual activities, is another tool that will allow you to better protect your network from threats and attacks. Your password processes and policies should also be reviewed as you begin the process of moving to Azure AD.

Finally, you can take advantage of Azure AD even if you aren’t yet fully migrated to Azure. You may not have realized that you have access to several tools with a hybrid deployment, such as Azure AD Password Protection, which is available with Azure AD P1 or P2 licensing. Using this feature, you can set a password policy for your Azure AD that mimics what you already have in your on-premises Active Directory.

Password protection prerequisites in Azure AD

You will need the following prerequisites:

- Azure AD Password Protection Proxy installed on one (or, ideally, more) servers in your environment
- An Azure subscription with a Log Analytics workspace
- Domain controllers using DFS-R for SYSVOL replication
- The Azure AD Password Protection agent installed on all domain controllers
- Domain controllers onboarded via Azure Arc (or forwarding the specific event logs to Azure via another method)
- Azure AD Password Protection Proxy servers onboarded via Azure Arc (or forwarding the specific event logs to Azure)

You can then build a workbook to synchronize your password policies so that your Azure AD will have the same structure as your on-premise Active Directory policies.

Even if you are still fully entrenched in on-premise Active Directory, you should always keep an eye out for new options and new techniques to protect and expand your network. Azure Active Directory should be seen as another tool in your arsenal of identity and protection.
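The enrollment check described under “Azure AD setup in Windows 11 is straightforward” can also be done from the command line, which is handier than Settings > Accounts when you need to check a fleet. The PowerShell function below is an added example, not code from the article or from Microsoft: it parses the “Key : Value” rows that the built-in dsregcmd /status command prints and reports join and MDM state. The sample output embedded for offline use is constructed; its device ID, tenant name and MDM URL are placeholders, not real values.

```powershell
# Added example: confirm a Windows 11 device's Azure AD join and MDM enrollment by parsing
# the "Key : Value" rows that dsregcmd /status prints. dsregcmd.exe ships with Windows.

function Get-AzureAdJoinStatus {
    [CmdletBinding()]
    param(
        # Defaults to the live output on this device; pass captured lines to test offline.
        [string[]]$StatusLines = (& dsregcmd.exe /status)
    )

    $fields = @{}
    foreach ($line in $StatusLines) {
        # Only "Key : Value" rows are kept; section banners and blank lines do not match.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    [pscustomobject]@{
        AzureAdJoined = ($fields['AzureAdJoined'] -eq 'YES')
        DomainJoined  = ($fields['DomainJoined']  -eq 'YES')
        DeviceId      = $fields['DeviceId']
        TenantName    = $fields['TenantName']
        # dsregcmd reports an MdmUrl only when the device is enrolled in MDM (for example Intune).
        MdmEnrolled   = -not [string]::IsNullOrWhiteSpace($fields['MdmUrl'])
        MdmUrl        = $fields['MdmUrl']
    }
}

# Constructed sample of dsregcmd output (placeholder IDs, stand-in MDM URL) so the parser
# can be exercised on any machine, including one that is not joined to anything.
$sampleStatus = @(
    '+----------------------------------------------------------------------+',
    '| Device State                                                         |',
    '+----------------------------------------------------------------------+',
    '',
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : NO',
    '                  DeviceId : 00000000-0000-0000-0000-000000000000',
    '                TenantName : Contoso (placeholder)',
    '                    MdmUrl : https://mdm.example.invalid/enrollmentserver/discovery.svc'
)

$status = Get-AzureAdJoinStatus -StatusLines $sampleStatus
$status | Format-List

# A device that is Azure AD joined but not MDM enrolled signs in fine, yet it can never
# satisfy a conditional access policy that requires a compliant device, so flag that case.
if ($status.AzureAdJoined -and -not $status.MdmEnrolled) {
    Write-Warning 'Device is Azure AD joined but not MDM enrolled; device-compliance conditions cannot be met.'
}
```

Run without -StatusLines on the device itself to check the live state. Because new devices take hours to appear in the portal, this local check is the quickest way to confirm that onboarding actually completed on the endpoint.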
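The password-spraying pattern called out under “Be aware of how attackers target Azure AD deployments” is easy to miss with per-account lockout counters, because each account sees only one or two failures. The detection below is an added example, not from the article: it looks for a single source address failing sign-in for many distinct accounts inside a time window. The sign-in records are constructed (TEST-NET addresses and an .invalid domain); error code 50126 is Azure AD’s “invalid username or password” result.

```powershell
# Added example: detect password spraying in Azure AD sign-in data. A spray shows up as
# one source IP failing against many *different* accounts in a short window.
# Error code 50126 is Azure AD's "invalid username or password" result.

function Find-PasswordSpray {
    param(
        # Objects with UserPrincipalName, IPAddress, CreatedDateTime ([datetime]) and ErrorCode.
        [Parameter(Mandatory)] [object[]]$SignIns,
        [int]$WindowMinutes = 60,
        [int]$MinDistinctUsers = 10
    )

    $failed = $SignIns | Where-Object { $_.ErrorCode -eq 50126 }

    foreach ($group in ($failed | Group-Object -Property IPAddress)) {
        $events = @($group.Group | Sort-Object CreatedDateTime)
        $peak = 0
        # Slide a window starting at each failure and count the distinct accounts inside it.
        for ($i = 0; $i -lt $events.Count; $i++) {
            $start = $events[$i].CreatedDateTime
            $end   = $start.AddMinutes($WindowMinutes)
            $inWindow = $events | Where-Object { $_.CreatedDateTime -ge $start -and $_.CreatedDateTime -lt $end }
            $distinct = @($inWindow.UserPrincipalName | Sort-Object -Unique).Count
            if ($distinct -gt $peak) { $peak = $distinct }
        }
        if ($peak -ge $MinDistinctUsers) {
            [pscustomobject]@{
                IPAddress     = $group.Name
                DistinctUsers = $peak
                Failures      = $events.Count
                FirstSeen     = $events[0].CreatedDateTime
                LastSeen      = $events[-1].CreatedDateTime
            }
        }
    }
}

# Constructed sample: one TEST-NET address fails against 15 different accounts within five
# minutes, while a real user mistypes a password once from another address and then succeeds.
$t0 = [datetime]'2023-11-01T08:00:00'
$sample = @()
foreach ($n in 1..15) {
    $sample += [pscustomobject]@{
        UserPrincipalName = "user$n@contoso.invalid"
        IPAddress         = '203.0.113.10'
        CreatedDateTime   = $t0.AddSeconds(20 * $n)
        ErrorCode         = 50126
    }
}
$sample += [pscustomobject]@{ UserPrincipalName = 'alice@contoso.invalid'; IPAddress = '198.51.100.7'; CreatedDateTime = $t0.AddMinutes(5); ErrorCode = 50126 }
$sample += [pscustomobject]@{ UserPrincipalName = 'alice@contoso.invalid'; IPAddress = '198.51.100.7'; CreatedDateTime = $t0.AddMinutes(6); ErrorCode = 0 }

# Expected: one finding for 203.0.113.10 with DistinctUsers = 15; 198.51.100.7 is not reported.
Find-PasswordSpray -SignIns $sample -WindowMinutes 60 -MinDistinctUsers 10 | Format-Table
```

To run this against real data, pull sign-ins with Get-MgAuditLogSignIn from the Microsoft Graph PowerShell SDK and project its IpAddress and Status.ErrorCode properties into the shape above with Select-Object calculated properties. Tune the window and threshold to your tenant; a slow spray spread over a day needs a larger window and benefits from grouping by ASN or user agent as well as by address.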
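The recommendation to make multifactor authentication the default, enforced through conditional access, can be rolled out safely by creating the policy in report-only mode first and reading its outcome in the sign-in logs before enforcing it. The function below is an added example, not from the article or from Microsoft, and assumes the Microsoft Graph PowerShell SDK (Microsoft.Graph.Identity.SignIns), an Azure AD P1 or P2 license, and an administrator who can consent to Policy.ReadWrite.ConditionalAccess. The break-glass group ID is a placeholder.

```powershell
# Added example: create an "MFA for all users" conditional access policy in report-only mode
# with the Microsoft Graph PowerShell SDK, so its effect can be reviewed before enforcement.
# Assumes Microsoft.Graph.Identity.SignIns is installed and an Azure AD P1/P2 license.

function New-MfaReportOnlyPolicy {
    param(
        [string]$DisplayName = 'Require MFA for all users (report-only)',
        # Exclude an emergency-access (break-glass) group so admins cannot lock themselves out.
        [Parameter(Mandatory)] [string]$BreakGlassGroupId,
        # Only send the policy to the tenant when -Apply is given; otherwise return it for review.
        [switch]$Apply
    )

    $policy = @{
        DisplayName = $DisplayName
        # Report-only: evaluated and logged on every sign-in, but never blocks or prompts.
        State       = 'enabledForReportingButNotEnforced'
        Conditions  = @{
            Users          = @{ IncludeUsers = @('All'); ExcludeGroups = @($BreakGlassGroupId) }
            Applications   = @{ IncludeApplications = @('All') }
            ClientAppTypes = @('all')
        }
        GrantControls = @{ Operator = 'OR'; BuiltInControls = @('mfa') }
    }

    if ($Apply) {
        Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'
        return New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    }
    return $policy
}

# Review the policy body first (no tenant access needed); the group ID below is a placeholder.
New-MfaReportOnlyPolicy -BreakGlassGroupId '00000000-0000-0000-0000-000000000000' | ConvertTo-Json -Depth 5

# Then create it in the tenant:
# New-MfaReportOnlyPolicy -BreakGlassGroupId '<break-glass-group-object-id>' -Apply

# After the report-only results in the sign-in logs look right, switch it to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId '<policy-id>' -State 'enabled'
```

Keeping the policy as data returned by a function means it can be diffed, reviewed and version-controlled like any other configuration; the -Apply switch is the only path that touches the tenant. Pair the enforced policy with a second one that blocks legacy authentication clients, since those cannot perform MFA and are exactly what password-spraying tools prefer.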