Implement a cloud-first approach

It's mainly a process and policy-driven phase to stop, or limit as much as possible, adding new dependencies to Active Directory and implement a cloud-first approach for new demand of IT solutions.

It's key at this point to identify the internal processes that would lead to adding new dependencies on Active Directory. For example, most organizations would have a change management process that has to be followed before the implementation of new scenarios, features, and solutions. We strongly recommend making sure that these change approval processes are updated to:

• Include a step to evaluate whether the proposed change would add new dependencies on Active Directory.
• Request the evaluation of Azure Active Directory (Azure AD) alternatives when possible.

Users and groups

You can enrich user attributes in Azure AD to make more user attributes available for inclusion. Examples of common scenarios that require rich user attributes include:

• App provisioning: The data source of app provisioning is Azure AD, and necessary user attributes must be in there.

• Application authorization: A token that Azure AD issues can include claims generated from user attributes so that applications can make authorization decisions based on the claims in the token.

• Group membership population and maintenance: Dynamic groups enable dynamic population of group membership based on user attributes, such as department information.

These two links provide guidance on making schema changes:

• Understand the Azure AD schema and custom expressions

• Attributes synchronized by Azure AD Connect

These links provide more information on this topic but are not specific to changing the schema:

• Use Azure AD schema extension attributes in claims - Microsoft identity platform

• What are custom security attributes in Azure AD (preview)?

• Customize Azure Active Directory attribute mappings in application provisioning

• Provide optional claims to Azure AD apps - Microsoft identity platform

These links provide more information about groups:

• Create or edit a dynamic group and get status in Azure AD

• Use self-service groups for user-initiated group management

• Attribute-based application provisioning with scoping filters or What is Azure AD entitlement management? (for application access)

• Compare groups

• Restrict guest access permissions in Azure Active Directory

You and your team might feel compelled to change your current employee provisioning to use cloud-only accounts at this stage. The effort is non-trivial but doesn't provide enough business value. We recommend that you plan this transition at a different phase of your transformation.

Devices

Client workstations are traditionally joined to Active Directory and managed via Group Policy objects (GPOs) or device management solutions such as Microsoft Configuration Manager. Your teams will establish a new policy and process to prevent newly deployed workstations from being domain joined. Key points include:

• Mandate Azure AD join for new Windows client workstations to achieve "no more domain join."

• Manage workstations from the cloud by using unified endpoint management (UEM) solutions such as Intune.

Windows Autopilot can help you establish a streamlined onboarding and device provisioning, which can enforce these directives.

For more information, see Learn more about cloud-native endpoints.

Applications

Traditionally, application servers are often joined to an on-premises Active Directory domain so that they can use Windows Integrated Authentication (Kerberos or NTLM), directory queries through LDAP, and server management through GPO or Microsoft Configuration Manager.

The organization has a process to evaluate Azure AD alternatives when it's considering new services, apps, or infrastructure. Directives for a cloud-first approach to applications should be as follows. (New on-premises applications or legacy applications should be a rare exception when no modern alternative exists.)

• Provide a recommendation to change the procurement policy and application development policy to require modern protocols (OIDC/OAuth2 and SAML) and authenticate by using Azure AD. New apps should also support Azure AD app provisioning and have no dependency on LDAP queries. Exceptions require explicit review and approval.

  Important

  Depending on the anticipated demands of applications that require legacy protocols, you can choose to deploy Azure Active Directory Domain Services when more current alternatives won't work.

• Provide a recommendation to create a policy to prioritize use of cloud-native alternatives. The policy should limit deployment of new application servers to the domain. Common cloud-native scenarios to replace Active Directory-joined servers include:

  • File servers:

    • SharePoint or OneDrive provides collaboration support across Microsoft 365 solutions and built-in governance, risk, security, and compliance.

    • Azure Files offers fully managed file shares in the cloud that are accessible via the industry-standard SMB or NFS protocol. Customers can use native Azure AD authentication to Azure Files over the internet without line of sight to a domain controller.

    • Azure AD works with third-party applications in the Microsoft application gallery.

  • Print servers:

    • If your organization has a mandate to procure Universal Print-compatible printers, see Partner integrations.

    • Bridge with the Universal Print connector for incompatible printers.

Next steps

Introduction

Cloud transformation posture

Establish an Azure AD footprint

Transition to the cloud