Removing Active Directory: Cloud-Native Migration

Nathan Berger

Director of Security

As your organization increasingly adopts cloud-focused tooling across your IT stack, you may ask: “Can we remove Active Directory from our environment?”

You may have noticed the near-total lack of public documentation for shifting to cloud-native architecture. We find Microsoft’s own Road to the Cloud guide useful, but insufficient to guide a full enterprise migration (as of Jan 2024, there are only 5 pages on Microsoft Learn for this topic). Yet clients frequently ask us if this journey is possible, and many allocate time & budget to support a cloud-native migration.

This post showcases Cyclotron’s approach to enterprise-scale cloud-native migrations.

Why migrate to cloud-native architecture?

Active Directory can slow down technology growth and complicate security posture. A cloud-native IT organization drives greater business value at a faster pace, using simpler architecture and less reliance on legacy tools.

Cloud-native orgs benefit from:

  • Reduced attack surface by removing the possibility of on-premises attacks targeted at end users.

  • Simpler IT architecture with company assets and resources protected regardless of network location.

  • Removal of VPN in favor of simpler, HTTPS-based security and modern application access.

  • Increased stability, given uptime is now a function of Microsoft's 99.99%+ uptime SLAs for Azure and Microsoft 365 services.

  • Simpler feature enablement, including Autopilot, Windows Hello for Business, and DLP tools that are otherwise complex to implement in on-prem environments.

  • Removal/reduction of on-premises datacenter management, instead leveraging Azure compute and Entra for critical workloads.

  • Alignment with Zero-Trust principles, including easier implementation of layered security, least-privilege access, and explicit verification of access.

  • Access to the latest innovations and features from Microsoft, ensuring your organization stays modern. Microsoft usually enables new features for the cloud first, then hybrid compatibility second.

What’s the scope of this effort?

Cyclotron helps organizations shift the following areas to cloud-native architecture:

The above workloads capture most of the infrastructure migration effort, though you should make additional consideration for DNS, physical badging systems, and other services.

A few key notes:

  • Cloud-native migration takes time. Cyclotron sees clients take on multi-year efforts to establish a strong cloud-native footprint, let alone migrate all infrastructure to cloud-only controls.

  • Cloud-native migration takes budget. Successful organizations plan out a vision roadmap, carefully plan dependencies, and allocate budget on a multiple-year cycle for this effort.

  • Cloud-native migration takes careful consideration. You risk breaking anything relying on Active Directory as part of migration, meaning significant business impact if reliant services are not properly audited and assessed.

  • Even a partial effort drives immediate value. Though the final step may be years away, orgs often use cloud-native migration efforts to modernize device provisioning with Autopilot, refine identity & access management policy, shift applications to cloud infrastructure & access, and many other areas that show tangible benefit before removing AD. So if your organization slows down or stops partway through, you’ll still receive a huge amount of security & IT value from the effort that was completed.

Frequently asked questions

How long will a cloud-native migration take?

Prepare for a multi-year journey. It’s rare to see on-prem-reliant organizations complete this effort in under three years, even if they take an aggressive modernization posture.

Will Microsoft fund my organization’s effort to remove Active Directory?

Only if you increase your licensing as part of the effort. Removing Active Directory itself does not provide new revenue to Microsoft, so don’t expect to ask your Microsoft reps to fund the journey. A major exception to this rule is if your organization adopts E5, Azure services, or other add-ons to replace AD-reliant services as part of the journey, which is likely.

How do I migrate our Windows devices to Entra join without wiping the user profile?

This is the most common question we receive. We think third-party migration tools, such as ForensiT or Quest ODM with the AADJ add-on, are the only viable option so far. Microsoft’s Autopilot Reset function can migrate devices to a cloud-native state, but it wipes the entire device, meaning you can’t restore applications or configurations other than settings covered by Enterprise State Roaming and content synced to cloud storage like OneDrive. Cyclotron leverages these tools in our own deployments, though note that adding another tool to the mix can complicate the migration.

How much would it cost to work with Cyclotron on this effort?

Cyclotron will provide a free planning session for your enterprise’s cloud-native migration. Reach out to to schedule this.

With that in mind, Cyclotron conducts cloud-native migrations in a variety of models (full service, guidance-only, certain workloads only, etc.), so the cost is truly a function of how much handholding your organization needs. A full-service, enterprise-scale migration can cost over seven figures across consultants, development work, and migration tools, but most clients only request help in specific areas where internal knowledge is lacking. Average project costs are significantly lower. We’ll work with you to right-size the project for your budget and needs.

This topic is wildly complex, so we’ll likely follow up with more blog posts. If you don’t want to wait, reach out to to schedule your free planning session.

