Modernizing Identity Security: Why You Still Need AD in a Cloud-First World
Posted by: Derek Melber
TL;DR: Identity Security in the Cloud Requires Both AD and Entra in Most Cases
- You cannot replace Active Directory with Entra ID in most environments. Identity security in hybrid organizations requires both AD (for Kerberos, NTLM, and Group Policy) and Entra ID (for OIDC, OAuth, SAML, and cloud authentication).
- Modern identity security controls—like MFA and Conditional Access—depend on Entra ID. On-prem AD alone cannot enforce MFA or adaptive, risk-based access policies, making Entra ID essential for securing cloud and hybrid access.
- Legacy infrastructure and modern cloud applications rely on different authentication protocols. Because AD and Entra ID support fundamentally different technologies, a hybrid identity security strategy is required to secure users, devices, and applications across environments.
- Further reading: Building an Adaptive Security Perimeter Through Identity Convergence.
The migration to cloud brings with it a necessary shift to identity-centric security (vs. on-premises network management). Some believe this change in identity security strategy means a wholesale shift from Active Directory (AD) to Entra ID.
However, there are good reasons both AD and Entra ID remain part of most implementations. This blog covers some of the most compelling reasons organizations want to include Entra ID but also must retain AD.
The Role of AD and Entra in Modern Authentication Applications
AD relies on Kerberos and NT LAN Manager (NTLM), the authentication protocols used on a corporate network for user, computer, and application authentication. Modern cloud applications use OpenID Connect (OIDC), OAuth 2.0, and Security Assertion Markup Language (SAML).
Entra ID cannot authenticate with Kerberos or NTLM, and AD cannot authenticate with OIDC, OAuth 2.0, or SAML. Thus, the authentication protocols in use are a key design and implementation factor for hybrid AD.
Examples of modern cloud applications requiring this hybrid identity security approach include Microsoft 365, Salesforce, ServiceNow, custom APIs, and mobile applications.
Why Can’t On-Prem AD Natively Support MFA in Hybrid Environments?
On-prem AD does not support MFA without some assistance from another tool. If a user is authenticated to an AD domain controller, that domain controller, even in a hybrid AD environment, can’t provide MFA to the user. For a user to receive MFA challenges in a hybrid AD environment, the user will need to authenticate to Entra ID for MFA to be supported. The supported authentication methods can be seen in Figure 1.

Figure 1: Entra ID MFA Authentication Methods
So, an easy way to remember this is that if a user is attempting to log on using Ctrl-Alt-Del, they will not be able to get an MFA prompt in a hybrid AD environment without some alternate technology to help.
Why Does Group Policy Require AD in a Hybrid Identity Model?
Group Policy is an on-prem AD technology and resides only within AD. Entra ID does not understand Group Policy in any way*. If an organization were to move solely to Entra ID, all identity security based on Group Policy would fail to apply. This is why many organizations stay in a hybrid AD environment, so that a user can still receive the legacy settings in Group Policy but also have the benefits that Entra ID provides, such as MFA, single sign-on (SSO), and conditional access.
*Note: Intune offers configuration management similar to Group Policy, but the two do not sync and cannot be tied to one another.
How do Entra ID Conditional Access Policies Enhance Hybrid Identity Security?
A very powerful aspect of identity security included in Entra ID is Conditional Access Policies (CAP). These policies dynamically inspect the user and computer conditions to enforce controls on the authentication. CAP can also evaluate where the user and computer are logging in from, as well as factor in a risk level to help determine the controls that will be enforced.
The controls that can be enforced include MFA, device compliance, and blocking access.
The complete list of conditions that a CAP can check is:
- Sign-in risk
- User risk
- Device platform
- Device state
- Location
- Client app type
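To make the conditions-to-controls relationship concrete, here is an added example (not code from the original post and not Entra ID's own policy engine) that models a small set of Conditional Access-style policies and evaluates constructed sign-in events against them. The policy fields map to the six conditions listed above; the controls are the three the post names (MFA, device compliance, block). The policy names, the `SignIn`/`Policy` classes, and the sample events are all assumptions constructed for illustration.

```python
"""Simplified model of Conditional Access Policy evaluation (constructed example).

The schema and the combination rule are ours, chosen to mirror the behaviour the
post describes: every matching policy contributes controls, an explicit block
always wins, and grant controls must all be satisfiable for access to proceed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Risk levels ordered so "at least this risky" is a simple comparison.
RISK_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class SignIn:
    """One authentication attempt against Entra ID (constructed fields)."""
    user: str
    app: str
    sign_in_risk: str = "none"      # condition: sign-in risk
    user_risk: str = "none"         # condition: user risk
    platform: str = "windows"       # condition: device platform
    device_compliant: bool = False  # condition: device state
    location: str = "unknown"       # condition: location ("hq" is a trusted named location here)
    client_app: str = "browser"     # condition: client app type ("browser", "modern", "legacy")


@dataclass
class Policy:
    """One CAP: conditions to match plus the controls to enforce when matched."""
    name: str
    apps: Optional[Set[str]] = None                 # None means all cloud apps
    min_sign_in_risk: Optional[str] = None
    min_user_risk: Optional[str] = None
    platforms: Optional[Set[str]] = None
    exclude_locations: Set[str] = field(default_factory=set)  # trusted locations to skip
    client_apps: Optional[Set[str]] = None
    controls: Set[str] = field(default_factory=set)  # "mfa", "compliant_device", "block"

    def matches(self, s: SignIn) -> bool:
        if self.apps is not None and s.app not in self.apps:
            return False
        if self.min_sign_in_risk and RISK_ORDER[s.sign_in_risk] < RISK_ORDER[self.min_sign_in_risk]:
            return False
        if self.min_user_risk and RISK_ORDER[s.user_risk] < RISK_ORDER[self.min_user_risk]:
            return False
        if self.platforms is not None and s.platform not in self.platforms:
            return False
        if s.location in self.exclude_locations:
            return False
        if self.client_apps is not None and s.client_app not in self.client_apps:
            return False
        return True


def evaluate(policies: List[Policy], s: SignIn) -> Dict[str, object]:
    """Union the controls of every matching policy and decide the outcome."""
    matched = [p for p in policies if p.matches(s)]
    controls: Set[str] = set().union(*(p.controls for p in matched))
    if "block" in controls:
        decision, reason = "deny", "explicit block"
    elif "compliant_device" in controls and not s.device_compliant:
        decision, reason = "deny", "device not compliant"  # grant control cannot be met
    else:
        decision, reason = "allow", "conditions satisfied"
    return {
        "user": s.user,
        "decision": decision,
        "reason": reason,
        "required": sorted(controls - {"block"}),  # grant controls the client must satisfy
        "matched": [p.name for p in matched],
    }


# Constructed policy set, loosely modelled on common tenant baselines.
POLICIES = [
    Policy("Require MFA outside trusted locations", exclude_locations={"hq"}, controls={"mfa"}),
    Policy("Block legacy authentication clients", client_apps={"legacy"}, controls={"block"}),
    Policy("High sign-in risk: MFA and compliant device", min_sign_in_risk="high",
           controls={"mfa", "compliant_device"}),
    Policy("Block high user risk", min_user_risk="high", controls={"block"}),
]

# Constructed sign-in events, one per interesting path through the policies.
SIGNINS = [
    SignIn("alice", "Microsoft 365", location="hq"),
    SignIn("bob", "Salesforce"),
    SignIn("carol", "ServiceNow", client_app="legacy"),
    SignIn("dave", "Microsoft 365", sign_in_risk="high", device_compliant=False),
    SignIn("erin", "Microsoft 365", sign_in_risk="high", device_compliant=True),
    SignIn("frank", "ServiceNow", user_risk="high", location="hq"),
]


def run_all() -> List[Dict[str, object]]:
    """Evaluate every constructed sign-in, in SIGNINS order."""
    return [evaluate(POLICIES, s) for s in SIGNINS]


if __name__ == "__main__":
    for r in run_all():
        print(f"{r['user']:6} {r['decision']:5} required={r['required']} ({r['reason']})")
```

Running it shows the point the post makes: the same user and application get different controls depending on location, risk, device state, and client type, and none of these decisions are available to a user who only ever authenticates to an on-prem domain controller.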
Active Directory Still Plays an Important Role in Hybrid Cloud Identity Security
As you can see, a hybrid AD implementation is required in nearly all instances of identity security when moving to the cloud, mainly due to the authentication protocols that are required and the desire to leverage the security capabilities that Entra ID offers. Table 1 summarizes the reasons that you may select AD vs Entra ID.
| Technology | On-premises AD | Entra ID |
|---|---|---|
| Kerberos/NTLM | Yes | No |
| SAML/OAuth/OIDC | No | Yes |
| MFA | No | Yes |
| Group Policy | Yes | No |
| Intune | No | Yes |
| Conditional Access | No | Yes |
Table 1: AD vs Entra ID Technologies and Support
Many organizations think they can simply migrate to Entra ID and remove AD, but in nearly every situation that is not the case. Table 1 also shows that AD will be around for a long, long time, as there are so many reasons that Kerberos and NTLM are still required.
Ready to Advance Your Identity Security Strategy in the Cloud?
Want to learn more about implementing effective identity security in hybrid and complex environments? Check out our whitepaper, Building an Adaptive Security Perimeter Through Identity Convergence.
Derek Melber
Strategic Advisor for Enterprise Identity,
GuidePoint Security
Derek Melber, Strategic Advisor for Enterprise Identity, has been helping enterprises for over 25 years with identity security, Active Directory/Azure Active Directory, cloud identity, Entra ID, Microsoft 365, Intune, Microsoft Defender, CTEM, PAM, MFA, Group Policy, and other integrated technologies. His professional experience includes Active Directory and Entra ID security assessments, specializing in network, wireless, and application penetration testing. Often asked to speak at events around the world, Derek has spoken and given keynotes in over 40 countries at events such as RSA, Gartner, Black Hat, and more. Derek has worked for and with companies leading in these areas such as Microsoft, AWS, BeyondTrust, Quest, ManageEngine, SpecterOps, Tenable, and more. You can follow Derek on LinkedIn at @derekmelber and contact him at [email protected].
Derek has been awarded 20 Microsoft MVP awards in Active Directory, Group Policy and Security over the past 22 years, where he has contributed to these communities around the world.