In the first quarters of 2020, when organizations were confronted with the demand to work any place, any device, all the time, some had to scramble to make things work. One of the common approaches we found was creating a “COVID Microsoft 365 tenant” and provisioning other temporary solutions.
However, in IT, things that were meant as temporary solutions often turn out to be the most permanent solutions.
There are many technological advantages to integrating these “COVID tenants” with your on-premises environment. Everything starts with identity with Microsoft, so let’s see why integrating your COVID Azure AD tenant with your on-premises Active Directory is a good idea and an important step in successful Active Directory Monitoring.
Even though a lot of Active Directory environments still use *.local DNS domain names, these environments are rarely air-gapped. They’re not completely disconnected from the Internet. Interestingly, that was the main intent for the *.local DNS domain name. Emerging trends like federation and cloud have placed organizations further on the path of connectivity with the outside world. Even before COVID, installing updates often dictated connectivity.
COVID, however, provided the ultimate push. Every organization embraced Zoom, WebEx, Teams and the likes. This way, organizations offered solutions to their suddenly geographically dispersed teams. With this push also came a new importance for Active Directory Monitoring in order to fully support these new tools. These tools also replaced face to face meetings with partners, even on the highest government and international levels. Now, being connected to the Internet proved to be the organization’s lifeline. In the second quarter of 2020 it was a matter of adapt or die.
Sitting in the war rooms of this type of organizations, one can certainly envision the security-savvy person raising a hand and exclaiming: “But surely that doesn’t mean we need to integrate our cloud stuff with our on-premises infrastructure!?”. Good point. Indeed, it doesn’t. Not necessarily.
Not integrating Azure AD with Active Directory saves time and effort. Not having to trust an outside service means not having to verify its intentions or traffic flows… and repeating the process every few months.
I get it.
Not integrating an Azure AD or Microsoft 365 tenant, however, also has some serious drawbacks:
Single sign-on is often regarded as an employee productivity nice-to-have. Less credential prompts mean employees can work seamlessly with multiple applications, including cloud applications. There are more serious benefits from single sign-on, though:
Ironically, all these outcomes are beneficial to the security department.
The Microsoft Cloud provides meaningful opportunities to strengthen the security of on-premises Active Directory and AD FS environments:
-Azure AD Connect HealthAgain, these services are especially beneficial to the security department. All user objects don’t even need to be synchronized from Active Directory to Azure AD in all cases.
For on-premises organizations, providing high availability is a heavy burden. Multiple datacenter locations, (virtually) private interconnectivity between the datacenters, synchronous storage and active-active implementations of high-priority workload chains; it all adds up.
By extending into Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS), making on-premises infrastructure and platforms geographically redundant is easy. By design, services like SharePoint Online and OneDrive for Business are spread out over multiple geographies within legal boundaries. When using Teams, SharePoint Online and OneDrive for Business are automatically part of the mix. Yet, your organization also meddles on-premises with technologies like Distributed File System, SQL Server Always On Availability groups, etc. to make files geographically redundant and databases for SharePoint Server highly available.
If the data is not too sensitive, you can migrate functionality from on-premises Exchange Server, SharePoint Server and file server implementations to Microsoft 365 services, going forward. Even if this move does not include all mailboxes, sites, files and folders, at least the on-premises burden diminishes. The cost of synchronous data replication, storage and the associated complexity to manage them diminishes significantly when your organization only needs it for some of its business.
Cloud adoption doesn’t have to be a matter of principle. It can be a matter of practicality.
But wait a minute. “Don’t we want to use credentials with the same information security assurances as we do on-premises?”, would be what your security team asks. Indeed, for this purpose synchronizing user objects and (a subset of) their attributes would be required.
For large organizations, manually provisioning and deprovisioning user objects in directory systems only leads to long provisioning times and loss of attribute integrity. Many solutions to automate these processes – and even introduce pre-provisioning and pre-deprovisioning process steps – seem to be moving away from supporting Active Directory and its 20-year-old protocols. Instead, a lot of solutions now feature support for Azure AD, with its open protocols.
As more vendors switch to Azure AD, the table will be turned on identity and access management. Competitors are already reaping the benefits of expedited provisioning through their Azure AD investments, while your organization still holds on to a point solution based on clunky protocols to keep things going…
Integrating Microsoft 365 and Azure tenants with your organization’s on-premises identity and access management (IAM) systems makes sense for the security-savvy departments in organizations. Of course, they will need to warm their cold feet into cloud feet.
Board members may ask the uncomfortable question if the security department’s overcautiousness towards the cloud simply leads to:
- higher costs for IT infrastructure;Adding single sign-on, artificial intelligence for security incidents and high availability through a cloud tier can significantly improve these three areas and are is an integral component of Active Directory Monitoring, but only when the security department and regulations allow an organization to do so.
If the benefits add up for your organization, it’s best to start integrating your COVID tenant into your infrastructure today.
Active Directory is the foundation of your network, and the structure that controls access to the most critical resources in your organization. The ENow Active Directory Monitoring and Reporting tool uncovers cracks in your Active Directory that can cause a security breach or poor end-user experience and enables you to quickly identify and remove users that have inappropriate access to privileged groups (Schema Admins, Domain Administrators). While ENow is not an auditing software, our reports reduce the amount of work required to cover HIPAA, SOX, and other compliance audits.
Access your FREE 14-day trial to accelerate your security awareness and simplify your compliance audits. Includes entire library of reports.