There's no dispute that the direction of IT travel is toward the public cloud. However, there's still a lot of on-premises – dare I say "legacy" – infrastructure that remains in place for various reasons and is not positioned to migrate any time soon. The most common examples: file servers mapped to network drives, and Group Policies running on a Windows server to control devices and applications. For around two decades, Active Directory Domain Services has been the backbone of that infrastructure.

Then, around 2010, Azure came onto the scene and started to disrupt things. There was this new thing called Azure Active Directory, which was sort of like our old on-premises friend and even synchronized with it. However, it didn't speak the same protocols (out went Kerberos, in came OAuth), it didn't have the same hierarchical nature, and it didn't provide a way of controlling device policies.

For many, Azure initially existed as a gateway to Office 365. As time went on, IT professionals began to realize it provided so much more: Single Sign-On (SSO) to Software-as-a-Service (SaaS) applications, easy deployment of multi-factor authentication (MFA) and guest users, even self-service password reset. Adoption boomed.

But despite the growing acceptance of Azure AD for managing identities, one of its main advantages as a platform that manages and secures identities, Azure AD join (AADJ), is still a bit controversial and elicits hesitation amongst many IT professionals. In this article, I will delve into the justifications for switching to Azure AD join, break down some myths around it, and explain why your default position should be Azure AD join.

What is Azure AD join, and why bother?

When a Windows device is Azure AD joined, its computer object is no longer stored in the on-premises Active Directory Domain Services environment. This represents a fundamental change in how IT teams have dealt with computers for the past twenty years, which partially explains the aversion to Azure AD join over on-premises domain join. Any change to a well-established process must be fully understood and justified.

One of the main differences is that, instead of Windows sign-ins authenticating against domain controllers and requiring line of sight to them, Azure AD joined devices authenticate against Azure AD in the cloud. At sign-in, the user is issued a Primary Refresh Token (PRT) on that device, which enables SSO to Azure AD-protected resources such as Office 365. This brings instant benefits, magnified by the pandemic and the global adoption of remote work. Dependencies on VPNs and connections to on-premises servers (and the management overhead associated with them) begin to matter less. While it's true that credentials are cached for offline sign-in in both join scenarios, the massive advantage Azure AD join has is in provisioning new devices with services like Windows Autopilot when they are drop-shipped straight to the user: you don't need to factor in a pre-logon VPN, for example.

There's a strong security case for Azure AD join as well. Securing Active Directory Domain Services is no simple task. Lateral movement in on-premises domains is one of the most common methods attackers use to escalate their privileges and establish dominance in your infrastructure.
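The sign-in and PRT passage above is the one place where a practitioner can actually verify the claim on a machine: whether the device is Azure AD joined, hybrid joined or domain joined, and whether the signed-in user currently holds a PRT. The following PowerShell is an added example, not code from the original article. It parses the output of the built-in `dsregcmd /status` tool; the field names it relies on (AzureAdJoined, DomainJoined, AzureAdPrt, AzureAdPrtUpdateTime, AzureAdPrtExpiryTime) are as printed by current Windows 10/11 builds, and the sample output embedded below is constructed and abridged so the parser can be tried offline.

```powershell
# Added example (not from the original article): inspect the device's join
# state and Primary Refresh Token (PRT) status by parsing `dsregcmd /status`.
# Field names used here are taken from dsregcmd output on current Windows 10/11
# builds; treat any field that is missing on your build as an assumption to verify.

function Get-DsregStatus {
    param(
        # Accept captured output so the parser can be exercised offline.
        [string[]]$Lines = (& dsregcmd.exe /status)
    )
    $status = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Key : Value" lines; section headers and the
        # +----+ rulers contain no "Key :" pair and are skipped.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Get-JoinSummary {
    param([hashtable]$Status)

    $aad    = $Status['AzureAdJoined'] -eq 'YES'
    $domain = $Status['DomainJoined']  -eq 'YES'

    $joinType = if ($aad -and $domain) { 'Hybrid Azure AD joined' }
                elseif ($aad)          { 'Azure AD joined' }
                elseif ($domain)       { 'On-premises domain joined' }
                else                   { 'Not joined (workgroup; check WorkplaceJoined for Azure AD registered)' }

    [pscustomobject]@{
        JoinType      = $joinType
        TenantName    = $Status['TenantName']
        DeviceId      = $Status['DeviceId']
        # The PRT is per user, not per device: AzureAdPrt reflects the user
        # running dsregcmd, so run this in that user's context, not as SYSTEM.
        PrtPresent    = ($Status['AzureAdPrt'] -eq 'YES')
        PrtUpdateTime = $Status['AzureAdPrtUpdateTime']
        PrtExpiryTime = $Status['AzureAdPrtExpiryTime']
    }
}

# Constructed, abridged sample of dsregcmd /status output so the script runs
# without a joined device; on a real machine call Get-DsregStatus with no -Lines.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                  DeviceId : 11111111-2222-3333-4444-555555555555
                TenantName : Contoso
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2023-01-10 09:12:30.000 UTC
      AzureAdPrtExpiryTime : 2023-01-24 09:12:30.000 UTC
'@ -split "`r?`n"

$summary = Get-JoinSummary -Status (Get-DsregStatus -Lines $sample)
$summary | Format-List

# An Azure AD joined device whose user has no PRT will still sign in with
# cached credentials, but cloud SSO to Office 365 will fail until the user
# re-authenticates; that is the condition worth alerting on.
if ($summary.JoinType -eq 'Azure AD joined' -and -not $summary.PrtPresent) {
    Write-Warning 'Azure AD joined, but no PRT for the current user: cloud SSO will fail until the user signs in again.'
}
```

On a live device, replace the constructed sample with `Get-JoinSummary -Status (Get-DsregStatus)`; the join type and PRT presence it reports are what the article's "authenticates against Azure AD in the cloud" claim rests on, and checking PrtExpiryTime is a quick way to confirm the token is being refreshed rather than merely present.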