Moving your On-Prem AD to Cloud – Part 2

Apr 01, 2021

Moving your On-Prem AD to Cloud – Part 2

Part-1 of this blog talked about moving our local Active Directory domain to the cloud.

This post is all about cleaning up the mess and finishing the job.

Do you really want to keep password expiry?

We were surprised to discover that when AD password expiry is enabled (which it was for us) and AAD password sync is enabled (which it also was) then the cloud password for the synchronised user is set to “never expires”!  The effect of this is that if a local AD password expires, the user can still log onto Microsoft 365.  The user does not receive a prompt that the local AD password needs to be changed!

This is discussed more in this Microsoft Tech Community article here.

It’s also interesting to note Microsoft disables password expiry in Microsoft 365 by default and in fact will give you a lower security score if password expiry is enforced.  Their words on this are “Research has found that when periodic password resets are enforced, passwords become less secure. Users tend to pick a weaker password and vary it slightly for each reset. If a user creates a strong password (long, complex and without any pragmatic words present) it should remain just as strong in the future as it is today. It is Microsoft's official security position to not expire passwords periodically without a specific reason, and recommends that cloud-only tenants set the password policy to never expire.

This is a mega trend that really started to gain traction when NIST reversed its stance on organisational password management recommendations back in 2018.  This needs to be taken in content however, and disabling password expiry policies needs to be done alongside a review of password complexity, user education and enforcing multi-factor authentication.  You can read more about Microsoft password policy recommendations here.

Microsoft’s Security Risk Score and dashboard is good by the way.

Step 4: Migrate to Endpoint Manager (ex Intune)

The other piece I didn’t mention in part.1 is that Microsoft 365 Business Premium grants full access to EndPoint Manager.  This used to be known as Intune and can, pretty much for everyone, replace the functionality of Active Directory GPOs.  It’s gotten a lot better over recent years so if you’re a doubter and haven’t looked at it for a while it’s worth revisiting.  You might be surprised.  It’s also a mobile device and application management platform (MDM/MAM) so migrating away from on-premises AD presents an opportunity to review how you manage your mobile devices at the same time.

For important settings you’d take this step prior to migrating your computers away from your old AD domain (joining Azure Active Directory) – especially if you run a tightly controlled OSE/COE with a lot of GPOs.

Step 5: Be bold and turn off your old infrastructure

Provided everything looks good and, after running Wireshark for a while on our old DCs, I was pretty convinced our old AD controllers weren’t doing much apart from some miscellaneous DNS.  We had previously transferred our active zones to a Fortigate VDOM (which was already doing our DHCP) and so after a bit more monitoring turned the old DCs off.

We took a minor risk here – judging it more pragmatic to fix the few things that still looked to the DCs for DNS would be easier than undertaking an exhaustive search.  A few thinigs did come out of the woodwork like a hardcoded DNS settings our office document scanner, but overall it went pretty smoothly.  We haven’t restarted the old DCs and everything seems normal.  I’m thankful to the wider team for being supportive of this approach tidying up a few things as they came up.

The nice thing about this piece is that it’s easy to turn them back on if something bad did happen.

Step 6: Get used to managing things in the Cloud

So now we have no more Active Directory Users and Computers.  It’s all Microsoft 365 and Azure Active Directory now.  To summarise this project we successfully:

  • Reclaimed infrastructure capacity (retire old DCs)
  • Decreased patching overheads
  • Reduced our security footprint

…And got rid of 10-years of history and AD mess (which originated from a Small Business Server).  In some ways it feels a bit sad ditching all those memories - like getting rid of a used car you’ve loved, but it also feels fresh and…good.  I’m pleased we made this move and there’s not much chance we’ll look back.

Peter Brook

Peter is our vBridge Operations and Information Security Manager. He has over 20 years experience in many NZ organisations including PGG Wrightson, CDHB, Lyttelton Port Company and Spark Digital.