If AD left tomorrow, could you keep running?
Microsoft's roadmap has made the direction obvious: the investment is all in the cloud, and AD has quietly slipped into maintenance mode. Your SaaS stack already knows. Your security tools already know. But most SMBs are still running identity out of an on-premises domain controller — treating AD as furniture because it's always been there. The first question worth asking is the one nobody's asked: if it went away, what would break?
Two things we find almost every time.
AD has become invisible. It's been in the rack so long nobody thinks of replacing it — even when everything around it has. The SaaS apps are already SAML-federated. The security stack is already asking Entra for signal. And yet identity still lives on an on-prem domain controller, because no one's ever questioned the furniture.
Hybrid looks like the finish line. Most organizations we meet are already running Entra Connect sync alongside their domain controllers, and they treat that setup as done. It isn't. It's a transitional state — the bridge between where identity used to live and where Microsoft is steering it. How you shape the bridge matters.
There are two kinds of hybrid, and only one ages well.
Sync everything. Call it done.
Stand up Entra Connect, sync the whole directory — users, groups, the lot. It looks modern from the license page. Under the hood the admin model is unchanged: ADUC is still the source of truth, group management still happens on-prem, and the day AD finally sunsets is the day the whole model has to be rebuilt in a hurry.
Curated sync. Habits move with it.
User identities sync — that's still the cleanest arrangement. Security groups don't. They get rebuilt in Entra and managed there, so admins stop reaching for ADUC and start reaching for Entra. When the on-prem estate eventually goes away, it's a quiet handover instead of a project.
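A posture check for the curated-sync model described above, added here as an example and not the page's own tooling: it uses the Microsoft Graph PowerShell SDK (Connect-MgGraph, Get-MgUser, Get-MgGroup) to count how many users and security groups still have on-prem AD as their source of authority, so you can see whether group management has actually moved to Entra. The tenant contents are whatever your tenant holds; read-only scopes are all it needs.

```powershell
# Added example: measure how much of the identity estate still has on-prem AD as its source of authority.
# Requires the Microsoft.Graph PowerShell SDK; only read scopes are requested.
Connect-MgGraph -Scopes "User.Read.All", "Group.Read.All"

# onPremisesSyncEnabled is $true for objects written by Entra Connect and $null for cloud-native objects.
$users  = @(Get-MgUser  -All -Property "id,userPrincipalName,onPremisesSyncEnabled,accountEnabled")
$groups = @(Get-MgGroup -All -Property "id,displayName,securityEnabled,mailEnabled,onPremisesSyncEnabled")

$syncedUsers = @($users | Where-Object { $_.OnPremisesSyncEnabled -eq $true })

# Security groups only; mail-enabled and Microsoft 365 groups are a separate conversation.
$securityGroups = @($groups | Where-Object { $_.SecurityEnabled -and -not $_.MailEnabled })
$syncedGroups   = @($securityGroups | Where-Object { $_.OnPremisesSyncEnabled -eq $true })
$cloudGroups    = @($securityGroups | Where-Object { $_.OnPremisesSyncEnabled -ne $true })

[pscustomobject]@{
    UsersTotal           = $users.Count
    UsersSyncedFromAD    = $syncedUsers.Count
    SecurityGroupsTotal  = $securityGroups.Count
    SecurityGroupsSynced = $syncedGroups.Count
    SecurityGroupsCloud  = $cloudGroups.Count
} | Format-List

# "Sync everything": both synced counts track the totals.
# Curated sync: users stay synced, but synced security groups trend toward zero as they are rebuilt in Entra.
# Whatever is left in this list is still managed from ADUC and belongs on the handover roadmap.
$syncedGroups | Select-Object DisplayName, Id | Sort-Object DisplayName | Format-Table -AutoSize
```

Run it before and after the group rebuild and the SecurityGroupsSynced figure is the handover progress meter.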
Every state of identity has a ceiling.
What's reachable depends on where the estate sits. Legacy AD keeps the ceiling low — MFA is awkward, modern SaaS federation is painful, and most of the newer Microsoft capability you're already licensed for is out of reach. Each step toward cloud-leaning raises what's possible.
The engagement doesn't change your estate. It raises the ceiling.
Usually not panic. Usually ceiling.
Identity sometimes comes to us after an incident — we've taken that call. More often it's quieter. The team keeps running into the same sentence: "you can't do that without Entra." MFA is harder than it should be. A SaaS onboarding stalls on SAML. A new security tool expects signal the on-prem estate can't give it. Enough of those moments stack up, and someone finally decides to deal with it properly.
We prefer meeting clients at that moment rather than at the post-breach one. The engagement is the same work; the pace and the cost of getting it wrong are not.
Four artefacts, and everything they make possible.
The engagement itself produces the things most clients already know to ask for — MFA enabled properly, a Conditional Access policy set that fits the business's risk, and the hybrid (or cloud-only) architecture the estate can actually sustain.
The fourth artefact is the one that tends to matter most: a "what's next" roadmap. With the initial hurdle cleared, a long list of capabilities that used to be chores becomes tractable. A lot of the next twelve months' security and governance work lives on that list.
A note on licensing: some of what's below (PIM, access reviews, identity governance) sits behind Entra ID P2. We map the licensing picture as part of the engagement, so the roadmap arrives with the cost shape attached — no surprises.
- PIM: Just-in-time admin rights. No more permanent global admins.
- Access reviews: Automated and auditable. Quarterly instead of never.
- SaaS federation: Every modern app behind Entra sign-in, conditional, logged.
- App assignment: Groups in Entra drive who sees what. Visibility by default.
- Identity governance: Lifecycle automation for joiners, movers, leavers, contractors.
- Passwordless pathway: Phishing-resistant auth as the default, not the exception.
Turning MFA on is a five-minute setting change. Landing it in a 400-person company without a support tsunami is the actual work — and it's what clients are really hiring us for. The work isn't the click
Book a call
Still running identity through a domain controller?
If AD is still the source of truth and you've been meaning to do something about it — or your last MFA rollout didn't stick and you'd like a second attempt that does — a first conversation takes thirty minutes. We'll tell you what we'd sequence first.
Or reach us directly: info@fouronesixit.ca · (647) 371-0400
