Active Directory is dying along with local computer networks. Microsoft is pushing customers to Entra (formerly Azure Active Directory).
Modern, hybrid AD is not easy to use and difficult to manage.
This is 100% the current situation, and it's worth mentioning because clearly you have a finger on the pulse here - and that needs to be stated for others.
But I wonder if Microsoft might reverse their stance on EntraID being SaaS, with the handwringing about sovereignty from Europe.
Back when "the deal" was made with Microsoft to basically embed itself into the digital ecosystem of every government, major institution and company in Europe, it was not the case that a member of the European Parliament could have their mail disabled arbitrarily by Microsoft; such a thing was technically possible through a lot of hoops, but it was significantly less feasible.
If Microsoft were to reverse course, then I'm sure it would stop all the handwringing, even if people would continue to use the EntraID product in reality.
Ideally you want to run all those trusted (read: security-critical; if compromised, the entire system is no longer trustworthy) processes on separate and audited machines, but instead busy people end up running them all together because they happen to be packaged together (like FreeIPA or Active Directory), and that makes it even harder to secure them correctly.
There's a very good reason to package these things together on the same machine: you can rely on local machine authentication to bootstrap the network authentication service. If the Kerberos secret store and the LDAP principal store are on different machines and you need both to authenticate network access, how do you authenticate the Kerberos service to the LDAP service?
esseph|11 days ago
I have seen the exact opposite, with people moving to things like JumpCloud, Keycloak, authentik, etc.