Modernizing Identity Security: Why You Still Need AD in a Cloud-First World
Posted by: Derek Melber
TL;DR: Identity Security in the Cloud Requires Both AD and Entra in Most Cases
- You cannot replace Active Directory with Entra ID in most environments. Identity security in hybrid organizations requires both AD (for Kerberos, NTLM, and Group Policy) and Entra ID (for OIDC, OAuth, SAML, and cloud authentication).
- Modern identity security controls—like MFA and Conditional Access—depend on Entra ID. On-prem AD alone cannot enforce MFA or adaptive, risk-based access policies, making Entra ID essential for securing cloud and hybrid access.
- Legacy infrastructure and modern cloud applications rely on different authentication protocols. Because AD and Entra ID support fundamentally different technologies, a hybrid identity security strategy is required to secure users, devices, and applications across environments.
- Further reading: Building an Adaptive Security Perimeter Through Identity Convergence.
The migration to cloud brings with it a necessary shift to identity-centric security (vs. on-premises network management). Some believe this change in identity security strategy means a wholesale shift from Active Directory (AD) to Entra ID.
However, there are good reasons both AD and Entra ID remain part of most implementations. This blog covers some of the most compelling reasons that organizations want to include Entra ID but also must retain AD.
The Role of AD and Entra in Modern Authentication Applications
AD relies on Kerberos and NT LAN Manager (NTLM), which are the authentication protocols that are used on a corporate network for user and computer authentication, as well as application authentication. Modern cloud applications use OpenID Connect (OIDC), OAuth 2.0 and Security Assertion Markup Language (SAML).
Entra ID can’t authenticate Kerberos and NTLM. AD can’t authenticate OIDC, OAuth 2.0, or SAML. Thus, the authentication protocols are a key design and implementation factor for hybrid AD.
Examples of modern cloud applications requiring this hybrid identity security approach would include Microsoft 365, Salesforce, ServiceNow, custom APIs, and mobile applications.
Why Can’t On-Prem AD Natively Support MFA in Hybrid Environments?
On-prem AD does not support MFA without some assistance from another tool. If a user is authenticated to an AD domain controller, that domain controller, even in a hybrid AD environment, can’t provide MFA to the user. For a user to receive MFA challenges in a hybrid AD environment, the user will need to authenticate to Entra ID for MFA to be supported. The supported authentication methods can be seen in Figure 1.
Figure 1: Entra ID MFA Authentication Methods
So, an easy way to remember this is that if a user is attempting to log on using Ctrl-Alt-Del, they will not be able to get an MFA prompt in a hybrid AD environment without some alternate technology to help.
Why Does Group Policy Require AD in a Hybrid Identity Model?
Group Policy is an on-prem AD technology and resides only within AD. Entra ID does not understand Group Policy in any way*. If an organization were to move solely to Entra ID, all identity security based on Group Policy would fail to apply. This is why many organizations stay in a hybrid AD environment, so that a user can still receive the legacy settings in Group Policy but also have the benefits that Entra ID provides, such as MFA, single sign-on (SSO), and conditional access.
*Note: Intune is a technology that is like Group Policy, but the two don't sync and can't be tied to one another.
How do Entra ID Conditional Access Policies Enhance Hybrid Identity Security?
A very powerful aspect of identity security included in Entra ID is Conditional Access Policies (CAP). These policies can dynamically inspect the user and computer conditions to enforce controls on the authentication. CAP can also evaluate where the user and computer are logging in from, as well as impose a risk level to help determine the controls that will be enforced.
The controls that can be enforced include MFA, device compliance, and blocking access.
The complete list of conditions that a CAP can check includes:
- Sign-in risk
- User risk
- Device platform
- Device state
- Location
- Client app type
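As an added illustration (not the article's or Microsoft's code), the following Python model shows how a small set of Conditional Access policies turns the conditions listed above into enforced controls: any matching block policy wins, otherwise the grant controls of every matching policy accumulate. The policy set, the risk thresholds and the client-app strings are assumptions made for the example; Entra ID's real evaluation engine is more involved.

```python
from dataclasses import dataclass

@dataclass
class SignIn:
    user: str
    sign_in_risk: str       # none | low | medium | high
    user_risk: str          # none | low | medium | high
    device_platform: str    # windows | macos | ios | android | linux
    device_compliant: bool  # device state as reported to Entra ID
    location_trusted: bool  # sign-in comes from a trusted named location
    client_app: str         # browser | mobileAppsAndDesktopClients | exchangeActiveSync | other

# Constructed policy set (illustrative, not Entra ID's own engine). Each policy lists
# the conditions it matches on; a missing key means "any".
POLICIES = [
    {"name": "Block legacy authentication", "client_apps": {"exchangeActiveSync", "other"}, "grant": "block"},
    {"name": "Block high-risk users", "user_risk": {"high"}, "grant": "block"},
    {"name": "MFA for risky sign-ins", "sign_in_risk": {"medium", "high"}, "grant": {"mfa"}},
    {"name": "MFA outside trusted locations", "untrusted_only": True, "grant": {"mfa"}},
    {"name": "Compliant device on desktops", "platforms": {"windows", "macos"}, "grant": {"compliantDevice"}},
]

def matches(policy: dict, s: SignIn) -> bool:
    """True when every condition the policy specifies holds for this sign-in."""
    if "client_apps" in policy and s.client_app not in policy["client_apps"]:
        return False
    if "user_risk" in policy and s.user_risk not in policy["user_risk"]:
        return False
    if "sign_in_risk" in policy and s.sign_in_risk not in policy["sign_in_risk"]:
        return False
    if policy.get("untrusted_only") and s.location_trusted:
        return False
    if "platforms" in policy and s.device_platform not in policy["platforms"]:
        return False
    return True

def evaluate(s: SignIn) -> dict:
    """Combine every matching policy: a block from any policy wins, else controls accumulate."""
    controls, applied, blocked = set(), [], False
    for p in POLICIES:
        if not matches(p, s):
            continue
        applied.append(p["name"])
        if p["grant"] == "block":
            blocked = True
        else:
            controls |= p["grant"]
    if blocked:
        return {"decision": "block", "policies": applied}
    # A required compliant device that the sign-in cannot present is effectively a denial.
    if "compliantDevice" in controls and not s.device_compliant:
        return {"decision": "block", "policies": applied, "unsatisfied": "compliantDevice"}
    return {"decision": "grant", "controls": sorted(controls), "policies": applied}
```

Note that "mfa" in the result is a required control the user can satisfy interactively, whereas a block, as the article says, is the only outcome available to a legacy client that cannot perform MFA.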
Active Directory Still Plays an Important Role in Hybrid Cloud Identity Security
As you can see, a hybrid AD implementation is required in nearly all instances of identity security when moving to the cloud, mainly due to the authentication protocols that are required and the desire to leverage the security capabilities that Entra ID offers. Table 1 summarizes the reasons that you may select AD vs Entra ID.
| Technology | On-premises AD | Entra ID |
|---|---|---|
| Kerberos/NTLM | Yes | No |
| SAML/OAuth/OIDC | No | Yes |
| MFA | No | Yes |
| Group Policy | Yes | No |
| Intune | No | Yes |
| Conditional Access | No | Yes |
Table 1: AD vs Entra ID Technologies and Support
Many organizations think they can just migrate to Entra ID and remove AD, but in nearly every situation that is just not the case. This also means that AD will be around for a long, long time, as there are so many reasons that Kerberos and NTLM are still required.
Ready to Advance Your Identity Security Strategy in the Cloud?
Want to learn more about implementing effective identity security in hybrid and complex environments? Check out our whitepaper, Building an Adaptive Security Perimeter Through Identity Convergence.
Derek Melber
Strategic Advisor for Enterprise Identity,
GuidePoint Security
Derek Melber, Strategic Advisor for Enterprise Identity, has been helping enterprises for over 25 years with identity security, Active Directory/Azure Active Directory, cloud identity, Entra ID, Microsoft 365, Intune, Microsoft Defender, CTEM, PAM, MFA, Group Policy, and other integrated technologies. His professional experience includes Active Directory and Entra ID security assessments, specializing in network, wireless, and application penetration testing. Often asked to speak at events around the world, Derek has spoken and given keynotes in over 40 countries at events such as RSA, Gartner, Black Hat, and more. Derek has worked for and with companies leading in these areas such as Microsoft, AWS, BeyondTrust, Quest, ManageEngine, SpecterOps, Tenable, and more. You can follow Derek on LinkedIn at @derekmelber and contact him at [email protected].
Derek has been awarded 20 Microsoft MVP awards in Active Directory, Group Policy and Security over the past 22 years, where he has contributed to these communities around the world.