Active Directory is Microsoft's directory service and is in common use at Penn.
As the IAM program proceeds, a complementary effort has begun to find a path forward from the University's complex current Active Directory state:
- This effort will make suggestions related to both on-premise Active Directory instances and Azure Active Directory instances and how they fit into the University's overall IAM environment.
- An enterprise-wide Microsoft strategy for Penn was delivered to IT Roundtable in Q2/FY19. This document includes a strategic view of the future of IAM as related to Active Directory (see below). Building on the strategy document, a detailed inventory of the University's Active Directory instances will proceed over the next six months.
Strategic View of the Future of IAM as Related to Active Directory
Evaluating Active Directory services involves considering these technologies both in their current prevalent form at Penn (on-premise) and in the direction Microsoft is taking them (Azure Active Directory, commonly referred to as Azure AD). These services have been in use in at least some portions of the University since Active Directory's first release with Windows 2000 Server in early 2000. Penn currently has at least 51 on-premise Active Directory instances, which are used for authentication, authorization, and many other things.
The University’s general direction should be to substantially reduce the number of Active Directory instances, with the expectation that most of the instances that exist in the long term (three to eight years) will be on Azure. This strategy does not necessarily mean the elimination of all on-premise Active Directory instances—the belief is that this will be a small number with a long tail.
This general direction is relatively easy to state, but the devil is in the details. Significant further evaluation will be required to understand (among other things) how to consolidate and modularize the University’s Active Directory instances (wherever they may reside) for maximum effectiveness and efficiency.
University constituents should be aware that Azure AD currently does not have full feature compatibility with on-premise Active Directory, though it is highly likely that Azure AD will build out almost all of these features along with many others that on-premise Active Directory will never support. Because of this uneven feature support, Microsoft is increasingly making hybrid solutions available that use both Azure AD and on-premise Active Directory instances. Like most hybrid solutions, Microsoft’s offerings are transitional and may not be a long-term direction.