Modernizing Identity Security: Why You Still Need AD in a Cloud-First World
2026-3-11 17:10:7 Author: www.guidepointsecurity.com (view original)

TL;DR: Identity Security in the Cloud Requires Both AD and Entra in Most Cases

  1. You cannot replace Active Directory with Entra ID in most environments. Identity security in hybrid organizations requires both AD (for Kerberos, NTLM, and Group Policy) and Entra ID (for OIDC, OAuth, SAML, and cloud authentication).
  2. Modern identity security controls—like MFA and Conditional Access—depend on Entra ID. On-prem AD alone cannot enforce MFA or adaptive, risk-based access policies, making Entra ID essential for securing cloud and hybrid access.
  3. Legacy infrastructure and modern cloud applications rely on different authentication protocols. Because AD and Entra ID support fundamentally different technologies, a hybrid identity security strategy is required to secure users, devices, and applications across environments.
  4. Further reading: Building an Adaptive Security Perimeter Through Identity Convergence.

The migration to cloud brings with it a necessary shift to identity-centric security (vs. on-premises network management). Some believe this change in identity security strategy means a wholesale shift from Active Directory (AD) to Entra ID.

However, there are good reasons why both AD and Entra ID remain part of most implementations. This blog will cover some of the most compelling reasons that organizations want to include Entra ID but must also retain AD.

AD relies on Kerberos and NT LAN Manager (NTLM), which are the authentication protocols that are used on a corporate network for user and computer authentication, as well as application authentication. Modern cloud applications use OpenID Connect (OIDC), OAuth 2.0 and Security Assertion Markup Language (SAML).

Entra ID cannot authenticate Kerberos or NTLM requests, and AD cannot authenticate OIDC, OAuth 2.0, or SAML requests. The authentication protocols in use are therefore a key design and implementation factor for hybrid AD.

Examples of modern cloud applications requiring this hybrid identity security approach would include Microsoft 365, Salesforce, ServiceNow, custom APIs, and mobile applications.

On-prem AD does not support MFA without assistance from another tool. If a user authenticates to an AD domain controller, that domain controller, even in a hybrid AD environment, cannot present an MFA challenge to the user. For a user to receive MFA challenges in a hybrid AD environment, the user must authenticate to Entra ID. The supported authentication methods are shown in Figure 1.

Figure 1: Entra ID MFA Authentication Methods

So, an easy way to remember this: if a user is attempting to log on using Ctrl-Alt-Del, they will not get an MFA prompt in a hybrid AD environment without some alternate technology to help.

Group Policy is an on-prem AD technology and resides only within AD. Entra ID does not understand Group Policy in any way*. If an organization were to move solely to Entra ID, all identity security based on Group Policy would fail to apply. This is why many organizations stay in a hybrid AD environment, so that a user can still receive the legacy settings in Group Policy but also have the benefits that Entra ID provides, such as MFA, single sign-on (SSO), and conditional access.

*Note: Intune provides functionality similar to Group Policy, but the two do not synchronize and cannot be tied to one another.

How do Entra ID Conditional Access Policies Enhance Hybrid Identity Security?

A very powerful aspect of identity security included in Entra ID is Conditional Access Policies (CAP). These policies dynamically inspect the user and computer conditions to enforce controls on the authentication. CAP can also evaluate where the user and computer are logging in from, and assign a risk level that helps determine which controls will be enforced.

The controls that can be enforced include MFA, device compliance, and blocking access.

The complete list of conditions that a CAP can check includes:

  • Sign-in risk
  • User risk
  • Device platform
  • Device state
  • Location
  • Client app type
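To make the evaluation concrete, here is an added example (not code from the article or from Microsoft): a toy evaluator that applies the conditions and controls above to constructed sign-in events. The policy dictionaries are sample data loosely shaped like Microsoft Graph conditionalAccessPolicy objects (an assumption, not a faithful copy of the schema), and the field names on the sign-in events are likewise invented for illustration.

```python
# Added example (not Microsoft's code): a toy Conditional Access evaluator over
# constructed policies loosely shaped like Graph conditionalAccessPolicy objects.
# Only sign-ins that reach Entra ID get here; a DC Kerberos/NTLM logon never does.
POLICIES = [
    {"displayName": "Require MFA from untrusted locations",
     "conditions": {"clientAppTypes": ["all"], "locations": {"excludeLocations": ["AllTrusted"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Block legacy authentication",
     "conditions": {"clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
    {"displayName": "High sign-in risk: MFA and compliant device",
     "conditions": {"signInRiskLevels": ["high"], "clientAppTypes": ["all"]},
     "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]}},
]

def applies(policy, ev):
    """A policy applies only when every condition it configures matches the sign-in."""
    c = policy["conditions"]
    if "signInRiskLevels" in c and ev["signInRisk"] not in c["signInRiskLevels"]:
        return False
    apps = c.get("clientAppTypes", ["all"])
    if "all" not in apps and ev["clientAppType"] not in apps:
        return False
    plats = c.get("platforms", {}).get("includePlatforms", ["all"])
    if "all" not in plats and ev["platform"] not in plats:
        return False
    excluded = c.get("locations", {}).get("excludeLocations", [])
    return not (ev["trustedLocation"] and "AllTrusted" in excluded)

def evaluate(policies, ev):
    """'block' wins outright; otherwise every applicable policy's grant controls must be met."""
    unmet = []
    for p in policies:
        if not applies(p, ev):
            continue
        ctrls, have = set(p["grantControls"]["builtInControls"]), set(ev["satisfiedControls"])
        if "block" in ctrls:
            return "block", [p["displayName"]]
        met = ctrls <= have if p["grantControls"]["operator"] == "AND" else bool(ctrls & have)
        if not met:
            unmet.append(p["displayName"])
    return ("challenge", unmet) if unmet else ("allow", [])

def sign_in(**overrides):
    """Constructed sign-in event: a browser logon from an untrusted network, no controls yet."""
    ev = {"signInRisk": "none", "platform": "windows", "clientAppType": "browser",
          "trustedLocation": False, "satisfiedControls": set()}
    ev.update(overrides)
    return ev
```

Note how a legacy client is blocked even when it presents MFA, and how the high-risk policy still challenges a user who has done MFA but is on a non-compliant device.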

Active Directory Still Plays an Important Role in Hybrid Cloud Identity Security

As you can see, a hybrid AD implementation is required in nearly all instances of identity security when moving to the cloud, mainly due to the authentication protocols that are required and the desire to leverage the security capabilities that Entra ID offers. Table 1 summarizes the reasons that you may select AD vs Entra ID.

Technology            On-premises AD    Entra ID
Kerberos/NTLM         Yes               No
SAML/OAuth/OIDC       No                Yes
MFA                   No                Yes
Group Policy          Yes               No
Intune                No                Yes
Conditional Access    No                Yes

Table 1: AD vs Entra ID Technologies and Support

Many organizations think they can simply migrate to Entra ID and remove AD, but in nearly every situation that is not the case. Table 1 also shows why AD will be around for a long, long time: there are many reasons Kerberos and NTLM are still required.

Ready to Advance Your Identity Security Strategy in the Cloud?

Want to learn more about implementing effective identity security in hybrid and complex environments? Check out our whitepaper, Building an Adaptive Security Perimeter Through Identity Convergence.


Derek Melber

Strategic Advisor for Enterprise Identity,
GuidePoint Security

Derek Melber, Strategic Advisor for Enterprise Identity, has been helping enterprises for over 25 years with identity security, Active Directory/Azure Active Directory, cloud identity, Entra ID, Microsoft 365, Intune, Microsoft Defender, CTEM, PAM, MFA, Group Policy, and other integrated technologies. His professional experience includes Active Directory and Entra ID security assessments, specializing in network, wireless, and application penetration testing. Often asked to speak at events around the world, Derek has spoken and given keynotes in over 40 countries at events such as RSA, Gartner, Black Hat, and more. Derek has worked for and with companies leading in these areas such as Microsoft, AWS, BeyondTrust, Quest, ManageEngine, SpecterOps, Tenable, and more. You can follow Derek on LinkedIn at @derekmelber and contact him at [email protected].

Derek has been awarded 20 Microsoft MVP awards in Active Directory, Group Policy and Security over the past 22 years, where he has contributed to these communities around the world.


Source: https://www.guidepointsecurity.com/blog/modernizing-identity-security-why-you-need-ad-in-cloud/