AD is EOL

Recently I had this discussion, about managing identities in a company and what strategy to follow towards future developments like Attribute Based Access Control. A very interesting discussion, because this company was quite big and employs several tens of thousands of personnel. And only a few thousand of those have a Windows account. These people need an account because they have an email address and need access to folders and shares. The others don't have a Windows account, because they don't use any information systems.

AD is a silly tool: it's a user directory, a domain controller, an authentication service, an authorization server, a federation server. Too big too fail, but no focus.

During the discussion the IT manager of the company stated thet he wants every employee to get an Active Directory account, because he feels that in the near future everyone need to access some information resources on a Windows server or Sharepoint. Everyone needs an AD account (no, licensing costs is not yet a problem, as long as they don't use the account actively).

In my opinion this is not the right strategy. In the near future we don't access data on Windows of Sharepoint servers anymore. We will use web services on web servers that we access with a digital identity that can come from any (trusted) source. Active Directory will become Passive Directory.

It already happened: my company doesn't even have an AD anymore. I think it will be end-of-life before it's end-of-support...



Yes, I know, I must be wrong, everyone is expanding AD and so growing their legacy base. And we all move to Azure AD. But just think about this mind experiment...