Organisations should keep Active Directory when they still rely on legacy protocols, on-premises operational control, data residency constraints, or resilience requirements that cloud identity cannot replace. The decision is driven by workload fit and governance needs, not by cloud migration pressure. If identity supports critical local systems, on-premises control can remain the safer operating model.
Why This Matters for Security Teams
The AD versus Entra ID decision is usually not about preference, but about control boundaries. active directory still matters where legacy Kerberos, LDAP, NTLM, Group Policy, file shares, OT systems, or line-of-business applications depend on local directory services. Entra ID can modernise access, but it does not automatically replace every on-premises trust dependency or every operational recovery path. Security teams that collapse the two questions of “modernise identity” and “remove AD” often create avoidable outages or force brittle workarounds.
This also intersects with broader NHI risk. Many critical environments still depend on service accounts, API keys, and other secrets that are anchored to local systems, and those identities are often poorly inventoried or rotated. NHI Mgmt Group notes that only 5.7% of organisations have full visibility into their service accounts, which is why identity decisions should be tied to operational reality, not migration slogans. See also Ultimate Guide to NHIs and the NIST Cybersecurity Framework 2.0 for the control perspective. In practice, many security teams discover the dependency graph only after authentication breaks or a legacy workload fails during a rushed cutover.
How It Works in Practice
The practical answer is to retain AD for the workloads that genuinely require it, while using Entra ID where cloud-native controls are sufficient. That usually means keeping AD for domain-joined servers, applications that still rely on integrated Windows authentication, and environments that need local admin control, offline recovery, or tightly bounded network segmentation. Entra ID can then handle modern SaaS access, conditional access, MFA, and device-based policy enforcement.
A workable model is hybrid identity with clear role boundaries. AD remains the authoritative directory for legacy and local systems, while Entra ID becomes the front door for cloud access and federation. Security teams should map each workload to its identity dependency before deciding where credentials, group policy, and admin workflows live. Use Cisco Active Directory credentials breach as a reminder that directory choice does not remove the need for credential hygiene, and that compromised directory-linked secrets can still drive lateral movement. For cloud-connected authentication patterns, the NIST Cybersecurity Framework 2.0 is useful for framing protect, detect, and recover capabilities across both directories.
- Keep AD where Kerberos, LDAP, GPO, or on-prem app dependencies are still real requirements.
- Use Entra ID for SaaS, remote access, and conditional access controls that do not need local directory semantics.
- Document which identities are anchored to which directory, including service accounts and administrative accounts.
- Reduce trust expansion by limiting sync scope and avoiding unnecessary bidirectional dependencies.
For organisations with resilience requirements, the key test is whether the identity plane still works during a cloud outage, a network isolation event, or a site-level recovery scenario. These controls tend to break down when legacy applications are assumed to be cloud-ready before their authentication, authorization, and recovery dependencies have actually been removed.
Common Variations and Edge Cases
Tighter identity consolidation often increases migration cost and operational risk, requiring organisations to balance simplification against business continuity. That tradeoff is especially visible in regulated sectors, manufacturing, healthcare, and public sector environments where local control, data residency, or deterministic recovery matters more than a single cloud identity plane.
Best practice is evolving, but there is no universal standard that says AD must be removed once Entra ID is adopted. Many organisations instead use a staged model: keep AD for the systems that still need it, move new applications to Entra ID, and gradually retire AD only when the dependency map is truly empty. This is safer than a symbolic “full migration” that leaves hidden dependencies in scripts, scheduled tasks, VPN auth, printer paths, or admin tooling. For a broader governance lens, the NHI guidance in Ultimate Guide to NHIs is useful because the same inventory and lifecycle discipline applies to service accounts in hybrid identity estates.
The main edge cases are resilience and sovereignty. If an organisation requires local authentication during an internet outage, or must keep certain directories inside a specific jurisdiction, AD may remain the safer operating model. Conversely, if all critical dependencies are SaaS-native and the remaining AD footprint is only historical, the case for retirement becomes much stronger. The right answer is workload fit, not platform loyalty.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST AI RMF set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Identity architecture must fit workload access needs and control boundaries. |
| OWASP Non-Human Identity Top 10 | NHI-01 | Legacy AD estates still rely on non-human identities and secret lifecycle control. |
| NIST AI RMF | The decision is a governance and risk choice about operational fit and resilience. |
Use AI RMF-style risk evaluation to document business, resilience, and control tradeoffs for identity migration.
Related resources from NHI Mgmt Group
- Why do organisations keep Active Directory even after moving heavily to the cloud?
- How should banks strengthen Active Directory security without moving to cloud identity?
- Why do Active Directory service accounts complicate zero trust programs?
- How should teams govern hybrid Active Directory and Entra ID at the same time?
Deepen Your Knowledge
Reviewed and updated by the NHIMG editorial team on July 8, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org