The End of Active Directory: Why Your Cybersecurity Strategy Demands Entra ID Now¶
Right, let's have an honest discussion about Microsoft Active Directory. For ages it has been the bedrock of how most businesses handle logins and access: the familiar, reliable workhorse humming away in the server room. It did its job, absolutely.
But here's the rub: the world it was built for vanished years ago. Should a legacy technology foundation still be your main line of identity defence today? Frankly, that's looking increasingly like bringing a knife to a gunfight.
The simple fact is, Active Directory is legacy tech. It was designed in the late 1990s and shipped with Windows 2000, long before the cloud took off, before hybrid working became the norm, and certainly before cyber-attacks reached their current level of sophistication. It just wasn't designed to cope with the threats we face now.
Decades of Updates, But Security Left Behind?¶
We've all been through the upgrade cycles, haven't we? Server 2003, 2008, 2012, right up to the latest versions. We ticked the boxes and updated the Domain Controllers. But here's where many organisations slipped up: upgrading the server OS does not automatically harden AD itself.
Think about it: did your organisation meticulously go back and enable the newer, more secure features that only become available at higher domain and forest functional levels? Did you implement LAPS properly everywhere, get serious about privileged access, or tune your auditing to spot modern attack techniques? Often the honest answer is 'not thoroughly'. Convenience, budget, or plain lack of time meant many vital security enhancements got left on the shelf, leaving doors open that should have been bolted shut years ago. We ended up with newer servers running old, vulnerable configurations.
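The checks above can be scripted, and a read-only audit is the quickest way to find out how much of the hardening was actually done. The following is an added example written for this page, not code from the original post: it needs the RSAT ActiveDirectory module and a domain account with read access. The LDAP attribute names and group RIDs are standard; the report layout and the use of adminCount as a "privileged" marker are my own choices.

```powershell
# Added example: read-only audit of the AD weaknesses discussed above.
# Requires the RSAT ActiveDirectory module; runs as any domain user with read access.
Import-Module ActiveDirectory

function Get-AdHardeningReport {
    [CmdletBinding()]
    param([string]$Server)   # optional: a specific Domain Controller to query

    $ad = @{}
    if ($Server) { $ad.Server = $Server }

    # 1. Functional levels: several newer security features only unlock at higher levels.
    $domain = Get-ADDomain @ad
    $forest = Get-ADForest @ad

    # 2. Kerberoastable accounts: user objects carrying an SPN. Any authenticated user can
    #    request a service ticket for them and crack it offline, so privileged accounts
    #    with old passwords that still allow RC4 are the real exposure.
    $spnUsers = Get-ADUser @ad -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
        -Properties servicePrincipalName, 'msDS-SupportedEncryptionTypes', adminCount, PasswordLastSet
    $kerberoastable = foreach ($u in $spnUsers) {
        $enc = [int]$u.'msDS-SupportedEncryptionTypes'   # unset -> 0 -> KDC falls back to RC4
        [pscustomobject]@{
            Account         = $u.SamAccountName
            Enabled         = $u.Enabled
            Privileged      = ($u.adminCount -eq 1)       # AdminSDHolder-protected: in a privileged group now or once
            RC4Allowed      = (($enc -band 0x18) -eq 0) -or (($enc -band 0x04) -ne 0)  # 0x04 RC4, 0x18 AES128/256
            PasswordAgeDays = if ($u.PasswordLastSet) { [int]((Get-Date) - $u.PasswordLastSet).TotalDays } else { $null }
            SPNs            = @($u.servicePrincipalName)
        }
    }

    # 3. Unconstrained delegation on anything that is not a DC (primaryGroupID 516 / RODC 521):
    #    such a host caches the TGTs of everyone who authenticates to it.
    $unconstrained = Get-ADComputer @ad -LDAPFilter '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(primaryGroupID=516))(!(primaryGroupID=521)))' |
        Select-Object -ExpandProperty Name

    # 4. LAPS coverage. Windows LAPS and legacy LAPS use different schema attributes, and
    #    requesting an attribute the schema lacks makes Get-ADComputer fail, so detect first.
    $schemaNc  = (Get-ADRootDSE @ad).schemaNamingContext
    $lapsAttrs = @(foreach ($name in 'msLAPS-PasswordExpirationTime', 'ms-Mcs-AdmPwdExpirationTime') {
        if (Get-ADObject @ad -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$name)") { $name }
    })
    $workstations = Get-ADComputer @ad -Filter 'Enabled -eq $true -and OperatingSystem -notlike "*Server*"' `
        -Properties (@('OperatingSystem') + $lapsAttrs)
    $withoutLaps = @($workstations | Where-Object {
        $managed = $false
        foreach ($a in $lapsAttrs) { if ($_.$a) { $managed = $true } }
        -not $managed
    })

    [pscustomobject]@{
        DomainMode              = $domain.DomainMode
        ForestMode              = $forest.ForestMode
        Kerberoastable          = @($kerberoastable)
        PrivilegedSpnAccounts   = @($kerberoastable | Where-Object { $_.Privileged -and $_.Enabled })
        UnconstrainedDelegation = @($unconstrained)
        LapsSchemaPresent       = ($lapsAttrs.Count -gt 0)
        WorkstationsWithoutLaps = @($withoutLaps | Select-Object -ExpandProperty Name)
    }
}

# Usage: privileged SPN accounts that still allow RC4 are the first thing to fix
# (move to a gMSA or a long random password, and set AES-only encryption types).
$report = Get-AdHardeningReport
$report | Select-Object DomainMode, ForestMode, LapsSchemaPresent
$report.PrivilegedSpnAccounts | Format-Table Account, RC4Allowed, PasswordAgeDays
```

An empty `PrivilegedSpnAccounts` list and an empty `UnconstrainedDelegation` list are the bar to aim for; `WorkstationsWithoutLaps` should be close to empty once LAPS is deployed, and the schema check tells you immediately whether it ever was.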
The Sheer Grind of Keeping Active Directory Secure¶
Anyone who has actually managed Active Directory knows that securing it properly isn't a walk in the park. It's complex, fiddly, and demands deep expertise. Keeping track of permissions, patching constantly, hunting for the misconfigurations attackers love (service accounts with SPNs and guessable passwords, hello Kerberoasting!), and trying to stay one step ahead of threats is a relentless, resource-draining battle.
And let's be honest, convenience is always whispering in our ear, isn't it? "Just grant that permission quickly," "That patch can probably wait," "Setting up proper auditing is too noisy." Every time we take the easy path with Active Directory, we are potentially weakening our most critical security system. The sheer operational effort needed to keep on-premises AD genuinely secure against modern attackers is enormous and, arguably, unsustainable for most.
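"Proper auditing is too noisy" is only true if the audit data is never filtered. Kerberoasting, for instance, leaves a clear signature in event 4769 on the Domain Controller once "Audit Kerberos Service Ticket Operations" is enabled: one client requesting RC4 service tickets for many user-backed services in a short window. The function below is an added example written for this page, not the post's own code or a Microsoft detection; the event field names and encryption-type codes are what Windows logs, while the exclusions and the threshold are my own tuning and should be adjusted to the environment.

```powershell
# Added example: flag Kerberoasting-style TGS requests in a Domain Controller's Security log.
# Requires success auditing for "Kerberos Service Ticket Operations" (event 4769) and
# rights to read the Security log on the DC. Threshold and exclusions are assumptions.
function Find-KerberoastActivity {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddHours(-24),
        [int]$MinDistinctServices = 5   # one client, many distinct RC4 service tickets, quickly
    )

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4769; StartTime = $Since
    } -ErrorAction SilentlyContinue

    $candidates = foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d.Status -ne '0x0') { continue }                    # failed requests yield no crackable ticket
        if ($d.TicketEncryptionType -ne '0x17') { continue }     # 0x17 = RC4-HMAC; modern clients ask for AES (0x11/0x12)
        if ($d.ServiceName -eq 'krbtgt') { continue }            # TGT renewals, not service tickets
        if ($d.ServiceName -like '*$') { continue }              # computer accounts have random 120-char passwords

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Requester   = $d.TargetUserName
            ClientIp    = $d.IpAddress -replace '^::ffff:', ''
            ServiceName = $d.ServiceName
        }
    }

    # A single requester touching many different service accounts is the roasting pattern;
    # a real application normally talks to one or two.
    $candidates | Group-Object Requester, ClientIp | Where-Object {
        @($_.Group.ServiceName | Sort-Object -Unique).Count -ge $MinDistinctServices
    } | ForEach-Object {
        [pscustomobject]@{
            Requester = $_.Group[0].Requester
            ClientIp  = $_.Group[0].ClientIp
            Services  = @($_.Group.ServiceName | Sort-Object -Unique)
            First     = ($_.Group.Time | Measure-Object -Minimum).Minimum
            Last      = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    }
}

# Usage on a DC (or remotely with -ComputerName): review anything returned, then
# rotate the password of every service it lists.
Find-KerberoastActivity -Since (Get-Date).AddHours(-4) | Format-List
```

Two caveats a practitioner will want: legitimate scanners and some older applications do request RC4 tickets, so build an allow-list of requesters before alerting; and once the service accounts themselves are set to AES-only, the `0x17` filter stops firing for them, which is exactly the point of fixing the accounts.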
Examples of Cyber Attacks involving Active Directory¶
The examples below illustrate how central Active Directory is to network operations and why it remains a prime target for cyber threat actors aiming for widespread impact, whether for financial gain, espionage, or disruption.
Ransomware Attacks Leveraging Active Directory¶
- Ryuk Ransomware Campaigns: Numerous Ryuk attacks involved gaining administrative privileges within AD and then using Group Policy Objects (GPOs) or logon scripts to distribute the ransomware across the entire domain efficiently. Source: Mandiant/Google Cloud Blog describing Ryuk post-compromise TTPs including credential access via Mimikatz/Kerberoasting and noting its frequent association with initial access trojans like TrickBot, which CISA links to Ryuk campaigns
- Conti Ransomware: Leaked playbooks and attack analyses showed Conti operators routinely targeted AD using tools like AdFind for reconnaissance, aiming to gain Domain Admin rights to disable security tools and deploy ransomware en masse. Source: CISA brief on Conti Ransomware
- DarkSide (Colonial Pipeline Attack, 2021): This high-profile attack reportedly involved the attackers gaining initial access via compromised credentials associated with a disused Active Directory account, highlighting how AD identity management weaknesses can be exploited. Source: Bloomberg report citing sources on the compromised VPN account linked to AD
- SamSam/Samas Ransomware (e.g., City of Atlanta Attack, 2018): This group often exploited server vulnerabilities for initial access, then used tools to steal privileged AD credentials and perform reconnaissance within AD to identify and encrypt critical systems network-wide. Source: US Department of Justice indictment detailing SamSam TTPs including domain compromise
- Egregor Ransomware (e.g., Kmart Attack, 2020): Attackers confirmed compromising the victim's Active Directory domain as part of their attack, likely using this access for widespread ransomware deployment and data exfiltration. Source: Semperis blog analysis discussing the Kmart attack and AD compromise
- LockerGoga Ransomware (e.g., Norsk Hydro Attack, 2019): While initial entry varied, the rapid spread across Norsk Hydro's global network strongly indicates attackers compromised AD to move laterally between systems and facilities before deploying the ransomware. Source: Scadafence analysis discussing AD as the likely propagation mechanism
- Maze Ransomware: Known for data exfiltration alongside encryption, Maze operators frequently used tools like Mimikatz (to steal credentials from memory, often targeting AD-related processes) and BloodHound (to map AD permissions and find attack paths) to take over accounts and navigate the network. Source: Semperis blog discussing Maze and other ransomware targeting AD, mentioning tool usage
- SaveTheQueen Ransomware: This strain was observed spreading by writing malicious files to the SYSVOL share on Domain Controllers, leveraging AD's replication mechanism to distribute itself. Source: Same Semperis blog discussing SaveTheQueen's use of SYSVOL
- LockBit Ransomware: This prominent RaaS group explicitly advertises capabilities targeting Domain Controllers, recognising them as key infrastructure for deploying ransomware effectively across an organisation. Source: Microsoft Security Blog detailing how ransomware actors exploit DCs
- Akira Ransomware: Microsoft detailed an incident where Akira attackers, after gaining Domain Admin credentials, connected directly to a Domain Controller, created new privileged accounts within AD for persistence, and launched the encryption process from the DC itself. Source: Microsoft Security Blog case study on Akira and DC exploitation
- ALPHV/BlackCat: This group has targeted numerous organisations (including the Change Healthcare incident). Their tactics often involve compromising AD to create rogue admin accounts, facilitating deeper network access and data theft before ransomware deployment. Source: Picus Security analysis of ALPHV TTPs including Valid Accounts (T1078) and potential credential theft
- Marks & Spencer (2025): The "Scattered Spider" threat collective attacked Marks & Spencer's systems, breached its Active Directory and used AD's privileged connection to the VMware platform to encrypt the virtual machines. Source: https://www.theguardian.com/business/2025/apr/29/m-and-s-cyber-attack-linked-to-hacking-group-scattered-spider
APT / State-Sponsored Attacks Exploiting Active Directory¶
- Nobelium/Midnight Blizzard (SolarWinds Attack, 2020): This sophisticated supply chain attack involved multiple AD exploitation techniques. Attackers compromised on-premises AD for privilege escalation and lateral movement. Crucially, they also targeted Active Directory Federation Services (AD FS) servers to forge SAML authentication tokens (a "Golden SAML" attack), allowing them to access cloud resources federated with the compromised AD environment. Source: CISA Alert AA21-008A detailing Nobelium TTPs including AD FS/SAML abuse
- Volt Typhoon: This state-sponsored group is known to target critical infrastructure and, as part of its "living off the land" approach to staying stealthy, harvests credentials from Active Directory (for example by extracting a copy of the NTDS.dit database from a Domain Controller) and uses them for lateral movement and long-term control. Source: CISA Advisory detailing Volt Typhoon TTPs including credential access from AD and lateral movement
- General APT Activity (e.g., APT28/Fancy Bear, APT29/Cozy Bear): Numerous Advanced Persistent Threat groups target AD as standard practice. Gaining control over AD provides long-term persistence, access to sensitive data, and the ability to move undetected within the victim network for espionage or future operations. Source: MITRE ATT&CK profile for APT28 detailing techniques like credential dumping and domain account exploitation
Destructive Attacks Where AD Was Central¶
- NotPetya (2017): NotPetya propagated with the EternalBlue SMB exploit and, where hosts were patched, with credentials harvested from memory by a Mimikatz-style module and replayed over PsExec and WMIC. In corporate networks built on Active Directory, a single harvested privileged domain credential was enough to reach every machine it could log on to, which is why the destruction was so fast and so complete. Source: Wired's definitive account "The Untold Story of NotPetya" detailing the attack spread
Time to Get Real: Prioritise the Move to Entra ID¶
So, what’s the answer? It isn't about finding yet another sticking plaster for AD. It's about recognising that the game has changed and moving to a platform designed for this era: Microsoft Entra ID (what we used to call Azure AD).
Entra ID wasn't bolted onto an old chassis; it was built cloud-first. It handles things like Conditional Access (blocking dodgy logins based on risk), proper Multi-Factor Authentication that frustrates attackers, seamless sign-on for cloud apps, and Privileged Identity Management in a way that’s just leagues ahead of what you can realistically wrestle out of traditional AD.
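To make the Conditional Access point concrete, here is what a baseline looks like when created through the Microsoft Graph PowerShell SDK. This is an added example for this page, not code from the original post or from Microsoft's documentation: the policy display names and the break-glass account's UPN are placeholders, and the third policy assumes the tenant has Entra ID P2 (Identity Protection) licensing because sign-in risk conditions need it. The property names and allowed values are the standard Conditional Access policy schema.

```powershell
# Added example: three baseline Conditional Access policies via Microsoft Graph PowerShell.
# Requires the Microsoft.Graph modules and an account allowed to manage Conditional Access.
# Placeholders: the policy names and the break-glass UPN. Policy 3 assumes Entra ID P2.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

# A break-glass account is excluded from every policy so an MFA or tenant outage
# cannot lock every administrator out. Refuse to continue if it does not exist.
$breakGlass = Get-MgUser -Filter "userPrincipalName eq 'breakglass@contoso.example'"   # assumed UPN
if (-not $breakGlass) { throw 'Create and protect a break-glass account before deploying these policies.' }

# Report-only first: Entra evaluates the policy and records the outcome in the sign-in
# logs without enforcing it, so you can find broken service accounts and legacy clients
# before flipping the state to 'enabled'.
$reportOnly = 'enabledForReportingButNotEnforced'

$policies = @(
    @{
        displayName   = 'CA001 - Require MFA for all users'
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('all')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{
        # Legacy protocols (basic auth, ActiveSync) cannot prompt for MFA, so password
        # spraying against them bypasses policy 1 unless they are blocked outright.
        displayName   = 'CA002 - Block legacy authentication'
        state         = $reportOnly
        conditions    = @{
            users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
            applications   = @{ includeApplications = @('All') }
            clientAppTypes = @('exchangeActiveSync', 'other')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    @{
        # Risk-based control: only evaluated if the tenant has Identity Protection (P2).
        displayName   = 'CA003 - Require MFA on medium or high sign-in risk'
        state         = $reportOnly
        conditions    = @{
            users            = @{ includeUsers = @('All'); excludeUsers = @($breakGlass.Id) }
            applications     = @{ includeApplications = @('All') }
            clientAppTypes   = @('all')
            signInRiskLevels = @('medium', 'high')
        }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    '{0}  {1}  {2}' -f $created.Id, $created.DisplayName, $created.State
}
```

After a week or two of report-only data, the sign-in logs show exactly which users and apps each policy would have blocked; fix those, switch `state` to `enabled`, and the controls that took years to approximate in on-premises AD are enforced tenant-wide from that moment.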
This is why the conversation needs to shift. We shouldn't just be tinkering with hybrid setups forever. The strategic priority has to be planning for a full migration to Entra ID as the core identity system. Yes, that means aiming to eventually sunset your organisation-wide traditional Active Directory. Shut it down. Put it out to pasture.
Stop Propping Up the Past¶
Look, Active Directory served its purpose. But its architecture is dated, securing it is a nightmare, and it fundamentally struggles with the modern IT landscape. Relying on it as your primary identity system today is building your house on increasingly shaky foundations.
Yes, migrating fully to Entra ID takes planning, effort, and budget – nobody's pretending it's a five-minute job. But the risks and operational headaches of not moving are growing by the day. It’s high time organisations got serious about this, prioritised the shift to Entra ID, and started building their security around an identity platform actually designed for the challenges we face right now, and those still to come.