For most businesses, the cost and difficulty of shifting away from Microsoft outweigh the benefits
replies(4):
Some things go deep, true. However most businesses don't use most of Microsoft products - even the ones that do, the usage of the more complicated products is far more minuscule than imagined by e.g. CFOs, etc.
The real thing keeping many "in the fold" as it were would be authentication services.
Which are overcomplicated and probably easier to manage without...
We’ve looked into FreeIPA and similar options, but honestly, nothing really holds a candle to Active Directory yet.
From what I gather, the bigger challenges for businesses are more about the tech ecosystem Microsoft has built. It's hard to just swap out core services like AD without huge disruptions.
Other countries reliant on US based cloud giants are understandably alarmed at his behavior, and it is now a strong possibility that Trump will attempt to use their reliance on our tech companies to wring from them whatever he wants.
So the idea of escaping US tech monopolies has become very popular among those paying attention.
Still seems like, for most businesses, the biggest hurdle is how deeply Microsoft’s services are embedded rather than politics
There's still a few that don't have direct equivalents, but the list is growing smaller and smaller.
Microsoft is king at "Good enough." It's rarely the best option of anything, but what they do put out is bundled aggressively and is generally "good enough."
So, you have a business where a large portion of the user base needs Excel. So you have licensing for that. Sure you can still use other services - you can use Okta instead of EntraID, some other MDM besides InTune, some other EDR besides Defender but once you have 1 product, why would you, when it's significantly cheaper (both in terms of actual cost per user per month and in terms of employing talent that can administer a MS ecosystem) to just go all in with Microsoft.
Because of the way Microsoft designed their suite of software and services, the only realistic choice is either all in on Microsoft, or no Microsoft at all, and to fix that we need antitrust action.
Microsoft Active Directory has excellent tooling for middle-management-heavy businesses. For better or for worse it provides the most integrated solution to reduce a desktop PC to a perfect thing for repetitive, boring, soul crushing office work. No other software solution comes close.
While I like Windows as a desktop platform, the reasons that it was designed as it is are very clear. To make cheapest laptops as dystopian as possible, you need systems that can run the same boring software for decades. Not for the good for the environment but for profits.
Windows provides all APIs to deeply integrate with Active Directory and MS Office. All engineering, accounting and finance software are deeply integrated with them. They literally run entire countries. I have seen engineering software that used Visio diagrams for designing factory pipelines. It is near impossible to pull the bigger businesses and governments out of this trap without completely upending entire sectors worth trillions. I think only very determined regimes like China can pull it off.
what is state of the art today that compares to ActiveDirectory (not talking azureAd - or whatever they call it these days) ?
Like if orgs need this capability why is there no good open source solution?
The first paragraph links to an article about how the International Criminal Court ’s chief prosecutor has lost access to his email.
This has caused some governments to worry. What if MS was ordered to block access to their software because the US wanted to apply pressure?
Yeah, I can see how events like that raise real concerns for foreign governments relying on US-based infrastructure. Even if Microsoft isn’t directly doing anything aggressive, the potential for state pressure is enough to make countries want more control over their tech stack
Here is a typical office use case in an engineering environment:
A user logs into their Windows laptop. It uses a Windows domain which is part of Active Directory system. It connects to the domain server to check the credentials. Those credentials are regularly cached into the Windows laptop. Moreover the company issues smartcards for sensitive access. The user can use the smartcard to login to the laptop too. Active Directory handles the certificates. The manufacturer's driver software integrates with Windows and the Active Directory system.
Group Policy is also stored by the domain server and depending on the user's credentials and the roles in the Active Directory system, the relevant engineering apps can be automatically installed on the user's laptop (let's say Altium or Autodesk). The engineering app then integrates with Active Directory to associate the license with the user's identity on Active Directory.
The user does their work and want to save a report from the engineering app (let's say a Bill of Materials report), it can be automatically saved to user's OneDrive account as an Excel file. The user can then take this report and share it on SharePoint which is OneDrive but more businessy and it supports creating web pages. So now the user can publish this as a web page in their department's SharePoint instance which they use as the main documentation portal. All of the other third party software like VPN logins, HR systems etc. are all also depend on Active Directory to get the credentials.
The scenario above is not just hypothetical. A majority of the biggest conglomerates and even smaller companies are completely locked in. Most of the Western governments too. The usual infrastructure roads, pipelines, power lines etc. were all designed and managed in Active Directory connected Windows PCs.
You cannot just replace Active Directory. You need to replace all the infrastructure around it. That includes not only Microsoft systems but also all the third party software that integrates with it. It is a multi-hundered billion dollar industry of proprietary apps all integrating with each other.
> Out of curiosity, how hard would it be to copy Active Directory in an open source project (like how Excel is copied by LibreOffice)? > > Like if orgs need this capability why is there no good open source solution?
Btw if you think LibreOffice Calc is anywhere close to being an alternative to Excel, you are very mistaken. Just in the basic set of functionality, Calc is 2 decades behind. Excel has a lot of integration with databases to automatically fetch data and update the fields accordingly. If you have a big spreadsheet, Calc struggles a lot while Excel can scale millions of rows quite easily.
Why there is no open-source solution? Because it requires a central entity to develop those elementary APIs combined with an operating system and office suite combo. The entity needs to convince all those multi-billion dollar companies to buy their product. Then it needs to send engineers to work with both clients and software vendors to handle all sorts of kinks and weird use cases.
Microsoft has been doing this since 90s. The entire corporate desktop ecosystem has developed around them and they ensured that Windows and Office would be a centerpiece of all those systems. A bazaar-style open source ecosystem will not be able to manage the scale. Without a central vision and strong product management, it is not possible to mesh multiple projects together. The current open-source systems cannot even agree on which GUI display protocol to use which is just microscopic compared to everything else.
Only a very determined government with virtually unlimited funds and very stable decision making (very likely to be authoritarian) can force all the companies to switch something else. China is that government and they are somewhat successful but not entirely.
Samba, krb5 &co can handle small cases, but it's architecture is still stuck in the nt4 days, and there's limited cohesive integration with LDAP and the other services.
Cloud AD also works seamlessly with on-prem AD, allowing things like online, self-service password reset for the domain, and in the reverse direction to use TPM-backed certificates/WebAuthn for securing web apps or anything behind MS-linked SSO. Of course, it also integrates tightly with Azure, so you can do RBAC for any VM/service in Azure, since they automatically get service identities in your AD.
That level of integration is so far above anything else on the market that it isn't even a discussion.
That sounds nice, but that's not exactly a feature specific to AD.
All perfectly possible with a couple well placed scripts and some remote logins.
> TPM-backed certificates/WebAuthn for securing web apps or anything behind MS-linked SSO
Yeah this is the overengineered stuff that is therefore difficult to replicate. Certs and auth predate AD and Azure, the lock-in comes from the overcomplicated SAML style rickety tower of doom that just barely functions...
Autopilot locks Windows OOBE to your Intune instance based on the serial number. The user only has to know their email and a temp password if they're new, or existing login/otp if not. The device can be remotely wiped, and it will start back over at the OOBE (Windows install), ready for the next user.
You can't achieve that with scripts. That requires the ubiquity of Windows as an OS (so device manufacturers play ball). You may find that lock in distasteful, but if that's the world you're already in, it's a magical timesaver.
Have the vendor ship your image?
Or provide your own bootstrap.
Probably something with netboots as well...
If your point is there is a heavy vendor presence, yeah, sure.
But yes, it is all scriptable. Someone has to provision the device, whether that's you or Dell, that's your choice as the customer, not some inherent superiority of one system over another.
It's a rigged monopoly and has nothing to do with a market economy. Once you have been forced to use Windows, you are doomed.
What's something that AD provides that this does not?
It certainly sounds like an (almost) drop-in replacement.