TalksAWS re:Invent 2025 - Streamlining Active Directory Migration with AWS Hybrid Managed AD (SEC232)

AWS re:Invent 2025 - Streamlining Active Directory Migration with AWS Hybrid Managed AD (SEC232)

Streamlining Active Directory Migration with AWS Hybrid Managed AD

Active Directory Migration Pathways

  • Customers have three main options for integrating Active Directory (AD) with AWS:
    1. AD Connector: A proxy service that allows AWS services to authenticate against on-premises AD without deploying any hardware.
    2. EC2-based AD: Extending AD into EC2 instances, providing more control but still requiring management of the domain controllers.
    3. AWS Managed Microsoft AD: A fully managed AD service in the cloud, integrating with AWS services but requiring separate forest/domain management.

The Evolution of Identity Management

  • Active Directory (AD) has been a central identity management solution for over 25 years, providing centralized authentication and policy enforcement.
  • However, AD has faced challenges around cloud integration, hardware refreshes, disaster recovery, and physical boundaries.
  • While extending AD to EC2 and using AWS Managed Microsoft AD have helped, customers still faced issues like trust management and the need for separate forests/domains.

Challenges with Active Directory Migration

  • Migrating AD to the cloud involves extensive planning to preserve access and avoid disrupting users.
  • Repermissioning is often required when moving to a separate AD forest/domain, increasing complexity.
  • Tools like third-party migration utilities can help, but often require setting up trusts, adding another layer of complexity.

Introducing AWS Hybrid Managed AD

  • To address these challenges, AWS introduced the Hybrid Managed AD service in August 2025.
  • Hybrid Managed AD allows customers to extend their existing on-premises AD into the AWS cloud without the need for migration or repermissioning.
  • Key benefits include:
    • Preserving user identities, groups, and access controls
    • Eliminating the need for trust management between domains
    • Scalability through easy expansion of domain controllers
    • Ability to share the Hybrid Managed AD instance across multiple AWS accounts

Deloitte's Role and Insights

  • Deloitte, a long-standing AWS partner, participated in a 9-month beta program for the Hybrid Managed AD service.
  • Deloitte's key insights and perspectives:
    1. AD Minimalization: The trend towards reducing the footprint of on-premises AD infrastructure as cloud identity providers mature.
    2. Risk and Control Considerations: Hybrid Managed AD simplifies the control framework by eliminating the need for additional trusts and identity synchronization.
    3. Technical Validation: Deloitte was able to quickly set up a mock environment and validate the ease of use and administration of the Hybrid Managed AD service.

Business Impact and Use Cases

  • Hybrid Managed AD can significantly accelerate AD migration timelines, from months to 2-4 weeks.
  • It enables faster onboarding of new users, mergers and acquisitions, and multi-account strategies.
  • The ability to easily scale and share the Hybrid Managed AD instance across accounts provides flexibility and efficiency.
  • Compared to traditional AD migration approaches, Hybrid Managed AD reduces the overhead for security teams and simplifies the control framework.

Technical Details and Comparison

| Feature | Traditional AD Migration | AWS Hybrid Managed AD | | --- | --- | --- | | Identity Preservation | Requires repermissioning | Preserves users, groups, and access controls | | Trust Management | Requires setting up trusts | Eliminates the need for trust management | | Scalability | Manual scaling of domain controllers | Easy scaling of domain controllers through the console | | Multi-Account Sharing | Requires deploying separate AD instances | Single Hybrid Managed AD instance can be shared across accounts | | Security and Control | Requires monitoring identity synchronization and network controls | Reduces overhead for security teams and simplifies the control framework |

Key Takeaways

  • AWS Hybrid Managed AD addresses the key challenges of AD migration and integration with the cloud, enabling faster adoption and reduced complexity.
  • By preserving identities and eliminating the need for trust management, Hybrid Managed AD significantly accelerates migration timelines and simplifies the overall process.
  • The ability to easily scale and share the Hybrid Managed AD instance across accounts provides flexibility and efficiency for customers.
  • Deloitte's participation in the beta program validated the technical capabilities and business impact of the Hybrid Managed AD service, highlighting its potential to address the evolving needs of enterprise customers.

Your Digital Journey deserves a great story.

Build one with us.

Talk to us
Cookies Icon

This website stores cookies on your computer.

These cookies are used to collect information about how you interact with this website and allow us to remember you. We use this information to improve and customize your browsing experience, as well as for analytics.

If you decline, your information won’t be tracked when you visit this website. A single cookie will be used in your browser to remember your preference.