Migrating Workloads from Local Domain Controllers to Microsoft Entra ID for an Australian Manufacturing Firm

Summary

The local domain controller has long served as the backbone of hybrid IT environments, delivering critical network management and security services. However, for an Australian manufacturing firm, the high monthly costs associated with hosting domain controllers, Certificate Authority, and RADIUS services as Infrastructure as a Service (IaaS) virtual machines on Microsoft Azure have become a significant financial burden.

In addition to cost considerations, the company’s hybrid work model, which supports both on-site and remote employees, has heightened the need for robust security and seamless access to corporate resources. Persistent authentication failures have further impacted operational efficiency and business continuity.

To address these challenges, NSN Infotech proposed a migration from traditional domain controllers and supporting services to Microsoft Entra ID. This modern, cloud-native identity and access management platform delivers scalability, remote accessibility, and advanced security features. The solution enhances operational efficiency, improves user experience, and significantly reduces ongoing cloud infrastructure costs, positioning the business for greater agility in a dynamic digital landscape.

The Challenges

  • High Operational Costs: The ongoing expense of maintaining domain controllers, Certificate Authority, and RADIUS services as virtual machines in Azure has significantly increased the organization’s operational expenditure. These costs encompass storage, compute resources, networking, and ongoing management, posing a substantial financial strain.
  • Inefficient Remote Access: Remote and field-based employees face inefficiencies and disruptions due to the reliance on VPN connections for authentication, group policy updates, and access to corporate resources. This dependency not only impacts user experience but also creates performance bottlenecks in a hybrid work environment.
  • Certification Authority Decommissioning: The organization’s local domain-based Certification Authority is nearing the end of its lifecycle and is set to be decommissioned. This presents both security and operational risks, requiring a modern, cloud-based solution to ensure the continued issuance and management of digital certificates.

Implementation and Solution

Microsoft Entra ID

The transition to Microsoft Entra ID delivered several operational benefits, enhancing both security and efficiency across the organization:

  • Seamless Authentication Experience: Employees no longer require VPN connections to authenticate or receive policy updates, significantly improving the user experience, especially for remote and field-based staff.
  • Anywhere Access: Users gain secure, frictionless access to corporate resources from any location with an internet connection, fostering greater mobility and productivity.

 

Microsoft Intune Cloud PKI

To replace the legacy domain-based Certification Authority, Microsoft Intune Cloud PKI was implemented, offering a modern, cloud-native solution for certificate lifecycle management:

  • Certificates were automatically distributed to all Intune-enrolled, trusted devices, ensuring secure device authentication without user intervention.
  • A cloud-based RADIUS solution, RADIUSaaS, was integrated to trust certificates issued by Intune Cloud PKI, enabling certificate-based authentication for wireless users on Windows, Android and iOS devices. This approach eliminated the reliance on username and password-based authentication, enhancing both security and user convenience.

Results

Cost Reduction

The migration to Microsoft Entra ID delivered a substantial reduction in monthly Azure costs by decommissioning domain controllers, Certificate Authority, and RADIUS infrastructure hosted as IaaS virtual machines. This transition eliminated the expenses associated with compute, storage, and network resources, significantly lowering the organization’s operational overhead.
 

Enhanced Remote Work Efficiency

The new cloud-native identity solution transformed the remote work experience by removing the reliance on VPN connections for user authentication and policy updates. Employees now receive security policies, certificates, and access permissions over the internet, enabling seamless, secure access to corporate resources from any location.
 

Certificate Services Modernization

To modernize certificate management, the company successfully transitioned from its legacy on-premises Certificate Authority to Microsoft Intune Cloud PKI:

  • Decommissioning Legacy Infrastructure: Local certificate services were fully retired, streamlining operations and removing the administrative burden of managing on-premises PKI.
  • Cloud PKI Deployment: Microsoft Intune Cloud PKI automatically issues and manages device certificates for all Intune-enrolled devices, ensuring that security policies and certificates are consistently applied across the organization.

 

Secure Wireless Authentication with RADIUSaaS

To enhance wireless network security, RADIUS as a Service (RADIUSaaS) was deployed and integrated with Microsoft Intune Cloud PKI:

  • The cloud-based RADIUS service validates Intune-issued certificates, enabling certificate-based authentication for wireless networks.
  • This approach eliminates the need for username and password-based authentication, enhancing both security and user experience.
  • The solution ensures that only trusted, managed devices gain access to the wireless network, aligning with Zero Trust security principles.

 
This comprehensive solution not only simplified infrastructure management but also strengthened the organization’s security posture, supporting a more flexible and resilient IT environment.
