Your AD Groups Are A Lie: Fix Source of Authority NOW
Published 4 months, 1 week ago
Opening: AD Groups Are a Comfortable Lie

Most admins believe their Active Directory groups are sacred, perfectly representing some universal truth about who belongs where. They’re not. They’re fossils—meticulously conserved, synchronized into Entra, and paraded around as if they still rule the kingdom. Meanwhile, the cloud laughs quietly in OAuth. These on‑prem lords cling to their domain controllers like medieval nobles refusing to abdicate even as the world runs on APIs and access reviews.

Here’s the uncomfortable fact: “Source of Authority,” or SOA, doesn’t mean “where a group happened to be born.” It means who actually governs its existence right now—Active Directory or Entra ID. The difference controls everything from whether you can edit a membership list to whether HR provisioning can actually complete without manual interventions that should’ve died with Windows Server 2008 R2.

Modern identity isn’t about replication; it’s about responsiveness. Yet most organizations still treat Active Directory as scripture. Every group synchronized northward becomes a zombie—visible in Entra but lifeless, grayed out, obeying distant LDAP priests.

And that rigidity costs you. Workflow automation breaks, access governance stalls, and any illusion of agility collapses the second a property field says “read‑only because controlled by on‑premises.”

By the end of this episode, you’ll know when to flip that Source‑of‑Authority switch and how to do it without setting your hybrid environment on fire. Let’s expose the lie and start liberating your groups from their aging monarch.

Section 1: How We Got Here—The Myth of Active Directory Sovereignty

Once upon a time, there was no argument: Active Directory was the sovereign ruler of identity. Users, computers, and groups existed only inside its limestone towers—domain controllers humming with authority. It was the single source of truth for everything that mattered, and for years, that simplicity felt divine.

Then came the cloud, and Microsoft was polite enough to invite AD’s relics to visit. The result was synchronization—objects mirrored upward into Azure Active Directory, now known as Entra ID. But while Entra displayed those objects, it never owned them. Think of it as a constitutional monarchy where the royal decrees still came from on‑prem, and Entra merely broadcast them. The result? A system where the local crown keeps issuing laws, but the new parliament can’t amend them.

You could see the hierarchy right in the interface. Cloud consoles filled with gray fields—unchangeable memberships, locked roles, and governance tools refusing to launch because the Source of Authority said “Active Directory.” To alter anything meaningful, you descended back into the dark ages of MMC snap‑ins and PowerShell sessions pointed at domain controllers. All because AD refused to relinquish its scepter.

Here’s the key correction most admins miss: Source of Authority isn’t a global toggle; it’s per object. Each group, each user, carries its own little flag defining who commands it. Create something on‑prem, and AD claims dominion. Create it in Entra, and the cloud presides. For decades, that boundary was impermeable—the tributaries all flowed north; no river ever returned. Cloud admins could observe but never decree.

When hybrid was new, that made sense. The kingdom’s economy still depended on local servers, Exchange clusters, and policies that only AD understood. But as workloads migrated, the crown’s laws grew obsolete, and the parliament in Entra gained better governance, automation, and intelligence. Microsoft didn’t abolish the monarchy; it built a representative government beside it. OAuth and OpenID became the new diplomatic language, while AD kept mumbling about Kerberos tickets and function levels.

The tragedy is inertia. Many organizations still behave as if AD’s judgment is absolute, even while their infrastructure lives in the cloud. They tolerate gray menus and blocked automation scripts instead of acknowledg
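Because Source of Authority is a per-object flag rather than a tenant-wide setting, the practical first step before flipping anything is an inventory: which groups in the tenant does Entra still show as governed by Active Directory? The script below is an added example, not code from the episode, and uses the Microsoft Graph PowerShell SDK to read each group's `OnPremisesSyncEnabled` flag (the property behind the "controlled by on-premises" read-only state) and sort groups by who currently owns them. It assumes the Microsoft.Graph.Groups module is installed, that the signed-in account can consent to `Group.Read.All`, and that the output path is a placeholder you would change; it only reads, it does not change any group's Source of Authority.

```powershell
# Added example (not from the episode): inventory which Entra ID groups are still
# governed by on-premises Active Directory, using the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph.Groups is installed; the signed-in account can consent
# to Group.Read.All; the CSV path at the end is a placeholder.

Connect-MgGraph -Scopes "Group.Read.All" -NoWelcome

# OnPremisesSyncEnabled is the per-object flag: $true means Active Directory still
# holds the Source of Authority for this group and Entra shows it as read-only.
$groups = Get-MgGroup -All -Property Id,DisplayName,OnPremisesSyncEnabled,
    OnPremisesLastSyncDateTime,OnPremisesSecurityIdentifier,SecurityEnabled,MailEnabled,GroupTypes

$report = foreach ($g in $groups) {
    # Classify the group type so the planning list can be filtered later.
    $kind = if ($g.GroupTypes -contains "Unified") { "Microsoft 365" }
            elseif ($g.MailEnabled -and $g.SecurityEnabled) { "Mail-enabled security" }
            elseif ($g.MailEnabled) { "Distribution" }
            else { "Security" }

    [pscustomobject]@{
        DisplayName       = $g.DisplayName
        Id                = $g.Id
        Kind              = $kind
        SourceOfAuthority = if ($g.OnPremisesSyncEnabled -eq $true) { "Active Directory" } else { "Entra ID" }
        OnPremSid         = $g.OnPremisesSecurityIdentifier
        LastSync          = $g.OnPremisesLastSyncDateTime
    }
}

# Summary: how much of the directory consists of AD-governed ("zombie") groups
# versus groups that Entra already owns.
$report | Group-Object SourceOfAuthority | Select-Object Name, Count

# AD-governed security groups are the ones whose membership cannot be edited in
# Entra; list them so any Source of Authority change is planned per object.
$report |
    Where-Object { $_.SourceOfAuthority -eq "Active Directory" -and $_.Kind -eq "Security" } |
    Sort-Object DisplayName |
    Export-Csv -Path ".\ad-governed-groups.csv" -NoTypeInformation   # placeholder path
```

The `OnPremSid` and `LastSync` columns are worth keeping in the report: a populated on-premises SID tells you the group is still being matched to an AD object by the sync engine, and a stale last-sync timestamp is an early sign that the "authority" AD claims over a group is no longer being exercised.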