Growing Pains, Governance and Healthy Hybrid Microsoft

Diana Volere

The struggle of moving to the cloud is real, particularly when you’re trying to move your on-premises Microsoft investment to the cloud. I did a whole webinar on it back in February (you can register here and watch the recording). The only way we can fix where we are is to understand where we started.


Microsoft Active Directory (AD) was implemented, and almost everyone at the organization had an AD account so it was only practical to redirect other applications to authenticate to AD. You made groups for each redirected application and added people who should have access to that application to the group.

After time you directed authorization to AD groups as well, so you made AD groups for all sorts of different authZ combinations. The organization started using Distribution Lists, leading business users to go into AD Users and Computers (ADUC) to create DL group objects.

That is, unless you were trying to keep ADUC locked down and placed the burden of group creation on your AD admins instead. As AD became more business critical, those admins couldn’t keep up with all of the activity and requests.

One thing led to another until you suddenly had more groups than users, no good descriptions, and no understanding of what was out there!

Audit difficulties, duplicate or near-duplicate groups, and invisible business-role ownership all created a spider’s web of confusion.


Maybe you embraced MIM, Microsoft’s Identity Manager, to automate Microsoft identity lifecycle management and some more advanced capabilities. Then, maybe you added Microsoft’s Enterprise and Mobility Suite (EMS+) to help ensure security. While more efficient, you still needed documentation to prove governance around identities and access.

Instead, maybe you use non-Microsoft automation to move people in and out of groups. Maybe you bought or created a tool so non-admins don’t have to go into ADUC to create groups.

However, almost every organization faces auditing and compliance struggles with group duplication and membership staleness.


You likely want to move to Azure AD and are looking at DirSync or Azure AD Connect to extend your on-premises AD into the cloud. However, conventional wisdom says that the first thing you need to do is iron out your current group data and get a governance process in place. This clean-up project will take months (at best), and you want to be in Azure by then, not just starting the plan.

The pain of growth is real!

Over and over, companies tell me that they want to make the jump to cloud, but the process is overwhelming. They either have to scrap their present security and start anew, or they have to go through an exhaustive and predominantly manual rearrangement of nested and duplicate groups.

Over and over, I hear people say, “There has to be some easier way to do this.”


A more comprehensive, secure, and flexible way.

Saviynt Express leverages your existing investment in Microsoft AD and MIM by using these as the foundation to extend identity into the cloud and other applications such as your HR, ERP or ITSM solutions. The AD group complexity is streamlined, bringing true agility to your environment while injecting governance, approval, and auditing into the process.

Business users no longer have to have excessive administrative access to make Distribution Lists for business purposes, but instead have an easy, form-based way to create lists.

Digital transformation, often so elusive, is now attainable. You can modernize your IT infrastructure without ripping out and replacing existing implementations and processes.

Best of all, it doesn’t require a monolithic, multi-year services engagement. Rather, there’s swift deployment and value with Saviynt Express.

Here’s wishing you all a happy, healthy hybrid environment. Stay secure, my friends!
