Why "Cloud-First Hybrid" is the Smart Path to Microsoft 365 Modernization

The Reality of Legacy Infrastructure in 2025

If you're running an on-premises Active Directory environment in 2025, you're not alone—and you're not behind. Thousands of organizations still rely on domain controllers, file servers, and print servers because they work. But as Microsoft pushes harder into cloud-first licensing (Business Premium, E3, E5), IT leaders are facing a tough question:

"How do we get modern identity and device management without disrupting our file and print services?"

The answer isn't always "migrate everything to the cloud." Sometimes, the smartest move is a Cloud-First Hybrid architecture—and I'm seeing more organizations choose this path for good reason.

The Problem with "All or Nothing" Cloud Migrations

When organizations start planning their Microsoft 365 modernization, they're often presented with two options:

Option 1: Stay Hybrid Forever

  • Keep Azure AD Connect syncing on-premises AD to Entra ID
  • Maintain full on-premises infrastructure
  • Users stay domain-joined to local DCs
  • Result: No real modernization—just M365 licenses on top of old architecture

Option 2: Full Cloud Migration

  • Decommission all on-premises infrastructure
  • Migrate file servers to SharePoint or Azure Files
  • Implement Universal Print for cloud-based printing
  • Result: Maximum disruption, high cost, long timeline

The problem? Option 1 doesn't deliver modern security and management. Option 2 is expensive, risky, and forces users to change workflows they've relied on for years.

There's a third way.

Introducing Cloud-First Hybrid Architecture

Cloud-First Hybrid flips the traditional hybrid model on its head:

  • Users: 100% cloud-managed (Entra ID only, no AD sync)
  • Devices: Entra ID Joined with Intune management (no domain join)
  • File Server: Stays on-premises with Entra ID Kerberos authentication
  • Print Server: Stays on-premises with hybrid authentication
  • Domain Controller: Maintained in minimal footprint for server authentication only

What makes this different?

You get 90% of the cloud benefits—modern identity, device management, security features—while keeping your file and print services exactly where they are. No forced migration. No user disruption. No massive budget.

How Entra ID Kerberos Changes Everything

The key enabler for Cloud-First Hybrid is Entra ID Kerberos, a Microsoft feature that allows cloud-only user accounts to authenticate to on-premises file servers.

Here's how it works:

  1. User signs into an Entra ID Joined workstation with cloud credentials (their Entra ID UPN)
  2. During sign-in, the device obtains a Kerberos ticket from Entra ID (not the on-prem DC)
  3. When the user accesses \\fileserver\share, the device presents the Entra ID Kerberos ticket
  4. The file server validates the ticket and grants access based on NTFS permissions
  5. User experience: Identical to traditional domain authentication

The magic: Users access on-premises file shares with mapped drives that work exactly as they always have—but they're authenticating with cloud identities.

No VPN required. No Azure AD Domain Services needed. No expensive file migration.

Real-World Example: American Ramp Company

Let me walk you through a recent project that illustrates this perfectly.

The Challenge

ABC Company came to us with a common scenario:

  • 125 users on traditional on-premises Active Directory
  • File server with ~450GB data across multiple shares
  • Print server with delegation controlling who accesses which printers
  • Aging Domain Controllers that needed replacement consideration
  • Budget-conscious leadership wanting to modernize without breaking the bank

Their requirements were clear:

  1. Get modern security features (MFA, Conditional Access, threat protection)
  2. Modernize device management (move away from Group Policy)
  3. Keep file server on-premises (no appetite for SharePoint migration)
  4. Maintain print server delegation (critical for their workflows)
  5. Preserve mapped drive experience (users couldn't lose productivity)

The Solution: Cloud-First Hybrid

We designed an architecture that delivered everything they needed:

Identity Modernization:

  • Migrated 125 users to cloud-only Entra ID accounts (no Azure AD Connect)
  • Enabled MFA, Conditional Access, Self-Service Password Reset
  • Eliminated on-premises user account management entirely

Device Transformation:

  • Transitioned all workstations to Entra ID Join (not domain-joined)
  • Replaced all Group Policy with Intune configuration policies
  • Users sign in with cloud credentials, get seamless SSO to M365

File Access Continuity:

  • Configured Entra ID Kerberos on the file server
  • Updated NTFS permissions to reference Entra ID users/groups
  • Deployed mapped drives via Intune PowerShell scripts
  • Result: Users access \\fileserver\share exactly as before

Print Server Preservation:

  • Kept print server on-premises with AD-based delegation intact
  • Configured hybrid authentication using service accounts
  • Deployed printers via Intune
  • Result: Printing works identically, delegation preserved

Infrastructure Optimization:

  • Maintained one Domain Controller in minimal footprint mode
  • Removed all user accounts from AD (only server computer accounts remain)
  • DC authenticates file/print servers only—no user management
  • Eliminated second DC for reduced footprint

The Results

Timeline: 30 days from kickoff to completion
Cost: $9,000 (vs. $20,000+ for full cloud migration)
User Disruption: Minimal—files and printing unchanged
Ongoing Costs: ~$20/month (DC electricity vs. $140-160/month for Azure AD DS)

Business Outcomes:

  • Modern identity security (MFA, Conditional Access) enabled immediately
  • Cloud-based device management (Intune) operational
  • Zero change to file/print workflows (users didn't skip a beat)
  • IT team eliminated user account management overhead
  • Organization positioned for future cloud migration when ready

The Economics: Why Cloud-First Hybrid Wins

Let's compare the three approaches over 5 years:

Total Cost of Ownership (5 Years)

Approach                    Upfront     Monthly     5-Year Total
Traditional Hybrid          $0          $0          $0 + aging hardware risk
Cloud-First Hybrid          $9,000      $20         $10,200
Azure AD Domain Services    $11,000     $150        $20,000
Full Cloud Migration        $20,000     $160        $29,600

Savings with Cloud-First Hybrid:

  • vs. Azure AD DS: $9,800 over 5 years
  • vs. Full Cloud: $19,400 over 5 years

But it's not just about cost. It's about:

  • Risk reduction: Fewer moving parts, lower chance of failure
  • Timeline: 30 days vs. 8-10 weeks for full migration
  • User adoption: No workflow changes means no resistance
  • Strategic flexibility: Can migrate files to cloud later when ready

When Cloud-First Hybrid Makes Sense

This architecture is ideal when:

  • You want modern identity and device management (MFA, Conditional Access, Intune)
  • File server needs to stay on-premises (regulatory, latency, or preference)
  • Mapped drives are non-negotiable (users depend on drive letters)
  • Print delegation is critical (AD groups control printer access)
  • Budget is limited (can't justify $20k+ for file migration)
  • Timeline is tight (need to deliver in 30-45 days)
  • You're risk-averse (don't want to disrupt core workflows)

When You Should Consider Full Cloud Instead

Cloud-First Hybrid isn't always the answer. You should migrate fully to cloud when:

  • On-premises infrastructure is failing (DCs dying, file server hardware dead)
  • You're ready for digital transformation (embracing SharePoint, Teams, modern collaboration)
  • Remote workforce dominates (VPN for file access is painful)
  • Compliance requires cloud (certain regulations mandate cloud storage)
  • You have budget and time (can invest $20k+ and 8-10 weeks)
  • Users are adaptable (willing to learn new file access patterns)

The Technical Deep Dive: What's Involved

For IT teams evaluating this approach, here's what the implementation looks like:

Phase 1: Discovery & Planning (Week 1)

  • Audit current AD structure (users, groups, OUs, GPOs)
  • Document file server shares, permissions, data volume
  • Map print server delegation model
  • Assess Entra ID Kerberos compatibility (requires Windows Server 2019+ with updates)
  • Inventory workstations (need Windows 10 1809+ or Windows 11)
  • Plan Intune policy migration from existing GPOs

Phase 2: Tenant Preparation (Week 2)

  • Upgrade users to Business Premium or E3 licensing
  • Create cloud-only Entra ID accounts (match existing UPNs)
  • Sever Azure AD Connect if currently syncing
  • Configure Conditional Access policies (MFA, device compliance, block legacy auth)
  • Enable Entra ID Kerberos on file server
  • Update NTFS permissions to reference Entra ID users/groups
  • Build Intune configuration policies (replacing GPOs)
  • Create mapped drive deployment scripts (PowerShell via Intune)
  • Configure print server hybrid authentication
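The Conditional Access step above (MFA, device compliance, block legacy auth), as an added example that is not the author's or Microsoft's code: Microsoft Graph PowerShell creating the three policies in report-only mode so sign-in logs can be reviewed before enforcement. Policy names are assumed, and the break-glass account object ID is a placeholder you must replace.

```powershell
# Added example, not the author's or Microsoft's code. Creates three baseline
# Conditional Access policies in report-only mode with Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph.Identity.SignIns module and an admin with the listed scopes.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder GUID: your emergency-access account's object ID, excluded from every policy
$breakGlass = @('00000000-0000-0000-0000-000000000000')
$allUsersAllApps = @{
    users        = @{ includeUsers = @('All'); excludeUsers = $breakGlass }
    applications = @{ includeApplications = @('All') }
}
$modernClients = @{ clientAppTypes = @('browser', 'mobileAppsAndDesktopClients') }

$policies = @(
    @{
        displayName   = 'CFH-01 Require MFA for all users'
        state         = 'enabledForReportingButNotEnforced'   # review sign-in logs, then set 'enabled'
        conditions    = $allUsersAllApps + $modernClients
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{
        displayName   = 'CFH-02 Require compliant device'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $allUsersAllApps + $modernClients
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
    },
    @{
        displayName   = 'CFH-03 Block legacy authentication'
        state         = 'enabledForReportingButNotEnforced'
        # Legacy protocols cannot perform MFA, so they are blocked outright
        conditions    = $allUsersAllApps + @{ clientAppTypes = @('exchangeActiveSync', 'other') }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    }
)

foreach ($policy in $policies) {
    $name = $policy.displayName
    if (Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$name'") {
        Write-Host "Policy '$name' already exists; skipping"
        continue
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Select-Object DisplayName, State
}
```

Switch each policy's state to 'enabled' only after the report-only results show no unexpected blocks for the break-glass account or for service workflows.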

Phase 3: Device Migration (Week 3)

  • Pilot: 10 devices representing diverse user roles
    • Unjoin from domain
    • Join to Entra ID
    • User signs in with cloud credentials
    • Validate mapped drives, printing, apps
    • Collect feedback and refine
  • Full Rollout: Remaining devices in batches
    • Schedule migration windows with users
    • IT assists with device re-join
    • Real-time support for issues

Phase 4: Optimization & Closeout (Week 4)

  • Validate all users can access files and print
  • Remove user accounts from on-premises AD
  • Disable user-facing GPOs
  • Optimize Intune policies based on feedback
  • Demote second DC (if present) to reduce footprint
  • Document architecture and procedures
  • Conduct knowledge transfer with IT team

Common Questions & Concerns

"Will mapped drives really work the same way?"

Yes. With Entra ID Kerberos, users access \\fileserver\share with drive letters (H:, S:, etc.) exactly as they do today. The authentication happens transparently using their cloud credentials. We deploy the drive mappings via Intune PowerShell scripts that run at login.

The only difference users notice: They sign into their device with their M365 email address instead of DOMAIN\username. The drives just appear—exactly as before.
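The Intune drive-mapping script mentioned in Phase 2 and in the answer above, as an added example that is not the author's script: it maps drives by server hostname (Kerberos needs an SPN match, so an IP address will not work), passes no credentials so authentication rides on the ticket obtained at sign-in, and exits quietly when the server is unreachable instead of stalling an off-network sign-in. The server FQDN and share names are assumptions.

```powershell
# Added example, not the author's script. Intune PowerShell script run in the
# signed-in user's context on an Entra ID Joined device to map on-premises shares.
# $FileServer and the share names are assumptions; substitute your own.

$FileServer = 'fileserver.corp.example'   # hostname, never an IP: Kerberos needs an SPN match
$Drives = @{
    'S' = "\\$FileServer\shared"
    'P' = "\\$FileServer\projects"
}
$Log = Join-Path $env:LOCALAPPDATA 'MapDrives.log'

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Out-File -FilePath $Log -Append -Encoding utf8
}

# Off-network laptops: skip quietly rather than hang sign-in on an unreachable server.
if (-not (Test-NetConnection -ComputerName $FileServer -Port 445 -InformationLevel Quiet)) {
    Write-Log "Port 445 on $FileServer unreachable; drives not mapped this sign-in"
    exit 0
}

foreach ($letter in $Drives.Keys) {
    $path = $Drives[$letter]
    $existing = Get-PSDrive -Name $letter -ErrorAction SilentlyContinue
    if ($existing -and $existing.DisplayRoot -eq $path) { continue }   # already correct
    if ($existing) { Remove-PSDrive -Name $letter -Force }              # stale pre-migration mapping
    try {
        # No -Credential: SMB authenticates with the Kerberos ticket obtained at sign-in,
        # so no password is stored in the script or prompted for at logon.
        New-PSDrive -Name $letter -PSProvider FileSystem -Root $path -Persist -Scope Global -ErrorAction Stop | Out-Null
        Write-Log "Mapped ${letter}: to $path"
    } catch {
        Write-Log "Failed to map ${letter}: to $path - $($_.Exception.Message)"
    }
}
```

Assign the script in Intune to run using the logged-on credentials, and check the per-user log under %LOCALAPPDATA% during the pilot to confirm the Kerberos path is working before the full rollout.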

"What happens if the file server goes down?"

Same as today—users can't access files. This architecture doesn't change your file server availability model. If you need high availability, you'd still need clustering, DFS, or backup file servers (just as you would in a traditional setup).

The difference: You're not adding new dependencies. The file server works with cloud identities but doesn't require internet connectivity to function locally.

"Does Entra ID Kerberos require a VPN to Azure?"

No. Entra ID Kerberos works over your standard network. The Kerberos ticket is obtained from Entra ID during user sign-in (which requires internet), but file server access after that works over your local network just like traditional Kerberos.

For remote users accessing the file server over VPN, access works exactly as it does today.

"What about applications that need LDAP?"

Most modern applications support SAML or OAuth and can authenticate directly to Entra ID. For legacy apps that require LDAP:

  • Azure AD Application Proxy can bridge SAML to LDAP for some scenarios
  • Azure AD Domain Services provides full LDAP (but adds cost/complexity)
  • Keep the app on a server joined to your minimal DC (it can still use LDAP locally)

In practice, we rarely encounter blockers—most "LDAP-dependent" apps have cloud authentication options that weren't configured.

"How long does the minimal DC stay around?"

As long as you need it. Many organizations run this way for 3-5 years until:

  • The file server hardware needs replacement (then migrate to Azure Files)
  • The DC hardware fails (then move to Azure AD DS if needed)
  • The business is ready for full SharePoint adoption

This architecture isn't a hack—it's a deliberate, sustainable model. You're not "stuck" in hybrid; you're choosing to keep infrastructure that works while modernizing everything else.

"What's the catch?"

Honestly? There isn't one, if your requirements align. The "catch" is:

  • You still have some on-premises infrastructure (1 DC, file server, print server)
  • You're still responsible for patching/maintaining those servers
  • If the DC dies, you'd need to rebuild or migrate to Azure AD DS

But compared to the cost, risk, and disruption of full cloud migration, this is a much smaller trade-off for most SMBs and mid-market organizations.

The Strategic Advantage: Flexibility

What I love about Cloud-First Hybrid is the optionality it preserves.

You're not locked in. You can:

  • Migrate files to cloud later when budget allows or business is ready
  • Implement Universal Print when printers need replacement
  • Move to Azure AD DS if the DC hardware fails
  • Stay in this model indefinitely if it continues to meet your needs

You've modernized identity and device management—the hard part. File migration is easy in comparison, and you can do it when the timing is right.

Final Thoughts: Pragmatism Over Purism

I've been in the Microsoft infrastructure space for 20+ years. I've seen organizations rush into cloud migrations because "cloud is the future" and regret the disruption, cost, and user backlash.

I've also seen organizations stay on-premises too long and struggle with security incidents, compliance gaps, and inability to adopt modern productivity tools.

Cloud-First Hybrid is the pragmatic middle path.

You get:

  • Modern security (MFA, Conditional Access, Zero Trust controls)
  • Modern management (Intune, cloud-based policies)
  • Modern productivity (M365 apps with SSO and collaboration)

Without:

  • Disrupting core workflows (files and printing)
  • Breaking the budget (affordable implementation)
  • Taking excessive risk (proven, supported architecture)

If you're running on-premises AD today and looking at Business Premium or E3 licensing, don't assume you need to migrate everything at once. Consider Cloud-First Hybrid—it might be exactly what your organization needs.

Want to Explore Cloud-First Hybrid for Your Organization?

I help organizations design and implement these migrations through my consulting practice. If you're evaluating your options, let's talk.

What I can help with:

  • Architecture assessment (is Cloud-First Hybrid right for you?)
  • Entra ID Kerberos compatibility validation
  • Intune policy design (GPO migration planning)
  • Implementation planning and execution
  • Knowledge transfer and training for your IT team

Contact Me

Or download my free guide: The Cloud-First Hybrid Playbook: Modernizing Microsoft 365 Without Migrating Files

About the Author:

Alexander Haynes is a Principal Security Architect specializing in Microsoft 365 security, Azure migrations, and hybrid cloud architecture. With 20+ years in enterprise infrastructure and certifications including SC-100, SC-200, SC-300, SC-400, and AZ-500, he helps organizations modernize their identity and security posture while maintaining operational continuity. Based in New York City, Alexander works with SMBs and mid-market organizations across North America.