The future of Active Directory: Why it's not going anywhere soon
Here's why the future of Active Directory looks nothing like the industry expected.
Published June 29, 2026
A relic from the 1990s, Active Directory (AD) should be long gone. The fact that it isn't tells us something important about the future of Active Directory, networking, and identity management.
In 2018, respected Gartner Research vice president Dave Cappuccio made a striking prediction: by 2025, 80% of enterprises would have shut down their traditional datacenters and moved to the cloud. After a decade of rapid cloud growth, few would have argued with him at the time. The cloud was turning applications into services, freeing organizations from the limitations of running their own networks.
"The role of the traditional data center is being relegated to that of a legacy holding area, dedicated to very specific services that cannot be supported elsewhere, or supporting those systems that are most economically efficient on-premises," Cappuccio wrote.
He wasn't alone. Cisco made a similar prediction the same year: the future of computing lay with vast hyperscalers, a trend that spelled economic doom for the traditional datacenter.
Both were partially right. There has been a seismic shift towards the cloud. But a large majority of organizations are still running on-premise datacenters, and there's no sign that this will change anytime soon.
So why are organizations still running on-premise infrastructure? And will this continue indefinitely? Or is this just the right prediction on the wrong timescale?
The tech industry is heavily invested in the idea that new developments wait for no one. When something new arrives, the argument goes, organizations and individuals should jump aboard or risk being left behind.
Eventually, the new thing will in turn be replaced by something better still. It's a never-ending cycle that journalist Michael Lewis famously satirized as a restless search for the next disruptive "new new thing."
Skeptics have long pointed out that while this repeating cycle of disruption serves the companies selling new technology, it doesn't necessarily work as well for the customers buying it. The problem is that sales hype ignores or misunderstands the adoption cycle. Organizations don't buy tech because it's fashionable. They buy it because it performs a necessary task at an economically viable price. Inevitably, new tech has drawbacks just as older tech does. The trick is to work out where the balance lies to best support business outcomes.
Put another way, when organizations adopt something new, it doesn't mean they automatically abandon what they already have if it still works. History is full of examples: television replaced radio and cinema as the dominant entertainment medium in the 1960s, but both radio and cinema have remained hugely popular. It wasn't a question of better or worse, old or new. Each served a different need.
It turns out that cloud adoption follows the same principle. Organizations deploy it where they see value, while continuing to use on-premise applications and Active Directory identity and access management (IAM) where it makes sense. Since 2018, organizations have invested heavily in cloud platforms for application and data development while keeping on-premise infrastructure, built around Active Directory, to do the things that cloud platforms still do less well, or with greater complexity or cost.
While it's true that enterprise datacenters support legacy applications that won't run in the cloud, there's always more going on beneath the surface.
In 2025, a Microsoft survey of 246 hands-on IT professionals investigated the continuing popularity of Active Directory in an era supposedly pivoting inexorably towards Azure and Entra ID. They got some revealing answers.
32% of organizations were using Entra ID for IAM
93% described themselves as "hybrid"
54% still run workloads on-premise with Active Directory
In total, 28% believed it would take them 5–10 years to reach a 50-50 split between environments
19% predicted an even split might take 10 years or more
And remember, these are only the numbers to reach an even split.
Notably, 36% believe their organizations will never be cloud-only. They expect their networks will be hybrid indefinitely.
On this evidence, the notion that cloud is about to wipe out on-premise is not only exaggerated and unlikely within the next few decades; a significant number of customers will simply never reach that state at all.
As Microsoft principal software engineer Linda Taylor summed up the findings: "Customers feel pressure to move to the cloud, but they see the benefit of having both on-premises AD and Entra ID living side by side together."
This points toward a future of Active Directory that is more diverse and complex than the industry often acknowledges.
Some environments, new setups built by startups and tech companies, will be cloud-only. But more will embrace a hybrid by default. And a smaller percentage, concentrated in highly regulated sectors, will remain largely on-premise.
If big tech promotes disruptive cloud migration, customers are clearly more pragmatic. And this is not ideological.
According to the Microsoft survey, organizations sticking with on-premise datacenters do so for good reason:
A need to support specific applications
A desire for control
Cost concerns
This shouldn't surprise anyone. Sending data and applications to the cloud means becoming dependent on a service provider in ways that can become uncomfortable in sectors trying to meet the demands of tight compliance and regulation. For these organizations, independence and sovereignty over their own infrastructure isn't optional.
Cost is another operational reality that trumps convenience for many organizations. Migrating applications to the cloud can be expensive. Even more so when measured against the already-sunk cost of a datacenter network already paid for over years. Survey feedback also cited concerns about cloud availability, something which has only grown more acute recently.
The world got an extreme demonstration of this vulnerability during recent conflict in the Middle East, when several Gulf State datacenters were badly disrupted by drone strikes.
The lesson isn't that identical attacks will happen elsewhere. It's what the incident illustrates: that massive disruption to digital societies can be triggered by targeting centralized cloud infrastructure. Over-centralization is a strategic risk.
When IS Decisions was founded in 2000, almost everything we're talking about here would have been hard to imagine. Running Windows Server and Active Directory on-premises was simply how everybody operated. UserLock added value in this world by offering concurrent session controls, an important security capability that Active Directory still lacks today.
Active Directory was the world's most popular identity platform. It was, and still is, far from complete or perfectly secure.
Many features now seen as essential barely existed back then. A vast ecosystem of organizations such as IS Decisions filled in the missing pieces Microsoft had left out. It's a model that has been extended over time by adding security layers such as multi-factor authentication (MFA), single sign-on (SSO), and contextual access controls now considered mandatory for well-run IAM. Organizations in air-gapped environments or with datacenter-specific requirements have particularly relied on this kind of layered approach.
The real question is why Active Directory didn't die years ago. Thirty years is a long time for any computing technology to hang around. By rights, it should be long gone. And yet it not only survives, but it's viewed by many organizations as an asset worth continuing to invest in.
Microsoft de-prioritized Active Directory because it believed the future of identity management lay with its centralized cloud database, Entra ID. And in the long run, for most organizations, they'll eventually be proven right. But the assumption that Active Directory would quickly wither hasn't proven correct yet, and won't anytime soon. Customers continue to use it for all the reasons discussed above.
Despite its age and limitations, Active Directory is not a pure legacy system. A legacy system is one you hang on to for bad reasons, or because you're trapped. Something you plan to retire the moment it's practical. This is not a good description of how most organizations use Active Directory today.
At IS Decisions, we view Active Directory less as an aging identity store than as a full-fledged platform. One for organizations that use cloud applications, of course, but want to retain control over their own security.
The point about Active Directory being a platform matters because it means its core, Group Policy Objects (GPOs), can be built on and extended by a separate system. It is not secure or easy to defend out of the box, but it is as securable as any other system when modernized and extended with the right technology.
Most modern identity security tools are built cloud-first and reach back toward on-premises Active Directory as an add-on: a legacy edge case to be tolerated until migration is complete.
We start from the opposite premise. Active Directory is a foundation, not a way station. That means organizations don't have to choose between securing the environment they have today and moving toward the one they'll have tomorrow. They can do both, at their own pace, without being forced to a destination they haven't chosen.
In other words, there's no need to migrate to Entra ID simply to implement IAM. Cloud and Active Directory can be integrated while retaining internal control over identity. For many organizations, if they take that journey, it will take years, not months. We're built to walk it with them.
For many organizations, this is what the future of Active Directory actually looks like: a multi-polar world where some services run remotely and others run in-house, in a modernized datacenter running Active Directory, an identity platform whose usefulness has somehow outlived every prediction of its demise.