MystaJoneS

If you're not making mistakes, then you're not doing anything.

Keeping an on-premise Active Directory (AD) domain rather than moving entirely to Microsoft Entra ID (formerly Azure AD) can still be justified for a mining company in several scenarios, especially when considering operational, security, and legacy infrastructure needs. Here’s a breakdown of why you’d retain an on-premise domain:



🔧 1. Legacy Applications and Systems

  • Many mining environments still use legacy ERP, SCADA, or other operational systems that depend on traditional AD for authentication and cannot integrate directly with Entra ID.
  • Examples include:
    • Old Windows services or servers using NTLM/Kerberos
    • On-premise SQL Servers tied to domain accounts
    • Equipment management software that doesn’t support modern auth

πŸ› οΈ 2. Industrial Control Systems (ICS) and OT Environment Integration

  • Operational Technology (OT) in mining sites may not be internet-facing and often relies on air-gapped or isolated domains.
  • Integrating Entra ID directly into these environments is risky or impractical due to:
    • Limited or no cloud access from OT networks
    • Strict regulatory requirements
    • Need for real-time, local authentication with low latency

🧰 3. Group Policy and Local Machine Management

  • Group Policy Objects (GPOs) are still only available via on-prem AD, not Entra ID.
  • This is crucial for:
    • Controlling security settings
    • Device configuration for domain-joined Windows machines
    • Managing shared resources (e.g., file servers, print services)

πŸ” 4. Kerberos Authentication and Advanced Access Controls

  • Some mining systems require Kerberos authentication, which Entra ID does not support in the same way as AD.
  • On-premise AD allows for:
    • Delegated authentication
    • Fine-grained service account permissions
    • Trust relationships between domains (for joint ventures, etc.)

🚧 5. Site Reliability and Offline Operation

  • Remote mining sites can suffer from limited or unreliable internet connectivity.
  • On-prem AD ensures:
    • Continued user and service authentication during outages
    • Access to local resources even if the cloud is unreachable
    • Independence from cloud-based identity during network failure

🧾 6. Compliance, Audit, or Sovereignty Requirements

  • Some mining companies are subject to Australian data sovereignty, ISO, or other compliance requirements that mandate local identity controls.
  • On-prem AD supports:
    • Centralized audit logging
    • Custom security models aligned with internal policies
    • Easier integration with local SIEM and compliance tools

πŸ›€οΈ 7. Hybrid Model is Often the Best Fit

  • Most mining companies today operate in a hybrid identity model:
    • On-prem AD + Entra ID via Entra Connect (Azure AD Connect)
    • Use Entra ID for M365, SaaS apps, and mobile workers
    • Retain AD for core infrastructure, OT, and reliability

Summary Table

| Reason                         | On-Prem AD | Entra ID |
|--------------------------------|------------|----------|
| Legacy apps support            | ✅         | ❌       |
| GPO support                    | ✅         | ❌       |
| OT/ICS integration             | ✅         | ❌       |
| Offline operations             | ✅         | ❌       |
| Kerberos authentication        | ✅         | ❌       |
| Modern cloud-based services    | ❌         | ✅       |
| Mobile workforce & SaaS auth   | ❌         | ✅       |
| Zero Trust & Conditional Access| ❌         | ✅       |

If you’re modernising, the goal should be to minimize reliance on on-prem AD over time; but in mining, it’s rarely safe or practical to eliminate it entirely without a long and careful transition, especially in sites where uptime and legacy system integration are critical.
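Before reducing reliance on on-prem AD, you need to know which accounts and hosts still depend on it, and the legacy NTLM/Kerberos users listed in section 1 are the usual blockers. As an added example (not code from the original post), the script below classifies exported Security 4624 logon events, in the XML shape Get-WinEvent's ToXml() returns, by authentication package and lists the NTLM dependents. The sample events are constructed; every account, host name and address in them is invented.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
def _sample(event_id, **fields):
    """Build a constructed event in the shape Get-WinEvent's ToXml() returns (not a real log)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{data}</EventData></Event>')

SAMPLE_EVENTS = [  # constructed samples: accounts, hosts and addresses are invented
    _sample(4624, TargetUserName="svc_scada", TargetDomainName="MINE", LogonType=3, AuthenticationPackageName="NTLM",
            LmPackageName="NTLM V1", WorkstationName="HIST01", IpAddress="10.20.0.15"),
    _sample(4624, TargetUserName="jsmith", TargetDomainName="MINE", LogonType=3, AuthenticationPackageName="Kerberos",
            LmPackageName="-", WorkstationName="FS01", IpAddress="10.20.0.40"),
    _sample(4624, TargetUserName="svc_erp", TargetDomainName="MINE", LogonType=3, AuthenticationPackageName="NTLM",
            LmPackageName="NTLM V2", WorkstationName="ERPAPP", IpAddress="10.20.1.7"),
    _sample(4625, TargetUserName="svc_erp", TargetDomainName="MINE", LogonType=3, AuthenticationPackageName="NTLM",
            LmPackageName="-", WorkstationName="ERPAPP", IpAddress="10.20.1.7"),            # failed logon: ignored
    _sample(4624, TargetUserName="admin", TargetDomainName="MINE", LogonType=2, AuthenticationPackageName="NTLM",
            LmPackageName="NTLM V2", WorkstationName="DC01", IpAddress="-"),                # console logon: ignored
]

def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one exported event."""
    root = ET.fromstring(xml_text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return root.findtext("e:System/e:EventID", namespaces=NS), data

def classify(data):
    """Map a 4624 event's auth fields to kerberos / ntlm_v1 / ntlm_v2 / other."""
    lm = data.get("LmPackageName", "")
    if "NTLM" in lm:                       # LmPackageName names the NTLM flavour actually used
        return "ntlm_v1" if "V1" in lm else "ntlm_v2"
    return "kerberos" if data.get("AuthenticationPackageName") == "Kerberos" else "other"

def inventory(events):
    """Count auth kinds per (account, workstation, source IP) over successful network logons."""
    out = {}
    for xml_text in events:
        event_id, d = parse_event(xml_text)
        if event_id != "4624" or d.get("LogonType") != "3":   # successful network logons only
            continue
        key = (f"{d['TargetDomainName']}\\{d['TargetUserName']}", d.get("WorkstationName"), d.get("IpAddress"))
        out.setdefault(key, Counter())[classify(d)] += 1
    return out

def ntlm_dependents(events):
    """Sorted (account, workstation, ip) tuples still using NTLM: on-prem AD dependencies to track."""
    return sorted(k for k, c in inventory(events).items() if c["ntlm_v1"] + c["ntlm_v2"] > 0)
```

Run it against a real export (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} piped through ToXml()) over a few weeks to catch batch jobs that only authenticate occasionally.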
