Identity has been the slowest-moving piece of the SME IT estate. Servers got virtualised, files moved to the cloud, email moved to Microsoft 365 (M365, the Microsoft cloud bundle: email, Word, Excel, Teams, file storage), but a lot of 30-to-100-seat businesses still had a domain controller (the server that holds your staff logins and permissions) sitting in a comms cupboard humming away, running Active Directory (AD, Microsoft’s identity-and-permissions system, the thing that knows who can log in to what) the way it had since 2015.
That’s changing, and 2026 is the year we’ve seen the centre of gravity actually shift, not because anyone’s running a big cloud-first marketing push (that ship sailed years ago) but because the remaining reasons to keep an on-prem domain controller are running out.
Here’s where the typical SME estate is landing this year, what’s driving the move, and the bit nobody mentions in the migration deck.
The three patterns we see
Across our managed-services book, call it eighty clients in the 20-to-200-seat range, there are basically three identity patterns in 2026.
Pattern 1: Entra-only (cloud-native). No on-prem domain controller. Devices are Entra-joined laptops (joined to Microsoft Entra ID, formerly Azure AD, the cloud version of Active Directory). Sign-in is M365. Conditional access does the work group policy used to do. We see this on every greenfield SME we onboard, and on most companies under 50 seats by their second cloud-first review.
Pattern 2: Hybrid with a token DC. There’s still an on-prem domain controller, but it’s there for one or two specific things: a line-of-business application that won’t authenticate any other way, a print server that needs Kerberos (an older sign-in protocol some apps still require), a legacy file share that hasn’t been migrated. Everything else is cloud-managed. This is the majority of our 50-to-150-seat clients right now.
Pattern 3: Full on-prem AD with M365 layered on top. Domain controller doing the heavy lifting, M365 federated via Entra Connect. Five years ago this was every SME. Now it’s the smallest of our three buckets and shrinking.
The interesting move is Pattern 3 to Pattern 2. We’ve done about a dozen of those in the last eighteen months. Pattern 2 to Pattern 1 is rarer and harder, usually a longer project because somebody, somewhere, is using the on-prem authentication for something nobody documented.
What’s actually driving the shift
It isn’t the marketing pushing the change, it’s three concrete things.
Hardware end-of-life. The 2018-vintage Windows Server box running the domain is hitting end of support, the host hardware is older than that, and replacing the lot to keep doing the same job feels, correctly, like throwing good money after old patterns. The renewal moment forces the decision.
Conditional access has actually got good. Five years ago, cloud-only meant losing the granularity of group policy (the Windows tool that controls what users can and can’t do on a domain), and that’s no longer the case. The Entra conditional-access policies that used to require an enterprise licence are accessible to SMEs, and they do the things SMEs actually need: block sign-ins from unexpected countries, require multi-factor authentication (MFA, needing a code as well as a password) for risky sessions, restrict access to managed devices.
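As an added illustration of the three controls just listed (this is example code written for this article, not a policy set taken from any client), here is what they look like when built with the Microsoft.Graph PowerShell SDK. The home-country list, the break-glass account id and the policy names are assumptions; the policies are created in report-only mode so their effect can be watched in the sign-in logs before enforcement, and the sign-in-risk policy assumes Entra ID Protection licensing is in place.

```powershell
# Added example: three Entra conditional-access policies via Microsoft Graph.
# Country list, break-glass object id and policy names are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# 1. A named location for the countries the business actually operates from (assumed: UK and IE).
$homeCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Home countries'
    countriesAndRegions               = @('GB', 'IE')
    includeUnknownCountriesAndRegions = $false
}

# Emergency-access account excluded from every policy so a bad policy cannot lock everyone out.
$breakGlass = '00000000-0000-0000-0000-000000000000'   # placeholder object id

# Report-only first: evaluate and log, enforce nothing until the sign-in logs look right.
$reportOnly = 'enabledForReportingButNotEnforced'

# 2. Block sign-ins from anywhere that is not a home country.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'CA01 - Block sign-in outside home countries'
    state         = $reportOnly
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($homeCountries.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

# 3. Require MFA when Entra ID Protection rates the session as medium or high risk.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'CA02 - Require MFA for risky sign-ins'
    state         = $reportOnly
    conditions    = @{
        users            = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications     = @{ includeApplications = @('All') }
        signInRiskLevels = @('medium', 'high')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# 4. Only Intune-compliant (managed) devices may reach Microsoft 365.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'CA03 - Require compliant device for Office 365'
    state         = $reportOnly
    conditions    = @{
        users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('browser', 'mobileAppsAndDesktopClients')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
}
```

Each policy object is also what the Cyber Essentials assessor sees when you export it, which is the "screenshot in thirty seconds" point made below: the control and its evidence are the same artefact.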
Cyber-insurance and Cyber Essentials Plus. Both push toward the same controls (MFA on everything, conditional access, endpoint compliance) and both are easier to demonstrate on a cloud-managed estate. We’ve watched clients fail a Cyber Essentials Plus renewal on a control that was theoretically configured on the domain but couldn’t be evidenced. Same control in Entra produces a screenshot in thirty seconds.
What’s coming next
A few things we think will be commonplace by 2027.
Passwordless as default for new estates. Windows Hello for Business and FIDO2 keys (a passwordless sign-in standard using hardware keys or built-in biometrics) are starting to move from “the security-conscious 5%” to “the new-laptop-onboarding default” for SMEs. The cost has dropped, the management story is now in Intune (Microsoft’s device-management tool, the thing that pushes configuration to laptops and phones) rather than a separate console, and the user experience is genuinely better than typing a password into a sign-in page.
Intune as the management layer. Group policy on the way out, Intune in for new device estates. This one’s been promised for years, but the tooling has finally caught up. We’re now setting up Intune policies on greenfield clients in a day, where the on-prem equivalent used to take a week.
File-server retirement gathering pace. SharePoint and OneDrive aren’t a perfect file-server replacement, but they’re now closer than they were, and most of the holdouts are running on a file server that’s about to need a hardware refresh. The replacement conversation is increasingly “do we migrate, or do we just turn this off”.
What we see on the ground
Three patterns worth flagging because they’re where projects go sideways.
The application that won’t move. Every SME has at least one: a bespoke CRM, a finance package on an old version, a job-management system written in 2009. It needs a domain controller because the vendor said so in 2014. The honest question is whether the vendor’s “needs AD” answer still holds, or whether they just never tested anything else. About half the time, when we actually push the vendor, the answer is “modern auth has been supported since v6”. The other half, the application is the project blocker and the migration plan needs to account for it.
The print situation. Print servers and domain joins are still entangled in ways that make migrations untidy. Universal Print is good now, but it’s another moving piece.
Group nesting nobody documented. Hybrid migrations stumble on inherited permissions: the shared drive that’s accessible to three groups, one of which is nested inside another, one of which has a service account in it. None of this is hard to migrate; it just takes finding it first.
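Finding it first is a scripting job, so here is an added example (written for this article, not tooling from any client engagement) that takes a share, reads the groups on its ACL, expands nested groups while recording the nesting path, and flags members that look like service accounts. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the share path and output file are placeholders, and the "likely service account" heuristic (an SPN or a never-expiring password) is an assumption you should tune.

```powershell
# Added example: expand nested AD groups on a share's ACL, keeping the path to each member.
Import-Module ActiveDirectory

function Expand-GroupMembership {
    param(
        [Parameter(Mandatory)] [string] $GroupIdentity,
        [string] $Path = $GroupIdentity,
        [System.Collections.Generic.HashSet[string]] $Visited =
            [System.Collections.Generic.HashSet[string]]::new()
    )
    # AD allows circular nesting (A in B in A); the visited set stops the walk looping.
    # It also means a group reached by two routes is expanded once, via the first route found.
    $group = Get-ADGroup -Identity $GroupIdentity
    if (-not $Visited.Add($group.DistinguishedName)) { return }

    foreach ($m in Get-ADGroupMember -Identity $group.DistinguishedName) {
        if ($m.objectClass -eq 'group') {
            Expand-GroupMembership -GroupIdentity $m.DistinguishedName `
                -Path "$Path > $($m.SamAccountName)" -Visited $Visited
            continue
        }
        $isService = $false
        if ($m.objectClass -like 'msDS-*ServiceAccount') {
            $isService = $true                      # gMSA / sMSA objects
        } elseif ($m.objectClass -eq 'user') {
            # Heuristic (assumption): an SPN or a never-expiring password usually means an app is using it.
            $u = Get-ADUser -Identity $m.DistinguishedName -Properties servicePrincipalName, PasswordNeverExpires
            $isService = ($u.servicePrincipalName.Count -gt 0) -or $u.PasswordNeverExpires
        }
        [pscustomobject]@{
            Principal     = $m.SamAccountName
            Class         = $m.objectClass
            ViaPath       = $Path
            LikelyService = $isService
        }
    }
}

# Domain groups granted on the share (local BUILTIN / NT AUTHORITY entries are skipped).
$share  = '\\FILESERVER01\Finance'   # placeholder
$acl    = Get-Acl -Path $share
$groups = $acl.Access |
    Where-Object { $_.IdentityReference.Value -notmatch '^(BUILTIN|NT AUTHORITY)\\' } |
    ForEach-Object { ($_.IdentityReference.Value -split '\\')[-1] } |
    Sort-Object -Unique

$report = foreach ($g in $groups) {
    if (Get-ADObject -Filter "sAMAccountName -eq '$g' -and objectClass -eq 'group'") {
        Expand-GroupMembership -GroupIdentity $g
    }
}

$report | Sort-Object ViaPath, Principal | Format-Table -AutoSize
$report | Where-Object LikelyService | Export-Csv -NoTypeInformation -Path '.\service-accounts-on-share.csv'
```

The ViaPath column is the part that matters for the migration plan: it tells you which nested group, not just which user, has to be recreated in Entra before the share can move.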
Practical implication for SMEs
If you’re running Pattern 3 today and your domain controller has more than a year of life on the hardware, you’ve got time to plan a proper move. Don’t wait for the hardware to die, because that’s the worst possible moment to design a migration, when the only question on the table is “how fast can we replace it”.
The cleanest sequence we’ve run is: audit what’s actually authenticating against the DC (it’s usually less than people think), pick the application or share that’s the biggest single blocker, find out whether that blocker is real or assumed, and then design the migration around the answer. Most SMEs are six to nine months out from being able to retire their domain controller, but they don’t know it because nobody’s done the audit.
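The first step of that sequence, the audit, comes down to reading the domain controller's own Security log. The following is an added example written for this article (not a script from any engagement) that summarises which accounts are still authenticating, from where, and over which protocol, over a 30-day window. It assumes the DC has "Audit Kerberos Authentication Service" and "Audit Credential Validation" enabled, is run on each DC, and the window and output path are placeholders.

```powershell
# Added example: who and what is still authenticating against this domain controller.
# Requires audit subcategories "Kerberos Authentication Service" and "Credential Validation".
$since = (Get-Date).AddDays(-30)   # placeholder look-back window

# 4768 = Kerberos TGT request (account + source IP); 4776 = NTLM credential validation (account + workstation).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4776; StartTime = $since }

function Get-EventField {
    param($Event, [string] $Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($e in $events) {
    $acct = Get-EventField $e 'TargetUserName'
    if ($e.Id -eq 4768) {
        $src   = (Get-EventField $e 'IpAddress') -replace '^::ffff:', ''   # strip IPv4-mapped prefix
        $proto = 'Kerberos'
    } else {
        $src   = Get-EventField $e 'Workstation'
        $proto = 'NTLM'
    }
    # Machine accounts end in "$"; leave them out so the report shows people and service accounts.
    if ($acct -like '*$') { continue }
    [pscustomobject]@{ Account = $acct; Source = $src; Protocol = $proto; When = $e.TimeCreated }
}

# One line per account / source / protocol, most active first.
$summary = $rows | Group-Object Account, Source, Protocol | ForEach-Object {
    [pscustomobject]@{
        Account  = $_.Group[0].Account
        Source   = $_.Group[0].Source
        Protocol = $_.Group[0].Protocol
        Count    = $_.Count
        LastSeen = ($_.Group | Measure-Object When -Maximum).Maximum
    }
} | Sort-Object Count -Descending

$summary | Format-Table -AutoSize
$summary | Export-Csv -NoTypeInformation -Path '.\dc-auth-audit.csv'   # placeholder path

# Sources that only ever speak NTLM are the usual suspects for the legacy app or share
# that will not follow the users to Entra; list them separately for the blocker review.
$summary | Where-Object Protocol -eq 'NTLM' | Select-Object Source -Unique
```

The NTLM list at the end is normally the shortlist for "pick the biggest single blocker": each entry is a host that is validating credentials against the DC in a way Entra will not replace without the application or share being changed.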
That’s our Managed Services practice. We run the audit, plan the migration, and sit alongside the in-house IT team (or do the work directly) through the transition.
If your DC dies before you’ve planned the move, the migration becomes an emergency, with all the cost and risk that comes with that: extended-hours rebuild, staff locked out of files, a Cyber Essentials renewal you can’t evidence, and a board asking why nobody saw this coming. Six months of planning is a different project from six days of firefighting. The hardware doesn’t give you much notice when it goes.
Looking at a domain controller refresh and wondering whether to replace or retire? Drop us a note at info@jmopartners.co.uk. One of us will read it.
JMO|Partners · Enterprise IT, sized for SMEs.