Why AWS is Losing the Enterprise Control Plane

Most organizations believe AWS is winning the cloud war. They’re looking at the wrong battlefield. Yes, AWS dominates infrastructure.
Yes, they run more workloads than anyone else.
Yes, they won the first era of cloud computing. But the enterprise war has moved. The fight is no longer about compute, storage, or service catalogs.
It’s about identity, policy, and governance across hybrid environments. Over 80% of enterprises are hybrid — and hybrid isn’t a transition state. It’s the end state. In a hybrid world, the winner isn’t the provider with the most instances.
It’s the provider that controls identity, policy enforcement, and compliance. That company is Microsoft. SECTION 1: The Infrastructure War Is Over — AWS Won Let’s be clear:

• AWS holds ~32% global cloud infrastructure market share.
• 230+ services across compute, storage, networking, AI.
• 33 regions, 105 availability zones.
• Deep DevOps maturity and cost optimization tooling.

AWS built the modern cloud. But infrastructure dominance does not equal governance dominance. Around 2020, enterprises hit architectural sprawl:

• AWS
• Azure
• Google Cloud
• On-prem
• SaaS everywhere

The real problem stopped being “where do we run this?”
It became “how do we govern identity and policy across all of it?” AWS IAM governs AWS resources. Microsoft Entra ID governs people. That distinction matters. AWS owns compute.
Microsoft owns the employee surface area. And governance always lives where work happens. SECTION 2: What a Control Plane Actually Is A control plane isn’t servers. It’s the system that governs:

• Who gets access
• Under what conditions
• Across which environments
• With what audit trail

A true enterprise control plane requires:

1. Identity origin — one authoritative source of truth
2. Context-aware policy — real-time evaluation, not static roles
3. Unified governance — one compliance and audit framework across clouds

AWS IAM is resource-centric. Microsoft Entra ID is identity-centric. When Entra federates AWS, Microsoft issues the token. AWS becomes downstream. That’s not coexistence.
That’s architectural hierarchy. SECTION 3: Entra ID’s Gravity — 1 Billion Active Users Microsoft Entra ID has over 1 billion monthly active users. That scale creates gravity. Because:

• 95% of Fortune 500 use Microsoft 365
• Teams is where decisions happen
• SharePoint is where documents live
• Outlook is where authority flows

When employees authenticate, Entra issues the tokens. When they access AWS, Entra evaluates the policy first. Even if the workload runs on AWS: Microsoft controls the gate. That’s control-plane gravity. SECTION 4: Conditional Access — Policy That Moves With Identity AWS IAM:

• Static policies
• Role-based permissions
• Infrastructure-scoped access

Microsoft Conditional Access:

• Context-aware evaluation
• Location-based enforcement
• Device compliance checks
• Real-time risk assessment

Same user.
Different access outcome.
Based on context. That’s governance before breach. AWS Security Hub detects.
Conditional Access prevents. One is reactive.
One is preventative. In hybrid environments, prevention defines the control plane. SECTION 5: Defender for Cloud — Multi-Cloud Governance AWS Security Hub aggregates AWS signals. Microsoft Defender for Cloud governs Azure, AWS, GCP, and on-prem under one policy engine. That’s the difference. When an AWS incident occurs:

• Defender correlates identity
• Evaluates policy context
• Enforces remediation

AWS provides infrastructure telemetry. Microsoft provides cross-platform governance. In a hybrid world, the cross-platform layer wins. SECTION 6: Sentinel & Purview — Compliance as a Competitive Weapon Infrastructure compliance ≠ enterprise compliance. AWS Config:

• Infrastructure configuration state
• Encryption status
• Resource hygiene

Microsoft Purview + Sentinel:

• Data classification
• DLP enforcement
• Insider risk detection
• eDiscovery
• Unified audit logs

Regulators don’t audit EC2. They audit access, data, retention, and proof of enforcement. Microsoft owns that layer. Even when workloads run on AWS. SECTION 7: The M365 Gravity Well Work happens inside Microsoft 365. And governance follows work.

• Identity through Entra
• Approvals via Power Automate
• Data classification via Purview
• Monitoring via Sentinel
• Policy via Conditional Access

Even if compute sits on AWS:
Governance sits on Microsoft. AWS doesn’t own the workflow layer. Without owning workflow, you can’t own governance. SECTION 8: Copilot — Control Plane Acceleration Copilot is not just AI. It is governance acceleration. To deploy Copilot safely, you need:

• Data classification
• Tight identity scoping
• Strong DLP
• Context-aware policy

AI forces enterprises to harden governance. And that governance stack is Microsoft. AWS Bedrock offers compute. Copilot forces control-plane reinforcement. AI increases Microsoft’s gravity. SECTION 9: Azure Arc — Governing Competitor Infrastructure Azure Arc projects Azure policy onto:

• AWS EC2
• On-prem servers
• Edge infrastructure

This is governance abstraction. AWS Outposts extends hardware. Arc extends policy. In enterprise IT, software abstraction always wins. Microsoft abstracts infrastructure away entirely. SECTION 10: Entra Kerberos — Killing the Domain Controller Historically: Kerberos required on-prem AD. Entra Kerberos turns Entra ID into a cloud-native KDC. Now:

• Cloud-only identities
• No domain controllers
• No VPN dependency
• No line-of-sight requirements

Microsoft removed the last technical reason to maintain legacy identity infrastructure. Identity gravity deepens. AWS cannot replicate this because IAM was never built as workforce identity. SECTION 11: The Hybrid Inevitability — 90% by 2027 Hybrid is not a failure mode. It is the final architecture.

• Data residency requirements
• Cost optimization
• Latency demands
• Security isolation
• AI burst workloads

Hybrid is optimal. In a hybrid world, governance > infrastructure. Microsoft governs hybrid. AWS optimizes infrastructure. Different layers. Different winners. SECTION 12: Licensing Lock-In — The Financial Control Plane Microsoft Enterprise Agreements bundle:

• M365 E5
• Entra ID P2
• Defender
• Sentinel
• Purview
• Copilot

Identity.
Compliance.
AI.
Workflow.
Security. Bundled into one integrated control layer. AWS cannot bundle workforce governance because they don’t own it. Enterprises extend Microsoft governance across AWS workloads

Become a supporter of this podcast: https://www.spreaker.com/podcast/m365-fm-modern-work-security-and-productivity-with-microsoft-365–6704921/support.

If this clashes with how you’ve seen it play out, I’m always curious. I use LinkedIn for the back-and-forth.