Kerberos can’t survive in untrusted networks, and products like Azure AD and Okta are far more profitable, especially since the license that pays for AD (ie windows, even for Linux clients), is required anyway!
I don't think this trend is as large as SV web devs think it is, nor do I think the trend will continue indefinitely in that direction. My current corporate masters hate the cloud because they want to be in control of their own data and services. They don't want to twiddle their thumbs when somethings wrong while waiting for BigCorp to get around to fixing it. They really, really don't like paying rent on business essential tooling.
And they've pretty much been proven right in all their concerns so far.
Consider both ways: even if you run 100% of your backend on-prems, a significant portion of your routes may go outside to reach roaming employees, remotes, maybe customers for some apps, etc. You likely have some Infrastructure-as-a-Service, dynamic subnetting and addressing for containers, VPNs, firewalls to cross, etc. AD and MS Server DCs in general are just not suited to this environment, where IPs may change on-the-fly, hosts die quickly, etc.
You typically need a more robust, web-compliant solution using e.g. tokens + MFA and web-compliant centralization of authority and certs on e.g. Consul or Red Hat Identity Management.
That being said, IMHO, it's a much saner and safer approach to bite that bullet and setup a rock-solid ID/Auth system on-prems (or at least vendor-agnostic and load-balanced over at least 2 major providers). It's really the kind of low-level infra that you can setup properly once and use for a decade, + cost of extra features you may want to add later.
I think that really big and really small companies will go the way you describe.
Most places want to control capex and limit capacity wastage. Nobody wants to invest in datacenter facilities. Even the government, which has access to super cheap capital, is embracing cloud.
The shift is real. In my area, a major infrastructure OEM like HPE has like 2 CEs that cover the region. There was probably 14-16 20 years ago.
That's not a trend we're interested in following. You bring your own device? Fine, it's on the guest network that is treated like the internet as far as our services are concerned. This isn't rocket science.
Kerberos can’t survive in untrusted networks, and products like Azure AD and Okta are far more profitable, especially since the license that pays for AD (ie windows, even for Linux clients), is required anyway!