Identity and Access Management Journey to Microsoft Entra ID
Migrating Identity and Access Management (IAM) from Active Directory to Microsoft Entra ID is a strategic transformation that improves security, simplifies access, and reduces cost.
A common migration journey includes several main phases:
Discovery phase: understand the current environment (directories, applications, devices, and the identity systems they depend on)
Pilot phase: test the new cloud capabilities with a subset of users
Scaling phase: expand the pilots and complete the transitions
Decommissioning phase: stop relying on the old system
During this process, plan user communication and training, and enable features such as self-service password reset (SSPR) and multi-factor authentication (MFA) early, so that the transition is smooth for users and does not weaken authentication along the way.
The migration from Active Directory to Microsoft Entra ID typically starts from an environment built on the following pillars:
Applications: applications, resources, and servers that are joined to a domain
Devices: domain-joined client devices
Users and groups: human and workload identities, with their attributes, used for resource access, and group memberships used for governance and policy
In an enterprise-scale organization, IAM transformation, including the transition from Active Directory to Microsoft Entra ID, is often a multi-year project with several stages. You analyze the current environment to establish your current state, then set a target for the next state. The goal might be to eliminate the Active Directory dependency entirely, or you might choose to keep certain capabilities in Active Directory rather than migrate them to Microsoft Entra ID.
The following diagram shows the stages that shape the logical progression of the cloud transition. Which capabilities you have built, and how much of each can move to the cloud, determines how far you can progress from one state to the next.
State-1: Cloud attached
In this state:
Devices are joined to Active Directory and managed through Group Policy or on-premises device management tools
Users are managed in Active Directory, provisioned through an on-premises identity management (IDM) system, and synchronized to Microsoft Entra ID with Microsoft Entra Connect
Applications authenticate against Active Directory, against federation servers such as Active Directory Federation Services (AD FS), against web access management (WAM) tools such as SiteMinder and Oracle Access Manager, or against Microsoft 365
State-2: Hybrid
In this state:
Windows clients are Microsoft Entra hybrid joined
Non-Microsoft software-as-a-service (SaaS) platforms, for example Salesforce and ServiceNow, are being integrated with Microsoft Entra ID
Legacy apps authenticate to Microsoft Entra ID through Microsoft Entra application proxy or partner solutions that offer secure hybrid access
Self-service password reset (SSPR) and Microsoft Entra Password Protection are enabled for users
Some legacy apps authenticate in the cloud through Microsoft Entra Domain Services and application proxy
State-3: Cloud first
In this state:
New Windows clients are joined to Microsoft Entra ID and managed through Intune
All applications that previously used an AD DS-integrated federated identity provider, such as AD FS, are updated to authenticate with Microsoft Entra ID. If Microsoft Entra ID itself used password-based authentication through that identity provider (a federated domain), the domain is converted to managed authentication using password hash synchronization (PHS); this is the point at which AD FS stops being a dependency for user sign-in
State-4: AD-minimized
In this state:
New users provisioned from the HR system are created directly in Microsoft Entra ID rather than in Active Directory
Migration of the AD-dependent applications that belong in the target Microsoft Entra environment is underway, and plans to replace the services that will not move (file, print, or fax services) are being implemented
State-5: 100% cloud
In a 100%-cloud state, Microsoft Entra ID and other Azure services provide all IAM capabilities. This state is a long-term aspiration for many organizations.
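The discovery phase and the state model above both turn on three measurable facts: whether each verified domain is still federated (an AD FS dependency for sign-in), how devices are joined (hybrid joined versus Microsoft Entra joined), and whether users are mastered in AD and synced or created cloud-only. The following read-only script, an added example that is not part of the original page or of Microsoft's guidance, pulls those three inventories with the Microsoft Graph PowerShell SDK and prints a rough estimate of which state a tenant is closest to. It assumes the Microsoft.Graph module is installed and that the signed-in account can consent to the Domain.Read.All, Device.Read.All and User.Read.All scopes; the state heuristic at the end is the editor's own mapping of the page's states onto those numbers, not a Microsoft definition.

```powershell
# Added example: read-only inventory of the three pillars (domains, devices, users)
# for the discovery phase, plus a rough mapping onto the page's State-1..5 model.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the account can consent to the
# three read-only scopes below. Nothing in the tenant is modified.
Connect-MgGraph -Scopes "Domain.Read.All", "Device.Read.All", "User.Read.All" -NoWelcome

# 1. Domains. AuthenticationType 'Federated' means sign-in still goes through AD FS
#    (or another federation IdP); 'Managed' means cloud authentication (PHS or PTA),
#    which is the State-3 target.
$domains   = Get-MgDomain | Where-Object { $_.IsVerified } | Select-Object Id, AuthenticationType
$federated = @($domains | Where-Object { $_.AuthenticationType -eq 'Federated' })

# 2. Devices. TrustType 'ServerAd' = Microsoft Entra hybrid joined (State-2),
#    'AzureAd' = Microsoft Entra joined (State-3), 'Workplace' = registered only.
$devices     = Get-MgDevice -All -Property Id, DisplayName, TrustType, OperatingSystem
$hybrid      = @($devices | Where-Object { $_.TrustType -eq 'ServerAd' }).Count
$entraJoined = @($devices | Where-Object { $_.TrustType -eq 'AzureAd' }).Count

# 3. Users. OnPremisesSyncEnabled is $true for accounts mastered in AD and synced by
#    Microsoft Entra Connect; it is $null or $false for cloud-only accounts (State-4 goal).
$users          = Get-MgUser -All -Property Id, UserPrincipalName, OnPremisesSyncEnabled
$syncedUsers    = @($users | Where-Object { $_.OnPremisesSyncEnabled -eq $true })
$cloudOnlyUsers = @($users | Where-Object { -not $_.OnPremisesSyncEnabled })

# Report the raw inventory.
"Verified domains:"
$domains | Format-Table -AutoSize
"Devices by trust type:"
$devices | Group-Object TrustType | Select-Object @{ n = 'TrustType'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
"Users: {0} synced from AD, {1} cloud-only" -f $syncedUsers.Count, $cloudOnlyUsers.Count

# Editor's heuristic mapping onto the page's states (not Microsoft guidance).
if     ($federated.Count -gt 0 -and $hybrid -eq 0 -and $entraJoined -eq 0) { "Closest to State-1: cloud attached" }
elseif ($federated.Count -gt 0)                                            { "Closest to State-2: hybrid" }
elseif ($syncedUsers.Count -gt $cloudOnlyUsers.Count)                      { "Closest to State-3: cloud first" }
elseif ($syncedUsers.Count -gt 0)                                          { "Closest to State-4: AD-minimized" }
else                                                                       { "Closest to State-5: 100% cloud" }

# Blockers for the next state: every federated domain must be converted to managed
# (password hash synchronization) before AD FS can be decommissioned for sign-in.
$federated | ForEach-Object { "Still federated: $($_.Id) - convert to managed before retiring AD FS" }
```

Run it once per tenant at the start of the discovery phase and again before each state transition; the federated-domain list is the check that matters most, because a domain that is still federated means AD FS cannot be decommissioned no matter how many apps and devices have already moved.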