I'm looking to gather insights on the pilot program for Azure Entra's Source of Authority (SOA) conversion feature. For those unfamiliar, this tool allows users to transfer management of users and groups from on-premises Active Directory to Entra ID without the hassle of deleting and recreating objects. It utilizes the isCloudManaged attribute to direct sync tools to cease syncing certain objects while keeping identities and their relationships intact. I'm particularly interested in people's experiences regarding:
• The smoothness of the conversion process and any potential pitfalls.
• Any issues faced with access to on-prem apps post-conversion.
• How others are managing Kerberos-based applications (like Application Proxy or Cloud Kerberos Trust).
• Problems with group provisioning back to AD after the conversion.
• The state of managed devices (Entra joined, hybrid, etc.).
• Recommendations or warnings about hidden risks that Microsoft documentation might not address.
• Impacts on mail-enabled accounts.
We're currently operating in a hybrid environment with both cloud and on-prem apps. We're thinking of starting the conversion with an OU that has minimal legacy dependencies, but we want to make sure we understand the complexities involved before making a commitment. I'd love to hear both positive experiences and cautionary tales! Additionally, I'm curious if anyone has encountered the universal group limitation or issues with nested groups during conversion, as well as any challenges with legacy on-prem apps.
3 Answers
Oh, right—this reminds me! We converted some user accounts to shared mailboxes. Would this conversion allow us to make those accounts cloud-only?
I just started migrating some users this week. All our devices are Entra joined and we don’t have many on-prem apps. The conversion process was surprisingly easy—like, the end-users didn’t even realize anything had changed! This feature is a game changer for us because it means we can finally start separating from on-prem AD and look forward to decommissioning it. Before this, I had to migrate users the old-fashioned way which was a hassle, but this new approach is so much better!
Thanks for the update! I’d love to hear more as you continue through the process!
From what I understand, the isCloudManaged attribute is crucial here. If your objects are already in Azure, this is really the heart of the transformation. I think nested groups should be fine, too.
Thanks for clarifying that! I appreciate it.

I believe so, but keep in mind there might be other dependencies in your Group Policy that still require local AD. You might want to test it out: change the SOA settings and, once the source of authority is set to Azure AD, try moving the test account object to a non-sync OU (or deleting it) to see how that works. We had to migrate our Group Policies first, just to be safe.
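As an added illustration of the mechanism the question describes (the isCloudManaged flag) and of the test suggested in the answer above (flip SOA on a test account, then move its AD object out of sync scope), here is a PowerShell walk-through. This is example code written for this page, not code from the thread or from Microsoft. It assumes the Microsoft Graph PowerShell SDK and the ActiveDirectory module are installed, that the beta `onPremisesSyncBehavior` endpoint is the one your tenant exposes for SOA conversion, and that the permission scope names, the test UPN `soa-test01@contoso.com`, the OU `OU=NotSynced,DC=contoso,DC=com` and the sync server `aadconnect01` are placeholders for your own values.

```powershell
# Added example, not from the thread. Names, scopes and OU paths below are assumptions.
Import-Module Microsoft.Graph.Authentication
Import-Module ActiveDirectory

# Scope names are assumptions; use whatever your tenant's admin consent shows for SOA.
Connect-MgGraph -Scopes "User-OnPremisesSyncBehavior.ReadWrite.All", "User.Read.All"

$upn = "soa-test01@contoso.com"   # constructed test account in the pilot OU
$soaUri = "https://graph.microsoft.com/beta/users/$upn/onPremisesSyncBehavior"

function Get-SoaState {
    param([string]$Uri)
    # isCloudManaged = $true means Entra ID is now the source of authority for this object
    (Invoke-MgGraphRequest -Method GET -Uri "$Uri?`$select=isCloudManaged").isCloudManaged
}

function Get-CloudObject {
    param([string]$Upn)
    # Used before and after the AD move to prove the cloud identity is still there
    Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/users/$Upn?`$select=id,accountEnabled,onPremisesSyncEnabled"
}

"Before conversion: isCloudManaged = $(Get-SoaState $soaUri)"

# Step 1: transfer SOA to the cloud. Sync clients honour this flag and stop
# overwriting the object, so the AD copy can now be moved or retired.
Invoke-MgGraphRequest -Method PATCH -Uri $soaUri -ContentType "application/json" `
    -Body (@{ isCloudManaged = $true } | ConvertTo-Json)

if (-not (Get-SoaState $soaUri)) {
    throw "SOA flag did not take; do NOT move the AD object, or the next sync will soft-delete the cloud user"
}
"After conversion:  isCloudManaged = $(Get-SoaState $soaUri)"
$before = Get-CloudObject $upn

# Step 2: the test from the answer above. Move the AD object to an OU that is
# excluded from sync. Only safe because Step 1 succeeded first.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'"
Move-ADObject -Identity $adUser.DistinguishedName -TargetPath "OU=NotSynced,DC=contoso,DC=com"

# Step 3: trigger a delta sync on the Entra Connect server (ADSync module lives there).
Invoke-Command -ComputerName aadconnect01 -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }
Start-Sleep -Seconds 120   # give the export a moment; adjust for your environment

# Step 4: the cloud object must still exist with the same id and still be enabled.
$after = Get-CloudObject $upn
if ($after.id -ne $before.id -or -not $after.accountEnabled) {
    throw "Cloud object changed or was disabled after the sync; investigate before converting more users"
}
"Cloud user $upn survived the move; onPremisesSyncEnabled is now '$($after.onPremisesSyncEnabled)'"
```

The order is the whole point of the test: moving a still-synced object out of sync scope is exactly what makes Entra Connect treat it as deleted, so the flag is checked before anything touches AD. Nothing here addresses the Group Policy and Kerberos dependencies the answers warn about; those are application-side and have to be inventoried separately.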