How can I smoothly migrate from Okta to Entra without causing major issues?

Asked By TechWhiz42 On

I've been using Okta for six years, and it's been working well. However, our CFO noticed that we are paying for Okta while already having Microsoft E5, and they're questioning the necessity of both. I get that it's a valid concern, but I'm worried about how to switch 2000 users and 80 apps over to Entra without causing chaos.

Currently, all apps are set up with Okta as the identity provider, which means I'll have to tweak SAML settings in many places. Some apps we have control over, while others are vendor-managed SaaS apps where I'll have to submit tickets and wait for changes. Plus, user MFA enrollment won't transfer, meaning everyone has to redo it, and group and policy settings will need to be set up from scratch in Entra.

If we start using both systems during the transition, it creates confusion with users having dual identities, plus all the access management will be duplicated. A phased approach seems logical, but that means App A in Entra will need to communicate with App B still in Okta, which raises questions about how to manage those dependencies without custom federation.

I've heard a consultant estimate this process would take six months and cost $200K, which my CFO thinks is outrageous for changing SSO providers. If we try to handle it ourselves, I anticipate months of work after hours, risking access issues for vital applications. Has anyone here successfully managed a migration of this scale with minimal downtime, or is there something I might be overlooking?

2 Answers

Answered By MigrationGuideHero On

I've been through a similar migration and it can take quite a lot of time since every app needs individual attention. Start by migrating your session and authentication policies over to Entra's conditional access. Then make Okta an external authentication method while adding Entra back to Okta as a provider. This way, users can log in with either until you've updated everything. It's a big job but completely doable if you break it into manageable steps.

DetailedPlanner77 -

Exactly! Setting it up so users can log in through either system during the transition is key to minimizing disruption. It does take a chunk of time, but having a solid plan helps.

TechWhiz42 -

Thanks for the insight! Keeping both systems running in the interim does sound like a practical solution.

Answered By Skeptic123 On

If I have to be blunt, that timeframe and budget feel reasonable to me too. You have a lot of moving parts to juggle, and it's better to be realistic about the time needed than to rush it and face fallout later.
