Advice Needed for Transitioning to an Entra-Only Environment

Asked By TechieTurtle92 On

I'm in the discovery phase of transitioning from a hybrid Active Directory (AD) setup to an Entra-only model. Currently, we use Microsoft Entra ID Connect with on-premises AD acting as the primary user database. Most of our users are created and managed in the local AD, then synced to Entra, while we also have many cloud-only groups and users. Our devices are mostly hybrid joined, with a small number already fully Entra joined. We also have macOS devices managed through Jamf and Windows devices managed via Intune.

User authentication relies heavily on AD, with logins for both Windows and Mac authenticating against the on-prem AD. Our VPN and WiFi connections depend on AD security groups as well. We're aiming to have Entra as the sole identity source and eliminate our dependency on AD, but I'm aware there will be challenges ahead, especially with some of our existing systems.

If you've made this transition, I would love to hear your advice, share any experiences you've had, or point me to resources that could help!

4 Answers

Answered By SysAdminMaster On

Before completely moving away from hybrid, assess what servers or services must remain on-prem because those will complicate your transition. For some systems like your ISE, a hybrid approach could ease the move by maintaining key functionalities. You could keep using a smaller scale of AD for those necessities.

TechieTurtle92 -

Totally reasonable! We’d like to shift as much as we can to Entra while keeping the essential AD tools operational.
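
A discovery script for the assessment SysAdminMaster describes, added here as an example and not code from anyone in this thread. It uses the Microsoft Graph PowerShell SDK to count synced versus cloud-only users, hybrid-joined versus Entra-joined versus registered devices, and which AD OUs are actually feeding Entra today. It assumes the `Microsoft.Graph.Users` and `Microsoft.Graph.Identity.DirectoryManagement` modules are installed and that the signed-in account holds `User.Read.All` and `Device.Read.All`; the `Mac*` operating-system match and the CSV filename are my own choices.

```powershell
# Added example, not from the original thread.
# Assumes: Microsoft.Graph.Users and Microsoft.Graph.Identity.DirectoryManagement
# are installed, and the caller has User.Read.All and Device.Read.All.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Identity.DirectoryManagement

Connect-MgGraph -Scopes 'User.Read.All', 'Device.Read.All'

# Users: onPremisesSyncEnabled is $true for accounts mastered in AD and pushed
# by Entra Connect; $false or $null means the account is cloud-only.
$users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,OnPremisesSyncEnabled,OnPremisesDistinguishedName
$synced    = @($users | Where-Object { $_.OnPremisesSyncEnabled -eq $true })
$cloudOnly = @($users | Where-Object { $_.OnPremisesSyncEnabled -ne $true })

# Devices: trustType records how the device is joined.
#   ServerAd  = hybrid Entra joined (still depends on on-prem AD)
#   AzureAd   = Entra joined (the Autopilot/Intune target state)
#   Workplace = Entra registered (BYOD, MDM-registered Macs)
$devices = @(Get-MgDevice -All -Property Id,DisplayName,TrustType,OperatingSystem,ApproximateLastSignInDateTime)

$summary = [ordered]@{
    'Users total'                          = $users.Count
    'Users synced from AD'                 = $synced.Count
    'Users cloud-only'                     = $cloudOnly.Count
    'Devices hybrid joined (ServerAd)'     = @($devices | Where-Object TrustType -eq 'ServerAd').Count
    'Devices Entra joined (AzureAd)'       = @($devices | Where-Object TrustType -eq 'AzureAd').Count
    'Devices Entra registered (Workplace)' = @($devices | Where-Object TrustType -eq 'Workplace').Count
    # Assumption: macOS devices report an OS string beginning with "Mac".
    'macOS devices'                        = @($devices | Where-Object OperatingSystem -like 'Mac*').Count
}
[pscustomobject]$summary | Format-List

# Which AD OUs are actually feeding Entra? Strip the CN from the on-prem DN and
# group by the remainder. Accounts that must stay in AD later belong in an OU
# that is excluded from sync, so this list is the starting point for that split.
$synced |
    Group-Object { ($_.OnPremisesDistinguishedName -split ',', 2)[1] } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Per-device detail for the planning document (filename is arbitrary).
$devices |
    Select-Object DisplayName, TrustType, OperatingSystem, ApproximateLastSignInDateTime |
    Export-Csv -Path .\device-join-inventory.csv -NoTypeInformation
```

The OU grouping is the useful part: every OU that appears in it is one Entra Connect currently scopes in, and the accounts you decide to keep on AD (for ISE or anything else that still binds to LDAP or Kerberos) need to end up in an OU that is not on that list.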

Answered By CloudNinja88 On

I've done this for several organizations, and a key issue to address will be your WiFi and VPN setups. Since you’re moving away from AD, you'll need to rework those systems to rely on user-based authentication rather than machine AD objects. Everything else should work well with Entra; just keep that in mind!

SecureConnection22 -

You can still use Intune policies for WiFi setups by potentially transitioning to Azure AD groups instead!

TechieTurtle92 -

Thanks for this! I’ll look into user-based options for WiFi.
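
A check for the WiFi/VPN dependency CloudNinja88 and SecureConnection22 discuss, added here as an example and not code from anyone in this thread. Given the names of the AD security groups your network policies authorize, it looks up each one in Entra and reports whether the group is synced from AD and whether its members are user or device objects, so you can see which policies can simply point at an Entra group and which still hinge on machine objects. It assumes `Microsoft.Graph.Groups` is installed and the caller has `Group.Read.All` and `Directory.Read.All`; the group names in `$networkGroups` are made up.

```powershell
# Added example, not from the original thread.
# Assumes: Microsoft.Graph.Groups is installed and the caller has
# Group.Read.All and Directory.Read.All.
Import-Module Microsoft.Graph.Groups

Connect-MgGraph -Scopes 'Group.Read.All', 'Directory.Read.All'

# Constructed input: the AD groups your VPN and WiFi policies reference today.
$networkGroups = @('VPN-Users', 'WiFi-Corp-Devices', 'WiFi-Corp-Staff')

foreach ($name in $networkGroups) {
    # displayName is not unique in Entra, so inspect every match rather than
    # assuming the first one is the synced copy. A name containing an
    # apostrophe would need escaping before it is placed in the OData filter.
    $found = @(Get-MgGroup -Filter "displayName eq '$name'" `
        -Property Id,DisplayName,SecurityEnabled,OnPremisesSyncEnabled,OnPremisesSecurityIdentifier)

    if ($found.Count -eq 0) {
        Write-Warning "$name has no Entra counterpart; that policy cannot be repointed as-is."
        continue
    }

    foreach ($g in $found) {
        # Members come back as directoryObjects; the concrete type is in @odata.type.
        $members = @(Get-MgGroupMember -GroupId $g.Id -All)
        $byType = $members |
            Group-Object { $_.AdditionalProperties['@odata.type'] -replace '^#microsoft\.graph\.', '' } |
            ForEach-Object { '{0}={1}' -f $_.Name, $_.Count }

        [pscustomobject]@{
            Group        = $g.DisplayName
            Id           = $g.Id
            Security     = $g.SecurityEnabled
            SyncedFromAD = [bool]$g.OnPremisesSyncEnabled
            OnPremSid    = $g.OnPremisesSecurityIdentifier
            Members      = ($byType -join ', ')
        }
    }
}
```

Rows with `SyncedFromAD` set to `True` disappear, or go read-only, once Entra Connect is switched off, so each of those groups needs a cloud-only replacement before the policy is repointed. Rows whose `Members` column is mostly `device` are the machine-object dependencies the answer above is warning about.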

Answered By IT_Tamer On

Consider using a GPO to manage MDM and create an Autopilot scenario. Once a PC is MDM joined, it will start pulling inventory into the Entra tenant. I strongly suggest wiping user PCs to let Autopilot streamline the process. It’s a lot smoother than trying to keep user profiles intact while transitioning from AD. If you still need something from AD, ensure those accounts are in a non-syncing OU.

LaughingLlama67 -

Accessing on-prem file servers from devices set up with Entra joining is possible; you just need to plan it out.

Answered By TransitionPro On

The transition could take years, so it’s crucial to have a detailed plan. You’ll need to map out your user authentication flows and detail how they would change after the switch. Tools like BloodHound can also provide insight into your new environment to better understand dependencies.

EfficiencyGurus -

I appreciate the suggestion to visualize the flows; that can really highlight the potential challenges!
