In today’s cloud-driven landscape, businesses are increasingly seeking to migrate their on-premises applications to cloud-based solutions for better scalability, security, and manageability. One critical component of this migration journey is moving from on-premises Active Directory Federation Services (ADFS) to Microsoft Entra ID (formerly Azure AD) for authentication and Single Sign-On (SSO). This comprehensive guide will walk you through the entire migration process, providing detailed steps and best practices to ensure a seamless transition.
1. Introduction
Active Directory Federation Services (ADFS) has long been a staple for managing authentication and Single Sign-On (SSO) for applications. However, with the rise of cloud computing and the need for more flexible, scalable solutions, many organizations are transitioning to Entra ID for application authentication and authorization. Entra ID offers robust security features, seamless integration with Microsoft 365, and simplified management, making it an ideal choice for modern enterprises.
This blog post aims to provide a step-by-step guide for migrating application authentication and authorization from on-premises ADFS to Microsoft Entra ID. We’ll cover pre-migration checks, detailed migration steps, common claims mapping, and post-migration activities, ensuring you have a clear roadmap for a successful migration.
2. Why Migrate to Entra ID?
Entra ID, formerly known as Azure AD, is Microsoft’s cloud-based identity and access management service. It offers seamless integration with Microsoft 365 and other cloud services, providing secure single sign-on (SSO), multi-factor authentication (MFA), and advanced identity protection.
Migrating to Entra ID is not just about replacing ADFS; it’s about leveraging a modern, robust identity platform that enhances security, improves user experience, and streamlines IT operations. By making this move, you align your organization with the latest technological advancements and prepare for future growth and challenges.
Migrating from on-premises ADFS to Entra ID is a strategic move that brings numerous advantages to your organization:
- Scalability: Entra ID can easily scale to accommodate growing user bases and application demands.
- Security: Enhanced security features like Multi-Factor Authentication (MFA), Conditional Access, and Identity Protection.
- Integration: Seamless integration with Microsoft 365 and other cloud services.
- Simplified Management: Centralized management of identities and access across your organization.
- Cost Efficiency: Reduced infrastructure and maintenance costs compared to on-premises solutions.
3. Pre-Migration Checks
Before embarking on the migration journey, it’s essential to conduct thorough pre-migration checks to ensure a smooth transition.
-> Inventory and Assessment
List All Applications: Create a detailed inventory of all applications currently using ADFS for authentication. Document application names, URLs, authentication methods (SAML, OAuth, OpenID Connect), specific configurations, and claims used.
Categorize Applications: Sort applications by criticality (high, medium, low), complexity (custom vs. standard integration), and type of authentication mechanism.
Dependency Analysis: Identify and document any dependencies or integrations with other systems, databases, or services. Understanding these dependencies is crucial for planning the migration sequence and avoiding disruptions.
Assess Compatibility: Verify each application’s compatibility with Entra ID. Check vendor documentation or conduct initial tests to anticipate potential issues. Ensure that your applications can support Entra ID’s authentication protocols and claims.
-> Environment Readiness
Entra ID Subscription: Ensure you have an appropriate Entra ID subscription. For SSO and advanced security features, Entra ID Premium P1 or P2 is recommended.
Network Readiness: Confirm that your network configuration allows seamless connectivity between your on-premises environment and Entra ID. Ensure that firewalls, VPNs, and proxies permit traffic to Entra ID endpoints.
Identity Synchronization: Users should be synchronized from on-premises AD to Entra ID via Azure AD Connect. Verify synchronization is working correctly and there are no sync errors. This ensures that your user identities are already present in Entra ID, simplifying the migration process.
Security Policies: Review and update your security policies to align with Entra ID features like Conditional Access, Multi-Factor Authentication (MFA), and Identity Protection. Ensure compliance with regulatory and corporate requirements.
-> Access and Permissions
Admin Access: Verify that you have the necessary administrative roles and permissions in Entra ID (Global Administrator or Application Administrator). Ensure that your team has the required access to perform the migration tasks.
Application Ownership: Confirm ownership and contact details for each application. Communicate with application owners and stakeholders about migration plans and their roles in testing and validation.
-> Backup and Contingency Planning
Backup ADFS Configuration: Perform a complete backup of the current ADFS configuration, including relying party trusts, claims rules, certificates, and custom configurations. Store this backup securely.
Rollback Plan: Develop a detailed rollback plan outlining steps to revert to ADFS if issues arise. Ensure the rollback process is tested and documented. Having a solid rollback plan is essential for mitigating risks and ensuring business continuity.
3. Migration Steps
With pre-migration checks completed, you can now proceed with the actual migration. The migration process is divided into several phases to minimize downtime and ensure a smooth transition.
-> Planning and Communication
Create a Detailed Project Plan: Develop a project plan with timelines, milestones, resource allocation, and key deliverables. Outline each phase of the migration, including pre-migration checks, pilot migration, phased migration, and post-migration activities.
Communication Plan: Create a communication plan to keep stakeholders, application owners, and end-users informed about the migration process. Include regular status updates, maintenance windows, and support contact information.
-> Pilot Migration
Select Pilot Applications: Choose a few non-critical, low-complexity applications for initial migration. Ensure these applications represent various authentication methods to test different scenarios.
Configure Entra ID:
- Register Applications: Register the selected pilot applications in Entra ID by creating an application registration and configuring the appropriate authentication methods (SAML, OAuth, OpenID Connect).
- Configure SSO Settings: Set up single sign-on (SSO) settings for each application, including necessary claims, certificates, and endpoints in Entra ID. Map ADFS claims to corresponding Entra ID claims.
Test Authentication: Perform thorough testing to ensure users can authenticate and access the pilot applications using Entra ID. Test various user scenarios, including different browsers, devices, and network conditions.
Gather Feedback: Collect feedback from users and application owners about the pilot migration. Identify and resolve any issues before proceeding with the full migration.
-> Phased Migration
Batch Applications: Group the remaining applications into batches based on criticality, complexity, and dependencies. Plan each batch’s migration to minimize business operation impacts.
Migrate in Phases:
- Register Each Batch: Register each batch of applications in Entra ID, following the same process as the pilot migration.
- Configure Authentication Methods: Set up the necessary authentication and SSO settings for each application in Entra ID.
- Test Thoroughly: Perform comprehensive testing for each batch, involving a subset of users to validate the migration. Ensure all use cases are covered, including MFA and conditional access policies.
Monitor and Adjust: Continuously monitor performance and user feedback during each phase. Address issues promptly and adjust the migration plan as needed.
-> Final Migration and Cutover
Schedule Cutover: Plan the final migration during a low-traffic period to minimize user impact. Communicate the cutover schedule to stakeholders and end-users.
Migrate Remaining Applications: Complete the migration of the remaining applications to Entra ID, following the same process as previous phases.
Update DNS and Firewall Rules: Ensure all DNS and firewall configurations are updated to route traffic correctly to Entra ID. Update Service Principal Names (SPNs), CNAME records, and firewall rules as needed.
Decommission ADFS: Gradually phase out ADFS after confirming all applications function correctly with Entra ID. Disable ADFS services, remove ADFS roles, and decommission ADFS servers.
-> Post-Migration Activities
User Training: Provide training and support for users on new authentication processes or login procedures. Update user documentation and FAQs to reflect Entra ID-based authentication.
Documentation: Update all relevant documentation, including architecture diagrams, configuration guides, and operational procedures, to reflect the new Entra ID setup.
Monitoring and Support:
- Continuous Monitoring: Implement monitoring solutions to continuously monitor application performance, authentication success rates, and user activity in Entra ID.
- Ongoing Support: Provide ongoing support to address user issues or questions. Establish a dedicated support team or helpdesk for handling post-migration queries.
4. Common Claims Mapping
During the migration, it’s crucial to map the claims used in ADFS to their corresponding claims in Entra ID. Here are some common claims and their mappings:
ADFS Claim | Entra ID Claim |
---|---|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | user.mail |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | user.displayName |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn | user.userPrincipalName |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | user.givenName |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | user.surname |
http://schemas.microsoft.com/ws/2008/06/identity/claims/role | user.assignedroles |
Properly mapping these claims ensures that your applications continue to function as expected after the migration.
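One way to check a relying party's claims against the table above, as an added example (not part of the original post and not a Microsoft tool): the Python below reads a trust's issuance transform rules as text, collects the claim types the rules actually issue, and separates those covered by the table from those that need a manual mapping decision. The rule text is a constructed sample, the function names are hypothetical, and the parser handles literal Type, attribute-store types lists and pass-through rules.

```python
import re
# Mapping table from this page: ADFS claim type URI -> Entra ID source attribute.
XS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
MS = "http://schemas.microsoft.com/ws/2008/06/identity/claims/"
CLAIM_MAP = {
    XS + "emailaddress": "user.mail", XS + "name": "user.displayName",
    XS + "upn": "user.userPrincipalName", XS + "givenname": "user.givenName",
    XS + "surname": "user.surname", MS + "role": "user.assignedroles",
}
# Constructed sample rules; "XS/" and "MS/" are shorthand expanded to the full URIs.
SAMPLE_RULES = '''
@RuleName = "Send mail and given name"
c:[Type == "MS/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("XS/emailaddress", "XS/givenname"),
          query = ";mail,givenName;{0}", param = c.Value);
@RuleName = "UPN to NameID"
c:[Type == "XS/upn"] => issue(Type = "XS/nameidentifier", Value = c.Value);
@RuleName = "Pass through role"
c:[Type == "MS/role"] => issue(claim = c);
@RuleName = "Internal only, never sent"
c:[Type == "MS/groupsid"] => add(Type = "http://example.test/claims/internal", Value = c.Value);
'''.replace("XS/", XS).replace("MS/", MS)

Q = r'(?:"[^"]*"|[^;"])'  # one quoted string, or one char that is not ';' or '"'
RULE = re.compile(rf'({Q}*?)=>\s*(issue|add)\s*\(({Q}*)\)\s*;', re.S | re.I)

def issued_claim_types(rule_text):
    """Return the claim type URIs that the rules actually put into the token."""
    issued = set()
    for cond, verb, body in RULE.findall(rule_text):
        if verb.lower() != "issue":   # add() only feeds later rules; nothing is sent
            continue
        types = re.findall(r'\btype\s*=\s*"([^"]+)"', body, re.I)
        store = re.search(r'\btypes\s*=\s*\(([^)]*)\)', body, re.I)
        if store:                     # attribute-store rule: types = ("a", "b")
            types += re.findall(r'"([^"]+)"', store.group(1))
        if not types:                 # pass-through: take the type the condition matched
            types = re.findall(r'\btype\s*==\s*"([^"]+)"', cond, re.I)
        issued.update(types or ["<dynamic type: review this rule by hand>"])
    return issued

def plan_claims(rule_text):
    """Return (claims covered by the page's table, claims needing manual review)."""
    issued = issued_claim_types(rule_text)
    mapped = {t: CLAIM_MAP[t] for t in issued if t in CLAIM_MAP}
    return mapped, sorted(t for t in issued if t not in CLAIM_MAP)

if __name__ == "__main__":
    print(plan_claims(SAMPLE_RULES))
```

In the sample, the NameID claim is reported for review because the table has no entry for it, and the claim created with add() is ignored because it never reaches the application.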
5. Subscription Considerations
Entra ID offers several subscription options. For a large or complex migration, it’s recommended to use either Entra ID Premium P1 or P2 due to the advanced security features, conditional access policies, and comprehensive monitoring capabilities they offer.
- Entra ID Free: Basic features for user and group management, cloud authentication, and device management.
- Entra ID Premium P1: Includes all Free features plus advanced administration, conditional access, and self-service capabilities.
- Entra ID Premium P2: Includes all P1 features plus advanced identity protection, privileged identity management, and comprehensive monitoring and reporting.
6. Internal Applications via Application Proxy
For internal applications that need to be accessed from external networks, you can leverage Entra ID Application Proxy. This service allows you to securely publish on-premises applications for remote access without requiring a VPN. The Application Proxy acts as a reverse proxy, forwarding requests from authenticated users to the internal application servers.
Steps to Set Up Entra ID Application Proxy:
- Install the Application Proxy Connector: Deploy the Application Proxy connector on a server within your internal network that can access the internal applications.
- Register the Application in Entra ID: Create an application registration for the internal application in Entra ID.
- Configure the Application Proxy: Set up the Application Proxy configuration in Entra ID, specifying the internal URL of the application and any necessary pre-authentication settings.
- Test External Access: Verify that users can access the internal application securely from external networks using their Entra ID credentials.
7. Conclusion
Migrating applications from on-premises ADFS to Entra ID for authentication is a significant step towards modernizing your organization’s authentication infrastructure. By following this comprehensive guide, you can ensure a smooth and successful migration with minimal disruption to your users and applications. Thorough pre-migration checks, detailed planning, phased execution, and continuous monitoring are key to achieving a seamless transition. Embrace the enhanced security, scalability, and manageability that Entra ID offers, and position your organization for future growth and success.
This blog post aims to provide a detailed roadmap for IT professionals and organizations looking to migrate from ADFS to Entra ID for authentication. If you have any questions or need further assistance, feel free to reach out to me. Happy migrating!