Effects of migrating security groups from on-premise AD to Azure AD cloud based groups

Dee Wilsone 0 Reputation points
2024-01-17T18:49:08.26+00:00

Hello everyone. A little background. My company is migrating from an on-premises AD to a fully integrated Azure AD platform where we host our O365 tenant, including services where we fully utilize Intune for automation, and also have SSO integrations with various applications for everyday work. Here is my question. We have several on-premises security groups that we sync up to Azure via ADC and then we apply those security groups (all users and a few others) to various apps, device sign-ins, SSO, SAML, etc. I understand the process of stopping DirSync to migrate all the security groups from on-premises AD to cloud-based groups, but once the security groups get migrated, what are the repercussions of migrating the security groups and how will they affect all the services we have running? Intune is one of our biggest solutions that we have built heavily with automations, config and compliance policies that are tied to the security groups from on-premises (all users). Will Intune services resume when the on-premises security groups get converted to cloud-based groups? Thank you for any input. Dee


1 answer

  1. Carlos Solís Salazar 18,086 Reputation points MVP
    2024-01-17T19:36:51.8133333+00:00

    Hello Dee, your scenario of migrating from an on-premises Active Directory (AD) to Azure Active Directory (Azure AD) while ensuring smooth operation of services like Intune, SSO, and SAML integrations is indeed a complex but common undertaking in cloud migration strategies. Let's break down your concerns and address them systematically:

    1. Migration of Security Groups: When you migrate your on-premises AD security groups to Azure AD, the primary concern is ensuring that the new cloud-based groups mirror the permissions and memberships of the on-premises groups. It's important to verify that the synchronization process via Azure AD Connect (ADC) is correctly mapping these groups and their attributes.
    2. Impact on Services (Intune, SSO, SAML, etc.): Services that are dependent on these security groups might be affected if the migration leads to changes in group memberships, permissions, or identifiers. For instance, if an application is configured to grant access based on membership in a specific on-premises AD group, it needs to be updated to recognize the corresponding Azure AD group post-migration.
    3. Intune Considerations: Since Intune heavily relies on these security groups for automations, configuration, and compliance policies, it's crucial to ensure that the migration process does not disrupt these associations. When on-premises security groups are converted to cloud-based groups, Intune should ideally resume its services without issues, provided the following are ensured:
      • The Azure AD groups have the same members and permissions as the on-premises groups.
      • Intune policies and configurations are updated to recognize the new Azure AD groups.
      • Any scripts or automation tools are updated to point to Azure AD groups instead of on-premises AD groups.
    4. Testing and Validation: Before completely stopping DirSync and migrating all security groups, it's advisable to conduct a phased approach. Migrate a smaller set of groups first and monitor how services like Intune react to these changes. This will allow you to identify and mitigate any issues before a full-scale migration.
    5. Post-Migration Support: After migration, closely monitor the services for any anomalies. It might be necessary to tweak configurations or update policies to align with the new Azure AD environment.

    For more detailed guidance, you may refer to:

    Remember, a successful migration often hinges on thorough planning, testing, and continuous monitoring. If this information was helpful, please consider accepting this response. If you need further clarification or assistance, feel free to ask.
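The two checks the answer above recommends (points 1 to 3: confirm the cloud group carries the same members as the on-premises group, and find the Intune assignments that still reference the old group) can be scripted before cutover. The script below is an added example and is not part of the original thread or of any Microsoft documentation. It assumes the ActiveDirectory RSAT module and the Microsoft Graph PowerShell SDK are installed and that the account has read access to groups and Intune configuration; the group names, the old group object ID and the choice of the beta Graph endpoints are placeholders and assumptions to adjust for your tenant.

```powershell
# Added example (not from the original thread): compare membership of an on-premises
# AD group with its intended Entra ID (Azure AD) cloud group, then list Intune profiles
# whose assignments still point at a given group object ID.
# Requires the ActiveDirectory module (RSAT) and the Microsoft.Graph PowerShell SDK.
# Group names and the object ID below are placeholders; replace them for your tenant.

param(
    [string]$OnPremGroup = 'All Users',          # placeholder: on-prem group name
    [string]$CloudGroup  = 'All Users (Cloud)',  # placeholder: new cloud group name
    [string]$OldGroupId  = '00000000-0000-0000-0000-000000000000'  # placeholder: object ID of the formerly synced group
)

Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Group.Read.All','DeviceManagementConfiguration.Read.All' | Out-Null

# 1. On-premises membership, flattened through nested groups, keyed by UPN.
$onPremUpns = @(Get-ADGroupMember -Identity $OnPremGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties UserPrincipalName |
    Select-Object -ExpandProperty UserPrincipalName |
    ForEach-Object { $_.ToLowerInvariant() } |
    Sort-Object -Unique)

# 2. Cloud group membership by UPN. Get-MgGroupMember returns directory objects;
#    the user attributes live in AdditionalProperties.
$cloud = Get-MgGroup -Filter "displayName eq '$CloudGroup'"
if (-not $cloud) { throw "Cloud group '$CloudGroup' not found" }
$cloudUpns = @(Get-MgGroupMember -GroupId $cloud.Id -All |
    Where-Object { $_.AdditionalProperties['@odata.type'] -eq '#microsoft.graph.user' } |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'].ToLowerInvariant() } |
    Sort-Object -Unique)

# 3. Report drift in both directions. Anyone only on-prem loses policy targeting at
#    cutover; anyone only in the cloud group gains it.
$diff       = Compare-Object -ReferenceObject $onPremUpns -DifferenceObject $cloudUpns
$onlyOnPrem = @($diff | Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject)
$onlyCloud  = @($diff | Where-Object SideIndicator -eq '=>' | Select-Object -ExpandProperty InputObject)
Write-Host ("On-prem members: {0}  Cloud members: {1}" -f $onPremUpns.Count, $cloudUpns.Count)
Write-Host ("Missing from cloud group: {0}" -f $onlyOnPrem.Count)
$onlyOnPrem | ForEach-Object { "  - $_" }
Write-Host ("Extra in cloud group:     {0}" -f $onlyCloud.Count)
$onlyCloud  | ForEach-Object { "  - $_" }

# 4. Find Intune configuration and compliance policies still assigned to the old group.
#    Assignments target the group's object ID, so a cloud group recreated under the same
#    name (new ID) is not picked up until each assignment is re-pointed.
$endpoints = @('deviceManagement/deviceConfigurations', 'deviceManagement/deviceCompliancePolicies')
foreach ($ep in $endpoints) {
    $uri = "https://graph.microsoft.com/beta/$ep`?`$expand=assignments"
    do {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($policy in $page.value) {
            $hits = @($policy.assignments | Where-Object { $_.target.groupId -eq $OldGroupId })
            if ($hits.Count -gt 0) {
                Write-Host ("Re-point needed: [{0}] {1} ({2})" -f $ep.Split('/')[-1], $policy.displayName, $policy.id)
            }
        }
        $uri = $page.'@odata.nextLink'   # follow paging until exhausted
    } while ($uri)
}
```

The script is read-only, so it is safe to run repeatedly during a phased migration: run it against the pilot groups first, clear any membership drift it reports, then re-point the listed Intune assignments to the new group before stopping sync. Two caveats: Get-ADGroupMember -Recursive is subject to the domain controller's result-size limit on very large groups, and the beta Graph endpoints are used here because Intune assignment expansion is most consistently available there; if your tenant exposes the same `$expand=assignments` on v1.0, the URI prefix can be changed accordingly.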

