Migration and its impact

Rajesh Saini 0 Reputation points
2025-02-12T08:30:49.3166667+00:00

I have a question: while migrating on-premises AD to a new ESE tenant, what will be the impact on on-premises applications from the perspective of authentication and authorization?

Chaithra E 790 Reputation points Microsoft External Staff
2025-02-12T16:23:27.8733333+00:00

Hello @Rajesh Saini,

Regarding your scenario of migrating from on-premises Active Directory (AD) to Azure Active Directory (new ESE tenant), here are the key points to consider:

1. Traditional and legacy apps: Most on-premises apps use LDAP, Windows-Integrated Authentication (NTLM and Kerberos), or header-based authentication to control access for users. Microsoft Entra ID can provide access to these types of on-premises apps using Microsoft Entra application proxy agents running on-premises. Using this method, Microsoft Entra ID can authenticate Active Directory users on-premises using Kerberos while you migrate or need to coexist with legacy apps.

2. Role-Based Access Control (RBAC): Cloud identity systems typically utilize RBAC, which offers more granular and dynamic authorization management compared to traditional access control models like Discretionary Access Control (DAC) or Mandatory Access Control (MAC). These models help improve the management of user permissions based on roles or attributes, enhancing both flexibility and security. Your on-premises applications may require updates to support these more flexible and fine-grained access control models to align with the cloud-based system.

3. Identity federation and protocols: As organizations adopt cloud-based identity management, they commonly implement protocols like OAuth 2.0, SAML, and OpenID Connect for identity federation. These protocols enable users to seamlessly access both cloud and on-premises applications with consistent security standards and cross-platform compatibility. It is important to ensure that your on-premises applications are updated to support these modern authentication and authorization protocols.

4. Migration of security groups: When migrating your on-premises AD security groups to Azure AD, the primary concern is ensuring that the new cloud-based groups accurately reflect the permissions and memberships of the on-premises groups. It's crucial to verify that the synchronization process through Azure AD Connect (ADC) is properly mapping these groups and their attributes. This step ensures consistency between your on-premises and cloud-based systems.

5. SaaS apps: Active Directory doesn't support SaaS apps natively and requires a federation system, such as AD FS. SaaS apps supporting OAuth2, Security Assertion Markup Language (SAML), and WS-* authentication can be integrated to use Microsoft Entra ID for authentication.

6. Credential management: Credentials in Active Directory are based on passwords, certificate authentication, and smart card authentication. Passwords are managed using password policies that are based on password length, expiry, and complexity.
Microsoft Entra ID uses intelligent password protection for cloud and on-premises. Protection includes smart lockout plus blocking common and custom password phrases and substitutions. Microsoft Entra ID significantly boosts security through multifactor authentication and passwordless technologies, like FIDO2. Microsoft Entra ID reduces support costs by providing users a self-service password reset system.

For more detailed guidance, you may refer to:
https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/migrate-adfs-apps-stages
https://learn.microsoft.com/en-us/entra/architecture/migration-best-practices

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
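Point 4 of the answer above recommends verifying that synced groups reflect on-premises memberships. The following script is an added example, not part of the answer or any Microsoft tool: it compares two constructed group-membership exports (one from on-premises AD, one from the cloud tenant) and reports groups that did not sync, members dropped by sync, and members that exist only in the cloud. It assumes both exports are CSV files with `group` and `member` columns keyed on the user's UPN.

```python
"""Added example (not from the Q&A post): compare on-premises AD group
memberships against the synced Microsoft Entra ID groups and report drift.
Both inputs are constructed sample exports; real data would come from an
on-premises group-member export and a cloud group-member export."""
import csv
import io
from collections import defaultdict

# Constructed sample: on-premises export, one row per (group, member UPN).
ONPREM_CSV = """group,member
App-Finance-Users,alice@corp.example
App-Finance-Users,bob@corp.example
App-Finance-Admins,carol@corp.example
App-HR-Readers,dave@corp.example
"""

# Constructed sample: cloud export of the synced groups after a sync cycle.
CLOUD_CSV = """group,member
App-Finance-Users,alice@corp.example
App-Finance-Admins,carol@corp.example
App-Finance-Admins,eve@corp.example
"""


def load_memberships(csv_text):
    """Return {group_name: set(member UPNs)} from a group,member CSV."""
    groups = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups[row["group"].strip()].add(row["member"].strip().lower())
    return dict(groups)


def compare_memberships(onprem, cloud):
    """Report groups missing in the cloud, members dropped by sync, and
    members present only in the cloud (added out of band, worth review)."""
    report = {"missing_groups": [], "missing_members": {}, "extra_members": {}}
    for name, members in onprem.items():
        if name not in cloud:
            report["missing_groups"].append(name)
            continue
        dropped = members - cloud[name]
        extra = cloud[name] - members
        if dropped:
            report["missing_members"][name] = sorted(dropped)
        if extra:
            report["extra_members"][name] = sorted(extra)
    return report


if __name__ == "__main__":
    result = compare_memberships(load_memberships(ONPREM_CSV), load_memberships(CLOUD_CSV))
    for key, value in result.items():
        print(f"{key}: {value}")
```

With the sample data it flags App-HR-Readers as unsynced, bob as dropped from App-Finance-Users, and eve as a cloud-only member of App-Finance-Admins.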

