Establish a Microsoft Entra footprint
Before you migrate identity and access management (IAM) from Active Directory to Microsoft Entra ID, you need to set up Microsoft Entra ID.
If you're using Microsoft Office 365, Exchange Online, or Teams, then you're already using Microsoft Entra ID. Your next step is to establish more Microsoft Entra capabilities:
Select authentication methods. We strongly recommend password hash synchronization.
Secure your hybrid identity infrastructure by following Five steps to securing your identity infrastructure.
The following functions aren't specific to, or mandatory for, moving from Active Directory to Microsoft Entra ID, but we recommend incorporating them into your environment. These items are also recommended in the Zero Trust guidance.
Deploy passwordless authentication
In addition to the security benefits of passwordless credentials, passwordless authentication simplifies your environment because the management and registration experience is already native to the cloud. Microsoft Entra ID provides passwordless credentials that align with various use cases. Use the information in this article to plan your deployment: Plan a passwordless authentication deployment in Microsoft Entra ID.
After you roll out passwordless credentials to your users, consider reducing the use of password credentials. You can use the reporting and insights dashboard to continue to drive the use of passwordless credentials and reduce the use of passwords in Microsoft Entra ID.
During your application discovery, you might find applications that depend on passwords or make assumptions about them. Users of these applications need to have access to their passwords until those applications are updated or migrated.
Configure Microsoft Entra hybrid join for existing Windows clients
You can configure Microsoft Entra hybrid join for existing Active Directory-joined Windows clients to benefit from cloud-based security features such as co-management, Conditional Access, and Windows Hello for Business. New devices should be Microsoft Entra joined and not Microsoft Entra hybrid joined.
To learn more, see Plan your Microsoft Entra hybrid join implementation.
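To check which of the join states described above a client is actually in, you can classify the output of `dsregcmd /status`. This is an added example, not part of the original guidance; the function name `Get-JoinState` and the sample text are constructed for illustration.

```powershell
# Hypothetical helper (not a Microsoft cmdlet): classifies a Windows client's
# join state from the text printed by `dsregcmd /status`.
function Get-JoinState {
    param([string[]]$StatusText)

    # dsregcmd prints "Name : Value" pairs; keep only the fields we need.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|AzureAdPrt)\s*:\s*(\S+)') {
            $fields[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }

    # A missing field is treated as NO.
    $entra  = [bool]$fields['AzureAdJoined']
    $domain = [bool]$fields['DomainJoined']

    $state = if ($entra -and $domain) {
        'Microsoft Entra hybrid joined'
    } elseif ($entra) {
        'Microsoft Entra joined'
    } elseif ($domain) {
        'Active Directory joined only'
    } else {
        'Not joined'
    }

    [pscustomobject]@{
        JoinState = $state
        # AzureAdPrt reports whether the signed-in user holds a primary refresh token.
        HasPrt    = [bool]$fields['AzureAdPrt']
    }
}

# Constructed sample, shaped like the relevant lines of `dsregcmd /status`.
$sample = @'
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO

                AzureAdPrt : YES
'@ -split '\r?\n'

Get-JoinState -StatusText $sample
```

On a real client, pass the live output instead: `Get-JoinState -StatusText (dsregcmd /status)`. A new device that reports "Microsoft Entra hybrid joined" was provisioned against the recommendation above.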