Phase 1: Discover and scope apps

Application discovery and analysis is a fundamental exercise that gives you a good start. You may not know about every app, so be prepared to accommodate unknown apps.

Find your apps

The first decision in the migration process is which apps to migrate, which, if any, should remain, and which apps to deprecate. There's always an opportunity to deprecate the apps that you won't use in your organization. There are several ways to find apps in your organization. While discovering apps, ensure you include in-development and planned apps. Use Microsoft Entra ID for authentication in all future apps.

Discover applications using ADFS:

  • Use Microsoft Entra Connect Health for ADFS: If you have a Microsoft Entra ID P1 or P2 license, we recommend deploying Microsoft Entra Connect Health to analyze the app usage in your on-premises environment. You can use the ADFS application report to discover ADFS applications that can be migrated and evaluate the readiness of the application to be migrated.

  • If you don’t have Microsoft Entra ID P1 or P2 licenses, we recommend using the ADFS to Microsoft Entra app migration tools based on PowerShell. Refer to solution guide:


This video covers both phase 1 and 2 of the migration process.

Using other identity providers (IdPs)

  • If you’re currently using Okta, refer to our Okta to Microsoft Entra migration guide.

  • If you’re currently using Ping Federate, then consider using the Ping Administrative API to discover applications.

  • If the applications are integrated with Active Directory, search for service principals or service accounts that may be used for applications.

Using cloud discovery tools

In the cloud environment, you need rich visibility, control over data travel, and sophisticated analytics to find and combat cyber threats across all your cloud services. You can gather your cloud app inventory using the following tools:

  • Cloud Access Security Broker (CASB) - A CASB typically works alongside your firewall to provide visibility into your employees’ cloud application usage and helps you protect your corporate data from cybersecurity threats. The CASB report can help you determine the most used apps in your organization, and the early targets to migrate to Microsoft Entra ID.
  • Cloud Discovery - By configuring Microsoft Defender for Cloud Apps, you gain visibility into the cloud app usage, and can discover unsanctioned or Shadow IT apps.
  • Azure Hosted Applications - For apps connected to Azure infrastructure, you can use the APIs and tools on those systems to begin to take an inventory of hosted apps. In the Azure environment:

Manual discovery process

Once you've taken the automated approaches described in this article, you have a good handle on your applications. However, you might consider doing the following to ensure you have good coverage across all user access areas:

  • Contact the various business owners in your organization to find the applications in use in your organization.
  • Run an HTTP inspection tool on your proxy server, or analyze proxy logs, to see where traffic is commonly routed.
  • Review weblogs from popular company portal sites to see what links users access the most.
  • Reach out to executives or other key business members to ensure that you've covered the business-critical apps.
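
The proxy-log review in the list above can be scripted. The following is an added example, not part of the original guidance: it assumes Squid's native access.log layout, uses constructed log lines and a hypothetical `KNOWN_APP_HOSTS` inventory, and ranks destinations missing from that inventory by distinct users.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log layout (assumed format):
# time elapsed client action/code bytes method target user hierarchy/peer type
SAMPLE_LOG = """\
1700000000.101 120 10.0.0.5 TCP_MISS/200 5120 GET http://wiki.corp.example/home alice HIER_DIRECT/192.0.2.10 text/html
1700000001.220 95 10.0.0.6 TCP_TUNNEL/200 8841 CONNECT crm.saas.example:443 bob HIER_DIRECT/198.51.100.7 -
1700000002.330 80 10.0.0.5 TCP_TUNNEL/200 3020 CONNECT crm.saas.example:443 alice HIER_DIRECT/198.51.100.7 -
1700000003.410 60 10.0.0.7 TCP_TUNNEL/200 990 CONNECT files.share.example:443 carol HIER_DIRECT/203.0.113.9 -
1700000004.500 70 10.0.0.6 TCP_TUNNEL/200 1200 CONNECT CRM.saas.example:443 bob HIER_DIRECT/198.51.100.7 -
1700000005.000 10 10.0.0.8 TCP_DENIED/403 300 GET http://blocked.example/ - HIER_NONE/- text/html
malformed line
"""

# Hypothetical inventory of hosts already found by the automated discovery steps.
KNOWN_APP_HOSTS = {"wiki.corp.example"}

def destination_host(method, target):
    """Lower-cased host from a CONNECT 'host:port' target or a full URL."""
    host = target.rsplit(":", 1)[0] if method == "CONNECT" else urlsplit(target).hostname
    return (host or "").lower()

def summarize(log_text):
    """Map host -> {'requests': n, 'users': set}, counting allowed traffic only."""
    stats = defaultdict(lambda: {"requests": 0, "users": set()})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # skip truncated or malformed lines
        client, action, method, target, user = fields[2], fields[3], fields[5], fields[6], fields[7]
        host = destination_host(method, target)
        if action.startswith("TCP_DENIED") or not host:
            continue  # blocked requests do not indicate an app in use
        stats[host]["requests"] += 1
        # Fall back to the client IP when the proxy did not authenticate the user.
        stats[host]["users"].add(user if user != "-" else client)
    return stats

def unknown_apps(log_text, known_hosts):
    """Hosts missing from the inventory, ranked by distinct users, then requests."""
    rows = [(host, len(s["users"]), s["requests"])
            for host, s in summarize(log_text).items() if host not in known_hosts]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))

if __name__ == "__main__":
    for host, users, requests in unknown_apps(SAMPLE_LOG, KNOWN_APP_HOSTS):
        print(f"{host:25} users={users} requests={requests}")
```

Hosts that rank high here but have no entry in your inventory are the ones to raise with business owners.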

Type of apps to migrate

Once you find your apps, classify them into the following types:

Apps that use modern authentication already

The already modernized apps are the most likely to be moved to Microsoft Entra ID. These apps already use modern authentication protocols such as SAML or OIDC and can be reconfigured to authenticate with Microsoft Entra ID.

We recommend you search and add applications from the Microsoft Entra app gallery. If you don’t find them in the gallery, you can still onboard a custom application.

Legacy apps that you choose to modernize

For legacy apps that you want to modernize, moving to Microsoft Entra ID for core authentication and authorization unlocks all the power and data-richness that the Microsoft Graph and Intelligent Security Graph have to offer.

We recommend updating the authentication stack code for these applications from the legacy protocol (such as Windows-Integrated Authentication, Kerberos, HTTP Headers-based authentication) to a modern protocol (such as SAML or OpenID Connect).

Legacy apps that you choose NOT to modernize

For certain apps using legacy authentication protocols, sometimes modernizing their authentication isn't the right thing to do for business reasons. These include the following types of apps:

  • Apps kept on-premises for compliance or control reasons.
  • Apps connected to an on-premises identity or federation provider that you don't want to change.
  • Apps developed using on-premises authentication standards that you have no plans to move.

Microsoft Entra ID can bring great benefits to these legacy apps. You can enable modern Microsoft Entra security and governance features like Multi-Factor Authentication, Conditional Access, Identity Protection, Delegated Application Access, and Access Reviews against these apps without touching the app at all!

New Line of Business (LoB) apps

You usually develop LoB apps for your organization’s in-house use. If you have new apps in the pipeline, we recommend using the Microsoft identity platform to implement OIDC.

Apps to deprecate

Apps without clear owners and clear maintenance and monitoring present a security risk for your organization. Consider deprecating applications when:

  • Their functionality is highly redundant with other systems
  • There's no business owner
  • There's clearly no usage

We recommend that you do not deprecate high impact, business-critical applications. In those cases, work with business owners to determine the right strategy.

Exit criteria

You're successful in this phase with:

  • A good understanding of the applications in scope for migration, those that require modernization, those that should stay as-is, or those you've marked for deprecation.
