Master AD to Entra ID migration: fix source of authority without breaking logins

Season 1 Published 5 months, 2 weeks ago
Description
(00:00:00) The Hybrid Identity Dilemma
(00:00:09) The Dual Identity System Burden
(00:01:21) The Source of Authority Conundrum
(00:04:05) Preparing for Migration
(00:07:38) Migrating Groups to Cloud Management
(00:11:11) Migrating Users to Microsoft Entra ID
(00:15:07) Troubleshooting Common Sync Issues
(00:18:40) Optimization and Long-Term Strategy
(00:21:10) The Path to Modern Identity Management

In this episode of M365.fm, Mirko Peters tackles the dual‑directory dilemma of running Active Directory on‑premises and Microsoft Entra ID in the cloud, and shows how to safely shift your source of authority without locking out users or breaking apps. He explains why hybrid identity was meant as a bridge, not a forever home, how dual sources of authority undermine Zero Trust, and why the IsCloudManaged flag is the tiny property that decides whether AD or Entra ID really owns a user or group. You will learn how outdated sync models, stale OUs, and legacy password policies create drift between directories, and how moving groups and users into cloud‑managed status unlocks Conditional Access, MFA, access reviews, and modern identity governance.

Mirko walks step by step through environment preparation before any migration: running a full directory census, cleaning up ghost accounts and duplicate UPNs, validating Entra Connect or Cloud Sync health, and documenting custom sync rules so you are not surprised mid‑cutover. He then shows how to design a sane sequence, migrating critical groups first, piloting regular users, and leaving complex cross‑domain identities for last, so production stays online while ownership quietly moves from AD to Entra ID. Along the way, you hear concrete guidance on modern authentication: enforcing MFA, Conditional Access, and device compliance so that cloud‑managed objects land directly in a Zero Trust‑ready posture instead of inheriting legacy modern‑auth gaps.
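The directory census described above can be scripted rather than eyeballed. The PowerShell below is an added example for this page, not code from the episode or from M365.fm; it assumes the ActiveDirectory RSAT module and the Microsoft.Graph PowerShell SDK are installed, that the signed-in account can read AD and the tenant's domain list, and that a 90-day idle window is an acceptable "ghost account" threshold (an assumption you should tune). It flags the four things that most often break a sync cutover: duplicate UPNs, missing UPNs, enabled-but-idle accounts, and UPN suffixes the tenant has not verified.

```powershell
# Added example: pre-migration AD census (not from the episode).
# Assumptions: RSAT ActiveDirectory module + Microsoft.Graph SDK present; read rights on AD;
# Domain.Read.All consented in the tenant; $StaleDays threshold is a judgement call.
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Identity.DirectoryManagement

$StaleDays = 90   # assumption: enabled accounts idle this long are cleanup candidates

# 1. Pull every user with the attributes the sync engine cares about.
#    LastLogonDate derives from lastLogonTimestamp, which replicates with up to ~14 days lag,
#    so treat it as "roughly idle", not a precise audit value.
$users = Get-ADUser -Filter * -Properties UserPrincipalName, LastLogonDate, PasswordLastSet, DistinguishedName

# 2. Duplicate UPNs (case-insensitive). Two AD objects claiming one UPN cannot both match
#    the same Entra object; resolve these before any source-of-authority change.
$dupUpn = $users |
    Where-Object { $_.UserPrincipalName } |
    Group-Object { $_.UserPrincipalName.ToLowerInvariant() } |
    Where-Object { $_.Count -gt 1 }

# 3. Users with no UPN at all: the sync engine falls back to other attributes, which is
#    exactly the kind of drift the episode warns about.
$noUpn = $users | Where-Object { -not $_.UserPrincipalName }

# 4. Ghost accounts: enabled but never logged on, or not within $StaleDays.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$stale = $users | Where-Object {
    $_.Enabled -and (-not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff)
}

# 5. UPN suffixes the tenant has not verified (e.g. corp.local). Entra rewrites these to the
#    default onmicrosoft.com suffix on sync, which silently changes the login name users type.
Connect-MgGraph -Scopes 'Domain.Read.All' -NoWelcome
$verified = (Get-MgDomain | Where-Object IsVerified).Id
$badSuffix = $users |
    Where-Object { $_.UserPrincipalName } |
    Where-Object { $_.UserPrincipalName.Split('@')[-1] -notin $verified }

# Summary for the migration readiness report
[pscustomobject]@{
    TotalUsers          = @($users).Count
    DuplicateUpns       = @($dupUpn).Count
    MissingUpn          = @($noUpn).Count
    StaleEnabled        = @($stale).Count
    UnverifiedUpnSuffix = @($badSuffix).Count
}

# Detail lines for the cleanup ticket
$dupUpn    | ForEach-Object { 'DUPLICATE {0}: {1}' -f $_.Name, ($_.Group.DistinguishedName -join '; ') }
$badSuffix | Select-Object UserPrincipalName, DistinguishedName
$stale     | Select-Object SamAccountName, LastLogonDate, DistinguishedName
```

Run it read-only first and attach the output to the cutover plan; none of these findings should be "fixed" by the migration itself, they should be closed in AD before the first group is flipped.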

The episode dives deep into group migration as the connective tissue of identity. Mirko explains how to identify application‑critical security groups, read their Source value, and flip them to cloud‑managed using Graph or PowerShell while preserving memberships and access control. He covers common failure patterns, such as bad attribute hygiene, broken sync filters, and missing connectors, and how to troubleshoot them before they cascade into app outages. You also get a practical checklist around Entra Connect Health, Kerberos and certificate trusts, and hybrid access so that on‑prem resources continue to recognize cloud‑managed identities through SID matching and sync health.
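The group flip Mirko describes is a single Graph call, but the value is in the checks around it. The PowerShell below is an added example for this page, not code from the episode or from M365.fm. It assumes the Microsoft.Graph SDK is installed and that the admin has consented to Group.Read.All and Group-OnPremisesSyncBehavior.ReadWrite.All; the Graph beta onPremisesSyncBehavior resource and its isCloudManaged property are what the episode's "IsCloudManaged flag" refers to, and the beta endpoint's shape should be re-checked against current docs before you rely on it. The group object ID in the usage line is a placeholder.

```powershell
# Added example (not from the episode): read a synced group's Source of Authority and
# convert it to cloud-managed, snapshotting membership before and after.
# Assumptions: Microsoft.Graph SDK; Group.Read.All + Group-OnPremisesSyncBehavior.ReadWrite.All;
# Graph beta resource /groups/{id}/onPremisesSyncBehavior with property isCloudManaged.
Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'Group.Read.All', 'Group-OnPremisesSyncBehavior.ReadWrite.All' -NoWelcome

function Get-GroupSoa {
    # Returns the same information the portal's "Source" column summarises.
    param([Parameter(Mandatory)][string]$GroupId)
    $g = Invoke-MgGraphRequest -Method GET -Uri ("https://graph.microsoft.com/beta/groups/$GroupId" +
         '?$select=id,displayName,onPremisesSyncEnabled,onPremisesSecurityIdentifier')
    $b = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/beta/groups/$GroupId/onPremisesSyncBehavior"
    [pscustomobject]@{
        Id             = $g.id
        DisplayName    = $g.displayName
        SyncEnabled    = [bool]$g.onPremisesSyncEnabled
        OnPremSid      = $g.onPremisesSecurityIdentifier   # kept after conversion; this is what SID matching relies on
        IsCloudManaged = [bool]$b.isCloudManaged
        Source         = if ($b.isCloudManaged) { 'Cloud' } else { 'Windows Server AD' }
    }
}

function Get-GroupMemberIds {
    # Sorted member object IDs, following paging so large groups are compared completely.
    param([Parameter(Mandatory)][string]$GroupId)
    $r = Invoke-MgGraphRequest -Method GET -Uri ("https://graph.microsoft.com/v1.0/groups/$GroupId/members" + '?$select=id&$top=999')
    $ids = @($r.value.id)
    while ($r.'@odata.nextLink') {
        $r = Invoke-MgGraphRequest -Method GET -Uri $r.'@odata.nextLink'
        $ids += $r.value.id
    }
    $ids | Sort-Object
}

function Convert-GroupToCloudManaged {
    param([Parameter(Mandatory)][string]$GroupId)
    $before = Get-GroupSoa -GroupId $GroupId
    if ($before.IsCloudManaged) { Write-Warning "$($before.DisplayName) is already cloud-managed"; return $before }
    if (-not $before.SyncEnabled) { throw "$($before.DisplayName) is not a synced group; nothing to convert" }

    $membersBefore = Get-GroupMemberIds -GroupId $GroupId

    # The actual Source-of-Authority flip: after this, Entra Connect / Cloud Sync stops
    # overwriting the object from AD and the cloud copy becomes authoritative.
    Invoke-MgGraphRequest -Method PATCH `
        -Uri "https://graph.microsoft.com/beta/groups/$GroupId/onPremisesSyncBehavior" `
        -Body @{ isCloudManaged = $true }

    $after = Get-GroupSoa -GroupId $GroupId
    if (-not $after.IsCloudManaged) { throw "Conversion of $($before.DisplayName) did not take effect" }

    # Membership must survive the flip; abort the rollout if it did not.
    $membersAfter = Get-GroupMemberIds -GroupId $GroupId
    if (($membersBefore -join ',') -ne ($membersAfter -join ',')) {
        throw "Membership of $($before.DisplayName) changed during conversion; stop and investigate"
    }
    $after
}

# Usage: pilot on one application-critical group before looping over the rest.
# Convert-GroupToCloudManaged -GroupId '00000000-0000-0000-0000-000000000000'
```

Two caveats a practitioner will want alongside this: the conversion only changes who owns the Entra object, so if an on-prem application still reads the AD copy of the group you need group provisioning back to AD (or an equivalent writeback path) configured before users depend on it; and the sync engine must be on a build that honours the flag, so confirm the Entra Connect or Cloud Sync version requirement in Microsoft's Group SOA documentation before flipping anything in production.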

By the end of the episode, you will see AD as heritage and Entra ID as your living identity fabric. If you follow Mirko’s sequence—clean, prepare, move groups, then users—your migration becomes a controlled transfer of authority rather than a risky big‑bang that leaves helpdesks drowning in “I can’t log in” tickets. This conversation arms you with both the technical playbook and the narrative you need to explain to security, compliance, and leadership why moving Source of Authority to Entra ID is less about fashion and more about operational integrity.

WHAT YOU WILL LEARN
  • What Source of Authority really means and how dual control between AD and Entra ID breaks Zero Trust.
  • How to prepare your environment: directory cleanup, UPN collision fixes, sync scope checks, and sync health validation.
  • How to migrate groups first using IsCloudManaged, Graph, and Pow