The Forced March to Cloud Identity
Microsoft isn’t asking if you’ll migrate to Entra ID. They’re deciding when by systematically retiring on-premises dependencies:
- March 2026: Service principal-less authentication ends. Apps without service principals will fail.
- 2026: WAF V1 (which supports NTLM) reaches end-of-life. Legacy auth breaks.
- Ongoing: Azure AD Connect V1.x already dead (October 2023). V2.x is “supported” but Cloud Sync is the future.
The “hybrid forever” dream is over. You’re migrating to cloud identity whether you’re ready or not.
The reality: While exact figures vary by source, the majority of enterprises still run on-premises Active Directory infrastructure, but Microsoft’s licensing model now penalizes hybrid deployments. Entra ID P2 is $9/user/month. Maintaining on-prem AD Domain Controllers costs ~$180K/year (hardware, power/cooling, Windows Server licensing, SQL licensing for Azure AD Connect, admin overhead). CFOs are doing the math.
Go / No-Go Assessment
Before committing to Entra ID migration, assess your readiness.
| Criteria | Threshold for "Go" | Score (0-10) |
|---|---|---|
| **GPO Complexity** | ≤50 Group Policy Objects with minimal Group Policy Preferences. | |
| **Legacy App Dependency** | ≤5 apps hardcoded to NTLM, all have documented modern auth alternatives. | |
| **Device Join Strategy** | Devices can be Entra ID joined (cloud-only) or accept hybrid join temporarily. | |
| **Nested Group Usage** | Low usage of deeply nested groups (Entra ID supports nesting but with limitations). | |
| **IT Team Readiness** | Team understands Intune, Conditional Access, and Azure management. |
Top 3 Failure Modes
1. The "Intune Does Everything GPO Did" Myth (52% of failures)
The Trap: Assuming Microsoft Intune directly replaces all Group Policy functionality.
The Reality: Group Policy Preferences (drive mappings, scheduled tasks, file operations) have NO direct Intune equivalents. User-specific registry settings (HKEY_CURRENT_USER) require custom OMA-URI profiles or Proactive Remediations (scripting). Legacy app configurations that relied on GPOs often break. Result: Devices join Entra ID but can't access network shares, printers fail, custom apps malfunction.
Example: Financial services company migrated 2,000 devices to Entra ID. Their custom trading application expected a specific registry key set via GPO. Intune couldn't replicate it without custom PowerShell scripting. Trading desks were offline for 6 hours.
2. NTLM Authentication Hardcoded Everywhere (35% of failures)
The Trap: Not discovering NTLM dependencies until legacy apps break post-migration.
The Reality: Custom internal apps, SharePoint workflows, SQL Server connections, and even some Microsoft products hardcode `domain\username` authentication. When WAF V1 retires (2026) or you disable NTLM, these apps fail silently. Modernizing to OAuth 2.0 or SAML requires code changes developers don't have time for.
Example: Healthcare org migrated to Entra ID. Their patient scheduling system (built in-house in 2012) used NTLM for SQL authentication. After migration, the app couldn't connect. Developers had retired. Vendor wanted $400K to rebuild the auth layer.
3. The March 2026 Service Principal Deadline (25% of failures)
The Trap: Ignoring Microsoft's deadline for service principal-less authentication retirement.
The Reality: Many custom apps and scripts authenticate to Entra ID without properly registered service principals. After March 2026, these will fail authentication. Audit requires digging through legacy code, PowerShell scripts, and cron jobs to find hardcoded credentials or OAuth flows without principals.
Prevention: Run `Get-AzureADApplication` to list all apps. Any without an associated service principal needs remediation NOW.
5 Technical Traps: Active Directory to Entra ID
1. Group Policy Preferences ≠ Intune Settings Catalog
The Problem: GPPs (drive mappings, scheduled tasks, printer deployments) have no Intune equivalent.
- Win: Drive mappings work via AD domain membership.
- Fail: Entra ID-joined devices don’t see domain shares without explicit Azure File Share integration.
- Solution: Use Intune Proactive Remediations (PowerShell scripts) to map drives, or migrate file shares to SharePoint/OneDrive.
2. Nested Groups & Dynamic Membership
The Problem: Entra ID supports nested groups but with performance penalties. Dynamic groups behave differently.
- AD Behavior: Nested groups inherit permissions instantly via SID expansion.
- Entra ID Behavior: Nested group membership evaluation happens asynchronously. Processing delays can range from a few minutes to potentially longer for large, complex group structures.
- Solution: Flatten group structures where possible. Use Entra ID dynamic groups with attribute-based membership rules.
3. Kerberos vs. Modern Auth
The Problem: Legacy apps expect Kerberos (Windows Integrated Auth). Entra ID uses OAuth 2.0/OIDC.
- Temporary Fix: Use Microsoft Entra Kerberos (cloud-based KDC) for hybrid-joined devices. Requires Windows Hello for Business.
- Long-Term Fix: Refactor apps to use modern auth (MSAL libraries, OAuth 2.0). This requires developer effort.
4. Device Trust Models
The Problem: On-prem AD uses domain join for device trust. Entra ID offers three models:
- Entra ID Joined (cloud-only): Best for new devices, no on-prem access.
- Hybrid Entra ID Joined: Devices trust both AD and Entra ID. Transitional model.
- Entra ID Registered: BYOD devices, limited trust.
- Solution: Hybrid join buys you time but adds complexity. Plan phased migration to pure Entra ID join.
5. Password Hash Sync vs. Pass-Through Auth vs. Federation
The Problem: Choosing the wrong auth method creates security gaps or user friction.
- Password Hash Sync (PHS): Simplest. Hashes synced to cloud. Risk: Cloud breach exposes hashes.
- Pass-Through Auth (PTA): On-prem validation. Risk: Requires on-prem agents, defeats cloud-only goal.
- Federation (ADFS): Most complex. Risk: ADFS is a breach vector (SolarWinds taught us this).
- Best Practice: Use PHS + Conditional Access + MFA. Retire ADFS.
Migration Roadmap
Phase 1: Discovery & Dependency Mapping (Weeks 1-4)
Audit all GPOs, identify NTLM dependencies, catalog legacy apps. Run Microsoft's Group Policy analytics tool. Export AD schema and custom attributes. Identify apps without service principals.
Phase 2: Pilot Migration (Weeks 5-12)
Create pilot OU in AD. Install Entra Cloud Sync agents. Configure hybrid join for pilot devices. Translate critical GPOs to Intune policies. Test NTLM → OAuth migrations for 2-3 apps.
Phase 3: Wave Migrations (Weeks 13-40)
Migrate users/devices in waves (typically 10-20% per wave). Use OU-based scoping. Register all app service principals. Refactor legacy auth for critical apps. Decommission Azure AD Connect, switch to Cloud Sync.
Phase 4: Decommission On-Prem AD (Weeks 41-52)
Retire Domain Controllers. Move all devices to pure Entra ID join (not hybrid). Sunset ADFS/PTA, migrate to PHS + Conditional Access. Celebrate escaping the "domain controller tax."
Total Cost of Ownership (TCO)
The migration isn’t free, but the ongoing cost reduction is significant.
| Cost Category | On-Prem AD (Current) | Entra ID (Future) | Migration Cost |
|---|---|---|---|
| Licensing | Windows Server licensing + CALs | Entra ID P2 ($9/user/month) | — |
| Infrastructure | 4x Domain Controllers + SQL ($180K/year capex) | $0 (cloud-managed) | Decommission savings |
| Admin Overhead | 2-3 FTEs managing AD ($300K/year) | 0.5 FTE (policies only) | — |
| Security | ADFS breach risk, on-prem patching | Conditional Access, continuous auth | Partner fees ($150K-$800K) |
Break-even: Typically 18-24 months, driven by elimination of on-prem infrastructure and admin reduction.
Architecture: The Translation Layer
Before (Active Directory)
- Identity: On-prem Domain Controllers (Windows Server 2016+)
- Auth: NTLM, Kerberos, ADFS (federation)
- Device Trust: Domain Join
- Policy: Group Policy Objects (500+ GPOs common)
After (Microsoft Entra ID)
- Identity: Cloud-managed Entra ID (no on-prem DCs)
- Auth: OAuth 2.0, OIDC, SAML (modern auth)
- Device Trust: Entra ID Join (cloud-native)
- Policy: Microsoft Intune (Settings Catalog, OMA-URI profiles)
How to Choose a Migration Partner
If you need a pure Microsoft specialist: Avanade or Ferrara IT. These firms are 100% Microsoft-focused, with thousands of Entra ID migrations under their belt.
If you are a Fortune 500: Accenture or Deloitte. You need a partner who can handle organizational change management, compliance (HIPAA, SOC 2), and the scale of 50,000+ users.
If you need licensing optimization: SoftwareOne. If your goal is to escape E3 → E5 upsell traps while migrating identity, they’ll model the TCO and find cost savings.
Red flags when evaluating vendors:
- “We’ll just move everything to Intune in 2 weeks.” (Lie. GPO translation alone takes months for complex environments.)
- No mention of NTLM dependencies. (They haven’t done discovery. Apps will break post-migration.)
- Weak service principal audit. (If they don’t ask about your custom apps and APIs, they don’t understand the March 2026 deadline.)
How We Select Vendors
We analyzed 50+ identity migration firms based on:
- Microsoft Competency: Identity & Access Management and Modernize Endpoints competencies.
- Case Studies: Proven track record of hybrid → cloud identity transitions with GPO translation.
- NTLM Modernization Expertise: Ability to refactor legacy apps to modern auth, not just document the gap.
Vetting Process:
- Analyze partner case studies for specific “AD to Entra ID” examples with GPO→Intune details.
- Verify Microsoft partnership tier and certifications.
- Evaluate their approach to NTLM sunset and service principal deadlines.
- Exclude firms that rely on “lift and shift” without modernization strategy.
FAQ
How long does an Active Directory to Entra ID migration take?
For a mid-sized enterprise (1,000-5,000 users, 50 GPOs), expect 6-9 months. Large enterprises with complex AD forests, custom apps, and regulatory requirements often take 12-18 months. The timeline is dictated by GPO translation complexity and NTLM app modernization.
Is Entra ID cheaper than on-premises Active Directory?
Yes, for ongoing costs. On-prem AD costs $180K/year (domain controllers, SQL licensing, admin overhead). Entra ID P2 costs $9/user/month ($108K/year for 1,000 users). However, migration costs ($150K-$800K) create a break-even point at 18-24 months.
Can Group Policy Objects (GPOs) be directly migrated to Intune?
No. Microsoft’s Group Policy analytics tool shows which GPO settings have Intune equivalents, but many Group Policy Preferences (drive mappings, scheduled tasks) and user registry settings require OMA-URI custom profiles or PowerShell scripting. Expect 30-50% of GPOs to need manual translation.
What happens to legacy apps using NTLM authentication?
They will break when NTLM is retired (WAF V1 end-of-life 2026). Legacy apps must be refactored to modern auth (OAuth 2.0, SAML) or use Entra ID Domain Services (a managed AD in the cloud) as a temporary bridge. Long-term, app modernization is mandatory.
What is the March 2026 service principal deadline?
Entra ID will no longer support service principal-less authentication. All applications, scripts, and APIs must have properly registered service principals with certificates or secrets. Apps without this will fail authentication. Audit your environment NOW.
Should I use hybrid join or pure Entra ID join?
Hybrid join (devices trust both AD and Entra ID) is a transitional strategy for organizations with legacy apps requiring on-prem access. Pure Entra ID join is the end goal for cloud-native identity. Most orgs use hybrid for 12-24 months, then migrate to pure cloud join.