Simplify hybrid complexity and strengthen your security posture by managing users and groups natively in the cloud.
Back in August, I shared how Group Source of Authority (SOA) conversion helps organizations govern legacy groups in the cloud, simplifying on-premises cleanup and extending governance to apps that still rely on Active Directory (AD). Today, I’m excited to announce two major updates to assist in securing hybrid identities:
- Group SOA conversion is now generally available.
- User SOA conversion is in public preview.
Why this matters
Managing identities across AD and the cloud has long been a balancing act. These new capabilities remove that friction:
- User Source of Authority (SOA) conversion lets you convert synced users from AD into cloud-editable objects, reducing operational overhead and unlocking advanced identity features like governing users in the cloud, Conditional Access, MFA, and passwordless authentication.
- Group Source of Authority (SOA) conversion allows you to shift control of AD-synced security groups to Entra ID, making them fully manageable in the cloud while preserving compatibility for on-premises apps through optional writeback. This feature also lets you convert mail-enabled security groups and distribution lists into equivalent groups managed through Exchange in the cloud and helps remove unnecessary groups from AD.
Together, these features pave the way for your organization to minimize AD investments, simplify lifecycle management, and strengthen your Zero Trust security posture.
Scenario - Securing hybrid identities with User & Group SOA
An organization is moving toward a cloud-first identity model but still relies on critical on-premises applications. Instead of waiting for a full migration, the identity team starts by converting a subset of high-risk users to cloud-editable identities using User SOA. At the same time, they transition the AD security groups tied to those apps with Group SOA, making them fully manageable in Microsoft Entra ID and enabling improved security and governance capabilities.
This combined approach unlocks immediate benefits. IT administrators can now manage identities, groups, and access policies centrally through the Microsoft Entra admin center or Microsoft Graph APIs—simplifying operations and reducing complexity. Governance is automated with Entitlement Management, Access Reviews, and Lifecycle Workflows, replacing manual processes and strengthening compliance for critical apps.
Security improves dramatically. Employees sign in with Microsoft Entra ID credentials—including passwordless options—for both cloud and on-premises applications. Risk-based Conditional Access policies apply seamlessly, reducing password fatigue and credential sprawl while reinforcing Zero Trust principles.
Migration remains flexible. By starting with a subset of users and groups, the organization avoids disruption and maintains existing sync flows. Over time, they can expand conversion at their own pace using Microsoft Graph APIs or the Microsoft Entra admin center.
The result: customers gain centralized control, automated governance, and stronger security—without breaking legacy apps or waiting for a full migration.
To see these capabilities in action and understand the underlying mechanics, watch the detailed walkthrough in the Mechanics video below.
These new features are available at no additional cost with the Microsoft Entra Free license—so start exploring them today! Try them out in your environment and experience the benefits firsthand.
- Learn More: https://aka.ms/usersoadocs | https://aka.ms/groupsoadocs
- Watch the Explainer Video: Source of Authority | Get to cloud-first model with Group Source of Authority: Deep Dive
- Guidance for IT Architects: https://aka.ms/SOAITArchitectsGuidance
And don’t miss the chance to learn more and connect with experts at Microsoft Ignite either in person or online for deep dives, demos, and discussions on everything Microsoft Entra.
Joe Dadzie – VP Product Management