Five tips to improve the migration process to Azure Active Directory
Published Apr 17 2019 09:18 AM


This is Sue Bohn, director of program management for Identity and Access Management. I’m thrilled to announce the first post in our Voice of the Partner blog series. Today we’ve invited Joe Stocker of Patriot Consulting to share five tips that can dramatically improve the customer’s migration process from Active Directory Federation Services (ADFS) to Azure Active Directory (Azure AD). This story is a great reminder that some challenges aren’t nearly as difficult as they first seem. 


Patriot Consulting, a member of our partner network, focuses on helping customers deploy Microsoft cloud solutions securely. The company has a unique view into current business drivers and customer strategy when it comes to the cloud. For example, Joe Stocker and his colleagues have recently noted an acceleration in the number of customers migrating off ADFS and third-party identity and access solutions to Azure AD. I’m pleased that he agreed to share a couple customer stories that illustrate the following insights: 


  • Conditional access and cost reduction are driving migration to Azure AD.
  • The ADFS to Azure AD app migration tool streamlines the migration experience.
  • Users love single sign-on (SSO) through Azure AD.


Conditional access and cost reduction drive migration to Azure AD

I am one of the founders at Patriot Consulting Technology Group, which means I spend my days helping Microsoft’s customers deploy and secure Microsoft 365 solutions. This work gives me a broad view of trends developing in the industry. One thing we’ve observed is that our clients have begun to reassess their identity and access management solutions. Some are concerned about an on-premises outage disrupting authentication for all their users. Many discover that they have multiple identity and access management solutions and see an opportunity to cut costs.  

Our client West Coast University is a great example of this trend. They previously used ADFS to authenticate users and supported about 30 software as a service (SaaS) and security assertion markup language (SAML) apps. Users were able to access cloud apps and the network with single sign-on; however, IT wanted to better protect the organization from compromised user accounts. The security capabilities of Azure AD, especially conditional access, were very attractive to them. Conditional access would allow them to detect session-based conditions and apply automated security policies depending on the risk level associated with the session. For example, if access to one of those 30 apps was attempted from a personal device, Azure AD could work with Microsoft Cloud App Security and Microsoft Intune to apply security controls. Depending on the circumstances and policies, Azure AD could allow access, force multi-factor authentication, or block access. If access was allowed, Azure AD could work with Microsoft Cloud App Security to limit the actions users could take, such as encrypting or blocking downloads.


Save time migrating apps to Azure AD 

Our client West Coast University was convinced of the security advantages of Azure AD, but they were worried about a cumbersome migration process. They weren’t certain whether Azure AD would support all their apps. The truth is, I don’t blame them. I remember when it could take six to twelve months to migrate that many apps from ADFS to Azure AD. However, Microsoft recently launched the ADFS to Azure AD app migration tool, which has simplified the process. We gave West Coast University the following tips:


  1. Use the ADFS to Azure AD app migration tool to analyze your current apps. This tool will quickly identify which apps can be migrated seamlessly and which require remediation (see figure one). 
  2. Acquire deployment guides for the relevant apps. Many are published on the Microsoft app gallery, but if not, you can open a ticket through the third-party vendor who developed the app. 
  3. Allocate appropriate time and resources to the high-touch apps. 
  4. Migrate the apps that are ready to go for quick wins. 
  5. Identify a test environment or plan a maintenance window to avoid moving a large or heavily used app at peak usage.

Figure one: Generic sample analysis from the ADFS to Azure AD app migration tool

Before we even got started, a program manager at Microsoft did a demo of the migration tool for West Coast University, and our clients were blown away.  

“The tool is amazing. I can’t even articulate how much time it saved us with this project. Don’t start your migration without it.” 

The demo quickly put their minds at ease, and we got started. The ADFS to Azure AD app migration tool identified twenty apps that would migrate with no problem and ten that would need additional troubleshooting. We segmented the challenging apps into two categories: one group required SAML request signing, and the second group required token encryption. We called the vendors for the first set of apps to find out whether SAML request signing was a hard requirement and learned it was not, which cleared those apps. Microsoft recently launched token encryption in public preview, which allowed us to migrate the second group of apps. The tool dramatically simplified the project by surfacing these problems early.
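As an added example (this is neither Microsoft's migration tool nor Patriot Consulting's code), the PowerShell below triages ADFS relying party trusts into the same "ready" and "remediate" buckets the tips and the West Coast University story describe, flagging the two remediation categories found there: SAML request signing and token encryption. It assumes the ADFS PowerShell module's Get-AdfsRelyingPartyTrust is available on the ADFS server, or that it is fed objects carrying the same property names; the sample trusts at the end are constructed so the script runs offline.

```powershell
# Added example, not the ADFS to Azure AD app migration tool. Buckets relying
# party trusts for migration review using the two remediation categories
# named in the post (SAML request signing, token encryption).
function Get-RelyingPartyMigrationTriage {
    param(
        # Trust objects with ADFS property names; defaults to the live ADFS
        # configuration when run on an ADFS server (assumption: module present).
        [object[]] $Trusts = (Get-AdfsRelyingPartyTrust)
    )

    foreach ($rp in $Trusts) {
        $reasons = @()

        # Category 1: the app insists on signed SAML AuthnRequests. The post's
        # experience was that vendors often did not actually require this.
        if ($rp.SignedSamlRequestsRequired) {
            $reasons += 'SAML request signing required - confirm with vendor'
        }

        # Category 2: the app expects encrypted tokens (EncryptClaims set, or an
        # encryption certificate configured on the trust).
        if ($rp.EncryptClaims -or ($null -ne $rp.EncryptionCertificate)) {
            $reasons += 'Token encryption required - needs Azure AD token encryption'
        }

        # Disabled trusts are worth listing so nothing already dead gets migrated.
        if (-not $rp.Enabled) {
            $reasons += 'Trust disabled in ADFS - candidate for retirement'
        }

        $status = 'Ready'
        if ($reasons.Count -gt 0) { $status = 'Remediate' }

        [pscustomobject]@{
            Name       = $rp.Name
            Identifier = ($rp.Identifier -join ';')
            Status     = $status
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Constructed sample trusts (not real customer data) to exercise the function.
$sample = @(
    [pscustomobject]@{ Name = 'Helpdesk SaaS'; Identifier = @('https://helpdesk.example.invalid/saml'); SignedSamlRequestsRequired = $false; EncryptClaims = $false; EncryptionCertificate = $null; Enabled = $true }
    [pscustomobject]@{ Name = 'LMS'; Identifier = @('https://lms.example.invalid'); SignedSamlRequestsRequired = $true; EncryptClaims = $false; EncryptionCertificate = $null; Enabled = $true }
    [pscustomobject]@{ Name = 'HR Portal'; Identifier = @('urn:hr:prod'); SignedSamlRequestsRequired = $false; EncryptClaims = $true; EncryptionCertificate = $null; Enabled = $false }
)

Get-RelyingPartyMigrationTriage -Trusts $sample | Format-Table -AutoSize
```

On a real server, run it with no -Trusts argument and export the output to CSV to hand to the app owners before scheduling the migration waves.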


The project was a huge win for our clients at West Coast University. We were able to complete the migration in about six to eight weeks, and they now have the session-based security controls to better protect the organization.  


Users love single sign-on through Azure AD

Economic and security benefits drive organizations to adopt Azure AD, but full adoption and compliance are more likely if users benefit too. We recently implemented a similar project for Southland Industries, and their employees were thrilled.


“User experience is front and center of everything we focus on. Our employees can now access our 3rd party helpdesk application in the same Office 365 App Launcher that they use to access their Office 365 productivity applications. The mobile experience is also fantastic, with single sign-on from Intune-managed mobile devices.” - Josh Pickett, IT Manager, Networking and Security at Southland Industries. “With Patriot’s help, we were able to implement strong conditional access rules to limit access to our 3rd party SAML applications. This is one of the primary reasons why we switched from a competitor to Azure AD.” 


Learn more 

I hope you find Joe’s story as valuable as I did. Now check out the Voice of the Customer series for more real-world experiences with Microsoft 365 Identity and Access solutions. 


Find out how Azure AD can help you enhance your security and simplify access. 

Leverage our partners for help with an implementation.  

Version history: last updated Jul 24 2020 01:39 AM