Blog
5 min read
Lessons in Identity Management: Navigating Microsoft Azure Ad After Okta ID
In my last blog, I walked you through my integration journey between Microsoft 365 and Google Workspace, as well as the switch from Okta to Microsoft Azure AD/Entra ID as an identity provider. In this second blog, I will share lessons learned on this process so you can tackle similar projects successfully. Please note that Microsoft Azure AD, also referred to as Microsoft Active Directory, is now known as Entra ID.
Single Sign-On (SSO)
- Start with configuring linked-based Single Sign-On (SSO) for your applications in Azure AD/Entra ID. This will allow users to start accessing their apps through the My Apps Microsoft dashboard (while still using Okta SSO) and will ultimately make the transition to Azure AD/Entra ID easier.
- Initiate SSO collaboration and coordination at the earliest opportunity. Note that certain SSO apps can only be updated by the vendor, requiring extra follow-up and dedicated attention during the project.
- Certain SSO applications offer support for either a single Identity Provider (IdP) or multiple IdPs. Applications that support multiple IdPs provide greater flexibility during the cutover process, as they can be accessed via Azure AD/Entra ID for testing purposes while maintaining access through Okta. This allows for a smoother transition and enables thorough testing within the Azure AD/Entra ID environment without disrupting user access through Okta.
Life Cycle Management (LCM)
- Azure AD/Entra ID provides automated access management for enterprise applications based on users’ roles and responsibilities within the organization. This functionality is similar to Okta’s lifecycle management, but it offers deeper integration with Microsoft’s suite of services. For instance, when a new user is added to Azure AD/Entra ID by the IT department in an organization that uses Microsoft 365 (M365), the user automatically gains access to all the necessary apps based on their role. Achieving this level of integration with Okta may be more complex, especially if the organization primarily utilizes Microsoft products.
- However, it’s important to note that not all applications in the Application Gallery support both SSO and lifecycle management (LCM) out-of-the-box when using Azure AD/Entra ID. It i’s crucial to review each application’s documentation and potentially consult with the app’s vendor to understand any specific requirements or limitations that may exist.
- Utilize a matrix, similar to my provided example, to document and effectively track all SSO/LCM applications throughout the migration process.
- In cases where the environment is a hybrid with both on-premises AD and Azure AD/Entra ID, it is likely that cleanup will be necessary for on-premises accounts.
- It’s important to consider the mail flow behavior of M365. By default, M365 attempts to route mail flow internally for domains registered within the tenant. However, if mailboxes for a particular domain are hosted in a different environment, such as Google, mail flow from Azure AD/Entra ID to that Google domain will fail. To ensure proper mail flow, Conditional Based Routing (CBR) and/or mail users must be created in Azure AD/Entra ID to route mail flow externally.
- During the transition from Okta Multi-Factor Authentication (MFA) to Azure AD/Entra MFA, many companies still have legacy per-user MFA configurations in Azure AD/Entra ID. Capitalize on this migration opportunity to migrate Microsoft legacy MFA to Entra MFA and configure the new Authentication Controls. Additionally, consider the integration of Self-Service Password Reset (SSPR) with the Entra MFA enrollment process if it falls within the scope of the project.
Applications User Migrations
- During the migration from Okta to Azure AD/Entra ID, transferring user and group data becomes a critical task. As identities created in Okta are not automatically available in Azure AD/Entra ID, it is essential to establish a plan for replicating these identities to maintain uninterrupted access and operations.
- User Migration: Each user in Okta possesses a unique identity comprising personal details, credentials and application access rights. When transitioning to Azure AD/Entra ID, it is necessary to transfer these identities accurately, ensuring that user details and access rights are replicated faithfully.
- Group Migration: Groups play a crucial role in collectively managing multiple users, simplifying the assignment and revocation of application access rights. When migrating groups from Okta to Azure AD/Entra ID, precise replication of group structure and membership is essential. Additionally, replicating any group-based access rights to applications ensures the preservation of existing access control structures.
- Application Assignment Migration: Users and groups in Okta have application assignments that determine their access to specific applications. Replicating these application assignments for each user and group when moving to Azure AD/Entra ID is crucial. A recommended approach is to start by replicating application assignments for high-priority applications before addressing less critical ones.
- The process of copying users, groups, and application assignments from Okta to Azure AD/Entra ID should be executed strategically. This may involve conducting a pilot phase with a small group of users to validate the accuracy of transferred data and test application functionality with the new identities before proceeding with the migration across the entire organization.
- Regardless of the approach chosen, comprehensive planning, testing, and validation are essential to ensure a successful migration with minimal disruption to users and operations.
By following these steps, you can eliminate downtime, beef up security and provide a seamless user experience during the SSO migration process to Microsoft Azure AD/Entra ID. Also, don’t underestimate having a clear communication plan to inform all stakeholders of the upcoming changes and provide training if necessary. Having a solid grasp of both technical execution and communication is key for a successful implementation which will lead to significant cost savings for your organization from the Okta licenses themselves and enhanced user experience for your employees.