How to Migrate On-Premises Active Directory to Microsoft Entra ID

Complete enterprise migration from on-premises Active Directory to Microsoft Entra ID with phased execution, security controls, and business continuity planning.

Evan Mael
March 26, 2026 | 25 min read | 10 steps | Difficulty: hard | Topic: Microsoft Entra ID

Why Migrate from On-Premises Active Directory to Microsoft Entra ID?

Enterprise organizations are rapidly transitioning from traditional on-premises Active Directory to Microsoft Entra ID (formerly Azure AD) to modernize their identity infrastructure and embrace cloud-first security models. This migration represents more than a simple lift-and-shift—it's a fundamental transformation of how your organization manages identity, authentication, and access control.

The business drivers for this migration have intensified significantly in 2026. Microsoft has officially deprecated legacy authentication protocols, with Basic Authentication for Exchange Online retired on March 31, 2026, and new tenants automatically blocking legacy protocols since January 15, 2026. Additionally, Microsoft's strategic direction has shifted away from Hybrid Azure AD Join toward native Entra ID Join combined with Microsoft Intune as the recommended long-term architecture.

What Does This Migration Actually Accomplish?

This comprehensive migration eliminates your dependency on on-premises domain controllers while providing enhanced security capabilities that weren't possible with traditional Active Directory. You'll gain access to advanced threat protection through Identity Protection, Zero Trust security models via Conditional Access, and modern authentication methods including phishing-resistant MFA options like FIDO2 and certificate-based authentication.

The migration also positions your organization for mandatory security requirements coming in 2026, including MFA enforcement for Azure portal access starting October 1, 2026, and Security Defaults becoming mandatory for new tenants after June 30, 2026. By completing this migration, you'll ensure compliance with Microsoft's evolving security standards while reducing infrastructure overhead and improving user experience through seamless single sign-on across all Microsoft 365 services.

Implementation Guide

Full Procedure

01

Assess Current Environment and Plan Migration Strategy

Start by evaluating your existing Active Directory infrastructure and determining the optimal migration path. As of 2026, Microsoft recommends native Entra ID Join with Intune over Hybrid Join for long-term deployments.

Run this PowerShell command on your domain controller to check forest functional level:

Get-ADForest | Select-Object Name, ForestMode

Document your current authentication methods and applications. Critical: Basic Authentication for Exchange Online was retired on March 31, 2026, so ensure all applications use modern authentication.

Create an assessment spreadsheet with these columns:

  • Application name
  • Authentication method (Kerberos, NTLM, Basic Auth)
  • Dependencies on on-premises AD
  • Migration priority (Critical/High/Medium/Low)

Warning: Legacy authentication protocols are disabled for new tenants as of January 15, 2026. Plan application updates before migration.

Verification: Run Get-ADDomain | Select-Object DomainMode to confirm domain functional level meets requirements (2003 or higher).
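As an added example (my code, not the article's): a script that builds the step 1 assessment inventory and writes it as CSV files with the columns listed above. It assumes the ActiveDirectory RSAT module on the domain controller and an output directory of C:\Temp\EntraAssessment; the migration priority column is left for the application owner to fill in.

```powershell
# Added example, not from the original article: builds the step 1 assessment
# inventory on a domain controller with the ActiveDirectory RSAT module.
# $OutputDir is an assumed path; migration priority is left for the owner.
Import-Module ActiveDirectory

function Get-AdMigrationAssessment {
    param([string]$OutputDir = "C:\Temp\EntraAssessment")
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

    # Functional levels: the article requires domain mode 2003 or higher
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $domainLevelOk = $domain.DomainMode.ToString() -notin @('Windows2000Domain', 'Windows2003InterimDomain')

    # SPN-bearing accounts are the Kerberos dependencies that keep applications
    # tied to on-premises AD; each SPN becomes one row of the assessment sheet
    $spnAccounts = @(Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, PasswordLastSet, LastLogonDate)
    $rows = @(foreach ($acct in $spnAccounts) {
        foreach ($spn in $acct.ServicePrincipalName) {
            [pscustomobject]@{
                'Application name'               = $spn.Split('/')[0]   # service class, e.g. MSSQLSvc
                'Authentication method'          = 'Kerberos'
                'Dependencies on on-premises AD' = "SPN $spn on $($acct.SamAccountName)"
                'Migration priority'             = 'Review'   # Critical/High/Medium/Low, set by the owner
                'Password last set'              = $acct.PasswordLastSet
            }
        }
    })
    if ($rows) { $rows | Export-Csv -Path (Join-Path $OutputDir 'application-assessment.csv') -NoTypeInformation }

    # Account settings that do not carry over to cloud authentication and
    # should be remediated before these users are synchronized
    $weakAccounts = @(Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties DoesNotRequirePreAuth, AllowReversiblePasswordEncryption, PasswordNeverExpires |
        Where-Object { $_.DoesNotRequirePreAuth -or $_.AllowReversiblePasswordEncryption -or $_.PasswordNeverExpires } |
        Select-Object SamAccountName, DoesNotRequirePreAuth, AllowReversiblePasswordEncryption, PasswordNeverExpires)
    if ($weakAccounts) { $weakAccounts | Export-Csv -Path (Join-Path $OutputDir 'weak-account-settings.csv') -NoTypeInformation }

    # Device inventory by OS feeds the step 5 join-strategy decision
    $computers = @(Get-ADComputer -Filter * -Properties OperatingSystem |
        Group-Object OperatingSystem | Select-Object Name, Count)
    if ($computers) { $computers | Export-Csv -Path (Join-Path $OutputDir 'computers-by-os.csv') -NoTypeInformation }

    [pscustomobject]@{
        Forest              = $forest.Name
        ForestMode          = $forest.ForestMode
        DomainMode          = $domain.DomainMode
        DomainLevelMeetsMin = $domainLevelOk
        SpnApplications     = $rows.Count
        WeakAccounts        = $weakAccounts.Count
        ComputerOsFamilies  = $computers.Count
        OutputDir           = $OutputDir
    }
}

Get-AdMigrationAssessment | Format-List
```

Applications that authenticate with NTLM or Basic Auth do not show up as SPNs, so add those rows to application-assessment.csv by hand from your application owners' answers.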

02

Choose and Install Microsoft Entra Connect or Cloud Sync

Select your synchronization tool based on your environment complexity. For new deployments in 2026, Microsoft Entra Cloud Sync is recommended for its lightweight, agent-based approach.

For Microsoft Entra Connect (traditional approach):

Prepare your Windows Server 2016+ machine with these prerequisites:

# Check .NET version (requires 4.6.2+)
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\" -Name Release | ForEach-Object {$_.Release -ge 394802}

# Set PowerShell execution policy
Set-ExecutionPolicy RemoteSigned -Scope LocalMachine

# Enable TLS 1.2
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

For Microsoft Entra Cloud Sync (recommended):

Download the provisioning agent (build 1.1.1370.0 or later) from the Microsoft Entra admin center. Install .NET 4.7.1+ runtime first:

# Verify .NET 4.7.1+ is installed
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\" -Name Release | ForEach-Object {$_.Release -ge 461808}

# Set execution policy for Cloud Sync
Set-ExecutionPolicy RemoteSigned -Scope LocalMachine

Pro tip: Cloud Sync supports installation directly on domain controllers and offers better scalability for multi-forest environments.

Verification: After installation, check the service status with Get-Service -Name ADSync for Connect (display name "Microsoft Azure AD Sync") or Get-Service -DisplayName "Microsoft Azure AD Connect Provisioning Agent" for Cloud Sync. Note that Get-Service -Name matches the service name, not the display name.

03

Configure Initial Directory Synchronization

Configure your chosen synchronization tool to establish the connection between on-premises AD and Microsoft Entra ID.

For Microsoft Entra Connect:

Run the installation wizard and select Express Settings for a basic configuration, or Custom for granular control:

# Launch the configuration wizard
Start-Process "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADConnect.exe"

During configuration:

  • Enter your Microsoft Entra ID Global Administrator credentials
  • Provide Enterprise Administrator credentials for on-premises AD
  • Select Password Hash Synchronization as the sign-in method (recommended for initial setup)
  • Choose which OUs to synchronize (start with a pilot group)

For Microsoft Entra Cloud Sync:

Create a group Managed Service Account (gMSA) for enhanced security:

# Create gMSA account (run on domain controller); requires a KDS root key in the forest (Get-KdsRootKey).
# -DNSHostName is the gMSA's own FQDN; the principals are the hosts that will run the agent
New-ADServiceAccount -Name "AADCloudSyncGMSA" -DNSHostName "AADCloudSyncGMSA.yourdomain.com" -PrincipalsAllowedToRetrieveManagedPassword "Domain Controllers"

Configure the provisioning agent through the Microsoft Entra admin center by selecting the OUs and groups to synchronize.

Warning: Start with a small pilot group (10-50 users) to test synchronization before expanding to the entire organization.

Verification: Check synchronization status in the Microsoft Entra admin center under Identity > Hybrid identity > Microsoft Entra Connect. Look for "Healthy" status and recent sync timestamp.

04

Implement Modern Authentication and Security Controls

Configure mandatory security controls required for 2026 compliance. MFA enforcement for Azure portal access becomes mandatory on October 1, 2026.

Enable Security Defaults for new tenants (automatically enabled after June 30, 2026):

# Connect to Microsoft Graph PowerShell (Policy.Read.All is needed to read the Security Defaults policy)
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Check Security Defaults status
Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy

Configure Conditional Access policies for enhanced security:

  1. Navigate to Microsoft Entra admin center > Protection > Conditional Access
  2. Create a new policy named "Block Legacy Authentication"
  3. Set conditions: All users, All cloud apps
  4. Set client apps: Exchange ActiveSync clients, Other clients
  5. Grant: Block access

Enable Multi-Factor Authentication for all users:

# Require MFA for all users with a Conditional Access policy (Microsoft Graph PowerShell)
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"
$mfaPolicy = @{
    displayName   = "Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"   # switch to "enabled" after reviewing report-only results
    conditions    = @{
        users        = @{ includeUsers = @("All") }   # add excludeUsers for break-glass accounts before enabling
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $mfaPolicy

Configure Authentication Strength policies for phishing-resistant MFA:

  • Go to Protection > Authentication methods > Authentication strengths
  • Create custom strength requiring FIDO2 or certificate-based authentication
  • Apply to sensitive applications and admin roles

Pro tip: Enable Continuous Access Evaluation (CAE) for supported applications to improve security posture and reduce token lifetime risks.

Verification: Test modern authentication by attempting to access Exchange Online with a legacy client - it should be blocked. Check MFA enrollment at Identity > Users > Per-user MFA.
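The "Block Legacy Authentication" policy from the Conditional Access steps above, created through Microsoft Graph PowerShell instead of the portal, as an added example that is not part of the original article. It starts in report-only mode and assumes you supply the object IDs of your emergency-access accounts (the placeholder in the final call is not a real ID).

```powershell
# Added example, not from the original article: creates the step 4
# "Block Legacy Authentication" Conditional Access policy with Microsoft
# Graph PowerShell. It starts in report-only mode so the sign-in logs show
# what would be blocked before you enforce it.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

function New-BlockLegacyAuthPolicy {
    param(
        # Object IDs of emergency-access accounts, always excluded from the block
        [string[]]$BreakGlassUserIds = @(),
        # Omit to create the policy in report-only mode first
        [switch]$Enforce
    )
    $state = if ($Enforce) { "enabled" } else { "enabledForReportingButNotEnforced" }
    $body = @{
        displayName   = "Block Legacy Authentication"
        state         = $state
        conditions    = @{
            users          = @{ includeUsers = @("All"); excludeUsers = $BreakGlassUserIds }
            applications   = @{ includeApplications = @("All") }
            # The two client app types the article's portal steps select:
            # Exchange ActiveSync clients and "Other clients" (IMAP, POP, SMTP, ...)
            clientAppTypes = @("exchangeActiveSync", "other")
        }
        grantControls = @{ operator = "OR"; builtInControls = @("block") }
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

function Get-BlockLegacyAuthPolicyState {
    # Reads the policy back: "missing", "enabledForReportingButNotEnforced" or "enabled"
    $policy = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq 'Block Legacy Authentication'"
    if (-not $policy) { return "missing" }
    return $policy.State
}

# Placeholder: replace with the object ID(s) of your break-glass accounts
New-BlockLegacyAuthPolicy -BreakGlassUserIds @("<break-glass-account-object-id>")
Get-BlockLegacyAuthPolicyState
```

After reviewing the report-only results in the sign-in logs, switch the same policy to enforced with Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <policy id> -State enabled rather than creating a second copy.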

05

Configure Device Management Strategy

Implement device management aligned with Microsoft's 2026 recommendation of native Entra ID Join with Intune rather than Hybrid Join.

For existing Hybrid Joined devices, plan the transition to native Entra ID Join:

# Check current device join status
dsregcmd /status

# Look for "AzureAdJoined : YES" and "DomainJoined : YES" (Hybrid)
# Target state: "AzureAdJoined : YES" and "DomainJoined : NO" (Native)

Configure Automatic Enrollment in Intune:

  1. Navigate to Microsoft Entra admin center > Devices > Enroll devices
  2. Select "Windows enrollment"
  3. Configure MDM user scope to "All" or specific groups
  4. Set MDM URLs to Microsoft Intune endpoints

Create device compliance policies in Microsoft Intune:

  • Require device encryption
  • Set minimum OS version (Windows 11 22H2 recommended)
  • Require antivirus software
  • Configure password complexity requirements

For new device deployments, use Windows Autopilot:

# Install Windows Autopilot PowerShell module and connect to Microsoft Graph
Install-Module -Name WindowsAutopilotIntune -Force
Connect-MgGraph -Scopes "DeviceManagementServiceConfig.ReadWrite.All"

# Import device hardware hashes collected with the Get-WindowsAutopilotInfo script
Import-AutopilotCSV -csvFile "C:\devices.csv"

Warning: Hybrid Join is no longer Microsoft's recommended long-term strategy. Plan for native Entra ID Join to align with future support and feature development.

Verification: Check device compliance in Microsoft Intune admin center > Devices > Compliance policies. Verify devices show as "Compliant" status.

06

Migrate User Authentication Methods

Transition users from on-premises authentication to cloud-based methods while maintaining security and user experience.

Configure Password Hash Synchronization (PHS) as the primary authentication method:

# PHS itself is selected as the sign-in method in the Microsoft Entra Connect wizard;
# these cmdlets confirm the sync scheduler is enabled and trigger a delta sync
Import-Module ADSync
Set-ADSyncScheduler -SyncCycleEnabled $true
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, NextSyncCycleStartTimeInUTC
Start-ADSyncSyncCycle -PolicyType Delta

For organizations requiring single sign-on, configure Seamless SSO:

# Enable Seamless SSO (run on Entra Connect server)
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"
New-AzureADSSOAuthenticationContext                            # prompts for Entra ID admin credentials
Enable-AzureADSSOForest -OnPremCredentials (Get-Credential)    # on-premises Domain Administrator credentials

Migrate from Pass-through Authentication (PTA) to PHS for better resilience:

  1. In Microsoft Entra Connect, change sign-in method to Password Hash Synchronization
  2. Run a full synchronization cycle
  3. Test user authentication with cloud credentials
  4. Disable PTA agents after successful testing

Configure Self-Service Password Reset (SSPR):

  • Navigate to Microsoft Entra admin center > Users > Password reset
  • Enable SSPR for "All" users
  • Require 2 methods: Mobile phone and Email
  • Enable password writeback to on-premises AD

Pro tip: Use the staged rollout feature in Microsoft Entra Connect to gradually migrate users from federation to managed authentication, reducing risk and allowing rollback if issues occur.

Verification: Test user authentication by having pilot users sign in to Office 365. Check authentication logs in Microsoft Entra admin center > Sign-in logs for successful cloud authentication events.

07

Migrate Applications and Services

Systematically migrate applications from on-premises AD authentication to Microsoft Entra ID, prioritizing business-critical services.

Identify applications using legacy authentication:

# Query sign-in logs for legacy auth usage
Connect-MgGraph -Scopes "AuditLog.Read.All"
Get-MgAuditLogSignIn -Filter "clientAppUsed eq 'Exchange ActiveSync'" -Top 100

Configure Enterprise Applications in Microsoft Entra ID:

  1. Navigate to Microsoft Entra admin center > Enterprise applications
  2. Select "New application" and choose from gallery or create custom
  3. Configure SAML SSO or OIDC depending on application support
  4. Assign users and groups to the application

For custom line-of-business applications, implement modern authentication:

// Example: Update .NET application to use Microsoft Authentication Library (MSAL)
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Returns the token result so the caller can use result.AccessToken
public async Task<AuthenticationResult> AcquireTokenAsync(string[] scopes)
{
    var app = PublicClientApplicationBuilder
        .Create("your-client-id")
        .WithAuthority("https://login.microsoftonline.com/your-tenant-id")
        .WithDefaultRedirectUri()   // required for interactive sign-in from a desktop app
        .Build();

    var result = await app.AcquireTokenInteractive(scopes)
        .ExecuteAsync();
    return result;
}

Configure Application Proxy for applications that cannot be modernized:

  • Install Application Proxy connector on on-premises server
  • Publish application through Microsoft Entra admin center
  • Configure pre-authentication with Microsoft Entra ID
  • Test external access through myapps.microsoft.com

Convert federated domains to managed authentication (then update any DNS records that still reference federation endpoints):

# Convert a federated domain to managed (Microsoft Graph PowerShell;
# the MSOnline module's Convert-MsolDomainToStandard is retired)
Connect-MgGraph -Scopes "Domain.ReadWrite.All"
Update-MgDomain -DomainId "yourdomain.com" -AuthenticationType "Managed"

# Confirm the change
Get-MgDomain -DomainId "yourdomain.com" | Select-Object Id, AuthenticationType

Warning: Test each application thoroughly in a staging environment before migrating production workloads. Some legacy applications may require Application Proxy or custom development.

Verification: Monitor application sign-ins in Microsoft Entra admin center > Enterprise applications > Sign-in logs. Ensure successful authentication and no legacy protocol usage.

08

Implement Governance and Compliance Controls

Establish identity governance controls required for enterprise compliance and security in the cloud-first environment.

Configure Privileged Identity Management (PIM) for administrative roles:

# Connect to PIM PowerShell module
Install-Module -Name Microsoft.Graph.Identity.Governance
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"

# List current role assignments
Get-MgRoleManagementDirectoryRoleAssignment

Set up Access Reviews for regular permission auditing:

  1. Navigate to Microsoft Entra admin center > Identity Governance > Access reviews
  2. Create new access review for "Teams + Groups" or "Applications"
  3. Set review frequency to quarterly
  4. Assign reviewers (managers or group owners)
  5. Configure auto-apply results for efficiency

Implement Entitlement Management for access packages:

  • Go to Identity Governance > Entitlement management
  • Create access packages combining groups, applications, and SharePoint sites
  • Define approval workflows and access duration
  • Enable self-service access requests

Configure Identity Protection policies:

# Enable an Identity Protection user-risk policy via Conditional Access.
# A policy body needs users and applications; passwordChange must be
# combined with mfa using the AND operator
$riskPolicy = @{
    "displayName" = "High Risk User Policy"
    "state" = "enabled"
    "conditions" = @{
        "users" = @{ "includeUsers" = @("All") }
        "applications" = @{ "includeApplications" = @("All") }
        "userRiskLevels" = @("high")
    }
    "grantControls" = @{
        "operator" = "AND"
        "builtInControls" = @("mfa", "passwordChange")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $riskPolicy

Set up lifecycle workflows for automated user provisioning and deprovisioning:

  • Navigate to Identity Governance > Lifecycle workflows
  • Create workflows for "Joiner", "Mover", and "Leaver" scenarios
  • Configure automatic group assignments and application provisioning
  • Set up approval processes for sensitive access

Pro tip: Use the Microsoft Entra ID Governance licensing calculator to determine required licenses (Premium P2 or Governance) based on your compliance requirements.

Verification: Test PIM activation by requesting temporary elevation to Global Administrator role. Check Access Reviews are generating and completing successfully. Monitor Identity Protection dashboard for risk detections.

09

Execute Phased User Migration and Testing

Roll out the migration in controlled phases, starting with pilot groups and gradually expanding to the entire organization.

Create pilot groups for phased rollout:

# Create pilot security groups
Connect-MgGraph -Scopes "Group.ReadWrite.All"

$pilotGroup = @{
    "displayName" = "Entra ID Migration Pilot"
    "mailNickname" = "EntraIDMigrationPilot"   # required by the Graph API even for non-mail groups
    "groupTypes" = @()
    "mailEnabled" = $false
    "securityEnabled" = $true
    "description" = "Pilot group for Entra ID migration testing"
}

New-MgGroup -BodyParameter $pilotGroup

Configure staged rollout for managed authentication:

  1. Navigate to Microsoft Entra admin center > Hybrid identity > Microsoft Entra Connect
  2. Select "Staged rollout of cloud authentication"
  3. Enable "Password hash synchronization" for pilot groups
  4. Add your pilot security group to the rollout
  5. Monitor authentication success rates

Test critical scenarios with pilot users:

  • Office 365 application access (Outlook, Teams, SharePoint)
  • VPN connectivity with modern authentication
  • Mobile device enrollment and compliance
  • Self-service password reset functionality
  • Multi-factor authentication enrollment and usage

Monitor migration progress and health:

# Check synchronization health
Connect-MgGraph -Scopes "Directory.Read.All"
Get-MgDirectoryOnPremisesSynchronization | Select-Object -ExpandProperty Features

# Monitor authentication events
Get-MgAuditLogSignIn -Filter "createdDateTime ge 2026-03-26T00:00:00Z" -Top 50

Expand rollout in phases:

  • Phase 1: IT department and early adopters (Week 1-2)
  • Phase 2: Department by department (Week 3-8)
  • Phase 3: Remaining users and service accounts (Week 9-12)
  • Phase 4: Decommission on-premises infrastructure (Week 13+)

Warning: Maintain rollback capability until each phase is fully validated. Keep on-premises AD infrastructure running until migration is complete and stable.

Verification: Monitor Microsoft 365 admin center service health dashboard and Microsoft Entra admin center sign-in logs for authentication success rates above 99.5% before proceeding to next phase.
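An added example (my code, not the article's) that turns the step 7 verification (no remaining legacy protocol use) and the step 9 gate (success rate above 99.5%) into one report from the sign-in logs. It assumes the Microsoft.Graph.Reports module, a seven-day window, and that the client app names in the list match the legacy values your tenant's sign-in log "Client app" filter shows.

```powershell
# Added example, not from the original article: one phase-gate report from the
# sign-in logs that checks the step 9 threshold (success rate above 99.5%)
# and the step 7 requirement of no remaining legacy protocol use.
Import-Module Microsoft.Graph.Reports
Connect-MgGraph -Scopes "AuditLog.Read.All", "Directory.Read.All"

# Assumed list: client app names that Entra sign-in logs report for legacy
# authentication; compare with the "Client app" filter values in your tenant
$LegacyClientApps = @(
    'Exchange ActiveSync', 'Other clients', 'IMAP4', 'POP3', 'Authenticated SMTP',
    'Exchange Online PowerShell', 'Exchange Web Services', 'MAPI Over HTTP',
    'Outlook Anywhere (RPC over HTTP)', 'Autodiscover', 'Offline Address Book'
)

function Get-MigrationPhaseGate {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),   # assumed window
        [double]$MinSuccessRate = 99.5
    )
    # Interactive user sign-ins only; status.errorCode 0 is a success and
    # everything else (including interrupted sign-ins) counts as a failure
    $filter  = "createdDateTime ge $($Since.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ'))"
    $signIns = @(Get-MgAuditLogSignIn -Filter $filter -All)

    $total   = $signIns.Count
    $success = @($signIns | Where-Object { $_.Status.ErrorCode -eq 0 }).Count
    $rate    = if ($total -gt 0) { [math]::Round(100 * $success / $total, 2) } else { 0 }

    # Remaining legacy protocol use, one row per client app and user, so each
    # row can be traced back to the step 1 application inventory
    $legacy = @($signIns | Where-Object { $_.ClientAppUsed -in $LegacyClientApps } |
        Group-Object ClientAppUsed, UserPrincipalName | ForEach-Object {
            [pscustomobject]@{
                ClientApp   = $_.Group[0].ClientAppUsed
                User        = $_.Group[0].UserPrincipalName
                SignIns     = $_.Count
                LastSeenUtc = ($_.Group | Sort-Object CreatedDateTime -Descending)[0].CreatedDateTime
            }
        })

    # The most frequent failure codes explain a gate that does not pass
    $failures = @($signIns | Where-Object { $_.Status.ErrorCode -ne 0 } |
        Group-Object { $_.Status.ErrorCode } | Sort-Object Count -Descending |
        Select-Object -First 5 Name, Count)

    [pscustomobject]@{
        WindowStartUtc   = $Since.ToUniversalTime()
        TotalSignIns     = $total
        SuccessRatePct   = $rate
        LegacyAuthRows   = $legacy.Count
        GatePassed       = ($total -gt 0) -and ($rate -ge $MinSuccessRate) -and ($legacy.Count -eq 0)
        LegacyAuthEvents = $legacy
        TopFailureCodes  = $failures
    }
}

$gate = Get-MigrationPhaseGate
$gate | Select-Object WindowStartUtc, TotalSignIns, SuccessRatePct, LegacyAuthRows, GatePassed | Format-List
$gate.LegacyAuthEvents | Format-Table -AutoSize
$gate.TopFailureCodes  | Format-Table -AutoSize
```

To gate a single phase rather than the whole tenant, add a Where-Object on UserPrincipalName against the members of that phase's pilot group before computing the counts.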

10

Decommission On-Premises Infrastructure

Safely decommission on-premises Active Directory infrastructure after confirming successful migration and stable operations.

Validate complete migration before decommissioning:

# Verify all users are synchronized and active in Entra ID
# (OnPremisesSyncEnabled is not returned by default, so request it explicitly)
Connect-MgGraph -Scopes "User.Read.All", "Application.Read.All"
$cloudUsers = Get-MgUser -All -Property Id, UserPrincipalName, AccountEnabled, OnPremisesSyncEnabled |
    Where-Object { $_.OnPremisesSyncEnabled -eq $true }
Write-Output "Synchronized users: $($cloudUsers.Count)"

# Check for any remaining on-premises dependencies
Get-MgApplication -All | Where-Object {$_.OnPremisesPublishing -ne $null}

Disable directory synchronization (final step):

# Connect to Microsoft Graph (the MSOnline module's Set-MsolDirSyncEnabled is retired)
Connect-MgGraph -Scopes "Organization.ReadWrite.All"

# Disable directory synchronization (irreversible action)
$orgId = (Get-MgOrganization).Id
Update-MgOrganization -OrganizationId $orgId -OnPremisesSyncEnabled:$false

# Confirm synchronization is disabled
Get-MgOrganization | Select-Object DisplayName, OnPremisesSyncEnabled

Clean up on-premises infrastructure:

  1. Uninstall Microsoft Entra Connect or Cloud Sync agents
  2. Remove service accounts created for synchronization
  3. Update DNS records to remove on-premises references
  4. Archive Active Directory database for compliance retention
  5. Decommission domain controllers (keep one for 90 days as backup)

Update documentation and runbooks:

  • Update network diagrams to reflect cloud-only architecture
  • Modify incident response procedures for cloud-based identity
  • Train helpdesk staff on Microsoft Entra ID administration
  • Update backup and disaster recovery procedures

Configure cloud-only administrative processes:

# Set up cloud-only user provisioning workflow.
# A complete workflow body also needs executionConditions (trigger and scope)
# and at least one task; see the Graph lifecycle workflow reference for the schema
$workflow = @{
    "displayName" = "New User Onboarding"
    "description" = "Automated user provisioning for new employees"
    "isEnabled" = $true
    "category" = "joiner"
}

# Create lifecycle workflow (requires Entra ID Governance license)
New-MgIdentityGovernanceLifecycleWorkflow -BodyParameter $workflow

Pro tip: Keep a read-only domain controller in archive mode for 90 days after disabling sync, in case you need to reference historical data or perform emergency rollback.

Verification: Confirm directory synchronization shows as "Disabled" in Microsoft Entra admin center > Hybrid identity. Test all critical business applications and user scenarios work without on-premises AD dependency.

Frequently Asked Questions

What's the difference between Microsoft Entra Connect and Cloud Sync for AD migration?

Microsoft Entra Connect is the traditional synchronization tool requiring SQL Server and more complex setup, while Cloud Sync uses lightweight agents and is Microsoft's recommended approach for new deployments in 2026. Cloud Sync supports installation on domain controllers, offers better multi-forest support, and requires .NET 4.7.1+ compared to Connect's .NET 4.6.2+ requirement. Cloud Sync also provides better scalability and simplified management through the cloud-based admin center.

Can I still use Hybrid Azure AD Join after migrating to Microsoft Entra ID?

While Hybrid Azure AD Join is still supported, Microsoft's 2026 strategic direction recommends native Entra ID Join with Intune instead of hybrid join as the long-term architecture. Hybrid join maintains dependency on on-premises AD, while native join provides full cloud benefits including better security posture, simplified management, and alignment with Microsoft's future development roadmap. Plan your device strategy accordingly rather than treating hybrid join as a permanent solution.

What happens to applications using Basic Authentication after March 31, 2026?

Basic Authentication for Exchange Online was fully retired on March 31, 2026, and legacy authentication protocols have been disabled for new tenants since January 15, 2026. Applications using these protocols will fail authentication and must be updated to use modern authentication methods like OAuth 2.0, SAML, or OpenID Connect. For applications that cannot be modernized, consider using Application Proxy to provide secure external access while maintaining legacy authentication internally.

Do I need special licenses for Microsoft Entra ID migration and governance features?

Basic synchronization requires Microsoft Entra ID Premium Plan 1, but advanced features need Premium Plan 2 or Governance licenses. Hybrid Join scenarios require Premium Plan 1 minimum. Identity Protection, Privileged Identity Management, and Access Reviews require Premium Plan 2. Lifecycle workflows and advanced Entitlement Management features require Microsoft Entra ID Governance licensing. Use Microsoft's licensing calculator to determine exact requirements based on your compliance and governance needs.

How long does a complete Active Directory to Entra ID migration typically take?

A complete enterprise migration typically takes 12-16 weeks for organizations with 1000+ users, broken into phases: planning and assessment (2-3 weeks), tool installation and initial sync (1-2 weeks), security configuration (2-3 weeks), application migration (4-6 weeks), phased user rollout (3-4 weeks), and infrastructure decommissioning (2-3 weeks). Timeline varies based on application complexity, user count, and organizational change management requirements. Maintain parallel systems until each phase is validated and stable.
Written by Evan Mael

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
