Apr 2025 | Identity | Entra ID

Migrating to Microsoft Entra ID — the parts nobody warns you about

Entra migrations look clean on paper. In practice there are licensing traps, legacy authentication dependencies, and conditional access conflicts that surface at the worst moments.

Every Entra migration starts the same way: a stakeholder sees the Microsoft documentation, decides it looks straightforward, and books a two-week project window. By week three we're still untangling legacy authentication protocols and nobody's happy.

This isn't a criticism of Entra — it's a genuinely capable identity platform. But the migration path from on-premises Active Directory is rarely as linear as the documentation suggests.

The licensing conversation you need first

Before touching a single identity, get clear on licensing. Conditional Access requires Entra ID P1 at minimum. Identity Protection and Privileged Identity Management (PIM) require P2. In environments with mixed user types, the per-user licensing cost is consistently higher than initial estimates.

The trap: Microsoft 365 E3 and E5 bundles include Entra P1 and P2 — but only for users licensed for those SKUs. Service accounts, shared mailboxes, and on-premises-only users fall into a grey zone that needs careful scoping before you commit to an architecture.

Legacy authentication — the thing that breaks everything

Legacy authentication protocols (NTLM, Basic Auth, older SMTP AUTH) don't work with Entra's modern authentication flows. In a typical large environment, there are applications using them that nobody documented.

  • Old line-of-business applications authenticating against Exchange with Basic Auth
  • Printers, MFDs, and IoT devices using SMTP relay with Basic Auth
  • Third-party monitoring tools using NTLM against internal services
  • Scripts and scheduled tasks using credential-based authentication

The discovery phase for this is non-negotiable and takes longer than expected. The Entra sign-in logs, filtered on "Legacy authentication", are your starting point — but they only show what has authenticated recently, not what's dormant and will break on cutover.

The best time to audit your legacy authentication dependencies is six months before the migration. The second best time is right now.
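To turn that sign-in log filter into an owner-assignable inventory rather than a scrolling list, the following Python is an added example (not part of the article): it groups legacy sign-ins from an exported log by client protocol, application and account, keeps the last-seen time and source IPs, and reports the window the export actually covers so nobody mistakes "not in the log" for "not in use". The records are assumed to follow the shape of Microsoft Graph's `/auditLogs/signIns` resource (`createdDateTime`, `userPrincipalName`, `appDisplayName`, `clientAppUsed`, `ipAddress`, `status.errorCode`); `SAMPLE_SIGNINS` is constructed, and `LEGACY_CLIENT_APPS` is an assumption about which "Client app" values the portal's legacy filter covers, so compare it against your own tenant.

```python
"""Inventory legacy-authentication dependencies from an Entra sign-in log export.

Added example, not from the article. Records are assumed to be shaped like the
Microsoft Graph /auditLogs/signIns resource; SAMPLE_SIGNINS is constructed and
LEGACY_CLIENT_APPS is an assumed list of the "Client app" values that the
portal's "Legacy authentication" filter selects.
"""
from datetime import datetime

# Assumption: client-app names Entra reports for non-modern protocols.
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "SMTP", "IMAP4", "POP3", "Exchange ActiveSync",
    "Exchange Web Services", "MAPI Over HTTP", "Outlook Anywhere (RPC over HTTP)",
    "Autodiscover", "Offline Address Book", "Other clients",
    "Exchange Online PowerShell", "Reporting Web Services",
}

# Constructed sample export: a scanner relaying mail, a monitoring account
# failing on EWS, a modern Teams sign-in and one user on IMAP.
SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-03-02T08:15:00Z", "userPrincipalName": "svc-scan@contoso.com",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "10.20.1.55", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-09T08:15:00Z", "userPrincipalName": "svc-scan@contoso.com",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "10.20.1.55", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-10T11:02:00Z", "userPrincipalName": "monitor@contoso.com",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange Web Services",
     "ipAddress": "10.20.2.9", "status": {"errorCode": 50126}},
    {"createdDateTime": "2025-03-10T11:05:00Z", "userPrincipalName": "alice@contoso.com",
     "appDisplayName": "Microsoft Teams", "clientAppUsed": "Mobile Apps and Desktop clients",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-03-11T09:30:00Z", "userPrincipalName": "bob@contoso.com",
     "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
]


def parse_time(value):
    """Graph timestamps end in 'Z'; make them timezone-aware datetimes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_legacy(record):
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS


def legacy_inventory(records):
    """Group legacy sign-ins by (client app, application, account).

    Each entry carries attempt and success counts, the last-seen time and the
    source IPs, which is what you need to find the device or script behind it.
    """
    inventory = {}
    for r in records:
        if not is_legacy(r):
            continue
        key = (r["clientAppUsed"], r.get("appDisplayName", "unknown"), r["userPrincipalName"])
        seen = parse_time(r["createdDateTime"])
        entry = inventory.setdefault(
            key, {"count": 0, "successes": 0, "last_seen": seen, "ips": set()})
        entry["count"] += 1
        if r.get("status", {}).get("errorCode", 0) == 0:
            entry["successes"] += 1
        entry["last_seen"] = max(entry["last_seen"], seen)
        entry["ips"].add(r.get("ipAddress", "unknown"))
    return inventory


def log_window(records):
    """Earliest and latest timestamp in the export: anything that only
    authenticates outside this window (quarterly jobs, dormant devices) is invisible."""
    times = [parse_time(r["createdDateTime"]) for r in records]
    return min(times), max(times)


if __name__ == "__main__":
    start, end = log_window(SAMPLE_SIGNINS)
    print(f"Export covers {start:%Y-%m-%d} to {end:%Y-%m-%d} ({(end - start).days} days)")
    rows = sorted(legacy_inventory(SAMPLE_SIGNINS).items(),
                  key=lambda kv: kv[1]["last_seen"], reverse=True)
    for (client, app, user), e in rows:
        print(f"{client:<24} {app:<28} {user:<24} attempts={e['count']} "
              f"ok={e['successes']} last={e['last_seen']:%Y-%m-%d} ips={sorted(e['ips'])}")
```

Run it against a full export (30 days of sign-in logs, or longer if you stream them to a Log Analytics workspace) and hand each row to an application owner; an entry with zero successes is often a device that has already been retired, while a steady weekly cadence from one internal IP is usually a scheduled task.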

Hybrid identity design decisions that stick

Password Hash Synchronisation vs Pass-Through Authentication: PHS is simpler operationally and enables leaked credential detection. PTA keeps authentication on-premises — required in some regulatory environments. Federated identity (ADFS) is increasingly hard to justify given its operational overhead.

UPN suffix alignment: Your on-premises UPN suffix (user@contoso.local) almost certainly doesn't match your verified Entra domain (user@contoso.com). Fix this before sync starts.

Scoped synchronisation: Start with a pilot OU, not the entire directory. The first sync always surfaces objects with unexpected attributes, duplicates, or errors.
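Both the UPN-suffix and the first-sync problems above are cheap to catch before Entra Connect ever runs. The following Python is an added example (not from the article or from Microsoft's tooling) of a pre-sync readiness check over an export of the pilot OU: it flags accounts whose UPN suffix is not a verified Entra domain (Entra Connect would otherwise land them on the tenant's default `.onmicrosoft.com` domain), proposes a corrected UPN from the mail attribute, and detects SMTP addresses claimed by more than one object, which is the most common cause of sync errors. The `SAMPLE_USERS` records and `VERIFIED_DOMAINS` are constructed; the attribute names follow the on-premises AD schema (`userPrincipalName`, `mail`, `proxyAddresses`, `sAMAccountName`).

```python
"""Pre-sync readiness check for a pilot OU before Entra Connect is scoped to it.

Added example, not from the article. Input records mirror the on-premises AD
attributes you would export with Get-ADUser; SAMPLE_USERS and VERIFIED_DOMAINS
are constructed.
"""

# Constructed: domains verified in the Entra tenant, and the one to fall back to.
VERIFIED_DOMAINS = {"contoso.com", "fabrikam.com"}
DEFAULT_DOMAIN = "contoso.com"

# Constructed pilot OU export with the usual suspects: .local suffixes, an
# account with no UPN at all, and a proxy address duplicated across two objects.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userPrincipalName": "alice@contoso.com",
     "mail": "alice@contoso.com", "proxyAddresses": ["SMTP:alice@contoso.com"]},
    {"sAMAccountName": "bob", "userPrincipalName": "bob@contoso.local",
     "mail": "bob@contoso.com", "proxyAddresses": ["SMTP:bob@contoso.com"]},
    {"sAMAccountName": "carol", "userPrincipalName": "carol@contoso.local",
     "mail": None, "proxyAddresses": []},
    {"sAMAccountName": "dave", "userPrincipalName": "dave@contoso.com",
     "mail": "dave@contoso.com",
     "proxyAddresses": ["SMTP:dave@contoso.com", "smtp:alice@contoso.com"]},
    {"sAMAccountName": "svc-backup", "userPrincipalName": None,
     "mail": None, "proxyAddresses": []},
]


def smtp_addresses(user):
    """All SMTP addresses an object claims: mail plus SMTP:/smtp: proxyAddresses."""
    addresses = set()
    if user.get("mail"):
        addresses.add(user["mail"].lower())
    for proxy in user.get("proxyAddresses", []):
        if proxy.lower().startswith("smtp:"):
            addresses.add(proxy[5:].lower())
    return addresses


def propose_upn(user, verified_domains, default_domain):
    """Prefer the mail address when its domain is verified (it is what users
    already know); otherwise keep the local part and use the default domain."""
    mail = user.get("mail")
    if mail and mail.split("@")[-1].lower() in verified_domains:
        return mail.lower()
    local_part = (user.get("userPrincipalName") or user["sAMAccountName"]).split("@")[0]
    return f"{local_part}@{default_domain}"


def check_sync_readiness(users, verified_domains, default_domain):
    """Return (account, issue, detail) tuples for everything that should be
    fixed in AD before the OU is added to the sync scope."""
    issues = []
    owners = {}  # smtp address -> accounts that claim it
    for u in users:
        upn = u.get("userPrincipalName")
        proposal = propose_upn(u, verified_domains, default_domain)
        if not upn:
            issues.append((u["sAMAccountName"], "missing-upn", f"propose {proposal}"))
        elif upn.split("@")[-1].lower() not in verified_domains:
            issues.append((u["sAMAccountName"], "unverified-upn-suffix", f"{upn} -> {proposal}"))
        for addr in smtp_addresses(u):
            owners.setdefault(addr, []).append(u["sAMAccountName"])
    for addr, accounts in sorted(owners.items()):
        if len(accounts) > 1:
            issues.append((",".join(sorted(accounts)), "duplicate-smtp-address", addr))
    return issues


if __name__ == "__main__":
    for account, issue, detail in check_sync_readiness(SAMPLE_USERS, VERIFIED_DOMAINS, DEFAULT_DOMAIN):
        print(f"{account:<14} {issue:<24} {detail}")
```

Fix everything this reports in Active Directory first (adding the verified suffix to the forest's UPN suffix list and re-pointing the affected accounts), then run the initial sync on the pilot OU; a clean report here removes most of the "unexpected attribute" surprises the first sync would otherwise surface.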

Conditional Access — start permissive, tighten gradually

Use Report-Only mode for the first two to four weeks. The volume of legitimate authentication flows that would have been blocked is consistently higher than anyone expects. A staged approach works best: Report-Only → Block legacy auth only → Require MFA for admins → Require MFA for all users → Require compliant device.
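Report-Only mode answers "what would this policy have blocked" one policy at a time; during a staged rollout the more useful question is the cumulative impact of each stage on the sign-ins you are actually seeing. The following Python is an added example, not the article's or Microsoft's code, that evaluates the four stages above against a set of sign-ins and lists, per stage, who would no longer get in. The policy dictionaries are a simplified version of the Graph `conditionalAccessPolicy` shape (`conditions.clientAppTypes` and `grantControls.builtInControls` use the real enum values; user scoping is reduced to an `includeUsers: All` or a constructed `admins` group), the `clientAppUsed` to `clientAppTypes` mapping is an assumption, and the `mfaSatisfied` and `deviceCompliant` flags on each constructed sign-in stand in for what you would derive from the log's authentication and device details.

```python
"""Estimate the cumulative impact of a staged Conditional Access rollout.

Added example, not from the article. Policies follow a simplified Graph
conditionalAccessPolicy shape; the sign-ins, the admins set and the
clientAppUsed -> clientAppTypes mapping are constructed assumptions.
"""

# Assumed mapping from the sign-in log's "Client app" to policy clientAppTypes;
# anything not listed is treated as a legacy "other" client.
CLIENT_APP_TYPE = {
    "Browser": "browser",
    "Mobile Apps and Desktop clients": "mobileAppsAndDesktopClients",
    "Exchange ActiveSync": "exchangeActiveSync",
}

# The staged sequence from the article, each stage as one policy. Report-Only is
# the state you would deploy them in while running this kind of estimate.
STAGES = [
    {"displayName": "Block legacy authentication",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"builtInControls": ["block"]}},
    {"displayName": "Require MFA for admins",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeGroups": ["admins"]}, "clientAppTypes": ["all"]},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for all users",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"builtInControls": ["mfa"]}},
    {"displayName": "Require compliant device",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]}, "clientAppTypes": ["all"]},
     "grantControls": {"builtInControls": ["compliantDevice"]}},
]

# Constructed: who counts as an admin, and a handful of representative sign-ins.
ADMIN_USERS = {"admin-jo@contoso.com"}
SAMPLE_SIGNINS = [
    {"userPrincipalName": "svc-scan@contoso.com", "clientAppUsed": "Authenticated SMTP",
     "mfaSatisfied": False, "deviceCompliant": False},
    {"userPrincipalName": "admin-jo@contoso.com", "clientAppUsed": "Browser",
     "mfaSatisfied": False, "deviceCompliant": True},
    {"userPrincipalName": "alice@contoso.com", "clientAppUsed": "Mobile Apps and Desktop clients",
     "mfaSatisfied": True, "deviceCompliant": False},
    {"userPrincipalName": "bob@contoso.com", "clientAppUsed": "Browser",
     "mfaSatisfied": False, "deviceCompliant": True},
    {"userPrincipalName": "carol@contoso.com", "clientAppUsed": "Browser",
     "mfaSatisfied": True, "deviceCompliant": True},
]


def client_app_type(client_app_used):
    return CLIENT_APP_TYPE.get(client_app_used, "other")


def policy_applies(policy, signin, admins):
    """A policy applies when the user is in scope and the client type matches."""
    cond = policy["conditions"]
    scope = cond["users"]
    in_scope = scope.get("includeUsers") == ["All"] or (
        "admins" in scope.get("includeGroups", []) and signin["userPrincipalName"] in admins)
    apps = cond["clientAppTypes"]
    return in_scope and ("all" in apps or client_app_type(signin["clientAppUsed"]) in apps)


def would_fail(policy, signin):
    """Would this sign-in fail the policy's grant control? (One control per policy
    is assumed here; a real policy may combine several with AND/OR.)"""
    for control in policy["grantControls"]["builtInControls"]:
        if control == "block":
            return True
        if control == "mfa" and not signin["mfaSatisfied"]:
            return True
        if control == "compliantDevice" and not signin["deviceCompliant"]:
            return True
    return False


def simulate_staged_rollout(stages, signins, admins):
    """Return {stage name: sorted UPNs whose sign-in fails} with every earlier
    stage's policy also enforced, i.e. the cumulative picture at each step."""
    impact, active = {}, []
    for policy in stages:
        active.append(policy)
        failing = {s["userPrincipalName"] for s in signins
                   if any(policy_applies(p, s, admins) and would_fail(p, s) for p in active)}
        impact[policy["displayName"]] = sorted(failing)
    return impact


if __name__ == "__main__":
    for stage, users in simulate_staged_rollout(STAGES, SAMPLE_SIGNINS, ADMIN_USERS).items():
        print(f"{stage:<30} would fail: {len(users):>2}  {users}")
```

Feed it the same sign-in export you used for the legacy authentication inventory and the per-stage lists become your communication plan: the accounts that appear at "Block legacy authentication" need an application owner, the ones that first appear at "Require compliant device" need an enrolment campaign, and anyone still on the list when a stage is due to be enforced is a reason to hold that stage, not to grant a blanket exclusion.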

Working on an Entra migration? Get in touch.
