Transitioning from Hybrid AD to Entra-only, looking for real-world experiences and advice
Posted by Initial_Western7906@reddit | sysadmin | 64 comments
We're currently in the early discovery phase of a project to move from a hybrid AD environment to an Entra-only model, and I’m interested in hearing from anyone who has done this and any advice they might have.
We’re currently running a hybrid setup using Microsoft Entra ID Connect, with on-prem AD still acting as the source of truth for most users.
- Most users are created and managed in AD on-prem, then synced to Microsoft Entra ID
- We also have a significant number of cloud-only groups (M365 groups, security groups, distribution lists), and a smaller number of cloud-only users
- Windows devices are mostly hybrid joined, with a small number already Entra joined
- macOS devices are bound to AD and managed via Jamf
- Intune is in use for Windows, but not for Macs
Some info on user authentication/access:
- Device logins (Windows and Mac) authenticate against AD on-prem
- WiFi uses RADIUS via Cisco ISE with AD security groups
- VPN access is controlled via AD groups with Cisco ISE
- Microsoft 365 services authenticate via cloud auth
- Conditional Access + MFA is in place
This is where most of the complexity seems to be:
- A small number of systems still rely on LDAP
- On-prem NAS (Dell Isilon) uses SMB with NTFS permissions backed by AD groups
- Group Policy is still in use (though reduced), and would need to be transitioned to Intune
- RADIUS (via ISE) relies on AD groups
- VPN access tied to AD groups
- Some air-gapped / isolated systems
The goal is to move toward:
- Entra ID as the sole identity source
- Windows devices fully Entra joined and managed via Intune (no hybrid join)
- Reduced or eliminated dependency on on-prem AD
We’re assuming a phased approach makes the most sense, but open to being challenged on that.
Any advice or tips on this, or any resources others have used, would be really appreciated :)
EducationAlert5209@reddit
How do you manage DNS in the Entra world? I mean removing on-premise AD DNS...
Initial_Western7906@reddit (OP)
You can still keep an on-prem DNS. We also use Route 53 DNS for public DNS.
heartmocog@reddit
One thing nobody's mentioned yet is what you're going to do about privileged access once you cut over. We had persistent Domain Admin accounts that became a real headache during our hybrid to Entra transition because the old access model just doesn't map cleanly. We evaluated CyberArk and BeyondTrust but ended up going with Netwrix Privilege Secure mainly because it handled the JIT access side natively across both AD and Entra ID without needing a ton of infrastructure, and it got us to zero standing privilege pretty fast, like days to deploy not weeks, which mattered for us.
nlangrs@reddit
I've executed on about 10 companies with 5000+ users going from hybrid to Entra joined. Every time using the PowerSyncPro migration agent. It will re-permission the workstation, has multilingual prompts, can be user initiated if you want or forced, users keep the same user profile, handles BitLocker via disabling the protectors, can reset all the Office apps but that's not needed in your circumstance. Resilient. Only gotcha is that it needs constant internet access, as it needs to disjoin the computer, then join to Entra over the internet, so sometimes company-specific GPOs and certificates don't help. Regarding Intune, it will try to enrol the device after user logon every hour until successful. Great if others need to go t2t.
LumpyNefariousness2@reddit
MDM join to Intune via GPO. Create autopilot config. Once PC is MDM joined, it will auto grab the PC hash and import it into your tenant. Wipe the user PC and let autopilot take over. Hope everyone is on OneDrive. Don’t even bother trying to break away from AD while keeping user profile. It’s too much of a headache. If users are accessing on prem file servers, they will need to use AD only account. You’d need to move their account in AD to a non syncing OU so Entra is the true source going forward. Any plan to migrate servers to the cloud? If not, it’s not worth going Entra joined.
Frisnfruitig@reddit
Accessing on prem servers from Entra joined devices is perfectly feasible, not sure what you mean with that last point.
smile69@reddit
Just accomplished this in reverse via AADDS, cloud-only needing a way to manage NAS file permissions until we can move everything to onedrive. It was very easy to set up and also gave us more SSO flexibility.
frzen@reddit
Hi could you tell me a bit more about what's involved there because when I mentioned this people told me it wasn't possible and when I googled it, it did seem like it wasn't common. Thanks and no worries if you don't have time to reply
man__i__love__frogs@reddit
Entra Domain Services is a SaaS version of AD that syncs backwards from Entra to AD. It's hosted by Microsoft and limited in scope, but you can do GPO and domain join computers or servers in a single forest.
frzen@reddit
thanks and what about a recipe for muffins in relation to this query?
LumpyNefariousness2@reddit
Please elaborate. How does an Entra-only account access on-prem servers? You'd need some sort of Kerberos auth. The user would need an on-prem account to auth against unless you're talking about ADFS. No reason to set all this up if you're moving to the cloud and abandoning on-prem.
Frisnfruitig@reddit
Enterprises usually already have on prem resources and won't necessarily migrate everything to the cloud. What you often get is hybrid user identities and Entra Joined devices.
simple1689@reddit
How so? I thought you needed onprem AD still for Kerberos tickets?
triptyx@reddit
I really miss the local network shares. Sharepoint with Teams on top is a pita.
Frisnfruitig@reddit
You can use network shares on Entra joined devices.
K4LIPX0@reddit
What do you mean? You don't need a local AD for a Windows file server anymore? That's the only thing really holding us back from removing it at the moment.
Frisnfruitig@reddit
What I mostly see in enterprises is a combination of hybrid user identities and Entra Joined devices. Using Kerberos cloud trust you can authenticate to on prem resources without any issues. A common mistake is that people think they need their devices to be hybrid joined as well, but this is not the case.
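When checking whether a fleet is actually Entra joined rather than hybrid joined, and whether cloud Kerberos trust is handing out an on-prem TGT on those devices, the thing to read is `dsregcmd /status`. The following is an added example, not code from any commenter in this thread: it parses the `Name : Value` lines of that output and classifies the device. The field names (AzureAdJoined, DomainJoined, EnterpriseJoined, AzureAdPrt, OnPremTgt, CloudTgt) are the ones dsregcmd prints; the sample output is constructed and its DeviceId is a placeholder.

```python
"""Classify a Windows device's join state from `dsregcmd /status` output.

Added example, not from any commenter in this thread. The field names
(AzureAdJoined, DomainJoined, EnterpriseJoined, AzureAdPrt, OnPremTgt,
CloudTgt) are the ones dsregcmd prints; the sample output below is
constructed for this example and its DeviceId is a placeholder.
"""
import re

# Constructed sample: a device that is both domain joined and Entra joined
# (hybrid joined), with a PRT and both Kerberos TGTs present.
SAMPLE_STATUS = """\
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
                  DeviceId : 00000000-0000-0000-0000-000000000000

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
                 OnPremTgt : YES
                  CloudTgt : YES
"""

_FIELD = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")


def parse_dsregcmd(text):
    """Turn the 'Name : Value' lines of dsregcmd output into a dict."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def join_state(fields):
    """Combine the two join flags into the state names used in this thread."""
    aad = fields.get("AzureAdJoined") == "YES"
    dom = fields.get("DomainJoined") == "YES"
    if aad and dom:
        return "hybrid-joined"
    if aad:
        return "entra-joined"
    if dom:
        return "domain-joined"
    return "not-joined"  # registered-only or standalone


def assess(text):
    """Return join state, SSO token presence and any findings for one device."""
    f = parse_dsregcmd(text)
    state = join_state(f)
    sso = {
        "prt": f.get("AzureAdPrt") == "YES",        # Entra SSO token
        "onprem_tgt": f.get("OnPremTgt") == "YES",  # AD Kerberos TGT
        "cloud_tgt": f.get("CloudTgt") == "YES",    # Entra Kerberos TGT
    }
    notes = []
    if state in ("entra-joined", "hybrid-joined") and not sso["prt"]:
        notes.append("no PRT: Entra SSO will not work for the signed-in user")
    if state == "entra-joined" and sso["prt"] and not sso["onprem_tgt"]:
        notes.append("no on-prem TGT: AD-backed shares will prompt for credentials; "
                     "check cloud Kerberos trust and that the user is synced from AD")
    if state == "hybrid-joined":
        notes.append("device is hybrid joined, not yet an Entra-joined device")
    return {"state": state, "sso": sso, "notes": notes}


if __name__ == "__main__":
    print(assess(SAMPLE_STATUS))
```

Run it against the saved output of `dsregcmd /status` from each device (for example collected by a script or a remediation job) and the `notes` list tells you which devices still need the join change and which Entra-joined devices are not getting an on-prem ticket.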
triptyx@reddit
Management retired the entire server room at the same time and we're fully Azure based with no on-prem servers. If there's an alternative in that situation I'll have to take a look.
Frothyleet@reddit
Sure, Azure Files. You can actually connect directly over the internet with SMB3, from anywhere, in theory - except in practice most consumer ISPs block outbound port 445 traffic, so to make it seamless you have to set up AOVPN or a SASE.
triptyx@reddit
I recall looking at that but we didn’t choose it for some reason. I’ll review again. Thank you!
Initial_Western7906@reddit (OP)
Yeah, and with Cloud Kerberos Trust they don't need to manually enter credentials I believe.
Frisnfruitig@reddit
In combination with WHFB, SCEP for cert authentication, it's a pretty amazing user experience. Nearly passwordless
stepavskin@reddit
We ran into a similar mess during our hybrid-to-Entra transition where we had no real visibility into which AD configurations had no equivalent control in Entra, basically flying blind on where our actual risk gaps were. We evaluated a few options including Semperis and ended up going with Netwrix ISPM because it ran assessments against both AD and Entra ID simultaneously and surfaced the inconsistencies with actual severity scores mapped to MITRE ATT&CK, so we could prioritize what to fix before cutting over rather than discovering problems after.
Legionof1@reddit
When Microsoft actually releases a whitepaper that details how they expect their ecosystem to function outside of a company that is nearly 100% web based and has very limited document storage needs… then you can talk about leaving hybrid.
As it stands Microsoft doesn’t have a plan for a majority of companies and that lack of a plan is infuriating.
Initial_Western7906@reddit (OP)
Yeah I get you. I found a few resources online but nothing too helpful.
I guess our main goal is to have Entra as the "primary" directory (I believe Microsoft calls this the source of authority). Right now AD on-prem is the primary and it syncs to Entra. This means all users are created in AD on-prem and then synced to Entra. We also want to decommission our Exchange 2016 server, which doesn't really serve a purpose for us anymore (as we use Exchange Online) other than the attributes it adds to users.
We're completely fine with keeping AD on prem for those systems/processes that require it, but ideally we want Entra ID to be the source of authority, and for user and device onboarding/offboarding to be completely native to Entra and not rely on AD on prem at all, but I'm not sure how feasible this is.
Frothyleet@reddit
If you are going to be maintaining actual on prem AD infrastructure, it's really best to keep using AD as your source of truth. Very recently, MS added some functionality for switching over to Entra ID being the master for hybrid/AD-synced environments, with some limited writeback capabilities, but I wouldn't build around it unless I had a really strong use case.
If you are trying to ditch on-prem infra entirely, and you are forklifting LDAP/Kerberos applications to Azure IaaS or something similar, the product explicitly for that purpose is Entra ID Domain Services, which is essentially AD-as-a-service that syncs off of your Entra ID tenant and is exposed in your Azure vnets.
Aside from your Kerberos-based apps, the other two dependencies you mention that could be a problem are your RADIUS setup. I don't know Cisco ISE very well, so it's a question of what configuration options they present; if it will let you set up SAML, great, connect to Entra ID directly. If it requires you to maintain a NPS/RADIUS server there are ways to basically relay to cloud services like Entra but I wouldn't lean on that unless I had to.
SAN with SMB/NTFS - if that's staying in your environment, that's another item I'd call a hard blocker. There's no good replacement unless you forklift into a cloud file server and use Entra ID DS as above, and that gets real expensive for the privilege of not having the SAN on prem.
Setting aside everything else, this is now fully supported. You can maintain your schema and use powershell to manage Exchange attributes while decom'ing your exchange server, MS has a walkthrough.
In summary: all else being equal, even if you move to fully using Intune for endpoint management, I would keep your AD and hybrid setup if you are really just talking about making an IDP change and you aren't re-architecting your whole on prem environment.
What exact problem are you trying to solve?
NotActuallyAdam@reddit
you can do this via AADDS (now entra domain services) but it does have a bunch of limitations - not sure if it can easily work with ISE (there were some gotchas with radius from memory) but that's about as close as you'll get to Entra being the primary directory. But all this is doing is spinning up locked down domain controllers hosted/managed by microsoft. I wouldn't recommend it based on prev experiences but it may be better or suitable for your purposes - you'd need to lab it out
Legionof1@reddit
As far as I know, hybrid only works one way. I could be wrong and they changed that, but I haven't seen it yet.
Sunsparc@reddit
Currently making a push into Azure and it is indeed infuriating trying to piece together all of the little bits and pieces of Microsoft documentation on how to accomplish it.
man__i__love__frogs@reddit
Azure Files supports Entra ID groups for NTFS now.
You can also do Entra-Only AVD session hosts, and back ends like Azure SQL with Entra or SQL auth for those crappy ERP or finance apps like Quickbooks. Your session hosts don't require AD and can shutdown outside of business hours, or you can purchase compute reservations.
Container Apps are also becoming more and more common, these just scale from a docker image, and with Azure Container Apps you can do configurations via environment variables, or attach storage like a database back end or storage containing configuration files. For example we run Keeper (password manager) Automator that automate login approvals from known IPs and SSO on an Azure Container app.
Test-NetConnection@reddit
Do you maintain any servers? How do you plan to handle certificates for ISE? I'd keep hybrid. Too much is still dependent on AD.
Initial_Western7906@reddit (OP)
We're happy to not FULLY transition to Entra if there's too much still depending on AD, but we'd like to at least make Entra the source of truth. We do maintain some servers.
Ideally we'd shift user onboarding/offboarding and device joining to be purely Entra, and do away with AD on-prem being the primary directory that syncs to Entra. If we need to keep AD on-prem for some systems/processes I think that'd be OK. I was hoping to use something like Entra DS for this, but don't know too much about it.
raip@reddit
The golden goose right now is cloud only devices + hybrid user identity. Cloud Kerberos Trust makes this pretty flawless - but it's also what requires hybrid user identity.
Going cloud only user identity is pretty limiting for an enterprise environment (which it definitely looks like you're in). Until they support user writeback from Entra to AD, I wouldn't bother.
id0lmindapproved@reddit
They are trialing SOA for Users from Entra to AD. It's pure Graph so it's really early to do this.
https://learn.microsoft.com/en-us/entra/identity/hybrid/how-to-user-source-of-authority-configure
raip@reddit
Yeah - I've been part of the private preview for it for about 7 months now. A very important thing to know about this though is that there is no user write back; if you transition the SOA of a user to Entra and then make changes to some properties within Entra for that user, they're not written back to AD. I definitely recommend watching John's video on the topic before implementing.
User writeback is "soon" (tm).
id0lmindapproved@reddit
Ah, that is a fair distinction. So it just severs the connection basically, and you would manage the AD user and the cloud user as two different entities at that point.
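Once a user's SOA is moved and the two objects are managed separately, the practical risk is silent divergence: an account disabled or pulled out of groups in Entra during offboarding can stay enabled and group-privileged in AD, where VPN, RADIUS and NAS permissions still look. The following is an added example, not code from any commenter or a Microsoft tool: it compares exports of the same users from both directories and flags mismatches, treating enabled state and group membership as high severity because those decide on-prem access. The record shapes imitate Get-ADUser and Graph /users output but are constructed for the example, with placeholder names and domain; which users have had their SOA moved is hard-coded here and would be read from the directory in practice.

```python
"""Flag drift between the AD and Entra ID copies of a user once the user's
source of authority (SOA) has moved to Entra and nothing writes back.

Added example, not from any commenter and not a Microsoft tool. It
assumes you export the same users from both directories into flat
records (the shapes below imitate Get-ADUser and Graph /users output but
are constructed for this example, with placeholder names and domain).
"""

# Constructed AD export (as if from Get-ADUser with -Properties).
AD_EXPORT = [
    {"UserPrincipalName": "jdoe@example.com", "Enabled": True, "DisplayName": "Jane Doe",
     "Department": "Finance", "Title": "Analyst", "MemberOf": ["VPN-Users", "NAS-Finance"]},
    {"UserPrincipalName": "asmith@example.com", "Enabled": True, "DisplayName": "Al Smith",
     "Department": "Sales", "Title": "Rep", "MemberOf": ["VPN-Users"]},
    {"UserPrincipalName": "bwong@example.com", "Enabled": True, "DisplayName": "Bo Wong",
     "Department": "IT", "Title": "Admin", "MemberOf": ["VPN-Users", "Domain Admins"]},
]

# Constructed Entra export (as if from Graph /users plus memberOf).
ENTRA_EXPORT = [
    {"userPrincipalName": "jdoe@example.com", "accountEnabled": True, "displayName": "Jane Doe",
     "department": "Treasury", "jobTitle": "Analyst", "memberOf": ["VPN-Users", "NAS-Finance"]},
    {"userPrincipalName": "asmith@example.com", "accountEnabled": False, "displayName": "Al Smith",
     "department": "Sales", "jobTitle": "Rep", "memberOf": []},
    {"userPrincipalName": "bwong@example.com", "accountEnabled": True, "displayName": "Bo Wong",
     "department": "IT", "jobTitle": "Admin", "memberOf": ["VPN-Users", "Domain Admins"]},
    {"userPrincipalName": "cloudonly@example.com", "accountEnabled": True, "displayName": "Cloud Only",
     "department": "HR", "jobTitle": "Partner", "memberOf": []},
]

# Users whose SOA was moved to Entra (constructed; read the real state from
# the directory instead of hard-coding it).
SOA_ENTRA = {"jdoe@example.com", "asmith@example.com"}

# Attribute -> severity. Enabled state and group membership decide access
# on-prem, so a mismatch there is standing access nobody sees in Entra.
SEVERITY = {"enabled": "high", "groups": "high", "department": "medium",
            "jobTitle": "medium", "displayName": "low"}


def normalize_ad(rec):
    return {"upn": rec["UserPrincipalName"].lower(), "enabled": rec["Enabled"],
            "displayName": rec["DisplayName"], "department": rec["Department"],
            "jobTitle": rec["Title"], "groups": frozenset(rec["MemberOf"])}


def normalize_entra(rec):
    return {"upn": rec["userPrincipalName"].lower(), "enabled": rec["accountEnabled"],
            "displayName": rec["displayName"], "department": rec["department"],
            "jobTitle": rec["jobTitle"], "groups": frozenset(rec["memberOf"])}


def _show(value):
    return sorted(value) if isinstance(value, frozenset) else value


def find_drift(ad_records, entra_records, soa_entra):
    """Compare every user present in both directories and list mismatches."""
    ad = {u["upn"]: u for u in map(normalize_ad, ad_records)}
    en = {u["upn"]: u for u in map(normalize_entra, entra_records)}
    findings = []
    for upn in sorted(ad.keys() & en.keys()):  # cloud-only users have no AD twin
        for attr, sev in SEVERITY.items():
            a, e = ad[upn][attr], en[upn][attr]
            if a != e:
                findings.append({
                    "upn": upn, "attribute": attr, "ad": _show(a), "entra": _show(e),
                    "severity": sev,
                    # After SOA transfer a mismatch is expected drift; for a
                    # still-synced user it means the sync itself is broken.
                    "kind": "post-soa drift" if upn in soa_entra else "sync mismatch",
                })
    return findings


def count_by_severity(findings):
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_drift(AD_EXPORT, ENTRA_EXPORT, SOA_ENTRA):
        print(f"{f['severity']:<6} {f['upn']:<22} {f['attribute']:<12} "
              f"AD={f['ad']!r} Entra={f['entra']!r} ({f['kind']})")
```

Running this on the constructed data reports two high findings for the offboarded user (still enabled in AD, still in VPN-Users) and one medium finding for the department change that never reached AD; the same comparison run on a schedule is a cheap way to catch standing on-prem access that the Entra side no longer shows.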
Initial_Western7906@reddit (OP)
Yeah this makes a lot of sense. This really clears things up a lot, so thank you.
I guess right now there's no real clear way to be "Entra-first" in an enterprise environment. Before I started looking into all of this, I assumed transitioning all users, devices and groups to being Entra-first could be done, and then for any systems that relied on AD on-prem (e.g. ISE) that they'd more than likely be able to integrate directly with Entra ID using SAML.
Taking ISE as an example - right now it's using security groups in AD on-prem to determine what VLAN to drop a user into when they connect to our corporate SSID. I just assumed it could integrate with Entra so that when the user connects to the SSID they would be redirected to Entra authentication, and Entra would issue a SAML assertion for this.
But I'm probably wrong, was just an assumption...
Test-NetConnection@reddit
Honestly, it seems like a lot of work migrating your on-premise domain to AADDS. Recreating group policy objects and migrating all servers from one domain to another just sounds like way more trouble than it is worth. More platforms sync from AD than use SCIM, so maintaining AD as your source of truth still seems like best practice to me. I also don't like the idea of being 100% dependent on Azure. If Azure goes down at least my users can still sign in. If Microsoft jacks up the price of cloud compute it is trivial to move to another provider, but not so much if you are stuck with an obfuscation of AD instead of actual domain controllers. Just my two cents.
man__i__love__frogs@reddit
Intune Cloud PKI or something like SCEPman which can run on a lightweight container app. There are also Cloud RADIUS options like RADIUSaaS, Portnox, Foxpass, etc...
nycola@reddit
If they switched to using the Intune certificate connector and deployed AD Root & User PKCS certs to the devices, wifi profile, etc., configure it with EAP-TLS. As long as ISE has the root cert available in its trusted store it can validate the clients via their cert. ISE doesn't care about how the certs get on the device, just that it can validate the chain and that the CRL is reachable from ISE for revocation checks. But it sounds like your ISE is already on domain so it shouldn't be an issue.
HDClown@reddit
Generally speaking, in this situation, I would always start with moving devices to Entra Joined while keeping AD as source of truth. Deploy Kerberos Cloud Trust and authentication on Entra Joined devices to AD joined resources is a non-issue. Essentially, move to modern device management approach without changing your identity source of truth.
In your specific situation when it comes to eliminating AD, what's the real reason behind it? You state reduced or eliminated dependency but why? Is it because you run DC's on-prem on your own hardware and want to eliminate dealing with the on-prem hardware aspect? If so, you can put your DC's in the cloud as VM's (Azure or otherwise)
If you really just want to get rid of AD, then you need to get rid of NTLM/Kerberos auth, but I'll put an asterisk on Kerberos. Entra Kerberos has cloud only identity in preview but support in general is limited to Azure Files, AVD, and Windows auth to Azure SQL Managed Instances, so that may not cover all your Kerberos auth needs.
Getting rid of AD and using Entra DS could be viable. This relies on Entra as source of truth but still gives you NTLM/Kerberos auth, but with more limitations compared to running your own AD. The details matter here in terms of if those limitations will matter. Also, you want to look at the cost aspect. You can run a pair of DC's for almost the same money as the lowest cost instance of Entra DS.
spazzo246@reddit
hello! I do this on the regular for many customers
The one thing I see that might not work or you will have to rework is your wifi/VPN configuration. Because there are no AD objects there will be no way to map the connection requests to AD. You will need to change everything that relies on AD objects to user based or a different system that doesn't rely on AD.
Might have to change this to user based instead.
Everything else you mentioned works fine on an entra joined device
Winstonwolf1345@reddit
You can have a nice Intune policy for the wifi using an AD group? You can always transition to an AAD group?
spazzo246@reddit
They mentioned AD not AAD. Their Cisco ISE system must hook into Active Directory to look for AD objects. Wouldn't work for Entra join unless Cisco ISE can look to Entra join instead. I'm not sure, I haven't used Cisco ISE.
man__i__love__frogs@reddit
No it doesn't, it just needs to connect to a RADIUS server, there are plenty of cloud options.
TaiGlobal@reddit
Having Cisco ise needing to go to the internet to verify if a device and/or user should be on your on prem network sounds like a nightmare waiting to happen. I’d imagine you’d have to go a completely different direction. Maybe Palo Alto firewall + global protect. Or some kind of ztna solution like zscaler.
man__i__love__frogs@reddit
Not at all. Intune does Cloud PKI, the missing piece is RADIUS, but there are several cloud based options for that, like Foxpass or Portnox.
SenikaiSlay@reddit
Palo is correct. We use it to verify users for GP by group
Hofax@reddit
Using certificates, I think this is possible for ISE via AAD-ID.
mat-ferland@reddit
I’d keep hybrid longer than you want. WiFi, VPN, NAS, LDAP and GPO are exactly where these projects turn into cleanup work.
ZAFJB@reddit
As long as you have on prem services (VPN, file servers, NAS, LDAP, web and application servers, industrial machines, etc.) keep your users and PCs hybrid joined.
Hybrid join makes managing authentication and permissioning of on-prem stuff much easier to do.
Initial_Western7906@reddit (OP)
Yeah this is what we're going to do. Thanks mate!
Fine_Cancel9719@reddit
Transitioning from a hybrid AD to Entra-only can indeed be complex, especially with the dependencies you've outlined. One practical tip is to gradually shift your on-premises policies to Intune, ensuring your group policies are properly defined in the cloud environment. Also, consider using tools that help with definition modelling for your user roles and permissions, which can streamline the transition. If you’re managing multiple agents, maintaining shared context ops is vital, this is where something like puppyone can assist in managing the permissions and auditability across your setup.
CommOnMyFace@reddit
Bloodhound is an incredible tool to understand your new environment.
Initial_Western7906@reddit (OP)
Thanks mate, will look into it!
Brave_Form_9463@reddit
When I did this we just moved AD to a small Azure cloud server to maintain some of the essential functionality (like authentication to apps that required on-prem AD). And just slowly decommissioned on-prem servers. Used as much Entra out-of-the-box functionality as we could but kept users hybrid, but moved user services to Intune joined only.
Initial_Western7906@reddit (OP)
Yeah, where the users are created is probably the key part. I was hoping to have user onboarding and offboarding purely in Entra, so that users didn't need to be created in AD on-prem. But it's looking like right now, with user writeback from Entra to AD not being supported, that this probably isn't doable.
I think we'll likely move as much as we can from AD on-prem to AD (e.g. devices all entra joined rather than hybrid, all groups (as these can be written back as far as I know), and any GPOs that can be replicated in Intune).
tango_one_six@reddit
A lot of great input already here.
I'll only add this - if you guys have Unified or some sort of support agreement with an MSP, take advantage of it. Don't try to plan and execute this alone. And there's no real need to be AAD-only if there's no real business need. You can probably push off most of what you listed to cloud auth and Intune/Azure Arc, but if it ain't broke, there's also no need to fix it.
Initial_Western7906@reddit (OP)
For sure, completely agree.
We actually aren't against having a lighter-weight AD on-prem for those systems/processes that need it, but I guess our main goal is to at least make Entra ID the "primary" directory, rather than AD on-prem being the primary that syncs to Entra. Right now user onboarding/offboarding has to all be done in AD on-prem and using Exchange 2016. We're hoping to retire Exchange 2016 as right now it doesn't serve a purpose other than user creation and the attributes that come with it.
We want to be able to have our user onboarding and offboarding workflows configured natively in Entra, rather than creating them on prem and syncing. Same goes for devices. We'd prefer to have all the Windows devices "Entra joined" as there's no use case for them existing in AD on-prem anymore.
Master-IT-All@reddit
I think I would diagram the authentication flows and determine how each system would be accessed, where it would change and what might be gained or lost. And is it even possible.
So Janice in Accounting on Laptop200 needs to access Dynamics CRM, how does it look now? How does it look after? What about if Janice needs to access a data share on the NAS, what does the authentication flow look like for that before and after?
literalsupport@reddit
Moved all workloads to the cloud (files, applications, etc) until it was just users. Learned how to make entra AD authentication the authority (Google/chatgpt makes this easy) then started moving users. Was surprised how easy it was. No going back.
Short-Legs-Long-Neck@reddit
Just about done this. You need a roadmap. You're potentially years away depending how fast you can make changes. So methodical long term outlook needed.
ISE to SCEP is an easy one. Then Entra Joined is easy but very slow. This means you will have moved to Intune and solved GPO (also very easy). Dell Isilon supports SSO I believe. This will give the time you need to solve your VPN. But, depending on the need, I would focus on not having on-prem storage. The extra cost of cloud storage, without needing VPN, might be cheaper overall?
Tiny-Cardiologist87@reddit
Seeing similar in the space I work, pick your workloads and where they make sense.
End user devices Entra join/Intune MDM is a solid play but it's a failure for Windows servers.
Jamf can do "Jamf Connect" auth to Entra ID to get you auth to cloud.
Not all group policy easily translates to Intune; multiuser Windows 11 SKUs for example negate a lot of controls, requiring a great deal of effort to reproduce them in arguably worse ways (burning config into gold masters or remediation scripts).
The group-based controls could shift up to cloud-only groups, or already be there as hybrid groups.
Entra ID shouldn't be considered the identity "source" in my view, just your primary identity provider; you should have upstream sources that are authoritative for that like an HR system.
whitoreo@reddit
We did exactly as you plan. There are boatloads I could write about our transition.... but it's late and you caught me at a bad time. In the end, I'd say it's not horrible and lends itself very well to a mobile workforce (i.e. working from home vs. the office vs. the beach under an umbrella... are all pretty much the same thing) and +1 for not needing much on the hardware side.