Migrating from AD to Cloud - Where should my Accounts Lie?

Posted by Moisttwoillete@reddit | sysadmin | View on Reddit | 11 comments

Hey Everyone, I'm in the early stages of Coordinating my Migration from on-Prem AD Servers to Cloud Entra. I don't have any on-prem Apps or other systems that I need to worry about, the majority of my products are cloud-native already. I'm having a bit of a dilemma deciding who should be my "Source of Truth" for my Accounts. We run Okta (100+ Apps) for Auth & We also have Entra for a few applications + all the 365 stack (Intune / Exchange / Etc.). Currently we have our AD Server concurrently syncing to Okta & Entra, but the two aren't connected in any meaningful way (Besides the 2FA Auth). I keep having discussions with Okta / MS About how I should architect my migration, and they both obviously say whichever one they own... I'm leaning towards making Okta my Source as I'm a better fan of the intergrations & Management from it on that side, and that way I can just leave Entra/365 for exclusively MS Products. Has anyone done full cloud migrations with these two and how did you go about choosing?

11 Comments

[-]

WestOpening1350@reddit

Sticking with Okta as the hub is great for flexibility, but watch out for the rest of legacy junk that doesn't play nice with either. You’ll always find a handful of apps that don't support SCIM or SAML. I’d maybe look into a universal access layer to wrap those non SSO logins, otherwise, you're just trading one manual password mess for another

pantherghast@reddit

Save yourself some money and move off Okta.

WiskeyUniformTango@reddit

Id get rid of Okta to save the costs. Use Entra as your IDP. I setup and run a fully cloud based org using Entra as my IDP. It works.

Garix@reddit

I agree with this take. As long as you don’t have on premise with requirements for legacy LDAP apps. Cloud only is awesome for web app and SaaS only companies.

TerrorToadx@reddit

If you’re already using MS services, why would you not use Entra ID..??

ChelseaAudemars@reddit

Out of those 100+ apps identify which are critical and which would not have integrations with Entra. Generally, companies will stay with Okta as their IdP simply due to the sheer number of integrations. Those who are phasing out of Okta are doing so because they already own Entra licensing through M365 E3/E5 and want to reduce costs, making Okta redundant. Based on your business requirements will determine if you start phasing Okta out and lean into Entra or have a critical requirement that Entra cannot meet.

Previous-Low4715@reddit

Go all Entra. Good luck though, there isn’t really a proper migration path for this yet.

Affectionate-Cat-975@reddit

I worked at an org that Mastered in Okta. The annoying this was dealing with nesting groups. That and policies being deployed. I think the GPO ability and on prem resources to auth are what's sustaining Windurs AD. I've seen other posts about saving $$ and skipping okta. It has it's place, especially if you have people using their personal creds to access and leveraging the app launchers. Add the integrations that okta pursued to build their moat and if you're willing to pay extra, then it's worth it.

Frothyleet@reddit

There are not a lot of situations where Okta really gives you something that Entra doesn't already have and that you aren't likely paying for in Entra. It's a very robust product, MS just mostly caught up. In my experience, most of Okta's customer base is there because of inertia. If you are going to keep Okta, I'd lean on it being your IDP source of truth. But otherwise I'd ditch Okta, keeping in mind you have to rebuild your IAM procedures around Entra.

Hatethyself69@reddit

Like the other people said get rid of okra and go full entra

EngineerInTitle@reddit

We've been moving clients away from Okta, away from on prem AD, and going strictly all Entra. Okta is still a decent product, but Entra has caught up. No point in paying for a duplicate product.

Reply to Post

11 Comments