Hybrid to Cloud-Only Identity: A Migration Playbook
Plenty of organizations still anchor identity to an on-premises Active Directory they no longer need, syncing it up to Entra ID out of habit and inertia. Going cloud-only removes a whole class of fragility, but the migration touches every user, so it has to be done as a reversible, low-drama operation rather than a flag day.
Inventory what actually depends on AD
Before moving anyone, find what truly still needs the on-prem directory: legacy apps using LDAP or Kerberos, file shares, print, anything bound to a domain. Most of these have a cloud-native answer now, but you can't plan around dependencies you haven't enumerated. This step is unglamorous and it's where the whole project succeeds or fails.
Migrate in waves, with a rollback for each
Convert users in small cohorts, not all at once. Each wave should have a clean rollback so a surprise affects a handful of people for an hour, never the whole company for a day. The goal is that any single wave is boring.
Watch the identifiers
The sharp edges in identity migrations are almost always mismatched identifiers — how a user is keyed in the directory versus in downstream systems like MFA, single sign-on, and device management. A username that's a bare account name in one system and a full UPN in another will silently create duplicates or lock people out. Map the identifier flow end to end before you cut anyone over.
Give the help desk a tool, not a runbook
A migration generates a predictable set of support issues. Rather than handing the help desk a long document, give them a tool that diagnoses the common failures and tells them the fix. It turns a stressful cutover into a routine one and keeps the project moving at the pace of the people doing the work.
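As an added example (not from the original post), here is a Python sketch of the identifier reconciliation that the "Watch the identifiers" and help-desk sections above call for: it resolves each downstream system's key to the directory UPN, flags duplicates, account-name-dressed-as-UPN mismatches, orphans and missing enrollments, and gives the help desk a per-user diagnosis with the fix. The sample exports, their field names and the fix texts are constructed assumptions, not any real system's export format.

```python
from collections import Counter
DIRECTORY = [  # constructed: Entra ID users after sync, account name and UPN
    {"sam": "jdoe", "upn": "jdoe@corp.example"},
    {"sam": "asmith", "upn": "asmith@corp.example"},
    {"sam": "blee", "upn": "b.lee@corp.example"},  # UPN is not the account name
]
SYSTEMS = {  # constructed exports of downstream systems, keyed however each one does it
    "mfa": ["JDOE", "jdoe@corp.example", "asmith@corp.example", "blee"],
    "sso": ["jdoe@corp.example", "asmith@corp.example", "blee@corp.example"],
    "mdm": ["jdoe@corp.example", "asmith@corp.example", "ghost@corp.example"],
}
FIXES = {  # what the help desk should do for each kind of finding (assumed wording)
    "duplicate": "merge the entries and keep the one keyed by the full UPN",
    "mismatch": "identifier was built from the account name; rekey to the real UPN",
    "orphan": "no directory user owns this identifier; disable or reassign it",
    "missing": "user is not enrolled here; enroll under the full UPN before cutover",
}

def classify(identifier, sam_to_upn):
    """Map an identifier, however a system wrote it, to the directory UPN it most likely belongs to."""
    ident = identifier.strip().lower()
    local = ident.split("@")[0]
    if "@" not in ident:                  # bare sAMAccountName
        return sam_to_upn.get(local, ident), "ok"
    if ident in sam_to_upn.values():      # a genuine directory UPN
        return ident, "ok"
    return sam_to_upn.get(local, ident), "mismatch"  # sam@domain: silently forks the user

def reconcile(directory, systems):
    """Return (system, upn, kind, raw_identifier) for every identifier problem found."""
    sam_to_upn = {u["sam"].lower(): u["upn"].lower() for u in directory}
    expected = set(sam_to_upn.values())
    findings = []
    for name, identifiers in systems.items():
        seen = Counter()
        for raw in identifiers:
            upn, kind = classify(raw, sam_to_upn)
            seen[upn] += 1
            if upn not in expected:
                findings.append((name, upn, "orphan", raw))
            elif kind == "mismatch":
                findings.append((name, upn, "mismatch", raw))
        # the same user keyed twice (e.g. bare name and full UPN) collapses to one key
        findings += [(name, u, "duplicate", u) for u, n in seen.items() if n > 1]
        findings += [(name, u, "missing", u) for u in sorted(expected - set(seen))]
    return findings

def diagnose(upn, findings):
    """Help-desk view: every problem for one user, each with its fix."""
    return [f"{system}: {kind} on '{raw}' -> {FIXES[kind]}"
            for system, owner, kind, raw in findings if owner == upn]
```

Run `reconcile` over real exports before each wave and hand `diagnose` to the help desk; a wave is ready when the report for its cohort is empty.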