User Source of Authority Change to Entra ID #entraid

By John Savill's Technical Training

Key Concepts

  • Active Directory (AD): Traditional on-premises identity and access management system.
  • Entra ID (formerly Azure AD): Microsoft's cloud-based identity and access management service.
  • Source of Authority: The primary system where user identities and their attributes are managed.
  • Cloud Kerberos Trust: A mechanism to maintain Kerberos authentication capabilities when migrating from AD to Entra ID.
  • User Writeback: The process of synchronizing changes made in Entra ID back to Active Directory.
  • Group Source of Authority: The primary system for managing group memberships and attributes.

Moving User Source of Authority from Active Directory to Entra ID

This short video explains the process and implications of shifting the user source of authority from on-premises Active Directory (AD) to Microsoft Entra ID (formerly Azure AD). This migration is driven by the increasing adoption of cloud services, leading organizations to consider Entra ID as their core identity solution.

Benefits of Migrating to Entra ID

Migrating the user source of authority to Entra ID unlocks several advantages:

  • Enhanced Governance: Improved control and management of user identities and access.
  • Lifecycle Management: Streamlined processes for user onboarding, offboarding, and attribute updates.
  • Insight Capabilities: Access to richer analytics and reporting on user activity and security posture.
  • Cloud Service Integration: Seamless integration with a wide range of cloud applications and services.

Maintaining Kerberos Capabilities

Even after transitioning the source of authority to Entra ID, organizations can still leverage Kerberos-type capabilities. This is achieved by establishing a cloud Kerberos trust between the existing AD and Entra ID. This trust ensures that applications or services still relying on Kerberos authentication can continue to function during and after the migration.

The Migration Process: A Simple Change with Significant Implications

The core technical change to move the user source of authority is straightforward: changing a setting from cloud managed: false to cloud managed: true. However, this seemingly simple alteration has critical consequences.

Crucial Point: No User Writeback

A significant implication of this change is the absence of user writeback. This means that once the user source of authority is moved to Entra ID, any changes made to user accounts within Entra ID will not be reflected back in the original Active Directory. AD will no longer be the authoritative source for these user attributes.

Recommendations and Considerations

Given the implications, particularly the lack of user writeback, it is strongly advised to:

  • Thoroughly Understand Documentation: Before proceeding, it is essential to consult Microsoft's official documentation to grasp all potential ramifications of this change.
  • Prioritize Group Source of Authority: It is recommended to migrate the group source of authority before moving the user source of authority. This ensures that group memberships and their associated permissions are correctly managed in the new cloud-based system before user identities are fully transitioned.
  • Plan for Existing Users: The process allows for taking existing users and shifting their management to Entra ID. This means that HR systems and other management tools can then communicate directly with Entra ID for user management.
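The change and the checks recommended above, as an added PowerShell example that is not from the video or from Microsoft: it warns about the user's synced groups that AD still owns, then flips the flag behind a confirmation prompt. Assumptions: the function name `Set-UserSoaToCloud` is hypothetical, and the Microsoft Graph beta path `onPremisesSyncBehavior` with its `isCloudManaged` property is how the "cloud managed" setting is exposed; verify both against Microsoft's documentation before use.

```powershell
#Requires -Modules Microsoft.Graph.Authentication
# Added example. Assumed, not from the page: Graph beta path /onPremisesSyncBehavior
# and property isCloudManaged. Function name is hypothetical.
function Set-UserSoaToCloud {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string]$UserId)

    $base = 'https://graph.microsoft.com/beta'
    $user = Invoke-MgGraphRequest -Method GET `
        -Uri "$base/users/${UserId}?`$select=id,userPrincipalName,onPremisesSyncEnabled"
    if (-not $user.onPremisesSyncEnabled) { throw "$UserId is not synced from AD." }

    # Groups first: collect synced groups this user belongs to that AD still owns.
    $uri = "$base/users/${UserId}/memberOf/microsoft.graph.group" +
           "?`$select=id,displayName,onPremisesSyncEnabled"
    $adOwned = while ($uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $uri
        foreach ($g in $page.value | Where-Object { $_.onPremisesSyncEnabled }) {
            $b = Invoke-MgGraphRequest -Method GET `
                -Uri "$base/groups/$($g.id)/onPremisesSyncBehavior?`$select=isCloudManaged"
            if (-not $b.isCloudManaged) { $g.displayName }
        }
        $uri = $page.'@odata.nextLink'   # follow paging until exhausted
    }
    if ($adOwned) {
        Write-Warning "Groups still managed in AD: $($adOwned -join ', ')"
    }

    $soaUri = "$base/users/${UserId}/onPremisesSyncBehavior"
    $now = Invoke-MgGraphRequest -Method GET -Uri "${soaUri}?`$select=isCloudManaged"
    if ($now.isCloudManaged) { return 'AlreadyCloudManaged' }

    # No user writeback after this point: later Entra ID edits do not flow back to AD.
    if ($PSCmdlet.ShouldProcess($user.userPrincipalName, 'Set isCloudManaged = true')) {
        Invoke-MgGraphRequest -Method PATCH -Uri $soaUri -Body @{ isCloudManaged = $true }
        return 'Converted'
    }
    return 'Skipped'
}
```

Run it with `-WhatIf` after `Connect-MgGraph` to see the group warning and the pending change without writing anything.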

Conclusion

The migration of the user source of authority from Active Directory to Entra ID is a pivotal step for organizations embracing cloud identity. While the technical change is minimal, the strategic implications, especially regarding the loss of user writeback and the need to manage groups first, require careful planning and a deep understanding of the documentation. This shift enables organizations to harness the advanced governance, lifecycle management, and insight capabilities of Entra ID, aligning their identity infrastructure with their cloud-first strategy.