Saying Goodbye to ADFS: Migrating to Microsoft Entra ID for a Zero Trust, Cloud-First Future

The Challenge

Federal agencies face unique identity management challenges due to strict regulatory requirements and the need to protect sensitive data. For a large federal agency with nearly 500,000 employees, managing identities across more than 400 applications had become increasingly difficult. Their reliance on Active Directory Federation Services (ADFS) for authentication resulted in multiple logins, inconsistent user experiences, and limited single sign-on capabilities.

ADFS, once sufficient, had become a liability. As a heavily targeted, internet-facing service it presented a broad attack surface, and it lacked key security features such as certificate-based authentication and advanced conditional access. As the agency shifted more operations to the cloud, it needed a solution that could support modern security practices and reduce its growing exposure.

Migrating from ADFS to Microsoft Entra ID is a key phase of the agency’s multi-year effort to transform into a 100% cloud enterprise. The agency is currently a hybrid organization; the goals of the migration are to reduce authentication complexity, strengthen its security posture, and shrink the footprint of its on-premises systems.

The Solution

Recognizing the complexity and scale of the migration, Microsoft brought in Oxford Computer Group (OCG) to aid the migration from ADFS to Microsoft Entra ID. OCG’s expertise in identity management ensured the agency’s move to a cloud-native platform was executed smoothly and securely.

Microsoft Entra ID’s enhanced capabilities were critical in addressing the agency’s security needs, in particular their authentication challenges and scalability requirements. The platform’s ability to support multiple authentication protocols, such as OAuth, SAML, and OpenID Connect, enabled true single sign-on and strong authentication across 480 applications. The migration coincided with the deployment of advanced conditional access policies, allowing the agency to enforce granular security measures, further reducing vulnerabilities.

Enabling conditional access policies was a key component of the project. Microsoft Entra Conditional Access brings identity signals together to make decisions and enforce organizational policies. Before the migration, the agency’s employees relied on PIV cards to log in and access resources. With conditional access, the agency can increase security by adding conditions to sign-in based on signals such as group membership, IP location, and device state. For example, the agency can now create a policy that blocks sign-in from a machine that does not meet its device requirements.
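As an added illustration (not code from the case study or from OCG), the following creates a device-based Conditional Access policy of the kind described above with the Microsoft Graph PowerShell SDK: sign-in to all cloud apps is allowed only from a compliant or hybrid-joined device, starting in report-only mode. The policy name and the emergency-access group ID are placeholders.

```powershell
# Added example, not part of the original case study.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the caller can
# consent to Policy.ReadWrite.ConditionalAccess and Policy.Read.All.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder: object ID of the group holding emergency-access (break-glass) accounts.
$breakGlassGroupId = "<object-id-of-emergency-access-group>"

$policy = @{
    displayName = "CA010 - Require compliant or hybrid-joined device"
    # Report-only: the sign-in log records what the policy WOULD do without
    # blocking anyone, so the impact can be reviewed before enforcement.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            # Always exclude emergency-access accounts so a misconfigured
            # device policy cannot lock every administrator out of the tenant.
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeApplications = @("All")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # "OR": the device must satisfy at least one of the listed controls.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

# Create the policy and show what was stored.
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once the report-only results look correct, switch the same policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = "enabled" }
```

Review the report-only results under Sign-in logs (Report-only tab) for a few days before enabling the policy; the exclusion group should contain only the emergency-access accounts.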

Challenges

Preparing the agency’s internal IT staff for the new solution required thoughtful communication and a considerate change management plan. Initially, some application owners worried that the process of moving to a new platform would result in downtime and negatively affect the end-user experience. OCG and Microsoft worked closely with application owners to ensure a seamless process, building in testing and development environments.

OCG also used Microsoft’s ADFS Migration Tool for a smooth and efficient migration. This tool is specifically designed to automate several aspects of the migration process, reducing both the complexity and the time required to transition. The tool assists in identifying the ADFS applications to migrate, automates the migration of Relying Party Trusts, and helps configure claim rules in Microsoft Entra ID. By leveraging this tool, organizations can focus on strategic deployment rather than the intricacies of manual migration.

Prior to full migration, OCG conducted extensive testing to validate that all features and integrations worked as expected. Once planning and testing concluded, an application migration took as little as one hour to complete.

The Results

During the first 14-month phase of the project, 480 applications were transitioned – a velocity made possible by capitalizing on best practices and a streamlined migration methodology. OCG was able to leverage its experience to automate much of the migration process, reducing complexity and accelerating the transition. This allowed the agency to focus on ensuring business continuity, with minimal disruption to daily operations.

The migration from ADFS to Microsoft Entra ID delivered the following outcomes:

  • Improved Security: The agency benefited from Microsoft Entra ID’s certificate-based authentication and conditional access policies. This helped to reduce security risks and better control access across their systems.
  • Simplified Identity Management: With single sign-on capabilities, the agency streamlined the user experience, reducing the complexity of managing multiple authentication methods.
  • Cost and Resource Optimization: The shift to a cloud-based platform reduced the need for maintaining on-premises infrastructure, lowering overall maintenance and hardware costs.
  • Improved Accessibility and Reliability: The agency’s application owners had complained of outages and downtime with ADFS; Microsoft Entra ID provides automatic failover and robust disaster recovery, unlike the more localized on-premises ADFS setup.
  • Flexibility for Future Integrations: The agency is now better positioned to integrate additional applications into their system, whether from Microsoft or third-party providers, as part of their ongoing cloud strategy.

Where do we go from here?

This project represents a key step in the agency’s broader shift to the cloud. Currently operating in a hybrid environment, their long-term aim is to transition as much as possible to a fully cloud-based model. Doing so will continue to enhance security, modernize their operations, and move closer to a Zero Trust architecture. As part of this journey, they plan to consolidate their identity management onto a single platform—Microsoft Entra ID—allowing for more streamlined processes, cost efficiencies, and strengthened security.
Is your organization facing similar challenges? If you want to learn more about migrating away from ADFS, contact us. We’d be delighted to help.

If you’d like the latest updates on new resources and events from OCG, follow us on LinkedIn.