Tags: azure, azure-active-directory, active-directory, domain-controller, microsoft-entra-id

Switching from a hybrid AD (Active Directory) to cloud only


I am currently doing an internship, and at the moment, I am working on figuring out how the company where I am interning can transition from a hybrid Active Directory to a cloud-only setup. This is because our server is quite unstable, and there is a desire to move towards a cloud-only option.

Currently, we have our own server that manages the Active Directory (AD) and everything related to it. We also use Azure AD to synchronize our AD users and groups. Our on-premises AD regularly updates this data to the Azure AD environment.

The challenge I am facing is that I am relatively new to this field, and I am having some difficulty understanding the possible steps to achieve this transition. Therefore, my question is: What is the best way to move from a hybrid AD to a cloud-only AD, including the authentication processes? Alternatively, if someone has good and comprehensive documentation, that would be welcome as well.

I have tried to find information directly from Microsoft, searched on Google, and watched YouTube videos. However, the issue is that I simply do not know precisely what I can and cannot use.


Solution

  • When transitioning to Azure AD, it is advisable to migrate applications utilizing modern authentication protocols such as SAML and OpenID Connect. For more guidance on this process, you can consult the Transition to the cloud documentation.

    To move application authentication to Azure Active Directory, you can follow the steps outlined in the official Microsoft documentation. Additionally, if you are using Azure AD Multi-Factor Authentication Server, consider migrating to Azure AD Multi-Factor Authentication by referring to the steps provided here. Another useful resource is available for migrating from federation to cloud authentication, which you can find here.

    For organizations using Azure AD Application Proxy for remote access to internal applications, it is recommended to migrate as outlined in the roadmap to the cloud. It is crucial to verify the relocation of any other features you might be using before decommissioning Active Directory Federation Services.

    Once the migration is complete, the only option left is to disable dirsync for the entire tenant using the command:

    Set-MsolDirSyncEnabled -EnableDirsync $False

    A note of caution: If you use Azure AD Connect and uncheck a group under Domain and OU filtering, it will result in the deletion of the group from Azure AD.

    For additional information and community insights, you may refer to the following resources:
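The answer above lists the steps in prose; the script below is an added example (not part of the original question or answer, and not Microsoft's own code) showing the last step, the cutover from synchronized to cloud-only, with the checks a practitioner would want before running it: inventory what is still synchronized, require that the Azure AD Connect scheduler is already stopped, and only then disable directory synchronization for the tenant. It uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module) rather than the MSOnline cmdlet quoted in the answer; the `Update-MgOrganization` call is the Graph equivalent of `Set-MsolDirSyncEnabled -EnableDirsync $False`. The module name, the `$InventoryPath` default, the `-Disable` and `-SchedulerStopped` switches and the 30-minute staleness threshold are assumptions for this example; the account used must be able to consent to the scopes listed and to change the organization object (Microsoft's documentation calls for a Global Administrator).

```powershell
<#
  Added example: move a tenant from hybrid (Azure AD Connect) to cloud-only.
  Not from the original post. Assumes the Microsoft.Graph module is installed.
  Run once without -Disable to get a report, then with -Disable -SchedulerStopped.
#>
param(
    [string]$InventoryPath = ".\synced-objects.csv",  # assumed output location
    [switch]$Disable,                                 # without it: report only
    [switch]$SchedulerStopped                         # assert Connect's scheduler is off
)

Connect-MgGraph -Scopes "Organization.ReadWrite.All","User.Read.All","Group.Read.All" -NoWelcome

# 1. Tenant state: is sync on, and when did Azure AD Connect last write to the tenant?
$org = Get-MgOrganization -Property Id,DisplayName,OnPremisesSyncEnabled,OnPremisesLastSyncDateTime
"Tenant {0}: OnPremisesSyncEnabled={1}, last sync {2}" -f `
    $org.DisplayName, $org.OnPremisesSyncEnabled, $org.OnPremisesLastSyncDateTime

# 2. Inventory every object still sourced from on-premises AD. Keep this file:
#    after the switch these objects become cloud-managed and the tenant no longer
#    tells you which ones used to be synchronized.
$syncedUsers = @(Get-MgUser -All -Filter "onPremisesSyncEnabled eq true" `
        -Property Id,UserPrincipalName,OnPremisesImmutableId,OnPremisesLastSyncDateTime |
    Select-Object @{n='Type';e={'User'}}, Id, @{n='Name';e={$_.UserPrincipalName}},
                  OnPremisesImmutableId, OnPremisesLastSyncDateTime)
$syncedGroups = @(Get-MgGroup -All -Filter "onPremisesSyncEnabled eq true" `
        -Property Id,DisplayName,OnPremisesLastSyncDateTime |
    Select-Object @{n='Type';e={'Group'}}, Id, @{n='Name';e={$_.DisplayName}},
                  @{n='OnPremisesImmutableId';e={$null}}, OnPremisesLastSyncDateTime)
($syncedUsers + $syncedGroups) | Export-Csv -Path $InventoryPath -NoTypeInformation
"Synced objects: {0} users, {1} groups (written to {2})" -f `
    $syncedUsers.Count, $syncedGroups.Count, $InventoryPath

if (-not $Disable) {
    "Report only. Re-run with -Disable -SchedulerStopped to switch to cloud-only."
    return
}

# 3. Refuse to proceed while Connect may still be writing. The caution in the
#    answer above applies here: objects that drop out of the sync scope while
#    sync is still enabled are deleted from the tenant, so the scheduler must be
#    stopped BEFORE sync is disabled, not after. On the Connect server run:
#        Set-ADSyncScheduler -SyncCycleEnabled $false
#        (Get-ADSyncScheduler).SyncCycleEnabled    # must print False
if (-not $SchedulerStopped) {
    throw "Stop the Azure AD Connect scheduler first, then re-run with -SchedulerStopped."
}
# The default scheduler interval is 30 minutes; a write newer than that
# suggests the scheduler is not actually off (or a manual cycle just ran).
if ($org.OnPremisesLastSyncDateTime -gt (Get-Date).AddMinutes(-30).ToUniversalTime()) {
    Write-Warning ("Tenant was written by Connect at {0} UTC; confirm the scheduler is stopped." -f `
        $org.OnPremisesLastSyncDateTime)
}

# 4. Flip the tenant to cloud-only (Graph equivalent of
#    Set-MsolDirSyncEnabled -EnableDirsync $False). Microsoft's documentation
#    says this can take up to 72 hours to complete, so re-check the property later.
Update-MgOrganization -OrganizationId $org.Id -OnPremisesSyncEnabled:$false
"Requested. Current value: OnPremisesSyncEnabled={0}" -f `
    (Get-MgOrganization -Property OnPremisesSyncEnabled).OnPremisesSyncEnabled
```

The ordering in the script is the point: stop Connect, take the inventory, then disable sync. Do not uninstall Azure AD Connect or remove OUs from its filter while the tenant still has sync enabled, because a final sync cycle will treat the missing objects as deleted. After the tenant reports `OnPremisesSyncEnabled` as false the former on-premises users are edited directly in Azure AD (password resets, group membership, attributes), which is the cloud-only authentication state the question asks about.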