Creating the foundations for moving from on-premises to cloud

The background

We were approached by a leading UK-based, global provider of digital and blended distance higher education to scope and plan a roadmap for modernizing their digital learning environment.

Their primary goal was to enhance student collaboration, communication, and access to resources, and they had selected Microsoft 365 and Microsoft Entra as the platforms for this transformation.

One of their early priorities was to implement a cloud-based service management application to streamline request capture, monitoring, and fulfilment. Since we had been working with this organization since 2022 on all aspects of their identity implementation, we were engaged to handle provisioning to this application, laying the groundwork for all future transformations from on-premises to the cloud.

The challenge

In common with many education providers, details of staff and students are sourced from separate systems, and their on-premises user accounts are held in different Active Directory forests. User account provisioning to one Entra ID tenant had already been implemented using Entra Connect for all staff. A small number of students had also been provisioned to a separate tenant for a pilot project using Entra Connect Cloud Sync. Now they needed to merge both user groups into a single tenant to deploy the service management solution across the organization.

However, there were challenges:

  1. Staff and students were in separate Active Directory forests, which precluded broadening the scope of the existing instance of Entra Connect.
  2. A small but significant number of users had accounts in both forests, necessitating the identification and management of these merged identities.
  3. Different attribute flows were required based on whether a user was staff-only, student-only, or had a merged identity.
  4. Password writeback from Entra ID to Active Directory was required, irrespective of where on-premises accounts were hosted.
  5. Any solution had to be implemented so there was no change to the existing sign-in experience for any user.

The solution

After evaluating options (including changes to the organization’s MIM implementation), we recommended deploying a new instance of Entra Connect, as Entra Connect Cloud Sync can’t handle multiple source forests.

The first step was to deploy a new instance of Entra Connect in a development environment to develop custom rules and verify the approach for merging identities from both forests.

We also identified additional attributes needed for future on-premises to Entra transitions and configured them as schema extension attributes within Entra Connect, creating additional flow rules for them.

After verifying successful identity merging and custom attribute flow, we deployed the new Entra Connect configuration to a test environment containing a more representative set of user accounts and the service management application. This testing was valuable because it revealed that some extension attributes breached an Entra service limit on the number of extension values (not attributes) per resource. We resolved this by removing some redundant extension attributes.

The final Entra Connect configuration was then deployed to a new server in the production environment and left in staging mode pending approval to go live.

To gain additional confidence that the new Entra Connect server was correctly configured, we produced a pending export report to show the organization the changes in Entra ID. After reviewing the report and addressing minor data quality issues unrelated to Entra Connect, the new server went live.

The result

Our meticulous planning and thorough verification in development and test environments allowed the organization to replace its staff-only Entra Connect solution with minimal downtime. This transition onboarded over 70,000 students and several thousand groups, achieving a seamless change.

Users can now be easily provisioned to the service management application, significantly enhancing the experience for both staff and students. This also allows the organization to easily and efficiently implement future cloud-based applications, reducing reliance on on-premises servers.

Next steps

The organization is now planning which other aspects of its on-premises implementation can be migrated to the cloud.

