Posted 19/09/2025
As organisations modernise their IT infrastructure, many find themselves juggling multiple Active Directory (AD) environments or preparing to move their on-premises infrastructure to the cloud. This often happens during mergers, acquisitions or divestitures – or in some cases, as a response to changing security priorities. It’s not just an IT challenge; it’s a business one too, often involving significant user disruption and potential downtime.
Migrating or consolidating an Active Directory environment or moving from one tenant to another can seem like a huge project at first glance. But with the right strategy – and a few practical tips – it can be more manageable than you might expect.
When approached correctly, these transitions can streamline operations, enhance security, reduce licensing, eliminate shadow IT, and improve the overall user collaboration and experience. But getting there without disrupting your business takes careful planning.
Whether you’re consolidating your devices to a single AD or transforming them into Entra Joined (cloud native) devices – or even migrating them to a brand-new greenfield AD – the process can be complex. In this blog, we’ll explore some key considerations you should keep in mind before and during your device transformation journey. There are plenty of moving parts, but if you have a good handle on the areas we highlight here, you’re already on the right track.
Directory synchronisation is typically the foundation and most critical aspect of transformation projects. This is also one of the first steps of any merger, acquisition, consolidation or divesture. This is so that your data migration teams can start to pre-stage your data with the correct permissions to users. If it’s not done right from the outset, the entire project risks failure.
A well-executed directory sync process ensures that any changes in your old environment are correctly and safely reflected in your new setup. It helps maintain consistency and prevents any data loss or misconfiguration that could impact user authentication and access controls.
Configurations you will need to consider, but not limited to:
• Scoping and Matching objects
• Attribute manipulation- are you changing email addresses and UPNs or reconfiguring how the objects appear?
• Password sync – will it be bidirectional?
• SIDHistory sync – do you need to preserve it?
• Groups and membership sync requirements
• Object conversion – do you need to perform object conversion to contacts, groups, or users?
• Connectivity can you communicate with all the directories directly, or will remote sync agents be required?
• Encryption protocols – is RC4 disabled? If so, you will need modern password sync capabilities
These considerations can significantly impact the success of your directory sync – and, by extension, the broader transformation. Get this part right, and the rest becomes much easier to manage.
A strong security posture starts with defining clear security baselines – approved configurations, allowed software, and minimum patch levels. These are often managed centrally using tools like Group Policy. If you’re in a Microsoft 365 environment, you’ll also spend a lot of time setting up Conditional Access and configuring Intune policies.
During a migration, your workstation will temporarily be in a transitory state – disjoining from one environment and joining another. That’s where grace periods come in. You may need to allow some flexibility while new configurations apply, so users remain productive while devices meet compliance.
Sometimes you’re moving your devices into an existing mature environment. Those devices will most likely inherit a new configuration from the new company. Adapting those settings to suit your needs – without disrupting the user experience – can be challenging, especially if users are used to certain features or behaviours. Sometimes you’ll be creating a completely new configuration, perhaps moving to a cloud-only (Entra Joined) and Intune setup. In that case, it’s critical to get your security posture right from the beginning.
Ensuring you’re delivering the correct set of policies and configuration to your workstations is key. When joining Active Directory, you need your machines to authenticate with AD so that new GPOs will be collected.
In many transformation projects, a period of coexistence between the different environments is essential. A “big bang” migration – where everything moves at once – is not always practical or possible.
When it comes to users’ computers, they often need to maintain access to applications in the source environment.
Accessing Legacy Applications Using SIDHistory
Even in well-planned migrations, some legacy applications may still validate security based on the original Active Directory Security Identifier (SID). To ensure a smooth user experience during coexistence or staged migrations, you can enable SIDHistory on migrated accounts. SIDHistory preserves the old SID values alongside the new ones, allowing migrated users to authenticate seamlessly to resources in the legacy forest – without needing to maintain separate credentials or revert security permissions.
This approach is especially valuable for mission-critical or revenue-generating applications that cannot be updated immediately to recognize new domain SIDs. By leveraging SIDHistory, you reduce disruption, minimize helpdesk calls, and buy time to modernize or retire legacy systems. However, SIDHistory should be managed carefully. Regular audits and eventual cleanup are essential to limit potential security exposure once all applications are fully transitioned.
Moving Users and Computers to Cloud Native
Moving workstations to cloud native is an easier choice since the workstation being part of or not part of a domain typically doesn’t stop applications from being used. However, users may still require access to on-premises resources such as file and print servers or legacy applications. To maintain seamless interoperability during the coexistence phase, Entra Connect Sync (formerly AAD Connect) is typically deployed to synchronize users, groups, and devices between your on-premises Active Directory and Entra ID.
Cloud Kerberos Trust
Entra Connect Sync provides critical features – such as password write-back and Cloud Kerberos Trust – to ensure both environments remain aligned. Cloud Kerberos Trust, in particular, issues a Kerberos token for the user’s cloud account, enabling authenticated access to on-premises resources even after accounts and computers have transitioned to a cloud-native state. One word of warning, a single Active Directory forest can only have a Cloud Kerberos Trust with one single Entra ID tenant.
Microsoft Entra Application Proxy
Alternatively, Microsoft Entra Application Proxy offers a secure reverse-proxy tunnel for on-premises web applications. Users authenticate via Microsoft Entra ID (or a federated identity provider) and access internal apps over HTTPS, eliminating the need for a VPN. Application Proxy applies modern security controls such as Conditional Access and MFA while maintaining access to critical line-of-business systems during migration.
As your cloud adoption matures, plan to gradually phase out on-premises dependencies – retiring or migrating legacy servers and applications once all required services and data have been moved or replaced – to simplify operations, enhance security, and reduce maintenance overhead.
What bucket do your applications fall into? One emerging industry standard is to use the categories: Tolerate, Invest, Migrate, Eliminate.
| Bucket | Description | Typical Actions During AD/Entra Migrations |
| Tolerate | Apps that aren’t ideal but are necessary for business continuity. They may be outdated, hard to modernize, or not strategic. | Keep them running as-is during the migration. Apply minimal effort – just enough to re-point authentication or adjust DNS. Plan to revisit later once critical apps are stabilized. |
| Invest | High-value or strategic apps that differentiate the business or have growth potential. | Allocate extra testing and support. Modernize authentication (e.g., modern protocols, MFA).Consider refactoring or integrating more deeply with Entra ID features like Conditional Access, PIM, or enterprise app catalog. |
| Migrate | Commodity or mid-tier apps that can be moved with minimal change. | Use standard migration tooling or federation changes to bring them onto the new AD/Entra tenant. Confirm dependencies (service accounts, group memberships, DNS records). Schedule cutover with minimal downtime. |
| Eliminate | Legacy, redundant, or low-value apps whose cost or risk outweighs their benefit. | Decommission before or shortly after migration. Archive data if required by compliance. Communicate with stakeholders so dependencies aren’t overlooked. |
1. Inventory: Gather a complete list of applications, their owners, authentication methods, and dependencies.
2. Assess & Classify: For each app, evaluate business value, technical debt, compliance, and migration complexity – then assign it to Tolerate, Invest, Migrate, or Eliminate.
3. Plan Cutovers: Build your migration wave plan around this classification – start with Migrate apps for quick wins, schedule Invest apps carefully, and leave Tolerate apps for later stabilization.
4. Communicate: Share the classification and reasoning with stakeholders to manage expectations and secure buy-in.
5. Revisit Post-Migration: Tolerate apps should be reassessed after the new directory is stable – they often become candidates for modernization or elimination.
Many applications depend on Active Directory for authentication and other services. Identify all these applications and check if they have any specific requirements or dependencies. It’s very important to ensure that your software deployment methods for any applications in the source, are now accommodated in the target.
Redeploying or reinstalling software might be an undesirable scenario, so detecting and absorbing might be the way to go.
In some cases, you might need to reconfigure applications to work with the new environment. It’s a good idea to document these dependencies early so that nothing is overlooked during the transition.
Some 3rd party application vendors, especially SaaS solutions, will allow you to provide a mapping of source GUID to target GUID so the users will logon with their target credentials and see no difference.
Rigorous testing is one of the biggest success factors in any transformation project.
Major changes – such as directory synchronization or workstation migrations – need more than careful planning. They demand a structured, repeatable testing strategy that validates every critical dependency.
Unlike routine IT initiatives, M&A transformations touch every layer of your organisation. Without comprehensive testing, you risk delays, data loss, access issues, and security gaps.
Testing isn’t optional – it’s your safety net for catching misconfigurations before they affect real users and your key to a smooth, controlled go-live.
Business change often triggers one clear goal: consolidating device join states into a single endpoint. Either Active Directory on Entra ID.
Fresh Start every device by wiping and resetting
Some organisations will opt to “Fresh-Start” their existing devices remotely that will require setting everything up from scratch again.
Physically swap out devices
Other organisations choose to send new devices to their users, which is very costly & has a large environmental impact.
How long will it take users to get back up and running and productive again after a Fresh Start or new device? How quickly can you redeploy all their software and restore their preferences? The hidden costs can escalate quickly. Take a look at our cost calculator to see how it all adds up.
Use PowerSyncPro Migration Agent to transition the devices between endpoints
Transition your devices in less than 15 minutes the smart way by avoiding time-consuming fresh starts. With a lightweight agent deployed to the Windows device running as a Windows service, the end-user’s device will migrate either when the end user requests it, or on the scheduled date and time. The migration agent will notify the end users of the migration being available, starting, in progress and complete in their own language.
PowerSyncPro was designed by engineers and consultants with over 50 years of combined experience delivering complex M&A and migration projects – people who knew there had to be a better way to achieve success.
This purpose-built software simplifies secure directory synchronisation and efficient workstation migration. With PowerSyncPro, you can automate much of the process, reduce downtime, and strengthen your security posture during a major business transition. It handles the heavy lifting so you can stay focused on the bigger picture – keeping your organisation operating smoothly and securely.
Whether it’s a small Active Directory consolidation or a large-scale tenant-to-tenant migration, PowerSyncPro adapts to the unique requirements of your project. Every migration is different, and success depends on careful planning, clear communication, and thorough testing.
When it’s time to synchronise directories and migrate devices, PowerSyncPro is the tool you want in your toolbox. – making the process as seamless and secure as possible. Migration projects can be daunting, but with the right strategy and the right tools, they’re also an opportunity to streamline your IT environment and boost overall efficiency.
Happy migrating!
Every M&A is different. Connect with one of our migration specialists to create a strategy that works for your environment and goals.
