📄️ Design Conditional Access posture
Implementation Effort: Medium – Requires policy planning and technical setup.
📄️ Stop buying or building Active Directory dependent apps
Implementation Effort: High – Transitioning away from Active Directory (AD) dependencies requires comprehensive changes in procurement policies, development practices, and IT governance processes. 
📄️ Discover and triage modern apps
Implementation Effort: Medium – Requires coordination across IT, security, and application teams to inventory and assess applications, but can be streamlined with available tools.
📄️ Discover and triage legacy apps
Overview
📄️ Rollout CA with MFA controls
Overview
📄️ Rollout Conditional Access with device state and application compliance controls
Implementation Effort: High – Requires policy setup and integration with Intune.
📄️ Deploy Conditional Access policies with risk control
Implementation Effort: Medium – Requires configuration of risk-based policies and integration with Identity Protection.
📄️ Roll out Conditional Access for guest accounts
Implementation Effort: Medium – Requires policy configuration and cross-tenant settings.
📄️ Migrate VPN auth to Entra
Overview
📄️ Enable on-prem remote access for web apps without VPN
Overview
📄️ Rollout governance for app assignments
Overview
📄️ Define application infrastructure server management strategy
Implementation Effort: High – Establishing a comprehensive server management strategy requires significant planning, coordination across IT and security teams, and potential restructuring of existing infrastructure and policies.
📄️ Deploy Entra Domain Services
Implementation Effort: Medium – Deploying Microsoft Entra Domain Services (MEDS) involves configuring virtual networks, which requires cross-team planning and operational execution.
📄️ Remove app infra servers from AD
Overview
📄️ Define and rollout VDI strategy
Implementation Effort: High – Developing and deploying a Virtual Desktop Infrastructure (VDI) strategy involves significant planning, resource allocation, and coordination across IT and security teams, including infrastructure setup, policy configuration, and ongoing management.
📄️ Migrate Cloud print servers to cloud
Implementation Effort: High – Transitioning from on-premises print servers to a cloud-based solution like Universal Print requires coordinated efforts from IT and security teams to assess current infrastructure, configure cloud services, and manage the migration process.
📄️ Migrate SSO for employee federated applications
Implementation Effort: High – A program must be put in place to migrate applications, engaging app owners and coordinating authentication updates.
📄️ Migrate SSO for employee Web Access Management based applications
Implementation Effort: High – Customer IT teams need to execute migration projects involving multiple application owners and technical stakeholders.
📄️ Decommission WAM servers
Implementation Effort: Medium – IT teams must manage targeted tasks to safely retire servers, ensuring no residual dependencies remain post-migration.
📄️ Migrate SSO for External Identities federated apps
Implementation Effort: High – Requires reconfiguration of authentication flows and coordination with external partners to transition federated trust.
📄️ Migrate SSO for guest WAM applications
Implementation Effort: High – Migrating Web Access Management (WAM) applications for guest users involves rearchitecting authentication flows, replacing legacy header-based access controls, and coordinating with external partners.
📄️ Stop issuing on-prem accounts for new external users
Overview
📄️ Start provisioning cloud apps via Entra app provisioning
Overview
📄️ Migrate on-prem external ids & workflows to Entra External ID
Overview
📄️ Decommission on-prem external user systems
Overview
📄️ Rollout governance for External IDs
Overview
📄️ Migrate existing SaaS app provisioning to Entra
Overview
📄️ Migrate HR provisioning flow to Entra
Overview
📄️ Migrate joiner/mover/leaver workflows to Entra
Overview
📄️ Migrate existing on-prem app provisioning to Entra
Overview
📄️ Rollout Authenticator App
Implementation Effort: High – IT and security teams must configure tenant settings, educate users, and manage registration campaigns.
📄️ Migrate on-prem MFA systems
Implementation Effort: High – Transitioning from on-prem MFA to Entra ID native methods involves infrastructure decommissioning, policy updates, and user re-registration workflows.
📄️ Migrate self-service password reset
Implementation Effort: High – Transitioning from on-premises SSPR to Microsoft Entra ID SSPR requires configuration of authentication methods, policy updates, and potential integration with on-premises directories via password writeback.
📄️ Develop credential (incl. Passwordless) strategy
Implementation Effort: Medium – Developing a comprehensive credential strategy requires coordinated efforts across IT and security teams, involving policy definition, infrastructure updates, and user onboarding processes.
📄️ Deploy Entra Password Protection
Implementation Effort: High – Deploying Microsoft Entra Password Protection requires installing and configuring agents on domain controllers and proxies, along with integration and validation in hybrid environments.
📄️ Turn on Password Hash Sync
Implementation Effort: Medium – Enabling Password Hash Synchronization (PHS) requires configuring Microsoft Entra Connect and ensuring appropriate permissions and connectivity between on-premises Active Directory and Microsoft Entra ID.
📄️ Migrate to Password Hash Sync authentication
Implementation Effort: Medium – With PHS already enabled, the remaining effort focuses on reconfiguring Entra ID as the primary authentication authority and decommissioning federation infrastructure.
📄️ Decommission on-prem federation servers
Implementation Effort: Medium – Federation infrastructure can be decommissioned after dependent applications and services are migrated, requiring targeted actions from infrastructure and identity teams.
📄️ Rollout Windows Hello for Business
Implementation Effort: High – Setting up Windows Hello for Business requires careful planning, configuration, and coordination across IT and security teams.
📄️ Roll out FIDO2 Security Keys
Implementation Effort: High – Deploying FIDO2 security keys requires configuring Microsoft Entra ID policies, distributing hardware tokens, and coordinating user onboarding and support.
📄️ Rollout Authenticator Passwordless methods
Implementation Effort: Low – Since the Authenticator app is already deployed for MFA and SSPR, only minimal configuration and enablement steps are needed to allow passwordless sign-in.
📄️ Drive passwordless authentication method usage
Implementation Effort: Medium – IT teams need to enable passwordless methods in Microsoft Entra ID, configure Conditional Access to require their use, monitor registration and sign-in activity, and take action to drive adoption across the organization.
📄️ Migrate to modern collaboration tools for collaboration (OneDrive, Teams, SharePoint)
Implementation Effort: High – Migrating to Microsoft 365 collaboration tools requires data migration, user training, license provisioning, and configuration of security and compliance settings.
📄️ Migrate distribution lists to Microsoft 365 Teams & Groups
Implementation Effort: High – IT teams must identify eligible distribution lists, upgrade them via the Exchange Admin Center or PowerShell, and configure Microsoft 365 Group settings as needed.
📄️ Use cloud groups for new cloud app authorization
Overview
📄️ Enable group writeback
Overview
📄️ Rollout governance for groups
Overview
📄️ Migrate group management workflows
Overview
📄️ Enable user writeback
Overview
📄️ Change provisioning flow of existing users to AAD
Overview
📄️ Decommission on-prem IDM system
Overview
📄️ Remove password as credential
Overview
📄️ Change provisioning flow of existing groups to Entra
Overview
📄️ Deploy Entra hybrid join
Overview
📄️ Define Entra join strategy
Overview
📄️ Rollout Entra join for new workstations
Overview
📄️ Rollout AutoPilot
Overview