Migrate SSO for employee federated applications

Implementation Effort: High – A program needs to be implemented to migrate applications engaging app owners and coordinating authentication updates.

User Impact: High – Users will need to be notified of authentication experience changes and may need to reauthenticate or adjust how they sign in.

Overview

Migrating single sign-on (SSO) for employee-facing applications from on-premises identity providers (such as AD FS) to Microsoft Entra ID modernizes authentication by centralizing identity in the cloud. This involves updating configurations to use Entra ID, and applying Conditional Access policies. Migrated apps benefit from security features including phishing-resistant authentication, real-time risk evaluation, and integration with identity governance controls.

This activity directly supports the Zero Trust principle of Verify explicitly by enabling authorization decisions based on a broad set of signals including device posture, location, and sign-in risk. It also strengthens Assume breach by reducing the attack surface of on-prem federation services and consolidating monitoring and control into Entra ID. By completing this migration, organizations lay the foundation for applying least privilege access through role-based access control, as all app access now flows through a modern identity control plane.

If SSO migration is not completed, critical applications may remain outside centralized control, continue relying on outdated protocols, and bypass Conditional Access enforcement—exposing the organization to elevated risk from threat actors exploiting federation endpoints or inconsistent authentication policies.

Reference

• Understand the stages of migrating application authentication from AD FS to Microsoft Entra ID
• Use the AD FS application migration to move AD FS apps to Microsoft Entra ID
• Plan application migration to Microsoft Entra ID
• Migrate from federation to cloud authentication in Microsoft Entra ID