Stop using on-premises groups to assign access to new applications / resources
Implementation Effort: High – IT and identity teams must transition from on-premises group-based access control to cloud-native group management. This involves driving alignment accross the organization, coordination across application owners and redefine operational procedures.
User Impact: Low – End users experience minimal disruption as access assignments are managed by administrators.
Overview
Moving away from on-premises Active Directory (AD) groups as the source of truth for access assignments is essential to modernizing identity governance. For new applications and resources, access should be granted using Microsoft Entra ID cloud groups instead. On-premises groups introduce synchronization delays, make dynamic access control difficult, and lack native integration in cloud-native audit and access review tooling. Even when access is required on legacy or on-premises systems, Microsoft Entra ID can still serve as the authoritative source through Entra Cloud Sync’s group provisioning to AD feature. This allows cloud-managed groups to be provisioned back into AD, enabling cloud-based governance while preserving on-premises compatibility.
This activity supports the Zero Trust principle of "Use least privilege access" by making group-based access control dynamic, policy-driven, and responsive to changes in user attributes, or risk level. It also aligns with "Assume breach" by reducing dependency on legacy infrastructure and giving security teams clearer visibility into group memberships and access assignments. Continuing to rely on on-premises groups for new application access increases the risk of outdated entitlements, complicates enforcement of access lifecycle policies, and limits scalability in hybrid environments.