Exploring the Extensibility of ADMS Portal Customizations
A Comprehensive Overview The ADMS Portal is more than just a migration interface—it's a customizable, intelligent platform designed to streamline and enhance the migration experience for both users and IT administrators. ADMS, ADSS, and ADGMS are all cloud-based services that come within the ADxS services portfolio offered by Microsoft and designed to facilitate efficient and cost-effective migrations. For additional information around migration use cases, refer to this blog: Exploring the Use Cases of ADxS Services | Microsoft Community Hub ADMS or Active Directory Migration Service – is a service designed to facilitate the migration of users and workstations across domains and forests by offering diverse number of migration methods such as Self-Service Migration which is unique to the ADMS service and it comes with two types, Self-Service for corporate connect users, and Self-Service for remote or VPN users, Admin automated Migrations, user only migration and Migration for workstations shared by more than one user. Prerequisites for a User Migration Users must be in scope for the ADMS sync engine, meet all identity logic, and be in the migration database prior to coming to the ADMS Portal. One of the first items we perform is pre-provision or join source identities to target identities also working with your team to determine attributes to flow as part of the sync engine. ADMS Portal will submit each user to a set of preflight checks prior to allowing user migration. Before any migration begins, the ADMS Portal runs a standardized set of preflight validations designed to catch common issues that could disrupt the process. These checks are essential safeguards that ensure a smooth and secure migration from the source to the target environment. Refer to this blog for more details: Ensuring Smooth Migrations with ADMS Portal’s Preflight Checks | Microsoft Community Hub User Migration journey Assuming the user meets the preflight checks for migration, the user is submitted to the activation phase. This phase includes the user object being enabled if necessary as well as being submitted to the ADMS AR Pipeline. The default delivery includes the objectSID of the source user being copied to the target user SIDHistory at user migration run-time in the ADMS AR pipeline. We also submit the user for any additional application/service remediation agreed upon during workshops. Refer to this blog for more details: Exploring the Use Cases of ADMS User Migration | Microsoft Community Hub Here’s a look at what the ADMS Portal can customize for a user migration: Preflight checks: ADMS team enables a standardized set of preflight validations designed to catch common issues that could disrupt the process. These checks are not just technical formalities—they are essential safeguards that ensure each migration proceeds smoothly and securely from old source environment to new target environment. Portal Landing Page: The ADMS Portal landing page can be configured to let the user choose from one or more connection options. This includes but not limited to at a remote location over VPN. Multi-language support: The ADMS Portal can be configured to allow the user's local language to be displayed in their browser providing a richer user experience for the various use cases brought to the migration portal. Customer Support Contact: ADMS team will configure the ADMS Portal to display the customer support contact information to help the user experience a better escalation path if any issues do occur during their migration journey. Identity Enablement: ADMS team has the ability to enable target user identities during the staging queue process during user migration. Identity Sync Engine: Conventional tools synchronize Active Directory objects as-is to the target domain and refresh them as changes are made in the source. ADMS implements a rich and robust identity management system so that just the right identities, groups, group memberships and workstations are synchronized and provisioned and will continuously run until the migration has been completed to accommodate changes in the source. ADMS AR Pipeline: The ADMS delivery team can handle at run-time remediation in the ADMS AR pipeline. This is done per user at user migration run-time to allow coexistence, maintaining access for those pending migration, and updating access for those that have performed migration through the ADMS Portal. Refer to this blog for more details: Exploring the Use Cases of ADMS Application Pipeline | Microsoft Community Hub Feature Enablement: ADMS delivery includes the ability to enable SIDHistory feature at user migration run-time. ADMS delivery can include the ability to enable our password sync feature one way from source to target. Post User Migration: ADMS team has the ability to disable the source user identities post user migration after an agreed upon grace period. Custom Preflight Check: ADMS team has the ability to add custom preflight checks for some migration use cases. Device Migration journey Conventional tools require mapping of users to workstations so that the migration sequence can be structured and run by the migration team. ADMS offers a simple to use portal service so that self-service migrations can be offered with users now able to migrate when it's convenient for them. Refer to this blog for more details: Exploring the Extensibility of Active Directory Migration Service (ADMS) Device Migration | Microsoft Community Hub Here’s a look at what the ADMS Portal can customize for a device migration: Preflight checks: ADMS WMT service is a requirement for a device to be eligible for migration. This is enabled by default. Identity Sync Engine: Conventional tools synchronize Active Directory objects as-is to the target domain and refresh them as changes are made in the source. ADMS implements a rich and robust identity management system so that just the right identities, groups, group memberships and workstations are synchronized and provisioned and will continuously run until the migration has been completed to accommodate changes in the source. WMT Service: ADMS WMT service is used for conducting workstation migration operations. ADMS WMT service performs at device migration runtime when invoked by ADMS Portal or our auto migration app to perform our default migration operations as well as any additional features we agreed upon during our design discussions for your ADMS delivery. WMT Service Custom External Scripts: ADMS WMT service has the option to run custom PowerShell external scripts. ADMS WMT service allows the extensibility to run custom external scripts at various execution points during the device migration sub-steps, which has been a game changer for our ADMS customers. There will be more on this in a future blog post. Approved to Migrate Computer Check: This is an optional check that can be enabled to look for a registry key on the device. Remote/VPN IP Range Check: ADMS Portal has the ability to use an IP range provided by the customer to determine if a client is attempting migration from a corporate network or remote connection. AutoMigApp - Device Only: ADMS team has the ability to generate a package of auto migration app designed to perform a device only migration. Custom Preflight Check: ADMS team has the ability to add custom preflight checks for some migration use cases. ADMS Portal Benefits The ADMS Portal offers a robust and flexible platform that enhances the migration experience for both users and administrators. Here are the key benefits: Streamlined User Experience: With customizable landing pages, multilingual support, and integrated customer support contact information, the portal ensures a smooth and intuitive experience for end users. Comprehensive Preflight Checks: Built-in and customizable preflight validations help identify and resolve potential issues before migration begins, reducing downtime and ensuring a higher success rate. Flexible Identity Management: The Identity Sync Engine and Identity Enablement features allow for precise control over which users, groups, and devices are migrated, ensuring alignment with organizational policies. Real-Time Remediation: The ADMS AR Pipeline supports runtime remediation, enabling coexistence and seamless access transitions during the migration process. Advanced Device Migration Support: The WMT service and AutoMigApp provide powerful tools for device-only migrations, including support for custom scripts and remote/VPN IP range checks. Post-Migration Controls: The service supports post-migration actions such as disabling source identities after a grace period, helping maintain security and compliance. Extensibility and Customization: From custom preflight checks to external script execution, the portal is designed to adapt to unique migration scenarios and enterprise needs. Conclusion ADMS is a service designed to facilitate the migration of users and workstations across domains and forests by offering diverse number of migration methods. ADxS services not only simplifies the migration process but also ensures that organizations can achieve their migration goals more efficiently and cost-effectively. Learn more about IMS and explore its powerful migration capabilities today! Read our latest insights on the IMS blog Learn more about IMS and start hassle-free migrations and its capabilities today! On our YouTube Channel Want to speak with an expert? Reach out to us at [email protected] to connect with a sales representative. Let’s power the future of digital collaboration — together.Ensuring Smooth Migrations with ADMS Portal’s Preflight Checks
A Comprehensive Overview In any enterprise migration, preparation is key. At the heart of a successful transition lies the ability to anticipate and eliminate potential roadblocks before they occur. That’s where the ADMS Portal’s preflight checks come into play. ADMS, ADSS, and ADGMS are all cloud-based services that come within the ADxS services portfolio offered by Microsoft and are designed to facilitate efficient and cost-effective migrations. For additional information around migration use cases, refer to this blog: https://techcommunity.microsoft.com/blog/microsoft-security-blog/exploring-the-use-cases-of-adxs-services/4373299?previewMessage=true. ADxS Benefits ADMS or Active Directory Migration Service – is a service designed to facilitate the migration of users and workstations across domains and forests by offering diverse number of migration methods such as Self-Service Migration which is unique to the ADMS service and it comes with two types, Self-Service for corporate connect users, and Self-Service for Remote users, Admin automated Migrations, user only migration and Migration for workstations shared by more than one user. ADxS services not only simplifies the migration process but also ensures that organizations can achieve their migration goals more efficiently and cost-effectively. Prerequisites for a User Migration Users must be in scope for the ADMS sync engine, meet all identity logic, and be in the migration database prior to coming to the ADMS Portal. One of the first items we perform is pre-provision or join source identities to target identities also working with your team to determine attributes to flow as part of the sync engine. ADMS Portal will submit each user to a set of preflight checks prior to allowing user migration. This will include, but is not limited to, ensuring connectivity to the target domain, use of a supported web browser, being in the approved to migrate security group, and so on to make sure the user is flight-ready. Migration journey Before any migration begins, the ADMS Portal runs a standardized set of preflight validations designed to catch common issues that could disrupt the process. These checks are not just technical formalities—they are essential safeguards that ensure each migration proceeds smoothly and securely from old source environment to new target environment. Here’s a look at what the ADMS Portal verifies before allowing a migration to proceed: Connectivity: Connectivity to a domain controller in the target environment. Supported Browser: Use of a supported browser. Approved to Migrate Security Group Check: Security group validation to confirm the user is approved for migration. Bulk Migrator Security Group Check: Authorization of the user as a bulk migrator, if applicable. WMT Service: Checks installation of the WMT service on the device. WMT Service Status: Verification that WMT is not currently running on the device. OS Version Check: Confirmation that the device is running an approved version of Windows OS. Approved to Migrate Computer Check: Approval of the computer for migration. This is an optional check that can be enabled to look for a registry key on the device. PowerShell Check: Availability of PowerShell on the device. Roaming Profile Check: Verification the user account does not use a roaming profile. Target Computer Object Check: Confirmation that a target computer object exists. Target Computer Ownership Check: Confirmation that the target computer object ownership is set correctly. Custom Preflight Check: ADMS team has the ability to add custom preflight checks for some migration use cases. Conclusion Migration is more than just moving data—it’s about maintaining continuity, security, and user trust. With the ADMS Portal’s built-in preflight checks, organizations can approach migrations with confidence, knowing that the groundwork has been thoroughly vetted. Whether you're managing a small batch of users or orchestrating a large-scale migration, these preflight checks are your first line of defense against avoidable delays and complications. Preflight checks are designed to be comprehensive yet efficient, ensuring that both individual and bulk migrations are executed with minimal friction. By automating these validations, the ADMS Portal reduces the risk of human error and accelerates the overall migration timeline. Learn more about IMS and explore its powerful migration capabilities today! Read our latest insights on the IMS blog Learn more about IMS and start hassle-free migrations and its capabilities today! On our YouTube Channel Want to speak with an expert? Reach out to us at [email protected] to connect with a sales representative. Let’s power the future of digital collaboration — together.Step by Step: 2-Tier PKI Lab
Purpose of this blog Public Key Infrastructure (PKI) is the backbone of secure digital identity management, enabling encryption, digital signatures, and certificate-based authentication. However, neither setting up a PKI nor management of certificates is something most IT pros do on a regular basis and given the complexity and vastness of the subject it only makes sense to revisit the topic from time to time. What I have found works best for me is to just set up a lab and get my hands dirty with the topic that I want to revisit. One such topic that I keep coming back to is PKI - be it for creating certificate templates, enrolling clients, or flat out creating a new PKI itself. But every time I start deploying a lab or start planning a PKI setup, I end up spending too much time sifting through the documentations and trying to figure out why my issuing certificate authority won't come online! To make my life easier I decided to create a cheatsheet to deploy a simple but secure 2-tier PKI lab based on industry best practices that I thought would be beneficial for others like me, so I decided to polish it and make it into a blog. This blog walks through deploying a two-tier PKI hierarchy using Active Directory Certificate Services (AD CS) on Windows Server: an offline Root Certification Authority (Root CA) and an online Issuing Certification Authority (Issuing CA). We’ll cover step-by-step deployment and best practices for securing the root CA, conducting key ceremonies, and maintaining Certificate Revocation Lists (CRLs). Overview: Two-Tier PKI Architecture and Components In a two-tier PKI, the Root CA sits at the top of the trust hierarchy and issues a certificate only to the subordinate Issuing CA. The Root CA is kept offline (disconnected from networks) to protect its private key and is typically a standalone CA (not domain-joined). The Issuing CA (sometimes called a subordinate or intermediate CA) is kept online to issue certificates to end-entities (users, computers, services) and is usually an enterprise CA integrated with Active Directory for automation and certificate template support. Key components: Offline Root CA: A standalone CA, often on a workgroup server, powered on only when necessary (initial setup, subordinate CA certificate signing, or periodic CRL publishing). By staying offline, it is insulated from network threats. Its self-signed certificate serves as the trust anchor for the entire PKI. The Root CA’s private key must be rigorously protected (ideally by a Hardware Security Module) because if the root is compromised, all certificates in the hierarchy are compromised. Online Issuing CA: An enterprise subordinate CA (domain-joined) that handles day-to-day certificate issuance for the organization. It trusts the Root CA (via the root’s certificate) and is the one actually responding to certificate requests. Being online, it must also be secured, but its key is kept online for operations. Typically, the Issuing CA publishes certificates and CRLs to Active Directory and/or HTTP locations for clients to download. The following diagram shows the simplified view of this implementations: The table below summarizes the roles and differences: Aspect Offline Root CA Online Issuing CA Role Standalone Root CA (workgroup) Enterprise Subordinate CA (domain member) Network Connectivity Kept offline (powered off or disconnected when not issuing) Online (running continuously to serve requests) Usage Signs only one certificate (the subordinate CA’s cert) and CRLs Issues end-entity certificates (users, computers, services) Active Directory Not a member of AD domain; doesn’t use templates or auto-enrollment Integrated with AD DS; uses certificate templates for streamlined issuance Security Extremely high: physically secured, limited access, often protected by HSM Very High: server hardened, but accessible on network; HSM recommended for private key CRL Publication Manual. Admin must periodically connect, generate, and distribute CRL. Delta CRLs usually disabled. Automatic. Publishes CRLs to configured CDP locations (AD DS, HTTP) at scheduled intervals. Validity Period Longer (e.g. 5-10+ years for the CA certificate) to reduce frequency of renewal. Shorter (e.g. 2 years) to align with organizational policy; renewed under the root when needed. In this lab setup, we will create a Contoso Root CA (offline) and a Contoso Issuing CA (online) as an example. This mirrors real-world best practices which is to "deploy a standalone offline root CA and an online enterprise subordinate CA”. Deploying the Offline Root CA Setting up the offline Root CA involves preparing a dedicated server, installing AD CS, configuring it as a root CA, and then securing it. We’ll also configure certificate CDP/AIA (CRL Distribution Point and Authority Information Access) locations so that issued certificates will point clients to the correct locations to fetch the CA’s certificate and revocation list. Step 1: Prepare the Root CA Server (Offline) Provision an isolated server: Install a Windows Server OS (e.g., Windows Server 2022) on the machine designated to be the Root CA. Preferably on a portable enterprise grade physical server that can be stored in a safe. Do not join this server to any domain – it should function in a Workgroup to remain independent of your AD forest. System configuration: Give the server a descriptive name (e.g., ROOTCA) and assign a static IP (even though it will be offline, a static IP helps when connecting it temporarily for management). Install the latest updates and security patches while it’s still able to go online. Lock down network access: Once setup is complete, disable or unplug network connections. If the server must remain powered on for any reason, ensure all unnecessary services/ports are disabled to minimize exposure. In practice, you will keep this server shut down or physically disconnected except when performing CA maintenance. Step 2: Install the AD CS Role on the Root CA Add the Certification Authority role: On the Root CA server, open Server Manager and add the Active Directory Certificate Services role. During the wizard, select the Certification Authority role service (no need for web enrollment or others on the root). Proceed through the wizard and complete the installation. You can also install the CA role and management tools via PowerShell: Install-WindowsFeature AD-Certificate -IncludeManagementToolsThis Role Services: Choose Certification Authority. Setup Type: Select Standalone CA (since this root CA is not domain-joined). CA Type: Select Root CA. Private Key: Choose “Create a new private key.” Cryptography: If using an HSM, select the HSM’s Cryptographic Service Provider (CSP) here; otherwise use default. Choose a strong key length (e.g., 2048 or 4096 bits) and a secure hash algorithm (SHA-256 or higher). CA Name: Provide a common name for the CA (e.g., “Contoso Root CA”). This name will appear in issued certificates as the Issuer. Avoid using a machine DNS name here for security – pick a name without revealing the server’s actual hostname. Validity Period: Set a long validity (e.g., 10 years) for the root CA’s self-signed certificate. A decade is common for enterprise roots, reducing how often you must touch the offline CA for renewal. Database: Specify locations for the CA database and logs (the defaults are fine for a lab). Review settings and complete the configuration. This process will generate the root CA’s key pair and self-signed certificate, establishing the Root CA.Post-install configuration: After the binary installation, click Configure Active Directory Certificate Services (a notification in Server Manager). In the configuration wizard: You can also perform this configuration via PowerShell in one line: Install-AdcsCertificationAuthority ` -CAType StandaloneRootCA ` -CryptoProviderName "YourHSMProvider" ` -HashAlgorithmName SHA256 -KeyLength 2048 ` -CACommonName "Contoso Root CA" ` -ValidityPeriod Years -ValidityPeriodUnits 10 This would set up a standalone Root CA named "Contoso Root CA" with a 2048-bit key on an HSM provider, valid for 10 years. Step 3: Integrate an HSM (Optional but Recommended) If your lab has a Hardware Security Module, use it to secure the Root CA’s keys. Using an HSM provides a dedicated, tamper-resistant storage for CA private keys and can further protect against key compromise. To integrate: Install the HSM vendor’s software and drivers on the Root CA server. Initialize the HSM and create a security world or partition as per the vendor instructions. Before or during the CA configuration (Step 2 above), ensure the HSM is ready to generate/store the key. When running the AD CS configuration, select the HSM’s CSP/KSP for the cryptographic provider so that the CA’s private key is generated on the HSM. Secure any HSM admin tokens or smartcards. For a root CA, you might employ M of N key splits – requiring multiple key custodians to collaborate to activate the HSM or key – as part of the key ceremony (discussed later). (If an HSM is not available, the root key will be stored on the server’s disk. At minimum, protect it with a strong admin passphrase when prompted, and consider enabling the option to require administrator interaction (e.g., a password) whenever the key is accessed.) Step 4: Configure CA Extensions (CDP/AIA) It’s critical to configure how the Root CA publishes its certificate and revocation list, since the root is offline and cannot use Active Directory auto-publishing. Open the Certification Authority management console (certsrv.msc), right-click the CA name > Properties, and go to the Extensions tab. We will set the CRL Distribution Points (CDP) and Authority Information Access (AIA) URLs: CRL Distribution Point (CDP): This is where certificates will tell clients to fetch the CRL for the Root CA. By default, a standalone CA might have a file:// path or no HTTP URL. Click Add and specify an HTTP URL that will be accessible to all network clients, such as: http://<IssuingCA_Server>/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl For example, if your issuing CA’s server name is ISSUINGCA.contoso.local, the URL might be http://issuingca.contoso.local/CertEnroll/Contoso%20Root%20CA.crl This assumes the Issuing CA (or another web server) will host the Root CA’s CRL in the CertEnroll directory. Check the boxes for “Include in the CDP extension of issued certificates” and “Include in all CRLs. Clients use this to find Delta CRLs” (you can uncheck the delta CRL publication on the root, as we won’t use delta CRLs on an offline root). Since the root CA won’t often revoke its single issued cert (the subordinate CA), delta CRLs aren’t necessary. Note: If your Active Directory is in use and you want to publish the Root CA’s CRL to AD, you can also add an ldap:///CN=... path and check “Publish in Active Directory”. However, publishing to AD from an offline CA must be done manually using the following command when the root is temporarily connected. certutil -dspublish Many setups skip LDAP for offline roots and rely on HTTP distribution. Authority Information Access (AIA): This is where the Root CA’s certificate will be published for clients to download (to build certificate chains). Add an HTTP URL similarly, for example: http://<IssuingCA_Server>/CertEnroll/<ServerDNSName>_<CaName><CertificateName>.crt This would point to a copy of the Root CA’s certificate that will be hosted on the issuing CA web server. Check “Include in the AIA extension of issued certificates”. This way, any certificate signed by the Root CA (like your subordinate CA’s cert) contains a URL where clients can fetch the Root CA’s cert if they don’t already have it. After adding these, remove any default entries that are not applicable (e.g., LDAP if the root isn’t going to publish to AD, or file paths that won’t be used by clients). These settings ensure that certificates issued by the Root CA (in practice, just the subordinate CA’s certificate) will carry the correct URLs for chain building and revocation checking. Step 5: Back Up the Root CA and Issue the Subordinate Certificate With the Root CA configured, we need to issue a certificate for the Issuing CA (subordinate). We’ll perform that in the next section from the Issuing CA’s side via a request file. Before taking the root offline, ensure you: Back up the CA’s private key and certificate: In the Certification Authority console, or via the CA Backup wizard, export the Root CA’s key pair and CA certificate. Protect this backup (store it offline in a secure location, e.g., on encrypted removable media in a safe). This backup is crucial for disaster recovery or if the Root CA needs to be migrated or restored. Save the Root CA Certificate: You will need the Root CA’s public certificate (*.crt) to distribute to other systems. Have it exported (Base-64 or DER format) for use on the Issuing CA and for clients. Initial CRL publication: Manually publish the first CRL so that it can be distributed. Open an elevated Command Prompt on the Root CA and run: certutil -crl This generates a new CRL file (in the CA’s configured CRL folder, typically %windir%\system32\CertSrv\CertEnroll). Take that CRL file and copy it to the designated distribution point (for example, to the CertEnroll directory on the Issuing CA’s web server, as per the HTTP URL configured). If using Active Directory for CRL distribution, you would also publish it to AD now (e.g., certutil -dspublish -f RootCA.crl on a domain-connected machine). In most lab setups, copying to an HTTP share is sufficient. With these tasks done, the Root CA is ready. At this point, disconnect or power off the Root CA and store it securely – it should remain offline except when it’s absolutely needed (like publishing a new CRL or renewing the subordinate CA’s certificate in the far future). Keeping the root CA offline maximizes its security by minimizing exposure to compromise. Best Practices for Securing the Root CA: The Root CA is the trust anchor, so apply stringent security practices: Physical security: Store the Root CA machine in a locked, secure location. If it’s a virtual machine, consider storing it on a disconnected hypervisor or a USB drive locked in a safe. Only authorized PKI team members should have access. An offline CA should be treated like crown jewels – offline CAs should be stored in secure locations. Minimal exposure: Keep the Root CA powered off and disconnected when not in use. It should not be left running or connected to any network. Routine operations (like issuing end-entity certs) should never involve the root. Admin access control: Limit administrative access on the Root CA server. Use dedicated accounts for PKI administration. Enable auditing on the CA for any changes or issuance events. No additional roles or software: Do not use the Root CA server for any other function (no web browsing, no email, etc.). Fewer installed components means fewer potential vulnerabilities. Protect the private key: Use an HSM if possible; if not, ensure the key is at least protected by a strong password and consider splitting knowledge of that password among multiple people (so no single person can activate the CA). Many organizations opt for an offline root key ceremony (see below) to generate and handle the root key with multiple witnesses and strict procedures. Keep system time and settings consistent: If the Root CA is powered off for long periods, ensure its clock is accurate whenever it is started (to avoid issuing a CRL or certificate with a wrong date). Don’t change the server name or CA name after installation (doing so invalidates issued certs). Periodic health checks: Even though offline, plan to turn on the Root CA at a secure interval (e.g., semi-annually or annually) to perform tasks like CRL publishing and system updates. Make sure to apply OS security updates during these maintenance windows, as offline does not mean immune to vulnerabilities (especially if it ever connects to a network for CRL publication or uses removable media). Deploying the Online Issuing CA Next, set up the Issuing CA server which will actually issue certificates to end entities in the lab. This server will be domain-joined (if using AD integration) and will obtain its CA certificate from the Root CA we just configured. Step 1: Prepare the Issuing CA Server Provision the server: Install Windows Server on a new machine (or VM) that will be the Issuing CA. Join this server to the Active Directory domain (e.g., Contoso.local). Being an enterprise CA, it needs domain membership to publish templates and integrate with AD security groups. Rename the server to something descriptive like ISSUINGCA for clarity. Assign a static IP and ensure it can communicate on the network. IIS for web enrollment (optional): If you plan to use the Web Enrollment or Certificate Enrollment Web Services, ensure IIS is installed. (The AD CS installation wizard can add it if you include those role services.) For this guide, we will include the Web Enrollment role so that the CertEnroll directory is set up for hosting certificate and CRL files. Step 2: Install AD CS Role on Issuing CA On the Issuing CA server, add the Active Directory Certificate Services role via Server Manager or PowerShell. This time, select both Certification Authority and Certification Authority Web Enrollment role services (Web Enrollment will set up the HTTP endpoints for certificate requests if needed). For example, using PowerShell: Install-WindowsFeature AD-Certificate, ADCS-Web-Enrollment -IncludeManagementTools After installation, launch the AD CS configuration wizard: Role Services: Choose Certification Authority (and Web Enrollment if prompted). Setup Type: Select Enterprise CA (since this CA will integrate with AD DS). CA Type: Select Subordinate CA (this indicates it will get its cert from an existing root CA). Private Key: Choose “Create a new private key” (we’ll generate a new key pair for this CA). Cryptography: If using an HSM here as well, select the HSM’s CSP/KSP for the issuing CA’s key. Otherwise, choose a strong key length (2048+ bits, SHA256 or better for hash). CA Name: Provide a name (e.g., “Contoso Issuing CA”). This name will appear as the Issuer on certificates it issues. Certificate Request: The wizard will ask how you want to get the subordinate CA’s certificate. Choose “Save a certificate request to file”. Specify a path, e.g., C:\CertRequest\issuingCA.req. The wizard will generate a request file that we need to take to the Root CA for signing. (Since our Root CA is offline, this file transfer might be via secure USB or a network share when the root is temporarily online.) CA Database: Choose locations or accept defaults for the certificate DB and logs. Finish the configuration wizard, which will complete pending because the CA doesn’t have a certificate yet. The AD CS service on this server won’t start until we import the issued cert from the root. Step 3: Integrate HSM on Issuing CA (Optional) If available, repeat the HSM setup on the Issuing CA: install HSM drivers, initialize it, and generate/secure the key for the subordinate CA on the HSM. Ensure you chose the HSM provider during the above configuration so that the issuing CA’s private key is stored in the HSM. Even though this CA is online, an HSM still greatly enhances security by protecting the private key from extraction. The issuing CA’s HSM may not require multiple custodians to activate (as it needs to run continuously), but should still be physically secured. Step 4: Obtain the Issuing CA’s Certificate from the Root CA Now we have a pending request (issuingCA.req) for the subordinate CA. To get its certificate: Transport the request to the Root CA: Copy the request file to the offline Root CA (via secure means – e.g., formatted new USB stick). Start up the Root CA (in a secure, offline setting) and open the Certification Authority console. Submit the request on Root CA: Right-click the Root CA in the CA console -> All Tasks -> Submit new request, and select the .req file. The request will appear in the Pending Requests on the root. Issue the subordinate CA certificate: Find the pending request (it will list the Issuing CA’s name). Right-click and choose All Tasks > Issue. The subordinate CA’s certificate is now issued by the Root CA. Export the issued certificate: Still on the Root CA, go to Issued Certificates, find the newly issued subordinate CA cert (you can identify it by the Request ID or by the name). Right-click it and choose Open or All Tasks > Export to get the certificate in a file form. If using the console’s built-in “Export” it might only allow binary; alternatively use the certutil command: certutil -dup <RequestID> .\ContosoIssuingCA.cer or simply open and copy to file. Save the certificate as issuingCA.cer. Also make sure you have a copy of the Root CA’s certificate (if not already done). Publish Root CA cert and CRL as needed: Before leaving the Root CA, you may also want to ensure the Root’s own certificate and latest CRL are available to the issuing CA and clients. If not already done in Step 5 of root deployment, export the Root CA cert (DER format) and copy the CRL file. You might use certutil -crl again if some time has passed since initial CRL. Now take the issuingCA.cer file (and root cert/CRL files) and move them back to the Issuing CA server. Step 5: Install the Issuing CA’s Certificate and Complete Configuration On the Issuing CA server (which is still waiting for its CA cert): Install the subordinate CA certificate: In Server Manager or the Certification Authority console on the Issuing CA, there should be an option to “Install CA Certificate” (if the AD CS configuration wizard is still open, it will prompt for the file; or otherwise, in the CA console right-click the CA name > All Tasks > Install CA Certificate). Provide the issuingCA.cer file obtained from the root. This will install the CA’s own certificate and start the CA service. The Issuing CA is now operational as a subordinate CA. Alternatively, use PowerShell: certutil -installcert C:\CertRequest\issuingCA.cer This installs the cert and associates it with the pending key. Trust the Root CA certificate: Because the Issuing CA is domain-joined, when you install the subordinate cert, it might automatically place the Root CA’s certificate in the Trusted Root Certification Authorities store on that server (and possibly publish it to AD). If not, you should manually install the Root CA’s certificate into the Trusted Root CA store on the Issuing CA machine (using the Certificates MMC or certutil -addstore -f Root rootCA.cer). This step prevents any “chain not trusted” warnings on the Issuing CA and ensures it trusts its parent. In an enterprise environment, you would also distribute the root certificate to all client machines (e.g., via Group Policy) so that they trust the whole chain. Import Root CRL: Copy the Root CA’s CRL (*.crl file) to the Issuing CA’s CRL distribution point location (e.g., C:\Windows\System32\CertSrv\CertEnroll\ if that’s the directory served by the web server). This matches the HTTP URL we configured on the root. Place the CRL file there and ensure it is accessible (the Issuing CA’s IIS might need to serve static .crl files; often, if Web Enrollment is installed, the CertEnroll folder is under C:\Inetpub\wwwroot\CertEnroll). At this point, the subordinate CA and any client hitting the HTTP URL can retrieve the root’s CRL. The subordinate CA is now fully established. It holds a certificate issued by the Root CA (forming a complete chain of trust), and it’s ready to issue end-entity certificates. Step 6: Configure Issuing CA Settings and Start Services Start the Certificate Services: If the CA service (CertSvc) isn’t started automatically, start or restart it. On PowerShell: Restart-Service certsvc The CA should show as running in the CA console with the name “Contoso Issuing CA” (or your chosen name). Configure Certificate Templates: Because this is an Enterprise CA, it can utilize certificate templates stored in Active Directory to simplify issuing common cert types (user auth, computer auth, web server SSL, etc.). By default, some templates (e.g., User, Computer) are available but not issued. In the Certification Authority console under Certificate Templates, you can choose which templates to issue (e.g., right-click > New > Certificate Template to Issue, then select templates like “User” or “Computer”). This lab guide doesn’t require specific templates but know that only Enterprise CAs can use templates. Templates define the policies and settings (cryptography, enrollment permissions, etc.) for issued certificates. Ensure you enable only the templates needed and configure their permissions appropriately (e.g., allow the appropriate groups to enroll). Set CRL publishing schedule: The Issuing CA will automatically publish its own CRL (for certificates it issues) at intervals. You can adjust the CRL and Delta CRL publication interval in the CA’s Properties > CRL Period. A common practice is a small base CRL period (e.g., 1 week or 2 weeks) for issuing CAs, because they may revoke user certs more frequently; and enable Delta CRLs (published daily) for timely revocation information. Make sure the CDP/AIA for the Issuing CA itself are properly configured too (the wizard usually sets LDAP and HTTP locations, but verify in the Extensions tab). In a lab, the default settings are fine. Web Enrollment (if installed): You can verify the web enrollment by browsing to http://<IssuingCA>/certsrv. This web UI allows browser-based certificate requests. It’s a legacy interface mostly, but for testing it can be used if your clients aren’t domain-joined or if you want a manual request method. In modern use, the Certificate Enrollment Web Service/Policy roles or auto-enrollment via Group Policy are preferred for remote and automated enrollment. At this stage, your PKI is operational: the Issuing CA trusts the offline Root CA and can issue certificates. The Root CA can be kept offline with confidence that the subordinate will handle all regular work. Validation and Testing of the PKI It’s important to verify that the PKI is configured correctly: Check CA status: On the Issuing CA, open the Certification Authority console and ensure no errors. Verify that the Issuing CA’s certificate shows OK (no red X). On the Root CA (offline most of the time), you can use the Pkiview.msc snap-in (Microsoft PKI Health Tool) on a domain-connected machine to check the health of the PKI. This tool will show if the CDPs/AIA are reachable and if certificates are properly published. Trust chain on clients: On a domain-joined client PC, the Root CA certificate should be present in the Trusted Root Certification Authorities store (if the Issuing CA was installed as Enterprise CA, it likely published the root cert to AD automatically; you can also distribute it via Group Policy or manually). The Issuing CA’s certificate should appear in the Intermediate Certification Authorities store. This establishes the chain of trust. If not, import the root cert into the domain’s Group Policy for Trusted Roots. A quick test: on a client, run certutil -config "ISSUINGCA\\Contoso Issuing CA" -ping to see if it can contact the CA (or use the Certification Authority MMC targeting the issuing CA). Enroll a test certificate: Try to enroll for a certificate from the Issuing CA. For instance, from a domain-joined client, use the Certificates MMC (in Current User or Computer context) and initiate a certificate request for a User or Computer certificate (depending on templates issued). If auto-enrollment is configured via Group Policy for a template, you can simply log on a client and see if it automatically receives a certificate. Alternatively, use the web enrollment page or certreq command to submit a request. The request should be approved and a certificate issued by "Contoso Issuing CA". After enrollment, inspect the issued certificate: it should chain up to "Contoso Root CA" without errors. Ensure that the certificate’s CDP points to the URL we set (and try to browse that URL to see the CRL file), and that the AIA points to the root cert location. Revocation test (optional): To test CRL behavior, you could revoke a test certificate on the Issuing CA (using the CA console) and publish a new CRL. On the client, after updating the CRL, the revoked certificate should show as revoked. For the Root CA, since it shouldn’t issue end-entity certs, you wouldn’t normally revoke anything except potentially the subordinate CA’s certificate (which would be a drastic action in case of compromise). By issuing a test certificate and validating the chain and revocation, you confirm that your two-tier PKI lab is functioning correctly. Maintaining the PKI: CRLs, Key Ceremonies, and Security Procedures Deploying the PKI is only the beginning. Proper maintenance and operational procedures are crucial to ensure the PKI remains secure and reliable over time. Periodic CRL Updates for the Offline Root: The Root CA’s CRL has a defined validity period (set during configuration, often 6 or 12 months for offline roots). Before the CRL expires, the Root CA must be brought online (in a secure environment) to issue a new CRL. It’s recommended to schedule CRL updates periodically (e.g., semi-annually) to prevent the CRL from expiring. An expired CRL can cause certificate chain validation to fail, potentially disrupting services. Typically, organizations set the offline root CRL validity so that publishing 1-2 times a year is sufficient. When the time comes: Start the Root CA (ensuring the system clock is correct). Run certutil -crl to issue a fresh CRL. Distribute the new CRL: copy it to the HTTP CDP location (overwrite the old file) and, if applicable, use certutil -dspublish -f RootCA.crl to update it in Active Directory. Verify that the new CRL’s next update date is extended appropriately (e.g., another 6 months out). Clients and the Issuing CA will automatically pick up the new CRL when checking for revocation. (The Issuing CA, if configured, might cache the root CRL and need a restart or certutil -setreg ca\CRLFlags +CRLF_REVCHECK_IGNORE_OFFLINE tweak if the root CRL expires unexpectedly. Keeping the schedule prevents such issues.) Issuing CA CRL and OCSP: The Issuing CA’s CRLs are published automatically as it is online. Ensure the IIS or file share hosting the CRL is accessible. Optionally, consider setting up an Online Responder (OCSP) for real-time status checking, especially if CRLs are large or you need faster revocation information. OCSP is another AD CS role service that can be configured on the issuing CA or another server to answer certificate status queries. This might be beyond a simple lab, but it’s worth mentioning for completeness. Key Ceremonies and Documentation: For production environments (and good practice even in labs), formalize the process of handling CA keys in a Key Ceremony. A key ceremony is a carefully controlled process for activities like generating the Root CA’s key pair, installing the CA, and signing subordinate certificates. It often involves multiple people to ensure no single person has unilateral control (principle of dual control) and to witness the process. Best practices for a Root CA key ceremony include: Advance Planning: Create a step-by-step script of the ceremony tasks. Include who will do what, what materials are needed (HSMs, installation media, backup devices, etc.), and the order of operations. Multiple trusted individuals present: Roles might include a Ceremony Administrator (leads the process), a Security Officer (responsible for HSM or key material handling), an Auditor (to observe and record), etc. This prevents any one person from manipulating the process and increases trust. Secure environment: Conduct the ceremony in a secure location (e.g., a locked room) free of recording devices or unauthorized personnel. Ensure the Root CA machine is isolated (no network), and ideally that BIOS/USB access controls are in place to prevent any malware. Generate keys with proper controls: If using an HSM, initialize and generate the key with the required number of key custodians each providing part of the activation material (e.g., smartcards or passphrases). Immediately back up the HSM partition or key to secure media (requiring the same custodians to restore). Sign subordinate CA certificate: As part of the ceremony, once the root key is ready, sign the subordinate’s request. This might also be a witnessed step. Document every action: Write down each command run, each key generated, serial numbers of devices used, and have all participants sign an acknowledgment of the outcomes. Also record the fingerprints of the generated Root CA certificate and any subordinate certificate to ensure they are exactly as expected. Secure storage: After the ceremony, store the Root CA machine (if it’s a laptop or VM) and HSM tokens in a tamper-evident bag or safe. The idea is to make it evident if someone tries to access the root outside of an authorized ceremony. While a full key ceremony might be overkill for a small lab, understanding these practices is important. Even in a lab, you can simulate some aspects (for learning), like documenting the procedure of taking the root online to sign the request and then locking it away. These practices greatly increase the trust in a production PKI by ensuring transparency and accountability for critical operations. Backup and Recovery Plans: Both CAs’ data should be regularly backed up: For the Root CA: since it’s rarely online, backup after any change. Typically, you’d back up the CA’s private key and certificate once (right after setup or any renewal). Store this securely offline (separate from the server itself). Also back up the CA database if it ever issues more than one cert (for root it might not issue many). For the Issuing CA: schedule automated backups of the CA database and private key. You can use the built-in certutil -backup or Windows Server Backup (which is aware of the AD CS database). Keep backups secure and test restoration procedures. Having a documented recovery procedure for the CA is crucial for continuity. Also consider backup of templates and any scripts. Maintain spare hardware or VMs in case you need to restore the CA on new hardware (especially for the root, having a procedure to restore on a new machine if the original is destroyed). Security maintenance: Apply OS updates to the CAs carefully. For the offline root, patch it offline if possible (offline servicing or connecting it briefly to a management network). For the issuing CA, treat it as a critical infrastructure server: limit its exposure (firewall it so only required services are reachable), monitor its event logs (enable auditing for Certificate Services events, which can log each issuance and revocation), and employ anti-malware tools with caution (whitelisting the CA processes to avoid interference). Also, periodically review the CA’s configuration and certificate templates to ensure they meet current security standards (for example, deprecate any weak cryptography or adjust validity periods if needed). By following these maintenance steps and best practices, your two-tier PKI will remain secure and trustworthy over time. Remember that PKI is not “set and forget” – it requires operational diligence, but the payoff is a robust trust infrastructure for your organization’s security. Additional AD CS Features and References Active Directory Certificate Services provides more capabilities than covered in this basic lab. Depending on your needs, you might explore: Certificate Templates: We touched on templates; they are a powerful feature on Enterprise CAs to enforce standardized certificate settings. Administrators can create custom templates for various use cases (SSL, S/MIME email, code signing) and control enrollment permissions. Understanding template versions and permissions is key for enterprise deployments. (Refer to Microsoft’s documentation on Certificate template concepts in Windows Server for details on how templates work and can be customized.) Web Services for Enrollment: In scenarios with remote or non-domain clients, AD CS offers the Certificate Enrollment Web Service (CES) and Certificate Enrollment Policy Web Service (CEP) role services. These allow clients to fetch enrollment policy information and request certificates over HTTP or HTTPS, even when not connected directly to the domain. They work with the certificate templates to enable similar auto-enrollment experiences over the web. See Microsoft’s guides on the Certificate Enrollment Web Service overview and Certificate Enrollment Policy Web Service overview for when to use these. Network Device Enrollment Service (NDES): This AD CS role service implements the Simple Certificate Enrollment Protocol (SCEP) to allow devices like routers, switches, and mobile devices to obtain certificates from the CA without domain credentials. NDES acts as a proxy (Registration Authority) between devices and the CA, using one-time passwords for authentication. If you need to issue certificates to network equipment or MDM-managed mobile devices, NDES is the solution. Microsoft Docs provide a Network Device Enrollment Service(NDES) overview and even details on using a policy module with NDES for advanced scenarios (like customizing how requests are processed or integrating with custom policies). Online Responders (OCSP): As mentioned, an Online Responder can be configured to answer revocation status queries more efficiently than CRLs, especially useful if your CRLs grow large or you have high-volume certificate validation (VPNs, etc.). AD CS’s Online Responder role service can be installed on a member server and configured with the OCSP Response Signing certificate from your Issuing CA. Monitoring and Auditing: Windows Servers have options to audit CA events. Enabling auditing can log events such as certificate issuance, revocation, or changes to the CA configuration. These logs are important in enterprise PKI to track who did what (for compliance and security forensics). Also, tools like the PKI Health Tool (pkiview.msc) and PowerShell cmdlets (like Get-CertificationAuthority, Get-CertificationAuthorityCertificate) can help monitor the health and configuration of your CAs. Conclusion By following this guide, you have set up a secure two-tier PKI environment consisting of an offline Root CA and an online Issuing CA. This design, which uses an offline root, is considered a security best practice for enterprise PKI deployments because it reduces the risk of your root key being compromised. With the offline Root CA acting as a hardened trust anchor and the enterprise Issuing CA handling day-to-day certificate issuance, your lab PKI can issue certificates for various purposes (HTTPS, code signing, user authentication, etc.) in a way that models real-world deployments. As you expand this lab or move to production, always remember that PKI security is as much about process as technology. Applying strict controls to protect CA keys, keeping software up to date, and monitoring your PKI’s health are all part of the journey. For further reading and official guidance, refer to these Microsoft documentation resources: 📖 AD CS PKI Design Considerations: PKI design considerations using Active Directory Certificate Services in Windows Server helps in planning a PKI deployment (number of CAs, hierarchy depth, naming, key lengths, validity periods, etc.). This is useful to read when adapting this lab design to a production environment. It also covers configuring CDP/AIA and why offline roots usually don’t need delta CRLs. 📖 AD CS Step-by-Step Guides: Microsoft’s Test Lab Guide Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy walk through a similar scenario.Exploring the Use Cases of ADMS User Migration
A Comprehensive Overview: An Insight into Active Directory Migration Services User Migration. Introduction ADMS, ADSS, and ADGMS are all cloud-based services that come within the ADxS services portfolio offered by Microsoft and designed to facilitate efficient and cost-effective migrations. For additional information around migration use cases, refer to this blog: https://techcommunity.microsoft.com/blog/microsoft-security-blog/exploring-the-use-cases-of-adxs-services/4373299?previewMessage=true . ADMS or Active Directory Migration Service – is a service designed to facilitate the migration of users and workstations across domains and forests by offering diverse number of migration methods such as Self-Service Migration which is unique to the ADMS service and it comes with two types, Self-Service for corporate connect users, and Self-Service for Remote of VPN users, Admin automated Migrations, user only migration and Migration for workstations shared by more than one user. Prerequisites for a User Migration Users must be in scope for the ADMS sync engine, meet all identity logic, and be in the migration database prior to coming to the ADMS Portal. One of the first items we perform is pre-provision or join source identities to target identities also working with your team to determine attributes to flow as part of the sync engine. ADMS Portal will submit each user to a set of preflight checks prior to allowing user migration. This will include but not limited to ensuring connectivity to the target domain, use of a supported web browser, being in the approved to migrate security group, and so on to make sure the user is flight ready. User Migration journey This blog will focus on the user migration, for more about device migration please review the following blogs: https://techcommunity.microsoft.com/blog/microsoft-security-blog/exploring-the-extensibility-of-active-directory-migration-service-adms-device-mi/4397075; https://techcommunity.microsoft.com/blog/microsoft-security-blog/seamless-transitions-unlocking-workstation-migration-with-identity-migration-ser/4404842 . Assuming the user and device meet the preflight checks, and approved for migration, the user is submitted to the activation phase. This phase includes the user object being enabled if necessary as well as being submitted to the ADMS AR Pipeline. You can read more about the ADMS AR Pipeline in this blog: https://techcommunity.microsoft.com/blog/microsoft-security-blog/exploring-the-use-cases-of-adms-application-pipeline/4404097 The default delivery includes the objectSID of the source user being copied to the target user SIDHistory at user migration run-time in the ADMS AR pipeline. We also submit the user for any additional application/service remediatation agreed upon during workshops. Another configuration item that can be performed is post user migration, after a grace period, the source user identity can be disabled as part of our post processing procedure. Key features of ADMS Diverse Migration Methods: ADMS offers several migration methods, including Self-Service Migration for corporate connect users and remote or VPN users, Admin automated migrations, user-only migration, and migration for workstations shared by multiple users. User-Centric Approach: ADMS focuses on minimizing disruptions and ensuring a smooth migration process. Its user-centric approach, agility in deployment, and focus on minimizing disruptions make it a superior choice compared to conventional migration tools. Identity Sync Engine: Conventional tools synchronize Active Directory objects as-is to the target domain and refresh them as changes are made in the source. ADMS implements a rich and robust identity management system so that just the right identities, groups, group memberships and workstations are synchronized and provisioned and will continuously run until the migration has been completed to accommodate changes in the source. ADMS Migration Benefits The ADMS user migration is accomplished by several backend processes in addition to the ADMS Portal, which provides a self-service user interface, performs pre-validation checks, and ensures that the user is approved to migrate. The ADMS solution is scalable to support many concurrent user migrations submitted using the Self-service Portal and the bulk account submission tool. The ADMS Portal landing page can be configured to let the user choose from one or more connection options. This includes but not limited to at a remote location over VPN. The ADMS Portal can be configured to allow the user's local language to be displayed in their browser providing a richer user experience for the various use cases brought to the migration portal. Conclusion ADMS is a service designed to facilitate the migration of users and workstations across domains and forests by offering diverse number of migration methods. ADxS services not only simplifies the migration process but also ensures that organizations can achieve their migration goals more efficiently and cost-effectively. Learn more about IMS and explore its powerful migration capabilities today! Read our latest insights on the IMS blog Learn more about IMS and start hassle-free migrations and its capabilities today! On our YouTube Channel Want to speak with an expert? Reach out to us at [email protected] to connect with a sales representative. Let’s power the future of digital collaboration — together.Exploring the Extensibility of Active Directory Migration Service (ADMS)
Active Directory Migration Service (ADMS), Active Directory Synchronization Service (ADSS), and Active Directory Group Modernization Service (ADGMS) are cloud-based services within the ADxS services portfolio offered by Microsoft. These services are designed to facilitate efficient and cost-effective migrations. In this article, we will examine the various extensibility options of ADMS, highlighting its key features and advantages.Navigating Mergers and Acquisitions: IT Consolidation Best Practices and Approach
In today’s business environment, mergers, divestitures, and acquisitions (M&A) are becoming increasingly common. However, with these business transformations come the challenges of consolidating multiple IT services and applications. Effective consolidation streamlines operations, enhances accessibility, provides a single pane of glass for management, security, and scalability, most importantly, reduces costs. At Microsoft, my team specializes in helping customers tackle these challenges by delivering top-notch solutions. In this article, I’ll Walk you through some key activities to consider when faced with IT consolidation during M&A. Step 1: Define the Scope of Consolidation The first critical step in any consolidation project is identifying the scope. Where is the consolidation happening, and what are the source and target environments? Once these are defined, the next step is to determine how to consolidate the apps, identities, and infrastructure across the two entities. Step 2: Data is Key When it comes to IT, everything revolves around data. In a consolidation scenario, the most valuable data typically comes from Configuration Items (CI’s), customer asset management systems, and server management teams. If the organization maintains robust documentation of these CIs, it can greatly simplify the process. However, what if documentation is sparse? In such cases, we rely on interviews with various teams, including application, server, and infrastructure teams, as well as vendors who support the current infrastructure and applications. These interviews help us gather the essential information needed for a smooth consolidation and migration. Step 3: Leverage Tools for Data Collection Even with comprehensive interviews, there may still be gaps in the available information. This is where tools like the MAP Toolkit, Connection Loggers, and Network traces come into play. The list of tools could be longer, but I have mentioned a few here just for reference. These tools help identify the applications running within the environment and provide details about them. Our team at Microsoft is well-versed in using these tools and can assist customers in creating an accurate inventory of applications hosted in their environment, which will ultimately help in defining the application scope for migrations. Step 4: Prioritize and Plan Migration Once we have a comprehensive list of the applications, servers, and identities involved, the next step is to prioritize and plan the migration. A thorough discussion with stakeholders will determine which elements should be migrated from one domain to another. For Active Directory (AD) users, groups and computer migrations, we leverage the expertise of our Microsoft IMS (Identity Migration Service.) team. For server / application migrations, the approach will depend on the methodologies we plan to follow. Approach to Consider for Users/Groups and Computer Migration: Prepare source and target domain readiness. Define the migration approach and tool selection. Migrate the users, groups, and computers to the target. Test the resources that have been migrated and confirm that users can log in to the target domain. Step 5: Server / Application Migration Scenarios In some cases, servers may already be tied or tagged to a specific domain. However, if users are available in the new domain and the required groups and other settings are configured (using Identity Migration Services team to migrate resources to the target domain), we can switch the server’s domain and reapply the necessary user and group-specific permissions. This is the easiest option when the application hosted on the server is simple and does not require any code changes or reprogramming. In more complex scenarios, switching the domain isn’t possible. In these cases, we may choose to clone the server and create a mirrored environment in the target Active Directory domain, or we may need to set up a parallel environment for the applications. From there, we can reconfigure the applications, endpoints, and any other settings necessary for the app to function properly. Some Common Approaches to Consider: Assessment of the current environment. Setting up migration goals. Creating a migration plan. Testing the migration plan in a lower environment. Migrate server and databases (If applicable). Consider taking sign-off from respective teams. Step 6: Good Rollback Plan You should always create a solid rollback plan for any migration activity. This is a key requirement for a successful migration, and it helps you prepare in case something goes wrong. A good rollback plan will act as a lifesaver, minimizing the impact and helping you recover quickly in case of failure. Step 7: Post-Migration Cleanup Cleanup is the most essential and important step in any migration or consolidation activity. We will need to clean up any resources left behind in the source domain. This includes the cleanup and removal of any Active Directory resources, such as Users, Groups, Group Policies, DNS entries, or trust relationships between the domains. Proven Success in IT Consolidation We have successfully guided numerous customers through consolidation projects, helping them achieve their goals efficiently and securely. If you're currently facing an M&A scenario and need assistance with your IT consolidation efforts, don’t hesitate to reach out to Microsoft. Our team is ready to help. Security First: Protecting Your Environment At Microsoft, security is always a top priority. As we help you consolidate and manage your IT infrastructure, we ensure that security remains at the forefront. We not only help with the technical aspects of consolidation but also with safeguarding your environment throughout the process.Microsoft Security in Action: Deploying and Maximizing Advanced Identity Protection
As cyber threats grow in sophistication, identity remains the first line of defense. With credentials being a primary target for attackers, organizations must implement advanced identity protection to prevent unauthorized access, reduce the risk of breaches, and maintain regulatory compliance. This blog outlines a phased deployment approach to implement Microsoft’s identity solutions, helping ensure a strong Zero Trust foundation by enhancing security without compromising user experience. Phase 1: Deploy advanced identity protection Step 1: Build your hybrid identity foundation with synchronized identity Establishing a synchronized identity is foundational for seamless user experiences across on-premises and cloud environments. Microsoft Entra Connect synchronizes Active Directory identities with Microsoft Entra ID, enabling unified governance while enabling users to securely access resources across hybrid environments. To deploy, install Microsoft Entra Connect, configure synchronization settings to sync only necessary accounts, and monitor health through built-in tools to detect and resolve sync issues. A well-implemented hybrid identity enables consistent authentication, centralized management, and a frictionless user experience across all environments. Step 2: Enforce strong authentication with MFA and Conditional Access Multi-Factor Authentication (MFA) is the foundation of identity security. By requiring an additional verification step, MFA significantly reduces the risk of account compromise—even if credentials are stolen. Start by enforcing MFA for all users, prioritizing high-risk accounts such as administrators, finance teams, and executives. Microsoft recommends deploying passwordless authentication methods, such as Windows Hello, FIDO2 security keys, and Microsoft Authenticator, to further reduce phishing risks. Next, to balance security with usability, use Conditional Access policies to apply adaptive authentication requirements based on conditions such as user behavior, device health, and risk levels. For example, block sign-ins from non-compliant or unmanaged devices while allowing access from corporate-managed endpoints. Step 3: Automate threat detection with Identity Protection Implementing AI-driven risk detection is crucial to identifying compromised accounts before attackers can exploit them. Start by enabling Identity Protection to analyze user behavior and detect anomalies such as impossible travel logins, leaked credentials, and atypical access patterns. To reduce security risk, evolve your Conditional Access policies with risk signals that trigger automatic remediation actions. For low-risk sign-ins, require additional authentication (such as MFA), while high-risk sign-ins should be blocked entirely. By integrating Identity Protection with Conditional Access, security teams can enforce real-time access decisions based on risk intelligence, strengthening identity security across the enterprise. Step 4: Secure privileged accounts with Privileged Identity Management (PIM) Privileged accounts are prime targets for attackers, making Privileged Identity Management (PIM) essential for securing administrative access. PIM allows organizations to apply the principle of least privilege by granting Just-in-Time (JIT) access, meaning users only receive elevated permissions when needed—and only for a limited time. Start by identifying all privileged roles and moving them to PIM-managed access policies. Configure approval workflows for high-risk roles like Global Admin or Security Admin, requiring justification and multi-factor authentication before privilege escalation. Next, to maintain control, enable privileged access auditing, which logs all administrative activities and generates alerts for unusual role assignments or excessive privilege usage. Regular access reviews further enable only authorized users to retain elevated permissions. Step 5: Implement self-service and identity governance tools Start by deploying Self-Service Password Reset (SSPR). SSPR enables users to recover their accounts securely without help desk intervention. Also integrate SSPR with MFA, so that only authorized users regain access. Next, organizations should implement automated Access Reviews on all users, not just privileged accounts, to periodically validate role assignments and remove unnecessary permissions. This helps mitigate privilege creep, where users accumulate excessive permissions over time. Phase 2: Optimize identity security and automate response With core identity protection mechanisms deployed, the next step is to enhance security operations with automation, continuous monitoring, and policy refinement. Step1: Enhance visibility with centralized monitoring Start by Integrating Microsoft Entra logs with Microsoft Sentinel to gain real-time visibility into identity-based threats. By analyzing failed login attempts, suspicious sign-ins, and privilege escalations, security teams can detect and mitigate identity-based attacks before they escalate. Step 2: Apply advanced Conditional Access scenarios To further tighten access control, implement session-based Conditional Access policies. For example, allow read-only access to SharePoint Online from unmanaged devices and block data downloads entirely. By refining policies based on user roles, locations, and device health, organizations can strengthen security while ensuring seamless collaboration. Phase 3: Enable secure collaboration across teams Identity security is not just about protection—it also enables secure collaboration across employees, partners, and customers. Step 1: Secure external collaboration Collaboration with partners, vendors, and contractors requires secure, managed access without the complexity of managing external accounts. Microsoft Entra External Identities allows organizations to provide seamless authentication for external users while enforcing security policies like MFA and Conditional Access. By enabling lifecycle management policies, organizations can automate external user access reviews and expirations, ensuring least-privilege access at all times. Step 2: Automate identity governance with entitlement management To streamline access requests and approvals, Microsoft Entra Entitlement Management lets organizations create pre-configured access packages for both internal and external users. External guests can request access to pre-approved tools and resources without IT intervention. Automated access reviews and expiration policies enable users retain access only as long as needed. This reduces administrative overheads while enhancing security and compliance. Strengthening identity security for the future Deploying advanced identity protection in a structured, phased approach allows organizations to proactively defend against identity-based threats while maintaining secure, seamless access. Ready to take the next step? Explore these Microsoft identity security deployment resources: Microsoft Entra Identity Protection Documentation Conditional Access Deployment Guide Privileged Identity Management Configuration Guide The Microsoft Security in Action blog series is an evolving collection of posts that explores practical deployment strategies, real-world implementations, and best practices to help organizations secure their digital estate with Microsoft Security solutions. Stay tuned for our next blog on deploying and maximizing your investments in Microsoft Threat Protection solutions.
