Migrating from Okta to Microsoft Entra: pipe dream or attainable goal?

Cloud Identity Realities

Cloud identity providers have had a good run – the benefits over traditional Identity Management Systems (IMDs) are very clear: straight-forward integration of Active Directory, easy federation with SaaS applications, simple access audits, and implementation projects that last weeks, not months or even years – like with traditional identity management systems. Enthusiasm for continuing with just one IAM has waned recently considering significant data security problems which have raised a very important issue: Cloud IAM customers do not have control over their data.

The Agency Problem

If you have moved to a Cloud IAM, you have probably done your due diligence in checking the vendors’ security practices, pulling their SOC 2 and ISO certifications, and running your vendor risk management processes. But the moment there is a Cloud IAM service disruption, you have lost your ability to operate, and you are without recourse.

What happens then? Can you spin up your own Okta instance? Do you have a backup of your Ping data? Where are you going to restore to even if you do have the backup data?

The current imperative is to maintain your ability to operate your IAM independent of any vendor, while still taking advantage of cloud IAM features.

Ideal Cloud Identity State

1. Backup and Restore: Cloud IAM customers should be able to perform full or partial backups of all identity objects including user entitlements, attributes, associations, workflows, approvals, and secrets.
2. Retention and Migration: Identity data should be accessible and usable outside of any IAM platform. Identity data should be portable across Cloud IAM providers.

Applicability in Okta-to-Entra Migrations

Okta offers API access to tenant data; however, writing a simple script to pull down all your tenant information on your own will quickly reveal some key limitations:

1. Speed: It takes a long time to enumerate every tenant object and relationship, even if you only have a few thousand users.
2. Completeness: Not all data in Okta can be retrieved via API like user passwords and other sensitive authentication data. Other objects are available only in the GUI and are not accessible via API at all.
3. Writability: Not all objects can be written back into Okta. Many data fields are unique identifiers generated by Okta and are used in referencing other objects. This prevents simple restores without logic to remap data relationshipsaround newly generated identifiers.

To overcome these limitations, Tevora uses MightyID – an identity resilience platform – to backup Okta data offline and prepare a staging environment for testing. This allows for a programmatic means of retaining data for safekeeping and restoring some or all objects for disaster recovery and testing purposes.

Once your data is retained and normalized into MightID, migrations to other identity platforms is possible. The most compelling use case for MightyID’s migration capabilities is porting tenants from Okta to Microsoft Entra. Given the proliferation of Office 365 and Azure usage, companies are consolidating IT and security expenditures into Entra for identity and access management, multi-factor authentication, endpoint protection and secrets management.

MightyID for Migrations

Without the use of MightyID for these migrations, administrators must resort to homebrew scripts and “stare-and-compare” sessions between source and target environments. This can be daunting for even the most competent IT and security personnel. At Tevora we use MightID to remove the risk of a protracted, manual, and error-prone migration. While there are manual tasks to perform, a repeatable, programmatic method for the bulk of the migration simplifies all parts of the overall migration project from planning, staging, testing, user acceptance, and cutover. We simply don’t advise that customers perform IAM migrations manually anymore.

Migration: No Longer a Pipe Dream

By reducing the time consuming and error-prone process traditionally involved in a migration exercise, Tevora is able to offer organizations a viable path to migrate IAM data. With the path to migration now cleared, companies are increasingly evaluating their options and making decisions not based on necessity, but on business-driven factors: vendor consolidation, security, and long-term growth

We Can Help

If you have any questions or would like to engage in our services, email us at sales@tevora.com.