
Moving apps into the cloud: Planning your migration strategy


Marcus Idle

Head of External Identity

Published: 07 February 2020

Done correctly, moving your apps into the cloud can deliver drastic improvements to productivity and security. Here’s our quick guide to help your migration go as smoothly as possible. 

NOTE: blog updated July 2023

Organisations all over the world are looking to migrate business applications into the Cloud to take advantage of the many benefits it provides.

After all, having all your apps in a cloud platform like Entra ID (formerly Azure AD) can be a game-changer for your organisation, helping you achieve tighter security and greater productivity at a stroke.

As a result, IT teams are under constant pressure from the Board and department heads to move business applications into the Cloud as quickly as possible.

But it’s not uncommon for large organisations to have upwards of 150 applications that need to be moved. So how can your organisation start migrating all these apps – including Microsoft Office 365, 3rd party, and home-grown – across a mixture of cloud and on-premises?

And how can you go about removing old infrastructure (and cost), which gets in the way of your cloud identity vision?

Answer: You need a solid application migration strategy.

In this blog, we’ll talk you through the best ways to plan the migration of your apps to Entra ID and uncover some common challenges to consider.



Planning your application migration to Entra ID

Moving your users – Connecting your Active Directory to Entra ID

To start migrating over to Entra, your organisation must first ensure the current user population is added to the Entra ID environment.

Microsoft provides you with a handy synchronisation service called Entra ID Connect (EIDC) to help you do this.

This takes user objects from an on-premises Active Directory environment and synchronises them to the cloud-based Entra ID. It does this by reading the user objects from the directory and creating a matching identity in Entra ID.

At the same time, it ensures that in the event of an Active Directory failure that requires a directory restore – or an Entra ID Connect failure – consistency metadata can be used to ensure that the user objects are kept in synchronisation.

Migration preparation

An important element to consider right at the start of your app migration project is the project team itself.

Remember, it’s a cross-organisation project, so even though IT will do the physical migration itself, you should involve operations and business users throughout the process.

It helps the IT team understand all the apps in their estate and it also improves buy-in and accountability.

When considering an app migration project, Microsoft advise that you break your plan up into 4 key stages, enabling you to prioritise migrations and achieve success with minimal business impact:

1. App migration planning – Discovery and scope

When considering a project to migrate your applications to Entra ID, the first and most important thing to understand is the detailed breakdown of your entire app ecosystem.

Once you have this visibility, the IT team is better equipped to make decisions on which apps to move first, and how complicated each app migration will be.

The first step is to draw up a list of the applications you have.

Microsoft’s “Cloud Discovery” is a useful tool for finding the applications currently in use, based on network traffic.

It will catalogue applications and give them a risk score – discovering not just IT-endorsed applications but also “shadow IT”.

Once you feel you’ve got visibility over all your apps you need to start a detailed analysis, asking key questions such as:

  • What is the current app authentication protocol?
  • Who is the app owner?
  • Who developed (and supports) the app?
  • Is your app dependent on other systems?
  • How many users does each app have?
  • What are the compliance requirements for this app?

As highlighted earlier, getting this clear view and understanding of the apps in your estate is critical, but it’s also the most difficult part of the project – relying on information and buy-in from stakeholders across the business to make it happen.

Kocho can help organisations at this stage by utilising our business transformation and project management experience.

We also have a few clever tools available to help discover and analyse the applications and their characteristics within your current estate. For example, if you’re currently using ADFS for application authentication, we have some handy fixed-price proposals to help you discover and move those apps (and their authentication process) into the Cloud.

2. App migration planning – Classification and prioritisation

Once you have a clear picture of the apps in your estate, and their technical requirements and dependencies, you can start the process of prioritising their migration order.

Opportunistic apps are the most likely candidates you’ll want to migrate first.

Moving these apps early will most likely help the business realise instant ROI benefits in terms of productivity gains, cost savings or security improvements.

If you’re looking for an early win to get the broader business on board, these opportunistic apps are the low-hanging fruit. Apps in this bracket have the following characteristics:

  • They are very expensive to run in their current state.
  • Moving these apps to the Cloud would realise some significant benefits without much work.

Next, address all those apps that (after your thorough discovery stage) appear to be the lowest risk. For example, these apps are likely not to be business-critical, with a tendency to have fewer (more focused) groups of users, rather than users across the entire enterprise.

Other characteristics may include:

  • Simple service-level agreements (SLAs).
  • The users affected are on board and ready for the change.
  • There is complete knowledge and thorough documentation on these apps and their design.

All the major cloud providers advise organisations to go through a thorough scoping exercise to help you rank applications from lowest to highest risk. Low-risk applications should be migrated first, and higher-risk applications should come later.

Next, categorise app migrations by ‘ease to migrate’, which is a different lens from the risk point of view.

When scoping the work, you should consider elements such as the complexity of migration approach (i.e. simple rehosting vs. complete rebuild), or “how stringent are the regulatory compliance factors for this app?”

Finally, address all those applications with a high complexity – these should always be considered for migration last!

These are those highly bespoke or custom-built apps that are potentially very ingrained in your organisation and are reliant on legacy infrastructure. These apps will each present unique migration challenges and are likely to take the longest.

3. Migrating and testing your apps

The next stage of the process covers how you will physically migrate these applications into the Cloud.

Again, the method you select may affect the order in which you want to migrate. Here’s a quick list of 5 methods:

1. Rehosting or replatforming

This tends to be the approach taken in a large legacy migration scenario where the organisation is looking to scale its migration quickly. Migration is fast and relatively inexpensive, but, because the app is not redesigned, an organisation may not realise the full cloud-native benefits.

2. Refactoring

Essentially this means redeveloping or rewriting code for an application so it can be ported to the Cloud or a different cloud platform. Entra ID supports SAML, OAuth and OpenID Connect, i.e. all of the mainstream protocols used in modern authentication (also known as ‘modern auth’ and ‘claims authentication’).

This means that a huge number of applications are supported with little or no modification. So, configuring a modern auth app to run in Entra ID should be relatively straightforward. As we said earlier, there are thousands of apps already in the Entra ID application gallery so you should check if your app is already supported before you start.

3. Repurchasing

Move to a different product.

4. Retiring

Getting rid of the app altogether.

5. Retaining

Keeping the app in its current home.

4. Managing and monitoring your app migration process

The final phase, and one that many organisations fall down on, is monitoring your app migration project and managing the new technology adoption.

It’s essential that you monitor app usage and adoption once the service is migrated to the Cloud to detect potential errors with the application architecture or performance.

To do this, you should be keeping a close eye on usage stats and error alerts. You should also make time to sync back with a cross-section of users to understand if there are any usability / UX issues.

It can be time-consuming to monitor and keep track of your app migration project once it’s in full swing, so it’s best to agree on some KPIs and stick to them. Good ones to consider include:

  • Availability (% uptime, average load times, throughput)
  • Error rates (no. of timeouts, failed requests, latency)
  • Customer satisfaction scores (CSAT) (consider setting up a feedback loop)
  • User adoption (no. of average users)

In order to ease the project through all stakeholders, your IT team should also build in opportunities to highlight the success of the migration.

Reporting against the KPIs above and adding some context around the intangible benefits, such as satisfaction, engagement and productivity, will help keep the project on track, with continued support across the business.

Consider your approach to technology adoption and change management carefully as part of any app migration project. Well thought out internal communications, engaging user training and useful support tools can expedite the adoption of your new apps after their move to the Cloud.

Common migration challenges and pitfalls

By thoroughly working through the discovery and scoping processes outlined above, you will have mitigated the risk from a lot of the more common challenges organisations run into when migrating apps to the Cloud.

Before you start your migration project, Kocho recommend that you run through a few ‘what if’ scenarios and ask yourself some additional questions, such as:

  • Have you thoroughly investigated the security protection of the new cloud solution?
  • Do the apps you’re planning to move have highly sensitive security requirements, and can the planned cloud provider fulfil these?
  • Are your security team happy (and on board) with the level of protection on offer?

It’s worth making yourself familiar with the statistics on why Entra ID is the most trusted cloud provider.

Important: As part of this, be aware that moving your application to the Cloud does not eliminate your security risks. It removes risks typically seen on legacy / on-premises systems, but it does open you up to other new attack vectors.

Also, make sure you’ve considered how much data you will need to migrate and manage in the Cloud in line with your project.

Hopefully, someone in your team will have taken the time to work out the ‘total cost of ownership’ (TCO) based on the new data storage requirements, users and network traffic. If you’re seeing costs increase for certain app migrations, consider if that is the best path for you.

One last thing before you start – be sure to check that all your existing bespoke, 3rd party or in-house applications are free from licensing or contract issues that could prevent you from moving to the Cloud.


Keep in mind that these are broad guidelines and your decision about moving applications to the Cloud should be based on your own situation.

However, if you apply all these questions to your application and IT landscape, you will be well-positioned to know what should and should not be migrated.

Making the switch to Entra ID for all your web applications is a priority activity for IT departments, with many already using Entra ID for Office 365 and Windows corporate sign in.

This strategic activity helps you to:

  • Reduce costs by removing legacy hardware and software
  • Simplify the sign-in process for your users and free up the IT help desk
  • Build a reliable and future-proof infrastructure
  • Facilitate onboarding and collaboration with external users via Microsoft Azure AD B2B or B2C

For more information, take a look at this resource from Microsoft. It’s packed with helpful information to help your app migration project.

As always, if you need any assistance or advice on planning your app migration strategy, come and talk to us. We have a range of fixed-price proposals dedicated to migrating applications to Entra ID that could be a great fit for you.

*Model based on “Choosing your cloud app migration order” article


Marcus Idle

Head of External Identity

Marcus has built a busy External Identity practice working with Azure AD B2C, B2B, and Identity Governance features. He’s passionate about bringing cloud and external identity to life to solve our clients’ business problems.
