Entraneer - Microsoft Entra Engineering & Consulting

Application Authentication Migration

Transition from legacy authentication to modern OAuth 2.0 and OpenID Connect patterns with Microsoft Entra

Why Migrate to Modern Authentication

Legacy authentication protocols such as NTLM, basic authentication, and forms-based authentication lack the security controls required by modern enterprises. They rely on a password (or a replayable hash-based exchange) on every request, cannot satisfy multi-factor authentication, and Conditional Access can only block them outright rather than apply MFA or other grant controls to them. Their sign-in telemetry is also limited, which weakens auditing and detection.

Microsoft has already disabled basic authentication for Exchange Online (SMTP AUTH is the last exception, and it is on its own retirement path) and is progressively removing legacy protocol support across the Microsoft 365 ecosystem. Migrating now reduces your attack surface, in particular exposure to password spraying, which targets legacy endpoints precisely because MFA cannot be applied to them; it also improves user experience and positions your organisation to adopt passwordless authentication methods such as FIDO2 security keys and Microsoft Authenticator.


Key Benefits

  • Enforce Conditional Access and MFA across all applications
  • Remove the password-spray and credential-replay exposure that legacy protocols create
  • Enable single sign-on with token-based, short-lived credentials
  • Support Continuous Access Evaluation for real-time session control
  • Adopt passwordless authentication with FIDO2 and Authenticator
  • Gain full visibility via rich sign-in logs and audit trails
  • Align with Microsoft deprecation timelines before enforcement

Our Migration Approach

A structured, risk-managed methodology designed so that business operations continue uninterrupted throughout the migration

1

Discovery

Analyse Entra ID sign-in logs to identify every application using legacy authentication, classify by migration complexity and business criticality, and build a prioritised migration backlog.

2

Assessment

Determine the target authentication pattern for each application, identify code or configuration changes required, and document rollback plans for every migration.

3

Migration

Execute migration in controlled waves with parallel authentication enabled during transition periods. Users experience no downtime as both legacy and modern paths remain active. The parallel window is time-boxed and monitored: while the legacy path stays open the application is still exposed, so each wave ends with the legacy endpoint disabled rather than left on indefinitely.

4

Validation

Verify Conditional Access policies apply correctly, review sign-in logs for anomalies, disable legacy protocol endpoints, and deliver weekly progress reporting on risk posture improvement.
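The Discovery and Validation steps above both come down to reading the same field of the Entra ID sign-in log: `clientAppUsed`, which names the protocol the client used. The following is an added example (not Entraneer's tooling) that classifies sign-in records with the shape of the Microsoft Graph `signIn` resource, builds the prioritised backlog from them, and provides the gate used before a legacy endpoint is disabled. The records are constructed for illustration; the only assumption beyond the Graph schema is that any `clientAppUsed` value other than the two modern client types is treated as legacy, so unrecognised values surface for review rather than being ignored.

```python
"""Classify Entra ID sign-ins by protocol and build a legacy-auth migration backlog.

Added example, not Entraneer's tooling. Records follow the Microsoft Graph
signIn resource (auditLogs/signIns): clientAppUsed, appDisplayName,
userPrincipalName, status.errorCode. Sample data is constructed.
"""
from collections import defaultdict

# clientAppUsed values Entra reports for modern, token-based clients.
# Assumption: anything else (IMAP4, POP3, SMTP, Exchange ActiveSync,
# "Other clients", ...) is legacy and must appear in the backlog.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

SAMPLE_SIGNINS = [  # constructed, not real tenant data
    {"appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
     "userPrincipalName": "scanner@contoso.example", "status": {"errorCode": 0}},
    {"appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
     "userPrincipalName": "alice@contoso.example", "status": {"errorCode": 0}},
    {"appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
     "userPrincipalName": "dave@contoso.example", "status": {"errorCode": 0}},
    {"appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Browser",
     "userPrincipalName": "alice@contoso.example", "status": {"errorCode": 0}},
    {"appDisplayName": "Payroll Portal", "clientAppUsed": "Other clients",
     "userPrincipalName": "bob@contoso.example", "status": {"errorCode": 0}},
    {"appDisplayName": "Payroll Portal", "clientAppUsed": "Other clients",
     "userPrincipalName": "carol@contoso.example", "status": {"errorCode": 50126}},
    {"appDisplayName": "SharePoint Online", "clientAppUsed": "Mobile Apps and Desktop clients",
     "userPrincipalName": "bob@contoso.example", "status": {"errorCode": 0}},
]


def is_legacy(signin):
    """True when the sign-in did not come through a modern (token-based) client."""
    return signin.get("clientAppUsed", "") not in MODERN_CLIENTS


def build_backlog(signins):
    """Per-application legacy-auth summary, most exposed application first."""
    apps = defaultdict(lambda: {"count": 0, "users": set(), "protocols": set(), "failed": 0})
    for s in signins:
        if not is_legacy(s):
            continue
        entry = apps[s["appDisplayName"]]
        entry["count"] += 1
        entry["users"].add(s["userPrincipalName"])
        entry["protocols"].add(s.get("clientAppUsed", "<missing>"))
        if s.get("status", {}).get("errorCode", 0) != 0:
            entry["failed"] += 1
    backlog = [
        {"app": app, "legacy_signins": e["count"], "distinct_users": len(e["users"]),
         "protocols": sorted(e["protocols"]), "failed": e["failed"]}
        for app, e in apps.items()
    ]
    # Prioritise by distinct principals still on the legacy path, then by volume:
    # more principals means more coordination before the endpoint can be closed.
    backlog.sort(key=lambda r: (-r["distinct_users"], -r["legacy_signins"], r["app"]))
    return backlog


def ready_to_disable(signins, app):
    """Validation gate: True only if no *successful* legacy sign-in remains for the app.
    Failed attempts (e.g. errorCode 50126, bad password) are password-spray noise
    against the legacy endpoint, which is a reason to close it, not to keep it."""
    return not any(
        is_legacy(s) and s["appDisplayName"] == app
        and s.get("status", {}).get("errorCode", 0) == 0
        for s in signins
    )


if __name__ == "__main__":
    for row in build_backlog(SAMPLE_SIGNINS):
        print(row)
    print("Payroll Portal ready:", ready_to_disable(SAMPLE_SIGNINS, "Payroll Portal"))
```

In a real engagement the records come from an export of `auditLogs/signIns` (or the `SigninLogs` table in Log Analytics) over at least 30 days, so that monthly batch jobs and seasonal users are not missed; non-interactive sign-ins need to be pulled separately, as they are the ones most likely to hide service accounts.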

Legacy Auth Patterns We Migrate From

Our team has deep experience migrating applications away from a wide range of legacy authentication patterns

NTLM & Kerberos-Only

Applications that cannot natively participate in cloud-based SSO, relying on integrated Windows authentication without modern protocol support. These can still be fronted by Entra Application Proxy using Kerberos constrained delegation, so Conditional Access is enforced at the proxy while the application continues to receive the Kerberos ticket it expects.

Basic Authentication

Applications using basic auth over HTTP or SMTP, including legacy Exchange Online clients and custom SMTP relay configurations.

Legacy SAML & WS-Federation

SAML 1.1 implementations and WS-Federation relying parties tied to on-premises ADFS infrastructure.

Forms-Based Authentication

Custom login forms backed by on-premises directories with proprietary session management and cookie-based state.

Header-Based Auth

Applications depending on header-based authentication through legacy reverse proxies such as SiteMinder or Apache modules.

LDAP Simple Bind

Direct LDAP bind authentication against on-premises Active Directory, often used by network appliances and legacy middleware. A simple bind sends the password in clear text unless the connection is protected with LDAPS or StartTLS, and the credential involved is usually a shared service account.

Modern Auth Patterns with Entra

The target state for each migrated application is a modern authentication flow backed by Microsoft Entra ID. For web applications, this means OpenID Connect for user sign-in and OAuth 2.0 for API authorisation. Service-to-service communication uses the client credentials flow with managed identities or workload identity federation, so the workload holds no long-lived secret at all: a managed identity obtains tokens from the platform, and workload identity federation exchanges a token from an external identity provider for an Entra token.

Single-page applications migrate from the implicit flow to the authorisation code flow with PKCE. Native desktop and mobile applications also use the authorisation code flow with PKCE, through the system browser or a platform broker; the device code flow is reserved for input-constrained or headless clients such as CLI tools, since it cannot bind the session to the device requesting it. Where applications cannot be modified directly, we deploy Entra Application Proxy or Secure Hybrid Access partner solutions to front-end the legacy application with modern authentication.

OAuth 2.0 · OpenID Connect · PKCE · Managed Identities · Application Proxy
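The authorisation code flow with PKCE that single-page and native applications migrate to is easy to describe and easy to get subtly wrong (a `plain` challenge, an unchecked `state`, or a leftover `response_type=token`). The following is an added example, not Entraneer's or Microsoft's code, that builds and checks the messages of that flow against the Entra ID v2.0 endpoints; the tenant, client ID and redirect URI are placeholders, and sending the requests is left to the caller's HTTP client.

```python
"""Authorisation code flow with PKCE against Entra ID v2.0 endpoints.

Added example, not Entraneer's or Microsoft's code. Tenant, client_id and
redirect_uri values are placeholders (assumptions). The functions build and
validate the protocol messages; the HTTP exchange itself is left to the caller.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 and JWT require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 verifier: 43..128 unreserved chars; 32 random bytes encode to 43."""
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge(verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(verifier))). Never use method 'plain'."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(tenant, client_id, redirect_uri, scopes, verifier, state, nonce):
    """Front-channel request. Only the challenge leaves the client, never the verifier."""
    params = {
        "client_id": client_id,
        "response_type": "code",        # code flow; the implicit flow would use 'token'
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),      # include 'openid' to receive an ID token
        "state": state,                 # CSRF binding, checked when the user returns
        "nonce": nonce,                 # echoed in the ID token, checked after exchange
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY.format(tenant=tenant)}/authorize?{urlencode(params)}"


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Extract the authorisation code, refusing the response if state does not match."""
    qs = parse_qs(urlparse(redirect_url).query)
    if "error" in qs:
        raise RuntimeError(f"authorisation failed: {qs['error'][0]}")
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or mixed-up browser session")
    return qs["code"][0]


def build_token_request(tenant, client_id, redirect_uri, code, verifier, scopes):
    """Back-channel body for POST /token. A public client sends no client_secret;
    possession of the verifier is what proves it started the flow."""
    url = f"{AUTHORITY.format(tenant=tenant)}/token"
    body = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,   # must match the authorize request exactly
        "code_verifier": verifier,
        "scope": " ".join(scopes),
    }
    return url, body


if __name__ == "__main__":
    verifier = new_code_verifier()
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    print(build_authorize_url("contoso.onmicrosoft.com", "00000000-0000-0000-0000-000000000000",
                              "https://app.example/auth/callback",
                              ["openid", "profile", "User.Read"], verifier, state, nonce))
```

For a browser-based SPA the redirect URI must be registered under the app registration's "Single-page application" platform, otherwise the token endpoint rejects the cross-origin exchange; for a native client it is registered under "Mobile and desktop applications". In either case the verifier and state live only in client memory for the duration of one sign-in.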

Microsoft Entra Application Proxy & Passwordless Authentication

Microsoft Entra Certificate-Based Authentication (CBA), Passwordless Authentication, and Azure AD Application Proxy Migration

For legacy applications that cannot be modified to support modern protocols natively, Microsoft Entra Application Proxy (formerly Azure AD Application Proxy) provides secure remote access while enforcing Conditional Access and multi-factor authentication at the identity layer. We plan and deploy Application Proxy connectors, configure pre-authentication policies, and migrate applications from legacy reverse proxies to a fully cloud-managed access model.

Microsoft Entra Certificate-Based Authentication (CBA) enables organisations to authenticate users directly against Entra ID with X.509 certificates issued by their enterprise certificate authority, removing the dependency on federated infrastructure such as ADFS for certificate-based scenarios (workloads use certificate credentials on their application registration, which is a separate mechanism). We configure CBA policies, upload and validate the certificate authority trust chain, confirm that CRL distribution points are reachable from Entra (CBA fails authentication when a configured CRL cannot be retrieved), and integrate CBA with Conditional Access to enforce authentication strength requirements.

Microsoft Entra Passwordless Authentication eliminates passwords entirely through FIDO2 security keys, Windows Hello for Business, and Microsoft Authenticator passkey sign-in. Our migration methodology guides organisations through passwordless readiness assessment, authentication method registration campaigns, and phased rollout to achieve a fully passwordless environment with stronger security and improved user experience.

What We Deliver

Every engagement includes a comprehensive set of deliverables to ensure lasting outcomes

  • Full application portfolio discovery with legacy auth identification
  • Prioritised migration backlog by complexity and business criticality
  • Per-application target auth pattern design documentation
  • Rollback procedures prepared for every migrated application
  • Conditional Access policy configuration for migrated apps
  • Token lifetime and scope permission tuning per application
  • Service account migration to managed identities or certificate auth
  • Post-migration sign-in log validation and anomaly review
  • Weekly progress reports with risk posture improvement metrics
  • As-built documentation and knowledge transfer to your team

Frequently Asked Questions

How long does a typical application authentication migration take?

The timeline depends on the number and complexity of applications involved. A focused migration of 10 to 20 straightforward applications can be completed in 4 to 8 weeks. Larger estates with hundreds of applications, custom-built line-of-business systems, or complex hybrid environments typically require a phased program spanning 3 to 6 months. We always begin with a discovery phase to provide an accurate timeline before committing to a delivery schedule.

Will migrating to modern authentication cause downtime for our users?

Our migration methodology is designed to avoid user-facing disruption. We enable modern authentication in parallel with legacy protocols during the transition window, so users can authenticate using either method. Legacy endpoints are only disabled after we have confirmed that all users and workloads have successfully transitioned. Rollback plans are prepared for every application in case unexpected issues arise.

What happens to applications that cannot be modified to support OAuth or OIDC?

Not every application can be updated to support modern protocols natively, particularly commercial off-the-shelf products or legacy vendor systems. For these applications, we deploy Microsoft Entra Application Proxy or integrate with Secure Hybrid Access partner solutions that front-end the application with modern authentication. This allows you to enforce Conditional Access and multi-factor authentication even when the application itself only supports legacy protocols.

Do we need to upgrade our Entra ID licensing before migrating?

Basic application registration and SSO with Entra ID are available with all license tiers, including Entra ID Free. However, to enforce Conditional Access policies on migrated applications, you will need Entra ID P1 or P2 licensing. (Security defaults, available on the Free tier, can block legacy authentication tenant-wide, but offer no per-application or per-user targeting.) We assess your current licensing early in the engagement and provide clear guidance on what capabilities are available today versus what would require a licensing uplift.

How do you handle service accounts and non-interactive workloads during migration?

Service accounts and daemon processes are a critical part of the migration scope. We identify all non-interactive authentication flows during discovery, including service accounts using basic authentication, scripts relying on stored credentials, and scheduled tasks authenticating via NTLM. The target state for these workloads is the OAuth 2.0 client credentials flow: a managed identity where the workload runs in Azure, workload identity federation where it runs on another platform that issues its own identity tokens, and otherwise a certificate credential on the application registration rather than a client secret. This eliminates shared passwords and moves credential rotation into Entra ID rather than manual processes.
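The client credentials targets named in the answer above and in the modern auth patterns section differ in what the workload has to present. The following is an added example, not Entraneer's code, showing the two credential-free-of-secrets variants side by side: a certificate-signed client assertion (the JWT Entra accepts in place of a client secret) and a managed identity token request to the Azure instance metadata endpoint. The tenant, client ID and certificate bytes are placeholders; RSA signing uses the `cryptography` package, which is loaded only when a real key is supplied, while the assertion structure itself is standard library only.

```python
"""Client credentials without a client secret: certificate assertion and managed identity.

Added example, not Entraneer's code. Tenant, client_id and certificate values are
placeholders (assumptions). rsa_signer() needs the 'cryptography' package; the
rest is standard library. Sending the requests is left to the caller.
"""
import base64
import hashlib
import json
import time
import uuid
from urllib.parse import urlencode

ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def cert_thumbprint_x5t(cert_der: bytes) -> str:
    """Entra matches the assertion to the uploaded certificate by the base64url
    SHA-1 thumbprint carried in the JWT 'x5t' header."""
    return b64url(hashlib.sha1(cert_der).digest())


def build_client_assertion(tenant, client_id, cert_der, sign, now=None, lifetime=600):
    """Signed JWT for the client_assertion parameter.
    sign(bytes) -> bytes must return an RSASSA-PKCS1-v1_5 / SHA-256 signature."""
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT", "x5t": cert_thumbprint_x5t(cert_der)}
    claims = {
        "aud": f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token",
        "iss": client_id,
        "sub": client_id,
        "jti": str(uuid.uuid4()),       # unique per assertion; Entra rejects replays
        "nbf": now,
        "exp": now + lifetime,          # minutes, not days: a leaked assertion expires fast
    }
    encode = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))
    signing_input = f"{encode(header)}.{encode(claims)}"
    return f"{signing_input}.{b64url(sign(signing_input.encode('ascii')))}"


def decode_assertion(assertion: str):
    """Return (header, claims) of an assertion for inspection; does not verify."""
    pad = lambda s: s + "=" * (-len(s) % 4)
    head, body, _sig = assertion.split(".")
    return (json.loads(base64.urlsafe_b64decode(pad(head))),
            json.loads(base64.urlsafe_b64decode(pad(body))))


def rsa_signer(private_key_pem: bytes):
    """Signer backed by the certificate's private key (requires 'cryptography')."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def token_request_with_assertion(tenant, client_id, assertion, scope):
    """Body for POST /token using the assertion instead of client_secret."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = {
        "client_id": client_id,
        "grant_type": "client_credentials",
        "scope": scope,                      # e.g. https://graph.microsoft.com/.default
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": assertion,
    }
    return url, body


def managed_identity_request(resource):
    """Azure IMDS call for a managed identity: the request carries no credential;
    the platform identifies the VM/container and returns a token for 'resource'."""
    url = "http://169.254.169.254/metadata/identity/oauth2/token?" + urlencode(
        {"api-version": "2018-02-01", "resource": resource})
    return url, {"Metadata": "true"}


if __name__ == "__main__":
    fake_cert = bytes(range(64))  # constructed stand-in for a DER-encoded certificate
    a = build_client_assertion("contoso.onmicrosoft.com", "cid-123", fake_cert,
                               sign=lambda d: b"not-a-real-signature")
    print(decode_assertion(a))
    print(managed_identity_request("https://graph.microsoft.com/"))
```

The practical difference for a migrated service account: with the assertion variant the private key still has to live somewhere (ideally a hardware-backed store or Key Vault) and the certificate still has to be rotated before it expires; with the managed identity variant there is nothing to store or rotate, which is why it is the preferred target wherever the workload runs in Azure.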

Ready to Get Started?

Book a free initial consultation to discuss how Entraneer can help your organisation with application authentication migration.

