Keep ADFS or Migrate to Entra ID?
ADFS was the original way to extend Active Directory identities to cloud apps. Today it's usually an operational burden and an internet-facing attack surface. Here's how keeping it compares to migrating to Entra ID authentication.
Migrate to Entra ID auth
Retire the farm, move to cloud authentication.
Best for almost everyone — the modern, recommended path.
Strengths
- Removes an internet-facing attack surface and patching burden
- More resilient — no on-prem farm to keep highly available
- Unlocks Conditional Access, Identity Protection, and passwordless
- Lower long-term operational cost
Trade-offs
- Requires migrating each relying-party app to Entra ID
- Edge cases (custom claims rules) need re-mapping
Keep ADFS
Maintain the existing federation farm.
Best only when a specific requirement truly can't move yet.
Strengths
- No immediate migration project
- Supports a few niche authentication scenarios
Trade-offs
- Ongoing security exposure and maintenance overhead
- Single point of failure for all federated sign-ins
- Misses modern cloud security capabilities
The verdict
Unless you have a specific, documented requirement that genuinely can't move, migrating apps off ADFS to Entra ID authentication is one of the highest-value identity projects available. It reduces attack surface, improves resilience, and unlocks modern security features. The work is well understood and can be staged app-by-app with no big-bang cutover.
Common questions
It depends on the number and complexity of relying-party applications. Most are straightforward and migrate quickly; a small number with custom claims rules need careful re-mapping. The work is staged app-by-app, so there's no single risky cutover.
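Staging the migration app-by-app starts with knowing which relying-party trusts are simple (template-generated claims rules) and which carry hand-written rules that need re-mapping. The PowerShell below is an added example, not code from the original page or from Microsoft: it inventories the farm's relying-party trusts with the real Get-AdfsRelyingPartyTrust cmdlet and ranks them by migration complexity. Its detection of "custom" rules is an assumption (template-created rules carry an @RuleTemplate header; rules typed directly in claim rule language do not), the complexity thresholds are arbitrary, and the example.test names and rule text in the fallback branch are constructed sample data.

```powershell
# Added example, not from the original page: inventory AD FS relying-party trusts so the
# move to Entra ID can be staged app-by-app, simplest trusts first.
# Run on an AD FS server (the ADFS module ships with the role); without the module the
# script runs the same function over constructed sample trusts.
# Heuristic (an assumption, not a documented rule): rules created from the AD FS claim
# rule templates carry an '@RuleTemplate = "..."' header; rules written directly in claim
# rule language do not, and those are the ones that need manual re-mapping in Entra ID.

function Get-RpMigrationInventory {
    [CmdletBinding()]
    param(
        # An object from Get-AdfsRelyingPartyTrust, or a constructed object with the same properties
        [Parameter(Mandatory, ValueFromPipeline)]
        $RelyingParty
    )
    process {
        $rp    = $RelyingParty
        $rules = [string]$rp.IssuanceTransformRules

        # Every claim rule has exactly one '=>' (conditions => issue/add), so counting those
        # counts rules without tripping over ';' inside LDAP query strings.
        $ruleCount     = [regex]::Matches($rules, '=>').Count
        $templateCount = [regex]::Matches($rules, '@RuleTemplate').Count
        $customCount   = [Math]::Max(0, $ruleCount - $templateCount)

        # Issuance authorization rules gate who gets a token at all; in Entra ID that
        # becomes user/group assignment and Conditional Access, not a claim rule.
        $hasAuthz = -not [string]::IsNullOrWhiteSpace([string]$rp.IssuanceAuthorizationRules)

        $protocol = if ($rp.SamlEndpoints -and $rp.SamlEndpoints.Count -gt 0) { 'SAML' }
                    elseif ($rp.WSFedEndpoint) { 'WS-Fed' }
                    else { 'Unknown' }

        # Arbitrary thresholds (assumption): tune to your own farm.
        $complexity = if (-not $rp.Enabled)       { 'Disabled - retire instead of migrate' }
                      elseif ($customCount -eq 0) { 'Low' }
                      elseif ($customCount -le 2) { 'Medium' }
                      else                        { 'High' }

        [pscustomobject]@{
            Name            = $rp.Name
            Identifier      = ($rp.Identifier -join ', ')
            Protocol        = $protocol
            Enabled         = [bool]$rp.Enabled
            RuleCount       = $ruleCount
            CustomRuleCount = $customCount
            HasAuthzRules   = $hasAuthz
            Complexity      = $complexity
        }
    }
}

if (Get-Module -ListAvailable -Name ADFS) {
    # Live farm: list trusts simplest first, and keep each trust's rule text on file so the
    # custom rules can be re-mapped and reviewed before that app is cut over.
    Import-Module ADFS
    $trusts = Get-AdfsRelyingPartyTrust
    $trusts | Get-RpMigrationInventory | Sort-Object CustomRuleCount, Name | Format-Table -AutoSize
    foreach ($t in $trusts) {
        $safeName = ($t.Name -replace '[^\w\-]', '_')
        $t.IssuanceTransformRules | Out-File -FilePath ".\rules-$safeName.txt" -Encoding utf8
    }
}
else {
    # Constructed sample (no ADFS module present): one templated SAML trust, one WS-Fed trust
    # with a hand-written transform rule and an authorization rule.
    $sample = @(
        [pscustomobject]@{
            Name = 'Payroll (SAML)'; Identifier = @('https://payroll.example.test/sp'); Enabled = $true
            SamlEndpoints = @('https://payroll.example.test/acs'); WSFedEndpoint = $null
            IssuanceAuthorizationRules = $null
            IssuanceTransformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Send UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);
'@
        },
        [pscustomobject]@{
            Name = 'Legacy ERP (WS-Fed)'; Identifier = @('urn:erp:legacy'); Enabled = $true
            SamlEndpoints = @(); WSFedEndpoint = 'https://erp.example.test/'
            IssuanceAuthorizationRules = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-0-0-0-1234"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
            IssuanceTransformRules = @'
@RuleName = "Custom role from department"
c:[Type == "http://schemas.xmlsoap.org/claims/Department", Value =~ "^Finance"]
 => issue(Type = "http://schemas.example.test/role", Value = "finance-user");
'@
        }
    )
    $sample | Get-RpMigrationInventory | Format-Table -AutoSize
}
```

On the constructed sample the payroll trust comes out Low (one templated rule, no custom rules) and the ERP trust Medium (one hand-written rule plus an authorization rule to express as assignment or Conditional Access). Working the Low trusts first, and treating disabled trusts as candidates to retire rather than migrate, is what keeps the cutover incremental rather than big-bang.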
Ready to secure your identity foundation?
Book a free 30-minute discovery call. We'll talk through your environment and where the biggest wins are — no obligation.