CASE 57 · SPIRE · 2023
On-prem Active Directory, gracefully retired.
A healthcare IT company had on-prem Active Directory serving 1,400 employees, with two domain controllers that had been "good enough" for a decade. The hardware refresh was due, the cost was rising, and the team had no appetite to renew. We migrated identity to IAM Identity Center + Microsoft Entra ID with a clean SCIM sync.
Healthcare IT
MIGRATION
2023
RESULTS
What changed, by the numbers.
DOMAIN CONTROLLERS: 2 → 0
USERS MIGRATED: 1,400
GROUP MAPPING ACCURACY: 99.4%
OPERATIONAL HRS / MONTH: −80%
HOW IT WENT
AD had grown organically — nested groups, GPOs nobody could explain, service accounts with vague ownership. We started with an audit, retiring 38% of the groups and 14% of the users before migration began. The cleanest possible source data made the rest of the job tractable.
Entra ID became the source of truth. SCIM synced it to Identity Center, with permission set mappings built from the cleaned-up group structure. AD Connector covered the transitional period while legacy applications were migrated to SAML or OIDC. Conditional Access enforced MFA on AWS console access from day one.
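The audit-then-map sequence described in the two paragraphs above, as an added example that is not the engagement's own tooling: a small Python script that takes a constructed AD-style export (hypothetical users, groups and owners, a nested-group cycle included), flattens nested membership, retires stale or disabled users and the groups that end up empty, flags surviving groups with no owner, and then reports how many of the remaining groups have an Identity Center permission set mapped (the "group mapping accuracy" figure). The permission set names are the standard AWS-managed ones; the group-to-set mapping itself is an assumption for illustration.

```python
"""Pre-migration audit of an AD-style group export (added example, not the
engagement's code). Input is a constructed export shaped like a reduced
Get-ADGroup / Get-ADUser dump; all names are hypothetical."""
from datetime import date, timedelta

# Constructed sample data: users with last-logon dates, groups with nested members.
TODAY = date(2023, 3, 1)
USERS = {
    "alice": {"last_logon": date(2023, 2, 27), "enabled": True},
    "bob": {"last_logon": date(2022, 6, 1), "enabled": True},          # stale
    "carol": {"last_logon": date(2023, 2, 20), "enabled": True},
    "svc-backup": {"last_logon": date(2022, 1, 1), "enabled": True},   # stale service account
    "dave": {"last_logon": date(2023, 1, 10), "enabled": False},       # disabled
}
GROUPS = {
    "AWS-Admins": {"owner": "alice", "members": ["alice", "Infra-Team"]},
    "Infra-Team": {"owner": "", "members": ["carol", "Ops-Legacy"]},
    "Ops-Legacy": {"owner": "", "members": ["bob", "svc-backup", "Infra-Team"]},  # cycle
    "Empty-Project": {"owner": "", "members": []},
    "ReadOnly-Auditors": {"owner": "carol", "members": ["dave"]},
}
# Hypothetical mapping from cleaned AD groups to Identity Center permission sets.
PERMISSION_SET_MAP = {
    "AWS-Admins": "AdministratorAccess",
    "Infra-Team": "PowerUserAccess",
    "ReadOnly-Auditors": "ViewOnlyAccess",
}


def flatten_group(name, groups, seen=None):
    """Resolve nested membership to a set of user names; tolerates cycles."""
    seen = set() if seen is None else seen
    if name in seen:
        return set()
    seen.add(name)
    users = set()
    for member in groups.get(name, {}).get("members", []):
        if member in groups:
            users |= flatten_group(member, groups, seen)
        else:
            users.add(member)
    return users


def stale_users(users, today, max_idle_days=90):
    """Users that are disabled or idle longer than max_idle_days: retire before syncing."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(u for u, rec in users.items()
                  if not rec["enabled"] or rec["last_logon"] < cutoff)


def audit_groups(groups, users, today, max_idle_days=90):
    """Return (keep, retire, needs_owner) group-name lists.

    A group is retired when nobody active is left after flattening and
    dropping stale/disabled users; a surviving group with no owner is
    flagged so ownership is assigned before it becomes a permission set."""
    stale = set(stale_users(users, today, max_idle_days))
    keep, retire, needs_owner = [], [], []
    for name in groups:
        active = flatten_group(name, groups) - stale
        if not active:
            retire.append(name)
        else:
            keep.append(name)
            if not groups[name]["owner"]:
                needs_owner.append(name)
    return sorted(keep), sorted(retire), sorted(needs_owner)


def map_permission_sets(keep, mapping):
    """Map surviving groups to permission sets; accuracy = mapped / kept."""
    assignments = {g: mapping[g] for g in keep if g in mapping}
    unmapped = [g for g in keep if g not in mapping]
    accuracy = len(assignments) / len(keep) if keep else 1.0
    return assignments, unmapped, accuracy


if __name__ == "__main__":
    keep, retire, needs_owner = audit_groups(GROUPS, USERS, TODAY)
    assignments, unmapped, accuracy = map_permission_sets(keep, PERMISSION_SET_MAP)
    print(f"retire users: {stale_users(USERS, TODAY)}")
    print(f"retire groups ({len(retire)}/{len(GROUPS)}): {retire}")
    print(f"assign owner before sync: {needs_owner}")
    print(f"permission sets: {assignments}; unmapped: {unmapped}; accuracy {accuracy:.1%}")
```

Note what the cycle does: Ops-Legacy and Infra-Team reference each other, so each looks populated through the other even though Ops-Legacy's only direct members are stale. That is exactly the kind of group the audit should surface for a human decision before SCIM pushes it into Identity Center, which is why the script keeps an explicit unmapped list instead of silently dropping such groups.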
The two domain controllers were powered off in week 14, kept in cold storage for 90 days "just in case," then formally decommissioned. The IT support team reports an 80% drop in identity-related tickets. The 23 users who lost passwords during cutover were a known cost; we'd budgeted for thirty.
READY WHEN YOU ARE
Let's get your AWS bill (and architecture) in order.
The discovery call is free. You walk away with at least one concrete idea — even if we never work together.