Microsoft Entra ID: The Hybrid Identity Revolution with Source of Authority (SOA) Conversion

Identity management in hybrid environments, spanning both on-premises Active Directory (AD) and the cloud, has been one of the biggest challenges for IT teams. The complexity of synchronizing users and groups, maintaining consistency, and ensuring security in both worlds generates significant operational overhead. In November 2025, Microsoft took a giant leap forward in simplifying this scenario with crucial announcements for Microsoft Entra ID.

Source of Authority (SOA) conversion for users and groups moves the authoritative copy of a synchronized object from on-premises AD to Entra ID, so that the object is managed in the cloud even while the organization still relies on on-premises applications.

The Announcements: User SOA in Public Preview and Group SOA in GA

Microsoft has announced two updates [1]:

  1. Group SOA Conversion: Now generally available (GA), this feature allows security groups synchronized from AD to be managed directly in Entra ID. Compatibility with on-premises applications can be maintained through optional provisioning of the converted group back to AD (writeback), allowing for a gradual transition.
  2. User SOA Conversion: In Public Preview, this feature converts users synchronized from AD into objects that are fully editable and managed in the cloud.

Both features are available at no additional cost; they are included in the Microsoft Entra ID Free license.

Why is SOA Conversion a Game-Changer?

Converting a user or group to cloud management makes the object writable in Entra ID. That unlocks security and governance features that were unavailable, or only partially usable, for synchronized objects, which the cloud treats as read-only:

  • Advanced Security: Application of risk-based Conditional Access policies, Multi-Factor Authentication (MFA), and passwordless authentication.
  • Automated Governance: Use of Entitlement Management, Access Reviews, and Lifecycle Workflows to automate the access lifecycle from onboarding to offboarding, including changes to group membership and attributes that the cloud previously could not write back to a synchronized object.
  • Centralized Management: Administration of identities, groups, and access policies in a single location – the Microsoft Entra portal or via Microsoft Graph APIs.
Capability              Status               Key Benefit
Group SOA Conversion    Generally Available  Manage AD groups in the cloud while maintaining on-premises compatibility
User SOA Conversion     Public Preview       Transform AD users into cloud-native identities

A Practical Scenario: Flexible and Secure Migration

Imagine an organization that wants to adopt a cloud-first identity model but still has critical on-premises applications. Instead of waiting for a complete and disruptive migration, the IT team can now:

  1. Start with the Most Targeted Users: Convert a subset of high-risk accounts (e.g., executives, IT administrators) with User SOA so they are managed in the cloud.
  2. Transition Associated Groups: Use Group SOA to move the management of security groups that grant access to these applications to Entra ID.
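The two steps above are driven through the Microsoft Graph beta endpoints for the object's onPremisesSyncBehavior. The script below is an added example, not code from the original post or from Microsoft: it runs a pilot conversion of a handful of users and then the groups that grant them access, with a pre-check that each object is actually still synchronized from AD, an idempotency check on the current SOA, and a post-check that the directory now reports the object as cloud-managed. The UPNs and the group name are placeholders; the role named in the comments and the sync-client version requirement are assumptions to verify against the current documentation before running this in a production tenant.

```powershell
# Added example (not from the original post or from Microsoft): pilot SOA conversion
# through the Microsoft Graph beta endpoints, users first and then their groups.
# Assumptions: the Microsoft.Graph.Authentication module is installed; the signed-in
# account holds a role permitted to change SOA (Hybrid Identity Administrator is
# assumed to be the least-privileged choice; verify against current docs); Entra Connect
# Sync / Cloud Sync is on a build that honours cloud-managed objects; and the UPNs and
# group name below are placeholders for your own pilot set.
#Requires -Modules Microsoft.Graph.Authentication

$pilotUsers  = @('cfo@contoso.example', 'it-admin1@contoso.example')  # placeholders
$pilotGroups = @('APP-Finance-Users')                                  # placeholder AD-synced group

Connect-MgGraph -NoWelcome -Scopes @(
    'User.Read.All', 'Group.Read.All',
    'User-OnPremisesSyncBehavior.ReadWrite.All',
    'Group-OnPremisesSyncBehavior.ReadWrite.All'
)

function Convert-EntraSoaToCloud {
    <#
      Flips one user or group from AD-managed to cloud-managed and verifies the result.
      -Collection is 'users' or 'groups'; -ObjectId is an object id (or a UPN for users).
      -WhatIf reports what would change without sending the PATCH.
    #>
    param(
        [Parameter(Mandatory)] [ValidateSet('users', 'groups')] [string]$Collection,
        [Parameter(Mandatory)] [string]$ObjectId,
        [switch]$WhatIf
    )
    $base = "https://graph.microsoft.com/beta/$Collection/$ObjectId"

    # Pre-check 1: only objects still synchronised from AD are candidates for conversion.
    $obj = Invoke-MgGraphRequest -Method GET -Uri ($base + '?$select=id,displayName,onPremisesSyncEnabled')
    if (-not $obj.onPremisesSyncEnabled) {
        Write-Warning "$($obj.displayName): not AD-synchronised (cloud-native or already converted); skipping"
        return
    }

    # Pre-check 2: read the current SOA so the script is safe to re-run.
    $before = Invoke-MgGraphRequest -Method GET -Uri "$base/onPremisesSyncBehavior"
    if ($before.isCloudManaged) {
        Write-Host "$($obj.displayName): already cloud-managed; nothing to do"
        return
    }

    if ($WhatIf) {
        Write-Host "[WhatIf] would set isCloudManaged=true on $Collection/$($obj.id) ($($obj.displayName))"
        return
    }

    # The conversion itself. From this point on, edits made in AD no longer flow to this object.
    Invoke-MgGraphRequest -Method PATCH -Uri "$base/onPremisesSyncBehavior" `
        -ContentType 'application/json' -Body @{ isCloudManaged = $true } | Out-Null

    # Post-check: confirm the directory now reports the object as cloud-managed.
    $after = Invoke-MgGraphRequest -Method GET -Uri "$base/onPremisesSyncBehavior"
    if (-not $after.isCloudManaged) {
        throw "$($obj.displayName): PATCH accepted but isCloudManaged is still false; check sync client version and role assignment"
    }
    [pscustomobject]@{
        Collection     = $Collection
        DisplayName    = $obj.displayName
        Id             = $obj.id
        IsCloudManaged = $after.isCloudManaged
    }
}

# Step 1: the pilot users (addressable directly by UPN).
$results = @(foreach ($upn in $pilotUsers) {
    Convert-EntraSoaToCloud -Collection users -ObjectId $upn
})

# Step 2: the groups that grant those users access; groups are resolved by display name first.
$results += @(foreach ($name in $pilotGroups) {
    $escaped = $name.Replace("'", "''")   # OData string-literal escaping
    $lookup = Invoke-MgGraphRequest -Method GET `
        -Uri "https://graph.microsoft.com/v1.0/groups?`$filter=displayName eq '$escaped'&`$select=id,displayName"
    foreach ($g in $lookup.value) {
        Convert-EntraSoaToCloud -Collection groups -ObjectId $g.id
    }
})

$results | Format-Table -AutoSize
```

Run it once with -WhatIf added to both calls to see exactly which objects would change. Two operational points matter here: the conversion is a change of ownership, so attribute edits made in AD afterwards stay in AD, and any on-premises application that still reads a converted group from AD needs the optional group provisioning back to AD to be configured before the group's membership is managed from the cloud.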

The benefits follow directly. Security posture improves because Zero Trust controls are applied consistently to the converted objects, governance becomes automated, and operational complexity is reduced, freeing the IT team to focus on more strategic initiatives.

Key Benefits

  • Minimize AD Investments: Reduce dependency on on-premises infrastructure
  • Simplify Lifecycle Management: Automated workflows for onboarding and offboarding
  • Strengthen Zero Trust: Risk-based access controls and passwordless authentication
  • Flexible Migration: Start with a subset and expand at your own pace
  • No Additional Cost: Included with Microsoft Entra Free license

Conclusion: The Future is Cloud-First

Source of Authority conversion is not just a new feature; it is a paradigm shift. It offers a clear and flexible path for organizations to modernize their identity infrastructure, minimize their dependence on on-premises Active Directory, and strengthen their security posture in line with Zero Trust principles. By making these capabilities available to everyone, Microsoft is empowering organizations of all sizes to make the leap to truly cloud-first identity management, without leaving their legacy applications behind.

References

[1] Driving cloud-first identity: User SOA is now Public Preview and Group SOA is Generally Available
