Where is your business in its cloud transformation journey?

Cloud transformation is still often spoken about as a destination. Set a date, complete a migration, tick the box and move on. In reality, that is rarely how it works.

Most organisations we work with are somewhere in between. A mix of on‑premises and cloud. Some modern processes, some legacy dependencies. Progress is being made, but not always in a straight line. This is particularly true when it comes to identity, device management and access.

The important thing to remember is that cloud transformation is a journey, not a race. Organisations do not become fully cloud overnight. They evolve through stages, gradually moving from an Active Directory‑centric model towards cloud‑native identity, device management and app access. Each stage brings clear benefits around security, cost and agility, as well as introducing new operating models and skills.

The biggest mistake we often see is trying to jump ahead without understanding the current state. When teams can confidently say “this is where we are today,” planning becomes grounded and achievable, rather than aspirational. With platforms like Microsoft Entra continuing to evolve rapidly, even small, well‑planned steps towards cloud‑first identity can unlock value faster than expected.

Below, we outline the main stages of cloud transformation.

Stage 1: Cloud Attached

This is where many organisations start, often by necessity rather than design. You have a Microsoft Entra tenant because you needed Microsoft 365. Users collaborate and access cloud services, but identity, device and application management still largely live on‑premises. At this stage, IT teams are effectively running two environments and keeping them in sync.

Typical indicators of a cloud‑attached environment include:

Devices joined to Active Directory and managed using Group Policy or on‑premises tooling.

Users are managed in Active Directory and synchronised to Microsoft Entra ID using Microsoft Entra Connect.

Apps are authenticated to Active Directory and to federation servers like Active Directory Federation Services (AD FS) through a web access management (WAM) tool, Microsoft 365, or other tools such as SiteMinder and Oracle Access Manager.

The trade‑off is operational overhead. Processes are duplicated, tooling overlaps and teams need skills across both worlds.

Stage 2: Hybrid

Hybrid is where cloud adoption becomes more intentional. On‑premises environments still exist, but cloud capabilities are actively used to improve security, simplify access and reduce risk. When done well, hybrid reduces complexity rather than adding to it. This stage is often where organisations build confidence in Microsoft Entra ID as their identity and access control plane.

Common characteristics include:

Windows devices that are Microsoft Entra hybrid joined.

Non-Microsoft SaaS applications integrated with Entra ID.

Legacy apps are authenticating to Microsoft Entra ID via Application Proxy or partner solutions that offer secure hybrid access.

Self‑service password reset and improved password protection enabled.

Early adoption of identity governance features like access packages and Privileged Identity Management (PIM).

Hybrid is often the most natural modernisation path because it delivers value without forcing disruptive change.

Stage 3: Cloud First

Cloud first is where momentum builds, and where many organisations spend the most time. You know the cloud works. New services are designed with cloud in mind, and identity starts shifting from inherited dependencies to modern controls. This is also where hidden technical dependencies tend to surface.

Signs you are cloud first include:

New Windows devices joined directly to Microsoft Entra ID and managed through Intune.

User and group provisioning handled through modern connectors rather than legacy scripts.

Applications previously using AD FS updated to authenticate directly with Entra ID.

Planning underway to migrate or modernise file and print services.

Microsoft Entra ID provides a business-to-business (B2B) collaboration capability.

New groups created and managed in the cloud.

Network services that rely on Active Directory are relocated.

This stage requires careful planning as legacy authentication methods and older applications often shape timelines far more than expected.

Stage 4: Minimising On‑Premises Active Directory

At this point, Microsoft Entra ID carries most of the workload. On‑premises Active Directory remains, but primarily to support “edge cases.” In larger environments, this is where technical debt becomes most visible because it is rarely a single blocker, but many small ones.

Typical patterns include:

New users are created directly in Microsoft Entra ID, often triggered by HR systems.

Active programmes underway to migrate or replace AD‑dependent applications.

Remaining on‑premises workloads have been replaced with cloud alternatives such as Azure Virtual Desktop, Azure Files, Universal Print.

Stage 5: Fully Cloud

Fully cloud is the long‑term aspiration for many organisations. Identity, devices and access are designed around cloud services rather than inherited from the data centre. This does not eliminate complexity, but it significantly reduces reliance on on‑premises infrastructure for day‑to‑day operations.

In a fully cloud environment, you typically see:

No on‑premises identity and access management footprint required.

All devices managed using Microsoft Entra ID and cloud solutions like Intune.

The full user identity lifecycle managed in Entra ID.

All users and groups cloud native.

What To Do Now

The next steps in your cloud transformation journey will largely depend on which stage of cloud you are currently in. Figuring out exactly where is often one of the biggest challenges.

To help you work out where you are in your cloud journey, we’ve developed a simplified self-assessment so you can identify your key blockers and next steps. Download our cloud transformation checklist to get started.