With the steady rise of cloud-first transformation, yet another pair of legacy identity management solutions is being phased out. SAP Identity Management (SAP IDM) and Microsoft Identity Manager (MiM), both widely used, especially in large enterprise environments, are heading toward end-of-life.
SAP Identity Management mainstream maintenance ends on December 31, 2027, with extended maintenance available until 2030. This date might seem far off, but anyone who’s been through a major identity system migration knows how quickly time flies when you’re dealing with complex integrations, data migrations, and user training.
Microsoft Identity Manager support was extended to January 9, 2029. However, Microsoft stopped actively developing MiM in 2021, focusing instead on Entra ID (formerly Azure AD). The message is clear: their priority is no longer on-premise identity solutions.
For many organizations, this marks the end of an era – and the beginning of a significant challenge: What’s next?
In the following sections, we will explore practical strategies for legacy identity system migration and outline key options available to ensure a smooth, secure, and future-proof transition.
When the Obvious Choice Isn’t Always the Right One
When legacy systems reach end-of-life, the natural path often leads to vendor-recommended successors. SAP and Microsoft have developed clear migration guidance toward their cloud-based alternatives: SAP Cloud Identity Services and SAP Cloud Identity Access Governance for identity and access management into SAP products and Microsoft Entra ID.
These solutions offer compelling advantages – modern cloud architecture, reduced infrastructure overhead, and tight integration within existing vendor ecosystems. For organizations heavily invested in Microsoft or SAP technologies, this path provides obvious benefits.
However, neither Entra ID nor SAP Cloud Identity Services represents a direct replacement for their on-premise predecessors. They differ in architecture, features, and how they operate, which means they might not fit every organization’s needs.
Before jumping on the bandwagon, ask yourself:
- Is Microsoft or SAP at the core of your tech stack and are you planning to stay within a single-vendor architecture? Or are you operating in a more complex, multi-vendor ecosystem?
- Will your architecture remain on-premise, migrate to the cloud, or maintain hybrid operations?
- How complex are your identity governance and administration needs beyond basic user lifecycle management?
- What are your future scalability, security, and compliance needs?
Hybrid architecture adds complexity
Most large organizations run hybrid environments with a mix of on-premise and cloud systems. Microsoft talks about Entra ID as a hybrid solution, and in many ways it is. But the reality of making it work smoothly across all your systems can be more challenging than initial assessments suggest.
Organizations commonly run into:
- Identity synchronization challenges across forests and domains
- Custom attributes that don’t cleanly map to cloud directories that break in modern policy frameworks
- Firewalls and proxies that impede cloud-to-ground communication in apps not designed for modern protocols
Integration and Customization Challenges
This is where many organizations get surprised. If you’ve spent years building custom workflows, approval processes, and business rules in SAP IDM or MiM, you might find that Entra ID doesn’t give you the same level of flexibility.
Microsoft has built a solid platform, but it’s designed to work in a certain way. If your business processes don’t align with that approach, you’ll need to either change your processes or find workarounds that add complexity and cost.
The True Cost of Migration
Per-user pricing models appear straightforward during initial evaluations, especially for smaller organizations. But enterprise-scale implementations frequently involve premium features, additional connectors for non-vendor systems, custom development requirements, licensing fees, and subscription costs that significantly impact long-term budgets.
The CISO’s Strategic Migration Playbook
Successfully migrating from legacy platforms requires a comprehensive approach that balances strategic planning with practical, risk-aware execution.
Organizations should begin this process well in advance of sunset dates, as identity system migrations typically require 12-36 months for full implementation in enterprise environments. Here’s a high-level roadmap to help you navigate this transition successfully:
1. Assess Your Current Identity Landscape
Start with a thorough inventory of your existing identity infrastructure. Document not just your systems and integrations, but the actual business processes they support. Often, organizations discover that their identity management has evolved far beyond its original design, with workarounds and customizations that aren’t immediately obvious.
At this stage:
- Identify redundant and orphaned accounts
- Detect inconsistencies between authoritative source systems (like HR) and target directories or applications
- Understand existing identity lifecycle triggers, provisioning flows, and access policies
Also, map your compliance requirements early in the process. Different solutions handle regulatory requirements differently, and understanding these constraints upfront prevents costly discoveries later in the migration.
💡 Best Practice: Use simulation and analysis tools to explore the impact of identity changes without actually applying them. This allows teams to preview account behavior and detect errors or edge cases in advance, reducing risk from the very start.
2. Define Your Requirements
Engage stakeholders across IT, security, and business units to understand their actual needs and requirements. Focus on business outcomes rather than technical feature translations. This approach often reveals opportunities to streamline processes during the migration.
Consider your organization’s five to ten-year trajectory:
- Will your identity needs become more complex or simpler?
- Are you planning to expand internationally?
- What about future acquisitions or mergers?
These factors should guide you in selecting the right solution that will support your needs for years to come.
💡 Best Practice: Keep the initial scope focused and achievable. Successful teams often start with a core domain, like workforce identity lifecycle management, and build outward in manageable iterations. This allows for early value delivery and room for lessons learned to inform future phases.
3. Evaluate Solutions Through a Security Lens
Evaluation processes should extend well beyond feature comparisons and vendor demos. This includes assessing integration capabilities with existing systems, evaluating performance under realistic load conditions, and understanding true customization flexibility, while prioritizing security controls.
- Authentication and credential security: Assess credential storage encryption, supported authentication methods, and multi-factor authentication enforcement capabilities. Examine password policies and session management.
- Audit and compliance capabilities: Verify detailed logging of access decisions, configuration changes, and administrative actions. Confirm log retention periods and export capabilities. Ensure compliance reporting supports your regulatory requirements.
- Vulnerability management: Evaluate security patch frequency, the vendor security track record, and testing procedures, including penetration testing and code reviews. Request vulnerability disclosure timelines and remediation processes.
- Data protection and privacy: Determine data residency locations, processing controls, and personally identifiable information handling procedures. Verify data export, deletion capabilities, and privacy regulation compliance mechanisms.
💡 Best Practice: Favor platforms that allow non-disruptive analysis and prototyping. This ensures you can validate the technical fit, policy alignment, and risk exposure before you commit to full deployment.
4. Build a Risk-Aware Migration Plan
Avoid “big bang” migrations. Successful migrations follow phased approaches that balance early insight with controlled execution. While traditional wisdom often suggests starting with non-critical systems, in identity management, it’s often more effective to connect to foundational, business-critical systems early in a non-invasive, simulation-driven way. This approach provides crucial visibility into your most complex and foundational identity flows without introducing immediate risk. Each migration phase should allow time for:
- Integration challenges
- Refining processes
- Validating assumptions before migrating business-critical systems
Pilot phases should focus on complex integration scenarios rather than simple ones, revealing potential issues early in the process.
Don’t forget about resource planning either – these migrations demand significant technical resources and expertise. Resource allocation should account for senior technical staff being significantly engaged with migration activities for extended periods. Assess internal capabilities honestly and plan for external support where needed, including technical implementation support and change management.
Your migration plan should include comprehensive rollback procedures for each phase, strategies for maintaining security during parallel system operations, and clear incident response procedures for migration-related security events.
💡 Best Practice: Connect to core systems like AD early in the process using non-disruptive simulations. This gives you visibility into your identity baseline, reveals gaps or legacy issues, and sets the stage for safer phased implementation, allowing you to “see before you act.”
5. Invest in Change Management and User Adoption
Technical implementation represents only part of your challenge. Successful migrations require comprehensive change management strategies beginning with key stakeholder involvement from IT, security, and business units during solution selection to ensure buy-in and realistic expectation setting.
Training programs should reflect actual user workflows rather than theoretical processes. Organizations should plan for different user groups with varying technical skills and interaction patterns. The communication roll out should address concerns proactively, provide clear feedback and support channels, and maintain transparency about timelines and impact expectations.
💡 Best Practice: Pair each technical delivery phase with targeted stakeholder communication, user training material development, and clear success measurement. Early small wins, achieved through iterative and low-risk deployments, help establish credibility and build momentum for broader adoption.
Navigating the Identity Management Market Landscape
The identity and access management (IAM) market has matured considerably in recent years with numerous established and emerging platforms worth serious consideration. While vendor-recommended solutions offer integration advantages, they’re not the only options:
- Full-featured identity governance platforms: Vendors focused specifically on identity governance and administration often provide deeper governance capabilities and more flexible customization options than general identity management and lightweight IGA solutions.
- Open source software: Modern open-source identity platforms have gained significant enterprise adoption. These solutions now offer enterprise-grade features, professional support options, and active communities that contribute to the ongoing improvement of the platform, such as testing, answering community questions, and even developing custom connectors, providing maximum flexibility and customization potential.
- Hybrid IGA platforms: Designed to support on-prem, hybrid, and cloud deployment needs. For organizations working in a hybrid operational model or those planning a gradual migration to the cloud, these platforms can be an ideal solution.
Evaluate platforms based on your specific architecture and business needs – consider factors beyond brand recognition. It is worth examining community threads to understand real-world scenarios and engaging with companies with similar challenges. Also, ask for proof-of-concepts where possible.
When it comes to cost, think about the total cost of ownership, including licensing fees, implementation costs, ongoing maintenance, training requirements, and potential needs for external expertise.
The Strategic Path Forward That Shapes the Next Decade
Thousands of organizations affected by the end-of-life of SAP IDM and MiM now face pivotal decisions about their identity management future. While vendor-recommended migration paths offer predictable routes, they may not represent optimal solutions for every environment. The key lies in approaching these decisions strategically rather than reactively.
Take time to understand options fully – evaluate solutions based on specific requirements rather than general market positioning, and consider long-term implications. Today’s identity management market offers mature alternatives across different deployment models, architectural approaches, and business models.
Starting evaluation processes early and considering the full spectrum of available solutions will ensure chosen platforms support long-term organizational objectives. Remember, the decisions made today will impact your identity security operations for the next decade or two.
About Evolveum:
Evolveum is the organization behind midPoint, the leading open source IGA platform recognized by both Gartner and KuppingerCole. MidPoint bridges the gap between IT and business, making it an ideal choice for organizations seeking digital transformation to enhance security and efficiency.