Facing the sunset of a critical system is never easy. When the system is as fundamental as identity management, as with the end of life of SAP Identity Management (SAP IDM) and Microsoft Identity Manager (MIM), the stakes are even higher. With end-of-life dates looming in 2027 and 2029, many CIOs and CISOs are navigating a complex landscape of migration decisions.
To help you prepare, we’ve compiled a detailed guide for your migration and spoken with leading identity management partners who have guided hundreds of organizations through these critical transitions. Our goal is to help you understand the strategic implications, execution challenges, and selection criteria that matter most to executive decision-makers.
The insights in this article come from Evolveum partners, including Ventum, ACEN, ITConcepts, Unicon, Zephon, Innovery, DAASI International, ISSP, Qriar, and Identicum – all specialists in enterprise identity management.
Why should organizations start planning their SAP IDM/MIM migration now instead of waiting until closer to the end-of-life dates?
Ventum: Successful migrations don’t happen overnight – and they definitely don’t happen smoothly under pressure. Starting now gives your organization breathing room to plan strategically rather than reactively. Waiting too long introduces serious risks: resource bottlenecks, rushed decisions, and rising costs. By acting now, you’re not just avoiding risk, you’re also giving your team the opportunity to modernize processes, align with new security standards, and choose a platform that fits future needs, not just today’s.
ACEN: Think capacity planning. If you need expertise for 2026-2028 roll-outs, professional talent will already be engaged with organizations that planned their migration early. These legacy platforms won’t get extended; they’re antithetical to SAP and Microsoft’s cloud-first future.
ITConcepts: IAM projects are more complex than they appear at first, often involving multiple stakeholders, legacy integrations, and unclear requirements. Early engineering requirements and a thorough analysis of your current architecture are essential to ensure you have enough time for implementation, testing, and training. Delaying this increases the risk of rushed decisions and operational issues.
Unicon: Identity systems are deeply integrated into nearly every aspect of business operations. Often, only identity management teams fully understand how critical these systems are to daily functionality, yet IT teams are already stretched thin. Starting early gives you time to build a realistic roadmap, allocate resources effectively, and minimize disruption.
Zephon: Microsoft has not invested in MIM for years, and it is reflected in the product architecture. It is old, cumbersome, and difficult to install, manage, and maintain. You are likely spending more to maintain it than you would to replace it. Since migrations can take a year or more, it’s best to start planning now.
What’s the most effective strategy for executing a successful migration from legacy IDM platforms?
Innovery: Update documentation and clarify goals before starting. Don’t begin until objectives are crystal clear to avoid project risks, delays, and cost overruns. Avoid a one-step migration; instead, analyze the best approach and break it up into multiple steps.
DAASI International: While “Big Bang” migrations might seem faster, in our experience, a slow migration from one product to the other is always better. This can be done by configuring the old system as a source for the new one, allowing you to migrate connected systems one by one. This gives you more time for testing and allows for temporary rollbacks if errors occur. This step-by-step approach also allows for migrating different user types in different stages, such as migrating staff first and then students. It is essential to work on test systems first and only proceed with the productive migration after all requirements are met.
ACEN: The most critical factor is having the entire organization, including senior management, convinced of the necessity and benefits of implementing a modern IGA solution. Often, these projects are started by IT or security teams without broader organizational buy-in, leading to more time spent justifying the program than delivering results. Thorough preparation is key; implementation should only begin once there is clear alignment on priorities, well-understood requirements, and a shared vision for digital identity lifecycle processes.
ISSP: Avoid the ‘just move it over’ trap – legacy systems have years of ad hoc logic and dormant accounts that should be audited first. Don’t over-engineer instead of delivering a minimum viable product (MVP); trying to build the perfect end-state from day one can lead to delays and user fatigue. A better approach is to start with an MVP that provides immediate value and can be expanded iteratively. Celebrate small wins, which often start with getting the core right by redesigning roles and policies based on a proper audit.
Ventum: Engage both IT and business stakeholders early – IAM affects security, compliance, and user experience, not just IT operations. Avoid the ‘lift and shift’ legacy logic, as this creates unnecessary complexity without delivering new value.
What key considerations should organizations keep in mind when selecting a replacement for SAP IDM or Microsoft Identity Manager?
Qriar: Choose a solution that supports both the identity lifecycle and governance with identity standards like SCIM for easy integrations. Look for scalability without heavy upfront investment and an API-first architecture to support future identity fabric concepts.
Ventum: Don’t replicate the past – define future needs and leverage modern capabilities like policy-based access, analytics, and zero trust. Ensure integration with HR, directories, and cloud platforms, and build in governance for regulations like GDPR and NIS2.
ACEN: Prioritize future-proof architecture supporting hybrid/multi-cloud environments. Choose modular, extensible platforms with API-first approaches and flexible licensing models based on actual usage rather than upfront commitments.
Unicon: Start with a clear understanding of your specific needs – avoid overly complex systems if they are unnecessary. Understand the full financial commitment, including the total cost of ownership, and ensure realistic transition planning that matches your organizational capacity.
DAASI International: The next step is to find a product on the market that best meets these requirements, remembering that with open source projects, you always have the option to have needed features implemented.
Identicum: Consider the integration capabilities with existing and legacy systems, vendor support, and licensing costs. It is also critical to assess the vendor’s long-term strategy, ensuring the product has a clear, public roadmap that aligns with your organization’s future needs and that the vendor is committed to ongoing development and support.

Key takeaways for successful migrations
The insights from these identity management experts reveal several critical considerations for CIOs and CISOs:
- Help might not always be available later on: The window for securing experienced migration expertise is narrowing rapidly. Organizations that delay may find themselves competing for limited talent pools as the sunset dates approach.
- The end of one thing is the beginning of a new (modern) opportunity: This forced migration presents a rare chance to eliminate technical debt and align your identity processes with modern principles, be it zero trust, identity analytics or support of hybrid and multi-cloud environments. However, this is only true for organizations that give themselves enough time to approach it strategically rather than reactively.
- Success depends on everyone: Success depends heavily on executive agreement and cross-functional alignment. Identity migrations touch every part of the organization, making them as much about change management as technology implementation.
- Staying might become more expensive: For many organizations, the total cost of maintaining legacy systems now exceeds the investment required for modern alternatives, making this migration both necessary and economically advantageous.
The consensus is clear: organizations that begin planning now will migrate strategically with adequate resources and time for proper testing. Those who wait will find themselves managing crisis migrations under pressure, with limited options and inflated costs.
The question isn’t whether to migrate, but whether to plan ahead or wait until circumstances force your hand. The window for strategic action is open, but it won’t remain so indefinitely.
About our experts
The insights in this article come from leading identity management specialists who have collectively guided hundreds of enterprise migrations:
- Ventum – With a team of over 170 professionals across Austria, Germany, Switzerland and Poland, Ventum combines diverse expertise to tackle the most complex security challenges.
- ACEN – ACEN is a top-notch provider of complete cybersecurity solutions in Belgium, ensuring that companies from various fields are protected against any possible threats coming from the internet.
- ITConcepts – ITConcepts, based in Switzerland, is a leading provider of 360° solutions for automating business processes, with expertise in IAM, IT security, and more.
- Unicon – Unicon is a leading US provider of IT consulting and support for education technology, specializing in using open-source technologies to deliver cost-effective IAM solutions.
- Zephon – Zephon is an American boutique cybersecurity consultancy and managed security services provider that helps businesses maximize their cyber investments through simplification, consolidation, and automation.
- Innovery – Innovery is a group operating in Italy, Spain and Mexico, offering specialized advisory services for innovative ICT solutions. The company focuses on finance, utility, energy, retail, telecommunication, and public administration markets.
- DAASI International – DAASI International is one of the leading German providers for open source software in the areas of federated Identity & Access Management as well as digital humanities.
- ISSP – ISSP is a group of companies specializing in cybersecurity and data management solutions, managed security services, and professional training that operates in Ukraine, Georgia, Kazakhstan, Poland and Canada.
- Qriar – Qriar is a cybersecurity company with a presence in Brazil, the USA and the UAE that focuses on turning security into a competitive advantage by providing the right people with the right information at the right time.
- Identicum – Since 2005, Identicum has been a professional services company that is focused on Identity and Access Management projects in Latin America and the USA.