IAM/PAM migrations are among the highest-risk infrastructure projects an organisation can undertake. A failed IdP migration can lock users out of all applications. A failed PAM migration can block all administrative access. Successful migrations require careful planning, phased execution, robust rollback plans, and extensive testing.
Migration Types
| Migration type | Complexity | Risk level | Typical duration |
|---|---|---|---|
| Directory migration (AD → AD) | High | High | 6-18 months |
| IdP migration (e.g. Okta → Azure AD, now Microsoft Entra ID) | High | Very High | 6-12 months |
| PAM migration (e.g. CyberArk → BeyondTrust) | High | High | 6-12 months |
| On-prem → cloud IdP | Medium-High | High | 3-9 months |
| IGA platform migration | Medium-High | Medium | 6-12 months |
| MFA provider migration | Medium | Medium | 2-6 months |
| Protocol migration (e.g. Kerberos → SAML for an application's sign-in) | Low-Medium | Low-Medium | 1-4 months |
Migration Strategies
Big Bang (Cutover)
All users and systems are migrated simultaneously in a planned cutover event. This is the highest-risk strategy: every user is affected by any defect at once, and rollback is also all-at-once. It is realistic only for small populations (fewer than 500 users) with a short, well-rehearsed cutover window.
Maintain old PAM in read-only mode, then decommission
Rollback Planning
Rollback Trigger Criteria
| Trigger | Description | Action |
|---|---|---|
| Critical application failure | A top-10 business application is non-functional after migration | Pause the migration; roll the application back to the old IdP |
| Widespread authentication failure | More than 5% of migrated users cannot authenticate | Roll the affected user group back to the old IdP |
| Performance degradation | Authentication latency above 2x baseline for more than 30 minutes | Scale up the new platform or roll back |
| Security incident | The migration introduces or exposes a vulnerability (for example a weaker authentication or MFA policy, or a mis-scoped trust on the new platform) | Immediate rollback, then incident investigation |
| Catastrophic failure | Complete IdP/PAM outage | Execute the full rollback plan |

The thresholds only work if the baseline (failure rate, latency) is measured before the pilot wave, and the checks must be evaluated per wave, so that a failing cohort can be rolled back without disturbing users already stable on the new platform.
Rollback Procedures
| Rollback scenario | Procedure | RTO | RPO |
|---|---|---|---|
| Single app rollback | Change the application's auth configuration back to the old IdP | 30 minutes | Zero (no data loss involved) |
| User group rollback | Revert DNS/routing for the group to the old IdP | 1 hour | Zero |
| Full IdP rollback | Fail over to the old IdP infrastructure | 4 hours | < 5 minutes (session data) |
| Full PAM rollback | Activate the old PAM, redirect connectors | 4 hours | < 1 hour (credentials rotated during migration) |

Two caveats apply. The PAM RPO is the set of credentials the new vault has rotated since they were last synchronised back to the old one: after rollback the old PAM holds stale secrets for those accounts, so the runbook must either keep credential synchronisation running in both directions during coexistence or include a re-rotation step for every account rotated since the last sync. The IdP RTOs assume the old infrastructure has been kept running, patched and licensed for the whole coexistence window; a 4-hour target is not achievable if the old IdP first has to be rebuilt.
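As an added example (not code from the original page or from any vendor product), the following Python evaluates a batch of authentication events against three of the trigger criteria above (critical application failure, widespread authentication failure, performance degradation) and maps each fired trigger to the rollback procedure and RTO from the procedures table. The event fields, the top-10 application list, the migrated user group, the baseline latency and the sample events are all assumptions constructed for the example; a real deployment would feed the same functions from the new IdP's sign-in logs.

```python
"""Rollback trigger evaluation for one migration wave (added example).

Checks constructed authentication events against the trigger criteria
table and maps fired triggers to the rollback procedure and RTO.
Event fields, app lists, user group and baseline are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    app: str
    idp: str          # "new" or "old": which IdP handled the login
    success: bool
    latency_ms: int


BASE = datetime(2024, 3, 4, 9, 0)                           # start of observation window
TOP10_APPS = {"erp", "crm", "mail"}                          # assumed business-critical apps
BASELINE_LATENCY_MS = 250                                   # assumed pre-migration mean
MIGRATED_USERS = frozenset(f"u{i:02d}" for i in range(40))  # wave being watched


def failure_rate(events: Iterable[AuthEvent], group: frozenset) -> float:
    """Share of the group's logins on the new IdP that failed."""
    attempts = [e for e in events if e.idp == "new" and e.user in group]
    if not attempts:
        return 0.0
    return sum(1 for e in attempts if not e.success) / len(attempts)


def nonfunctional_apps(events, critical, min_attempts=5):
    """Critical apps with enough attempts on the new IdP and not a single success."""
    results = defaultdict(list)
    for e in events:
        if e.idp == "new" and e.app in critical:
            results[e.app].append(e.success)
    return sorted(a for a, r in results.items() if len(r) >= min_attempts and not any(r))


def degraded_minutes(events, baseline_ms, factor=2.0):
    """Longest run of consecutive minutes whose mean successful-login
    latency on the new IdP exceeds factor * baseline."""
    per_minute = defaultdict(list)
    for e in events:
        if e.idp == "new" and e.success:
            per_minute[e.ts.replace(second=0, microsecond=0)].append(e.latency_ms)
    longest = run = 0
    prev = None
    for minute in sorted(per_minute):
        slow = sum(per_minute[minute]) / len(per_minute[minute]) > factor * baseline_ms
        contiguous = prev is not None and minute - prev == timedelta(minutes=1)
        run = (run + 1 if contiguous and run else 1) if slow else 0
        longest = max(longest, run)
        prev = minute
    return longest


def evaluate(events, group, critical, baseline_ms):
    """Return (trigger, action, RTO) for every trigger that fired."""
    events = list(events)
    fired = []
    for app in nonfunctional_apps(events, critical):
        fired.append(("critical_app_failure", f"pause migration; roll {app} back to old IdP", "30 minutes"))
    if failure_rate(events, group) > 0.05:
        fired.append(("widespread_auth_failure", "roll user group back to old IdP", "1 hour"))
    if degraded_minutes(events, baseline_ms) > 30:
        fired.append(("performance_degradation", "scale up or roll back", "decide within window"))
    return fired


def sample_events() -> List[AuthEvent]:
    """Constructed wave: erp fails for everyone, other apps work, then 35 min of slowness."""
    events = []
    for i, user in enumerate(sorted(MIGRATED_USERS)):
        app = "erp" if i < 6 else ("crm" if i % 2 else "mail")
        events.append(AuthEvent(BASE + timedelta(minutes=i), user, app, "new", app != "erp", 300))
    for m in range(40, 75):   # 800 ms against a 250 ms baseline, 35 consecutive minutes
        events.append(AuthEvent(BASE + timedelta(minutes=m), "u01", "crm", "new", True, 800))
    return events


if __name__ == "__main__":
    for trigger, action, rto in evaluate(sample_events(), MIGRATED_USERS, TOP10_APPS, BASELINE_LATENCY_MS):
        print(f"{trigger}: {action} (RTO {rto})")
```

The failure-rate and latency checks deliberately count only logins handled by the new IdP, so traffic from users still on the old platform cannot mask a problem in the migrated cohort; the latency check also requires consecutive degraded minutes, which keeps a single slow request from firing a rollback.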
Key Takeaways
- IAM/PAM migrations are among the highest-risk infrastructure projects: a failed IdP migration can lock users out of all applications, and a failed PAM migration can block all administrative access
- Four migration strategies exist: big bang (all-at-once, highest risk, for fewer than 500 users), phased (by group, app, geography, or business unit), coexistence (old and new systems operate simultaneously with attribute synchronisation), and hybrid (phased migration with a coexistence period)
- IdP migration follows five phases: assessment (4-8 weeks), planning (4-8 weeks), build and test (4-8 weeks), phased execution (8-16 weeks with pilot → early adopters → phased rollout → long tail), and post-migration stabilisation and optimisation
- PAM migration presents unique challenges including credential portability (passwords cannot be exported in plaintext; use API import with staged rotation), session recording continuity (archive old recordings, maintain search), and connector reconfiguration for all managed systems
- Coexistence requires attribute synchronisation between old and new IdPs: password hash sync (PHS) for seamless user authentication during transition, directory sync for attribute consistency, and credential import for PAM
- Rollback planning must define trigger criteria (critical app failure, widespread auth failure, performance degradation, security incident, catastrophic failure) with specific rollback procedures, RTO targets, and RPO for each scenario
- Application inventory (100% coverage of all apps, their auth methods, and protocol versions) is the single most critical success factor for IdP migration; undocumented apps, which only surface when their users cannot sign in after cutover, are the leading cause of migration failures
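The last takeaway is the one most often skipped in practice, so here is an added example (not from the original page) of the reconciliation a migration team can run before cutover. It cross-checks three constructed inputs: the application list exported from the old IdP, the migration plan (app to wave), and the set of applications actually seen authenticating in the old IdP's sign-in logs. Apps in the logs but absent from the export are exactly the undocumented apps the takeaway warns about. The field names, the protocols the target IdP is assumed to federate natively, and the list of methods assumed to need a bridge (application proxy or LDAP gateway) are all assumptions for the example.

```python
"""Application inventory reconciliation ahead of an IdP cutover (added example).

Cross-checks the old IdP's app export, the migration plan and the apps
observed in sign-in logs. All inputs and the protocol support sets are
constructed assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class App:
    name: str
    protocol: str            # SAML, OIDC, WS-Fed, LDAP, HEADER ...
    version: str
    owner: Optional[str]     # None = nobody to test with or sign off


# Assumed: what the target IdP can federate without an intermediary.
TARGET_NATIVE = {("SAML", "2.0"), ("OIDC", "1.0")}
# Assumed: methods the target cannot serve directly; need a bridge component.
NEEDS_BRIDGE = {"WS-Fed", "LDAP", "HEADER"}

# Constructed old-IdP export.
OLD_IDP_EXPORT = [
    App("erp", "SAML", "2.0", "finance-it"),
    App("crm", "OIDC", "1.0", "sales-it"),
    App("legacy-hr", "SAML", "1.1", None),
    App("wiki", "HEADER", "-", "platform"),
    App("ldap-printers", "LDAP", "3", "facilities"),
    App("timesheets", "WS-Fed", "1.2", "hr-it"),
]
# Constructed migration plan: app name -> wave number.
MIGRATION_PLAN = {"erp": 1, "crm": 1, "wiki": 2, "timesheets": 3}
# Constructed: distinct app names seen in 90 days of old-IdP sign-in logs.
LOG_OBSERVED = {"erp", "crm", "wiki", "legacy-hr", "shadow-bi"}


def reconcile(export: List[App], plan: Dict[str, int], observed: Set[str]) -> dict:
    """Find every gap that would otherwise surface as a surprise on cutover day."""
    by_name = {a.name: a for a in export}
    return {
        # authenticating in the logs but not in the inventory at all
        "undocumented": sorted(observed - by_name.keys()),
        # inventoried but assigned to no wave, so nobody will migrate or test them
        "unplanned": sorted(n for n in by_name if n not in plan),
        # protocol/version the target neither federates natively nor bridges
        "unsupported": sorted(a.name for a in export
                              if (a.protocol, a.version) not in TARGET_NATIVE
                              and a.protocol not in NEEDS_BRIDGE),
        # will work, but only once a proxy/gateway is in place before its wave
        "needs_bridge": sorted(a.name for a in export if a.protocol in NEEDS_BRIDGE),
        "no_owner": sorted(a.name for a in export if a.owner is None),
        # share of the inventory that has a wave assigned
        "plan_coverage": len(plan.keys() & by_name.keys()) / len(by_name),
    }


def ready_for_cutover(report: dict) -> bool:
    """Go/no-go: inventory complete, every app planned, supportable and owned."""
    return (not report["undocumented"] and not report["unplanned"]
            and not report["unsupported"] and not report["no_owner"]
            and report["plan_coverage"] == 1.0)


if __name__ == "__main__":
    result = reconcile(OLD_IDP_EXPORT, MIGRATION_PLAN, LOG_OBSERVED)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("ready:", ready_for_cutover(result))
```

The log-derived set is the important input: an export from the old IdP only lists what was configured there, while header-based, LDAP-bound and shadow applications show up only as authentication traffic, which is why the check treats log-observed apps as authoritative for inventory completeness.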