
25 Aug. 2025


5 Considerations for Navigating Hybrid IAM and Entra ID Implementation


By Jody Tracy, Program Manager, InCommon Academy

In early August InCommon community members gathered for a Thread Meetup, “Navigating Hybrid Identity and Access Management (IAM) and Entra ID Implementation.” InCommon community members are at different phases of their Entra ID deployments and have exchanged insights about challenges and successes. The key takeaway is that organizations shouldn’t view this as an either/or decision between traditional and cloud identity systems, but rather as a strategic integration of both approaches.

The institutions furthest along in their journey emphasized gradual transitions, community collaboration, and keeping research and academic requirements at the center of their decisions. They offered their peers five considerations for navigating hybrid IAM and Entra ID implementation.


1 – You are not alone; many institutions are running dual SSO systems.

The discussion illustrated that nearly every institution is grappling with the same challenge of managing both traditional identity providers like Shibboleth or Central Authentication Service (CAS) alongside Entra ID. This isn’t a sign of poor planning, but rather the reality of modern research and education (R&E) IT. Universities described similar architectures with hundreds of integrations split between systems. Hybrid is the new normal, not a temporary state.

2 – InCommon Federation remains a critical requirement; plan accordingly.

Even with Microsoft’s growing capabilities, Entra ID doesn’t natively support multilateral federation like InCommon. Institutions consistently cited research collaboration and academic resource access as non-negotiable requirements that keep Shibboleth in the picture. Solutions like Cirrus Identity Bridge or Security Assertion Markup Language (SAML) proxy configurations are becoming essential tools, not just optional add-ons.

3 – MFA migration is more complex than it appears.

Multiple institutions shared hard-won lessons about transitioning from Duo to Microsoft multi-factor authentication (MFA). One institution specifically mentioned “scars” from their switchover, emphasizing the need to remove other Entra MFA methods before implementing Duo’s External Authentication Method (EAM). The technical integration is achievable, but user communication, help desk preparation, and telephony cost planning are often underestimated. One participant noted, “reconfiguring and re-registering for multi-factor seems to be the other big user engagement portion of this, which is harder than the technical [aspects] a lot of the time.”

4 – Cost and licensing complexity drive architecture decisions.

The financial reality is that not every institution can afford to provision all identities in Entra ID. One university’s example of 1.25 million total identities with only 80,000 in Entra illustrates this challenge. Institutions are making strategic decisions about which users get provisioned where, and these decisions fundamentally shape their technical architecture. Factor in the true cost of licensing all user types (students, alumni, faculty, staff, affiliates, and guests) early in your planning.

5 – Community knowledge sharing is your best resource.

And finally, the most valuable part of the discussion wasn’t in the technical details. It was institutions sharing real experiences, both successes and failures. Thread Meetups are a direct response to the community’s desire to learn from peers. As one attendee noted, “you can listen to 60 different people tell you what they’re doing with Entra and get 60 different answers.” Leverage InCommon’s community network to benefit from peer collaboration and shared learning experiences.

Stay tuned! There will be future Thread Meetups and other opportunities to engage with the community. 

Have questions or ideas for this discussion? Let us know! Contact Jody Tracy.

About InCommon Academy Thread Meetups

Unravel complexities. Stitch in what matters. Together. Join fellow IAM professionals in our focused, community-driven discussions designed to spark meaningful dialogue on the topics that matter most to you. Thread Meetups are offered as the need arises. No matter the topic of the day, you’ll join a collaborative dialogue with peers who share your professional interests and experience. Thread Meetups are a space to talk through what’s timely and relevant — whether you’re wrestling with implementation challenges, exploring emerging trends, or seeking new perspectives. These meetups provide just the right environment where you can walk away with a new idea, a connection, or a clearer path forward.