Blog Azure Migration

Don’t Migrate to the Cloud Until You Know & Do This

You’ve set up your Azure landing zone, and now think the migration can begin.

But hold on: there are a few key steps you need to take first, or your move to the cloud will cause more trouble than it should.

This article walks you through the essential steps to complete once your landing zone is deployed.

Let’s go over them!

Author

Niels Kroeze IT Business Copywriter

Reading time 4 minutes Published: 11 November 2025

7 Steps You Must Take Before Migrating to Azure

1. Connection: set up hybrid connectivity

Part of your landing zone deployment involved setting up either Expressroute, site-to-site VPN or vWAN. However, such covers only the Azure side. You still need to configure the on-premise side – or nothing will work.

For ExpressRoute, work with your provider to provision the circuit, then connect it to Azure and back on-prem through your gateway.
For a site-to-site VPN, create the gateway connection and define the local network so traffic can flow.
For vWAN, configure the required gateway connections.

Now your on-prem environment and the cloud is properly connected, we aren’t there yet. There are six more things you need to do.

2. Extend with Active Directory Domain Controllers

Don’t forget your domain controllers (DCs) when you migrate to the cloud. Unless you are transitioning to a cloud-only environment, you will need to extend your DCs to Azure. Otherwise, every authentication request has to travel back on-prem, which slows logins, adds latency, and hurts reliability.

Setting up a DC in Azure is no rocket science, just do this:

Build a VM.
Promote it to a domain controller.
Ensure VPN or ExpressRoute connectivity so the DC can talk to on-premises.
Create a new site in AD Sites and Services.
Add your Azure subnets to that site.

This tells other VMs in Azure that the new DC is the closest one, making authentication faster.

3. Users: Microsoft Entra Connect

Unless you’re going cloud-only completely, you’ll need to bring your existing users into Azure after deploying your landing zone is ready to be able to replicate your identities to the cloud. You can use either Microsoft Entra Connect (previously AD Connect) or Microsoft Entra Cloud Sync for this:

Install the tool on an on-premises server.
It syncs users to the cloud along with all AD properties and metadata.
Passwords stay safe with Password Sync – it only transmits a hash, not the actual password.
Users keep the same password on-premises and in the cloud. Sign-ins are verified against the hash.

4. Always DNS: enable hybrid DNS

Active Directory domains need DNS to work, both in the cloud and on-prem.

Cloud: Use Private DNS Zones in Azure to resolve internal names and private endpoints. Link them to your virtual networks so all VMs can access them.
On-Prem: Configure conditional forwarders on your on-prem DNS servers that point to a DNS forwarder in Azure (for example, a VM or domain controller). That Azure forwarder can resolve names in the Private DNS Zones.
Hybrid lookups: Use Azure DNS Private Resolver or custom DNS servers in Azure to enable name resolution between cloud and on-prem.
Optional: Configure Azure Firewall as a DNS proxy to forward requests to your DNS forwarders and support FQDN rules.

Once done, point your Azure VNETs to these custom DNS servers to complete hybrid DNS resolution.

5. Keep an eye out: configure monitoring

As part of deploying your Landing Zone, you need to monitor your cloud resources and Azure service health. This shows if everything is running as it should.

Deploy the Azure Monitor Baseline for your landing zone.
Use it to set up monitoring alerts for VMs and cloud services, notifying you of issues so you can address them quickly.

6. Get out & in: routing

Just deploying your Azure Firewall (and almost any NVA firewalls) doesn’t make it effective; all firewall traffic is blocked until you add explicit allow rules. What you should do is route traffic to it and set rules for what to allow or block.

1. Outgoing traffic

Any traffic leaving your spoke networks should go through the firewall for inspection.
Every subnet in your spoke networks needs a route table with a route for 0.0.0.0/0 pointing to the firewall.

2. Firewall rules:

All traffic to the Azure Firewall is blocked by default.
Add Network or Application rules to allow the traffic you want to flow.

3. Inter-spoke routing:

Many organisations use a hub-spoke network topology. Make sure routes between spokes are correctly configured if traffic needs inspection or filtering via the hub firewall.

Internet egress:

If you want to allow outgoing internet traffic, you will need to configure explicit rules that allow it through.

7. Defend: Microsoft Defender for Cloud

When deploying your new landing zone, set policies to enable Microsoft Defender for Cloud for your Azure subscriptions which can protect your landing zone.

Defender for Cloud evaluates your resources against Microsoft’s security baseline and generates a security score, highlighting areas for improvement. You don’t need extra technical setup immediately, but review the recommendations and plan how to improve your security posture.

As you migrate resources into Azure, be ready to implement these improvements as part of your migration optimisation. Keep checking back for new recommendations, so your environment stays secure throughout the migration process.

Closing thoughts

Now that you have these seven key areas set up, your landing zone is prepared for migration.

Need help or advice to ensure your leap towards the cloud is smoothly and efficient? Intercept can help you!