u/Educational_Sign_843

▲ 199 r/AZURE

Been doing Azure migrations for a while now, and I keep seeing the same surprises come up for people tackling this for the first time. Not a 'here's the official Microsoft process' post — this is the stuff that actually bites you in practice.

Before you start:

  1. Your on-premises AD is messier than you think.

Run Azure AD Connect in staging mode before you commit to anything. You will find stale accounts, duplicate UPNs, malformed attributes, and service accounts with passwords that haven't changed since 2009. Fix this BEFORE sync, not after.

  2. Licensing math will surprise you.

Don't just look at Azure VM compute costs. Factor in: Azure Hybrid Benefit (huge if you have Windows Server/SQL licenses), Reserved Instances (1yr or 3yr), and right-sizing (most on-prem servers are significantly over-provisioned). I've seen projects cut projected cloud costs by 40% just from proper right-sizing and licensing optimization before migration.

  3. The dependency map is never complete.

Whatever discovery tool you use (Azure Migrate, Movere, etc.) — there will be undocumented application dependencies that only surface during cutover. Build a rollback plan for every single workload. Every. Single. One.

During migration:

  1. Migrate dev/test first. Always.

No exceptions. It finds your process gaps without production consequences.

  2. ExpressRoute takes weeks to provision.

If you need private connectivity (regulated industries, latency-sensitive apps), start the ExpressRoute order the moment you decide to migrate. Don't wait until you're a week from cutover.

  3. DNS is where migrations die.

Specifically: TTLs that you forgot to lower, legacy hardcoded IPs in application config files, and split-horizon DNS configurations that worked fine on-prem but break in hybrid. Audit your DNS configuration exhaustively before cutover.

  4. Azure Firewall is not your on-prem firewall.

Don't try to replicate your on-prem firewall rules 1:1 in Azure Firewall. It won't work and you'll spend a week debugging. Design for the new environment.

  5. Storage account access tiers will cost you.

Anything hitting your Azure storage that you didn't expect (backup jobs, log shipping, legacy apps you forgot about) will show up in your first month's bill. Enable Storage Analytics and watch it for 2 weeks before going live.

Security gotchas:

  1. No MFA = instant compromise.

In the 72 hours after DNS cutover, attackers are actively probing newly-migrated environments. Enforce MFA on day one, not month two when 'everything is stable.'

  2. PIM on day one, not later.

Standing Global Admin access is a gift to attackers. Set up Azure AD PIM from the start. Everyone thinks they'll do it 'after things settle down.' They don't.

  3. Private Endpoints are non-negotiable for regulated workloads.

If you're migrating anything that touches PII, PHI, cardholder data, or CUI — use Private Endpoints for every PaaS service. Public endpoints on storage accounts containing sensitive data are one of the most common Azure security misconfigurations I see.

Post-migration:

  1. The first Azure bill will shock you.

Not because Azure is expensive — because of the resources you forgot about. Schedule a cost review 30 days post-migration without exception. Unused disks attached to deleted VMs, oversized VMs that weren't right-sized, unnecessary public IP allocations — these add up fast.

  2. Backup validation is not optional.

You tested that the backup job ran. Did you test that it restores? Different question. Schedule a restore test for every critical workload within 30 days of migration.

  3. Azure Monitor is not configured by default.

You need to explicitly enable diagnostics settings to get logs into Log Analytics. Don't discover this at incident response time.

  4. Your users will find a way to access resources from personal devices.

If you haven't configured Conditional Access to require compliant devices (or at minimum MFA) for cloud resource access, your Azure environment is accessible from any laptop, anywhere. Conditional Access is not optional.

u/Educational_Sign_843 — 16 days ago
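One way to check the storage-account exposure point from the security gotchas above, as an added example that is not part of the original post: it reads the JSON that `az storage account list -o json` emits and flags accounts that are still reachable from the public internet or lack a Private Endpoint. The field names (`publicNetworkAccess`, `allowBlobPublicAccess`, `networkRuleSet`, `privateEndpointConnections`) are assumed from that CLI output, and the three accounts below are constructed sample data, not real resources.

```python
"""Audit storage accounts for public exposure (added example, not from the post)."""
import json

# Constructed sample shaped like `az storage account list -o json` output.
# Field names are assumed from the CLI; the accounts themselves are made up.
SAMPLE_JSON = """[
  {"name": "stpayrollprod01", "resourceGroup": "rg-hr",
   "publicNetworkAccess": "Enabled", "allowBlobPublicAccess": true,
   "networkRuleSet": {"defaultAction": "Allow", "ipRules": [], "virtualNetworkRules": []},
   "privateEndpointConnections": []},
  {"name": "stlogsvnet03", "resourceGroup": "rg-ops",
   "publicNetworkAccess": "Enabled", "allowBlobPublicAccess": false,
   "networkRuleSet": {"defaultAction": "Deny", "ipRules": [{"ipAddressOrRange": "203.0.113.10"}],
                      "virtualNetworkRules": []},
   "privateEndpointConnections": []},
  {"name": "stphiarchive02", "resourceGroup": "rg-clinical",
   "publicNetworkAccess": "Disabled", "allowBlobPublicAccess": false,
   "networkRuleSet": {"defaultAction": "Deny", "ipRules": [], "virtualNetworkRules": []},
   "privateEndpointConnections": [{"name": "pe-stphiarchive02"}]}
]"""


def audit_storage_account(acct):
    """Return a list of finding strings for one storage account dict."""
    findings = []
    rules = acct.get("networkRuleSet") or {}
    # publicNetworkAccess can be null on older accounts; null behaves as Enabled.
    if (acct.get("publicNetworkAccess") or "Enabled") != "Disabled":
        findings.append("public network access enabled")
        if rules.get("defaultAction", "Allow") == "Allow":
            findings.append("network default action is Allow (no IP/VNet restriction)")
    if acct.get("allowBlobPublicAccess"):
        findings.append("anonymous blob access permitted")
    if not acct.get("privateEndpointConnections"):
        findings.append("no private endpoint connection")
    return findings


def audit_all(json_text):
    """Map account name -> findings, only for accounts with at least one finding."""
    results = {}
    for acct in json.loads(json_text):
        findings = audit_storage_account(acct)
        if findings:
            results[acct["name"]] = findings
    return results


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_JSON).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Pipe real output in with `az storage account list -o json > accounts.json` and load that file instead of `SAMPLE_JSON`; an account that disappears from the report has public access disabled and at least one Private Endpoint.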