LeadThem Consulting
Blog · May 7, 2026

By Jim Ruder · May 7, 2026
COO, LeadThem Consulting
I saw a tip from a Microsoft PM this week on hardening Entra ID by ditching AD FS for Password Hash Sync. It's a solid point, especially for teams still running on-premises federation. We've handled migrations where clinging to AD FS left unnecessary attack surfaces open, complicating everything from authentication flows to hybrid identity management. In my experience leading domain consolidations, moving to PHS simplifies the architecture and cuts down on those legacy servers that are prime targets. At scale, with thousands of endpoints, we've seen how it streamlines disaster recovery too, since you're not babysitting federation infrastructure during outages. But there's a trade-off: you need solid planning for sync scopes and fallback auth to avoid disruptions. We at LTC focus on these Entra migrations, drawing from over 250 projects to get the details right. It's about reducing complexity without introducing new risks. What's one legacy auth setup you've migrated away from, and what surprised you in the process?
#EntraID #IdentityMigration #ActiveDirectory #CloudSecurity #Microsoft365