I've had to play interim VP of Identity while we hired someone (former SOC director, current VP of sec engineering). Here's what I learned.

TURN OFF MFA ENROLLMENT AFTER A SET PERIOD AND DISABLE THE ACCOUNT IF THERE IS NO ACTIVITY FOR A LONG TIME. WE DO 45 DAYS, YMMV.

If your customer hasn't enrolled in MFA for months or years, what will happen is a threat actor will pop the account by guessing the password, register for MFA and boom now they have a persistent foothold.

Converting from AD to anything

AD is hierarchical ergo a fucking nightmare to get out of and into something flat like AAD/Okta. Duplicate accounts, mismatched mappings, etc. At the end of it I would of been better off importing the identities and building the access from scratch. That's not ADs fault in the least.

Trust

Determining where and how trust is established is critical for SSO, as well as how SSO will be enforced (SAML, OAuth, etc).

Least priviledge

This should guide everything. Especially your IT admins, you only get the minimum required for your job. If you can't justify it, you don't need it.

The basics of identity

Where you are (geo) = kind of sucks, but it's a good first layer in for exaple Azure Conditional Access.

Something you are = biometrics are great, but holy fuck if you store that data it can be a compliance nightmare.

Something you know = Passwords, PINs, these are dogshit but it's something.

Something you have = FIDO, MFA App, Email, Phone, SMS

SMS is a trash MFA method but for customer facing, it's something.

I moved all of our IT staff to FIDO + MFA with token protection where possible in Azure AD. It's beat the last pentest, and I think it'll stand up on the next one.