LDAP Applications
Lightweight Directory Access Protocol (LDAP) dependent applications can start migrating from 1 July 2025, using the broader guidance on this site in tandem with the LDAP-specific articles in this category:
Applications using LDAP are approved to migrate to Entra ID though there can be some aspects of the migration that are not straightforward. If your application is using LDAP, it is suggested that you setup a consultation with the IDaaS Migration Team before proceeding. They can be reached via - gbl_idaas_team@pwc.com
LDAP-to-Entra ID Migration Assessment
Current State
Certain PwC Identity (ForgeRock) applications make LDAP calls to Directory Services (OpenDJ) via an LDAP client. These can be in addition to their SSO integration or can be direct calls to LDAP.
Future State
To support the migration of these applications from PwC Identity (ForgeRock) to Entra ID, several alternatives were evaluated:
-
Protocol Update: Update application code/configuration to use another protocol (SAML, OAuth/OIDC) to authenticate or obtain user information using tokens.
-
Graph API Integration: Switch to the Graph API in instances where tokens do not provide the required information.
-
One AD LDAP Source: Leverage the existing One AD directory as an LDAP source (applicable to applications that only support internal PwC users).
App Migration Approaches for LDAP Dependencies
The recommended option for ALL applications, including applications currently performing LDAP calls to ForgeRock OpenDJ, is to migrate to Entra ID via one or more of the options listed below:
1 - Token Claims
If your application only needs to query/lookup details about the authenticated user (i.e., the user using the application) then this information can be retrieved via token claims.
If your application needs to retrieve information about users other than the individual using the application, another option will have to be implemented.
2 - Microsoft Graph API Integration
If your application has ability to make REST calls to retrieve user information, you can use Graph API to retrieve user information. You will need to request required Graph API permissions (delegated and/or application level).
For complete guidance, review the topic on Migrating from LDAP to Graph API, a process which involves working with the M365 team, whose SharePoint site contains detailed information and procedures on how to engage with and request appropriate permissions from them. Once you have obtained the permissions, you will need to update your application accordingly.
Additional Guidance:
MS Graph API Approval Matrix, which provides a detailed breakdown of all Graph API permissions and notes which APIs scopes are authorized for use and which require additional security approvals.
3 - LDAP calls to One AD
If your application does not support token claims, Graph API, must use LDAP and ONLY has internal users, you have the option of switching the LDAP calls from ForgeRock OpenDJ to One AD, which requires requesting a service account via SNow.
Once the service account has been created, you will need to update your LDAP client. Please refer to the Appendix for the appropriate values.
Other Options
If your application does not support any of the above options, you will have to engage Identity teams (Engineering/Architecture) along with your application stakeholders (Architects, SMEs, etc.) to discuss and seek an alternative/viable solution to move forward. You can engage the Identity team by sending an email with all the necessary details to: gbl_idaas_team@pwc.com
NOTE: If you are currently using the GUM API for external user management, this approach does not apply to you - your application will be included in a later migration wave
LDAP Options - High Level Flow
