Introduction
Is your organization planning a shift from a traditional on-premises Active Directory (AD) to cloud-based Microsoft Entra ID for identity management?
If you rely on PaperCut MF for print management, you’re likely wondering how this change will impact your print environment and what’s needed for a smooth transition.
This page applies to you if…
You’re a system administrator, and your organization has decided to migrate its user identities from the local Active Directory to Microsoft Entra ID. However, PaperCut MF is deeply integrated with your current on-premises AD for user authentication, tracking print usage, managing quotas, and generating reports.
You need a clear path to reconfigure PaperCut MF to work seamlessly with Entra ID without disrupting user experience, losing valuable historical print data, or compromising existing print controls and workflows.
Key questions on your mind might be:
- How do I ensure all my existing PaperCut user accounts, along with their data like print history, balances, and card/PIN information, are preserved when we switch to Entra ID?
- What’s the best way to sync users from Entra ID?
- Will our current print reporting be affected, and how can we keep historical print data?
- What are the potential pitfalls, and how can we guarantee a successful migration with minimal disruption?
Migrating PaperCut MF alongside your identity infrastructure requires careful planning. This guide details considerations, challenges, and steps for a successful transition, ensuring PaperCut MF operates effectively in an Entra ID environment.
Different user identification methods
A challenge arises when migrating from on-prem Active Directory to Entra ID due to differing user identification methods. While Active Directory utilizes sAMAccount names (traditional usernames), Entra ID employs User Principal Names (UPNs).
This discrepancy creates issues in tracking print jobs within mixed environments, as the print job “owner” (for example, “bobsmith”) may not align with the synchronized UPN in PaperCut (for example, “bobsmith@papercut.com”).
sAMAccountName vs. User Principal Name (UPN)
Prior to examining potential approaches, it’s crucial to understand the variety of identity formats that may be encountered. A comparison between the two prevalent types of user identifiers is beneficial for this purpose.
| Feature | sAMAccountName (On-Premises AD) | User Principal Name (UPN) (Entra ID / Modern AD) |
|---|---|---|
| Username Format | username or DOMAIN\username | username@domain.com (email-like format) |
| Example | jsmith or YOURDOMAIN\jsmith | jsmith@yourcompany.com |
| Usage | Older logon name, pre-Windows 2000 logins, often used for legacy applications, NetBIOS names. | Modern logon name, email address, primary identifier in Entra ID, used for cloud services. |
| Uniqueness | Must be unique within a domain. (Other users in the Forest may have the same username.) | Must be unique across the entire Entra ID tenant (global). |
| Key for Migration | Often the attribute you'll use for matching existing users (e.g., mapping to Alias in PaperCut). | The primary identifier for users in your new cloud environment. |
Key considerations
Primary Entra ID Sync Source
You’ll need to configure PaperCut MF’s primary sync source to Microsoft Entra ID. For that procedure, head over to Synchronize user and group details with standard Entra ID.
PaperCut MF relies on a primary source for core user information. Entra ID must be the primary sync source. When using Entra ID, PaperCut will typically use the User Principal Name (UPN) as the primary username.
It is crucial to understand how PaperCut MF handles UPNs and to prepare your environment accordingly. For detailed guidance, refer to Preparing to use UPN usernames when syncing with the standard Entra ID sync method.
For a phased migration, a secondary source (like LDAP to your old Domain Controller) is optional and allows:
- continued synchronization of user details from your old domain controller
- PaperCut to retain links to old AD accounts for reporting purposes while you gradually transition users to Entra ID.
(Optional) Secondary LDAP Sync Source
For a phased migration, consider setting up a secondary sync source using LDAP to continue synchronizing user details from your old domain controller.
Do I really need a secondary server?
A secondary LDAP sync might not be necessary if:
- all essential user attributes (including card numbers, PINs, and group memberships) are accurately mirrored between your on-premises AD and Entra ID
- Entra ID contains the onPremisesSamAccountName (or an equivalent attribute) that PaperCut can use to match existing users.
However, ensuring consistency of the critical identifiers that PaperCut uses (PINs, card numbers, etc.) is crucial.
Matching accounts
A key technique for matching accounts during a phased migration is aliasing. This method involves mapping the onPremisesSamAccountName to the Alias field in PaperCut, as described in Aliasing in PaperCut. This mapping is crucial for PaperCut MF to recognize that an Entra ID-synced account (using its UPN) is the same user as an existing on-premises AD account (using its sAMAccountName).
Why consider mapping onPremisesSamAccountName to the Alias field (aliasing)?
This technique prevents the creation of duplicate users and safeguards historical data (balances, print history, card/PINs) linked to the old identity. It’s particularly useful during phased migrations to bridge identity formats and maintain service continuity. However, verify all required attributes are present and consistent.
Account matching methods
To ensure data retention, existing on-premises accounts must be accurately matched to their Entra ID UPN counterparts. If they aren’t matched, Entra ID accounts will be created as new accounts in PaperCut and will start with zero history, zero balance (unless new user creation rules apply), and no associated card/PIN.
Matching can be achieved through either of the following methods:
- Aliasing — This method matches existing on-premises accounts to Entra ID accounts by mapping a legacy identifier (like onPremisesSamAccountName) to the Alias field. It is suitable for short-term use or phased migrations, as described in Aliasing in PaperCut.
- Renaming Usernames — For a complete cutover, renaming on-premises usernames to their Entra ID UPNs is recommended. This maintains account details (PINs, balances) and aligns with the new platform, as documented in Renaming user accounts.
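A pre-cutover check for the matching described above, as an added example that is not PaperCut's own tooling: it pairs existing PaperCut usernames with Entra ID UPNs through onPremisesSamAccountName and reports the accounts that would not match cleanly. The CSV layout, the sample users, case-insensitive comparison, and the names sam_key and plan_matching are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data. Column names follow the Entra ID attributes named
# on this page; the export format itself is an assumption.
ENTRA_EXPORT = """userPrincipalName,onPremisesSamAccountName
jsmith@yourcompany.com,jsmith
bobsmith@yourcompany.com,BobSmith
a.lee@yourcompany.com,alee
alee@subsidiary.example,alee
newhire@yourcompany.com,
"""
PAPERCUT_USERS = ["jsmith", "YOURDOMAIN\\bobsmith", "alee", "mgarcia"]


def sam_key(name):
    """Normalize a legacy logon name: drop DOMAIN\\ prefix, ignore case (assumption)."""
    return name.split("\\")[-1].strip().lower()


def plan_matching(entra_csv, papercut_users):
    """Pair each existing PaperCut username with exactly one Entra ID UPN."""
    by_sam, cloud_only = defaultdict(list), []
    for row in csv.DictReader(io.StringIO(entra_csv)):
        upn = row["userPrincipalName"].strip().lower()
        sam = sam_key(row["onPremisesSamAccountName"] or "")
        (by_sam[sam] if sam else cloud_only).append(upn)

    plan = {"matched": {}, "ambiguous": {}, "unmatched": [], "new_accounts": []}
    for name in papercut_users:
        upns = by_sam.get(sam_key(name), [])
        if len(upns) == 1:
            plan["matched"][name] = upns[0]         # safe to alias or rename
        elif upns:
            plan["ambiguous"][name] = sorted(upns)  # same sAMAccountName in two domains
        else:
            plan["unmatched"].append(name)          # no Entra ID counterpart found
    known = {sam_key(n) for n in papercut_users}
    # UPNs with no existing PaperCut account: these would start with zero history.
    plan["new_accounts"] = sorted(
        cloud_only + [u for s, us in by_sam.items() if s not in known for u in us])
    return plan


if __name__ == "__main__":
    for bucket, entries in plan_matching(ENTRA_EXPORT, PAPERCUT_USERS).items():
        print(bucket, entries)
```

Resolve every entry in the ambiguous and unmatched buckets before aliasing or renaming; a legacy user whose Entra ID record lacks onPremisesSamAccountName shows up in both unmatched and new_accounts.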
Discarding legacy AD Sync (Entra ID only)
This section addresses the complexities of a complete transition to Entra ID.
User Card/PIN and User Balance
These are stored within the PaperCut MF database. If user accounts are correctly matched, these details remain unchanged.
User reports
This is the most challenging aspect. If you switch entirely to Entra ID and remove the old AD accounts from PaperCut, historical reports based on the old AD identities (typically the sAMAccountName) will no longer function as expected. PaperCut will then rely on the Entra ID User Principal Name (UPN). Mitigating this requires careful consideration of the following:
- Dual sync (transitional) — The most reliable approach is a temporary dual synchronization. Maintain the secondary LDAP sync to your old Domain Controller. This allows PaperCut to retain links to old AD accounts for reporting while you gradually transition users to Entra ID. This allows time to generate necessary historical reports before fully switching.
- Export/Import reports — Before the final cutover, export all essential historical reports from PaperCut. This creates a static snapshot, preserving the data.
- Custom Reporting — If you have the expertise, you might be able to customize PaperCut’s reporting to use a cross-reference table mapping Entra ID UPNs to the old sAMAccountName to reconstruct reports. This is complex and time-consuming.
- Accept Data Loss (Partial) — In some cases, the cost of maintaining historical data may outweigh the benefits. You might have to accept some data loss for very old reports, focusing on preserving recent data.
Other impacts
- Group Memberships — Ensure group memberships are correctly synchronized from AD to Entra ID. PaperCut MF may use groups for access control or print quotas.
- Authentication — Thoroughly test authentication after migration. Users should be able to log in to the PaperCut MF user interface using their Entra ID credentials, for example, user@domain.com.
- Print Queues — Verify that print queues and their configurations are unaffected by the user migration.
- Scripts/integrations — Custom scripts or integrations that rely on specific AD attributes will need to be updated to use the corresponding Entra ID attributes. For example, sAMAccountName is commonly used in on-premises AD for logon names and application integrations, whereas in Entra ID the primary user identifier is typically the User Principal Name (userPrincipalName), alongside other attributes such as mail or givenName/surname.
- UPN Login — Consider whether users currently use UPNs to log into computers, as the transition will be affected if users are required to change the way they log onto their computer, for example, from sAMAccountName (DOMAIN\user) to UPN (user@domain.com).
Account purging
- Using the Delete users that do not exist in the selected source (on “Synchronize Now” only) option will purge non-existent accounts. Exercise caution and ensure all required accounts are correctly linked before purging any old accounts.
Migration approach
- Phased migration vs. full cutover — Determine whether to migrate users in phases or perform a full cutover. A phased approach allows for gradual transition and testing.
- Bulk renaming — Consider scripting the bulk renaming of usernames to UPNs for a more efficient full cutover, as explained in Renaming users in PaperCut MF/NG .
Key recommendation: thorough testing is essential!
Set up a test environment that mirrors your production setup as closely as possible.
Migrate a small group of users first to identify and resolve any issues before impacting everyone. Pay close attention to user matching, card/PINs, balances, and reporting. The dual sync approach is the safest, though more complex.
If you opt for a direct cutover, be prepared for potential reporting challenges. Contact PaperCut support for their best practices and recommendations for Entra ID migrations. They may have specific tools or advice to offer.