Intro
Most Cloud Adoption Framework guides start by building platforms. This one starts with people and a plan.
If you’re an MSP or system integrator with on-prem customers or your own data center, use this hybrid-first path to turn strategy into action fast:
▸ Confirm outcomes
▸ Assign roles using RACI (Responsible, Accountable, Consulted, Informed)
▸ Snapshot the digital estate
▸ Choose the “8 Rs” per workload (Retire, Retain, Rehost, Replatform, Refactor, Rearchitect, Rebuild, Replace)
▸ And sequence the first migration wave before touching landing zones
Along the way you’ll get only what you need to move:
▸ A couple of copy-paste PowerShell checks and a small inventory snippet (no forms)
▸ Plus a pointer to Microsoft’s official End-of-Support source for precise dates
The result is a living adoption backlog that respects real-world constraints and actually ships value.
People First: Roles & RACI
Before you touch platforms, make ownership crystal-clear. Define who drives adoption, who runs platform guardrails, and who is accountable per workload.
RACI
| Workstream / Workload | Purpose (what this team owns) | Responsible (R) | Accountable (A) | Consulted (C) | Informed (I) |
|---|---|---|---|---|---|
| Adoption (overall) | Backlog, wave planning, comms & change | Cloud Adoption Lead | Exec Sponsor | CIO, CISO, PMO | Helpdesk, Finance |
| Platform guardrails | Identity, networking, policy, landing zones | Platform/Infra Lead | Head of IT | Security, Networking, Identity | App Owners |
| Security & compliance | Reviews, risk mgmt, compliance mapping | Security Lead | CISO | Platform, Data, Legal | Exec Sponsor, PMO |
| Workload: Customer Portal | Wave 1 delivery for this app | App Team Lead | LoB/Product Owner | Platform, Security, DBAs | Support, PMO |
| Workload: Data Warehouse | Wave 1 delivery for this data platform | Data/Analytics Lead | LoB/Product Owner | Platform, Security, Networking | Support, PMO |
Tip: Replace role titles with names once confirmed. Keep the table in your repo/wiki and update per wave.
Quick checklist
▸ [ ] Accountability set:
Each Wave 1 workload has a named A (Accountable) and an R (Responsible)
▸ [ ] Capacity secured:
Adoption & Platform teams have bandwidth and time-boxed commitments
▸ [ ] Security in the loop:
Security/Compliance are C (Consulted) with a defined review SLA (e.g., 3 business days)
▸ [ ] Cadence agreed:
Reporting rhythm set (weekly/bi-weekly) with a short, consistent template
▸ [ ] Escalation path:
Who unblocks decisions within 24h–48h is documented
▸ [ ] Kick-off booked (60 min):
Outcomes/KPIs (10) → Wave 1 candidates (15) → Draft RACI (15) → Next steps (20)
▸ [ ] Published & visible:
RACI stored in a shared location; owners linked on backlog items
▸ [ ] Next 7–10 days committed:
3–5 tasks assigned with owners & due dates (e.g., estate snapshot, 8Rs workshop, security review)
Prioritize & Sequence Value × Feasibility
Score each candidate workload on Value (business impact) and Feasibility (readiness, risk, effort) from 1–5. Multiply to get a priority score (V×F). Pick a small, representative Wave 1 you can complete in 4–6 weeks.
Value × Feasibility scoring
| Workload | Value (1–5) | Feasibility (1–5) | Score (= V×F) | Notes / Risks | Decision |
|---|---|---|---|---|---|
| Customer Portal (DB + API) | 5 | 3 | 15 | DB dependency; change window needed | ✅ Wave 1 |
| Data Warehouse | 4 | 4 | 16 | Throughput OK; network verified | ✅ Wave 1 |
| Legacy Report Generator | 2 | 5 | 10 | No usage last 6 months | 🔸 Retire / later |
Tip: If you can’t decide an 8R disposition quickly, default to Rehost (bridge) or Replatform (PaaS) and revisit later.
Scenario: On-Prem SQL Server 2014 (End of Support)
Context:
▸ Classic 3-tier app. Database = SQL Server 2014 (End of Support July 9, 2024)
▸ OS = Windows Server 2012 R2 (End of Support Oct 10, 2023)
▸ Goal = reduce risk now, then modernize on your timeline, without rebuilding platforms first
Heads-up on ESU timing:
▸ If you activate paid Extended Security Updates (ESU) for on-prem workloads after the End-of-Support date via Azure Arc (Windows or SQL), Microsoft charges a one-time bill-back for the months that have elapsed in the current ESU year.
▸ In Azure (e.g., Azure VMs/AVS/Stack), ESUs are included, no ESU license fee and no ESU bill-back.
Step 1: Bridge risk in days
▸ Win Server 2012/2012 R2 ESU via Azure Arc + Update Manager
Onboard the server to Azure Arc, purchase/enable ESU, then use Azure Update Manager to schedule deployments and track compliance
▸ SQL Server 2014 ESU
- On-prem/hosted: onboard the instance to Azure Arc-enabled SQL Server and subscribe ESU
- In Azure (VMs/AVS/Stack): ESU is included, you pay only for the Azure resources
▸ Verify backups & monitoring. Define a maintenance window and a simple rollback
Deliverables this week
▸ Arc agent connected on OS + SQL; baseline policies assigned
▸ ESU active (Windows + SQL); Update Manager window & compliance reports configured
▸ Backup-restore test passed
Step 2: 8 Rs per workload
▸ Database (SQL 2014):
Prefer Replatform to Azure SQL Managed Instance in Wave 2 (if feature-compatible).
If not ready, Rehost to an Azure VM as a bridge while you refactor
▸ App/Web tiers:
Likely Retain/Rehost short term; schedule modernization later
Step 3: Wave 1 backlog
▸ Epic: Stabilize “Customer-Portal DB” under ESU
- Feature: Arc onboarding & ESU activation (Windows + SQL)
- Task: Connect servers to Arc; enroll ESU (Windows) & subscribe ESU (SQL)
- Task: Configure Update Manager maintenance window & compliance reports
- Feature: Risk controls
- Task: Verify backups & test restore; alert on failed jobs
- Task: Capture dependencies (app → DB, jobs/ETL, linked servers)
Exit criteria
▸ ESU compliant; last 30 days patch compliance ≥ 95%
▸ Backup-restore test passed
▸ Named Accountable owner for DB & app; Security review SLA ≤ 3 business days
One-liners (sanity checks)
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10sqlcmd -Q "SELECT @@VERSION"Mini tool: Hybrid estate inventory
Read-only, quick snapshot for Windows servers. Exports a CSV with OS info and flags Windows Server 2012/2012 R2 as EoS risk.
What it does
▸ Queries OS caption/version and last boot via CIM/WMI
▸ Flags High risk for WS 2012/2012 R2 (EoS: 2023-10-10)
▸ Writes .\estate.csv for your Wave 1 planning
Requirements
▸ PowerShell 5.1+ (Windows); network reachability to targets
▸ For Option A: RSAT ActiveDirectory module
Option A: Discover from Active Directory (exports estate.csv)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
Import-Module ActiveDirectory
Get-ADComputer -Filter 'OperatingSystem -like "*Windows Server*"' -Properties DNSHostName |
Where-Object DNSHostName |
ForEach-Object {
$s = $_.DNSHostName
try {
$os = Get-CimInstance Win32_OperatingSystem -ComputerName $s -ErrorAction Stop
$risk = 'OK'; $eos = ''
if ($os.Caption -match 'Windows Server 2012( R2)?') { $risk = 'High'; $eos = '2023-10-10' }
[pscustomobject]@{
ComputerName = $s
OSCaption = $os.Caption
OSVersion = $os.Version
LastBoot = $os.LastBootUpTime
EoS_End = $eos
Risk = $risk
}
} catch {
[pscustomobject]@{ ComputerName=$s; OSCaption='N/A'; OSVersion=''; LastBoot=''; EoS_End=''; Risk='Unreachable' }
}
} |
Export-Csv -NoTypeInformation -Encoding UTF8 .\estate.csv
Write-Host "Saved to .\estate.csv"
Option B: Target specific servers (no AD needed)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
$servers = @('srv1','srv2','srv3')
$rows = foreach ($s in $servers) {
try {
$os = Get-CimInstance Win32_OperatingSystem -ComputerName $s -ErrorAction Stop
$risk = 'OK'; $eos = ''
if ($os.Caption -match 'Windows Server 2012( R2)?') { $risk = 'High'; $eos = '2023-10-10' }
[pscustomobject]@{
ComputerName = $s
OSCaption = $os.Caption
OSVersion = $os.Version
LastBoot = $os.LastBootUpTime
EoS_End = $eos
Risk = $risk
}
} catch {
[pscustomobject]@{ ComputerName=$s; OSCaption='N/A'; OSVersion=''; LastBoot=''; EoS_End=''; Risk='Unreachable' }
}
}
$rows | Export-Csv -NoTypeInformation -Encoding UTF8 .\estate.csv
Write-Host "Saved to .\estate.csv"
CSV columns
ComputerName, OSCaption, OSVersion, LastBoot, EoS_End, Risk
Tip: Run Windows Terminal/PowerShell as Administrator for fewer RPC/CIM hiccups. Both variants are read-only and safe to run.
EOL & Product Lifecycle
For End of Support (EoS) and lifecycle dates, always use the official Microsoft source:
Tip: In your client work, deep-link the exact product pages (e.g., Windows Server 2012/2012 R2, SQL Server 2014) so readers see the precise dates and ESU notes.
Wrap-up
Plan before platforms.
With owners named, a light estate snapshot, 8-R decisions, and a sequenced Wave 1, you’ve got a living backlog your team can execute next week.
The SQL Server 2014 example shows how to de-risk fast (ESU + hygiene) while keeping options open for the right target (PaaS where possible, VM/HCI where constraints apply).
What’s next
Next time we’ll look at CAF Ready, the minimal guardrails to run Wave 1 safely, still hybrid-first.
Short, practical, and easy to change if priorities shift.