Opella Identity Carve-Out
Led the delivery of a completely new identity foundation for Opella, migrating 16,000 users from Sanofi's corporate directory to a standalone Azure AD with modern security controls.
Problem
Opella could not legally or operationally exist as an independent company while its 16,000 users authenticated against Sanofi's Active Directory. There was no standalone identity fabric, no privileged access management, and no modern MFA. Identity separation was on the critical path for TSA exit and regulatory independence.
Outcome
Led the build of a single-forest Active Directory on Windows Server with modern functional level. Implemented Entra ID Connect with password hash sync and phishing-resistant MFA for administrators. Built a 5-layer Enterprise Access Model enforced by CyberArk Just-In-Time access. Defined Conditional Access policies with secure foundations, break-glass exclusions, and cloud-only control plane accounts.
Impact
Migrated 16,000 users to a unified identity platform with zero authentication downtime. Established a security baseline aligned with the Microsoft Security Compliance Toolkit. Enabled Opella's full regulatory independence from Sanofi.
Identity is not a back-office function. In a carve-out, it is existential. You cannot sign contracts, access patient data, or pass a regulatory audit if you do not own your own directory.
Opella had 16,000 users in Sanofi’s Active Directory. My job was to build them a new one, cut the cord, and do it without anyone getting locked out of their laptop on Monday morning.
The architecture
I drove the decision to build a single-forest, single-domain Active Directory. Complexity is the enemy of security in a greenfield separation. Multiple forests create trust relationships that become attack paths. We kept it tight.
The team built on Windows Server with a functional level that balanced modern features against compatibility. The forest stayed lean: one domain, no unnecessary trusts, no legacy baggage carried over from Sanofi.
Privileged access
I implemented a 5-layer Enterprise Access Model, enforced by CyberArk Just-In-Time access. High-privileged accounts do not sit around with permanent admin rights. They get elevated for specific tasks, for specific time windows, with full audit trails.
Key decisions:
- Control Plane and Management Plane accounts are contained using Authentication Policy. They cannot log in where they should not be.
- High-privileged accounts do not sync to Entra ID. The cloud should not inherit the keys to the kingdom.
- DNS tasks are automated in ServiceNow. No manual DNS record creation by admins. App owners launch forms, the system provisions.
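The first two decisions above (containing Control Plane and Management Plane accounts with an Authentication Policy, and keeping high-privileged accounts out of the Entra ID sync scope) can be implemented and then verified with the ActiveDirectory module. The script below is an added example, not Opella's or the author's code: it creates an Authentication Policy and Silo for Tier 0, enrols the Tier 0 accounts, domain controllers and admin hosts, and then audits that every member of the highest-privilege groups is inside the silo and outside the OU that Entra ID Connect synchronizes. The domain, OU paths, silo and policy names, and the "OU=Synced" sync scope are placeholders.

```powershell
# Added example (not Opella's or the author's code): contain Tier 0 accounts with an
# AD Authentication Policy Silo, then audit the privileged groups against it.
# Assumptions: contoso.example, the OU paths, the policy/silo names and the Entra
# Connect sync scope OU are placeholders. Run from a Tier 0 host as a Domain Admin.
Import-Module ActiveDirectory

$PolicyName = 'T0-ControlPlane-Policy'                         # placeholder
$SiloName   = 'T0-ControlPlane-Silo'                           # placeholder
$T0UsersOU  = 'OU=Tier0-Users,OU=Admin,DC=contoso,DC=example'  # placeholder
$T0HostsOU  = 'OU=Tier0-Hosts,OU=Admin,DC=contoso,DC=example'  # placeholder
$SyncScope  = 'OU=Synced,DC=contoso,DC=example'                # placeholder: OU that Entra Connect syncs

# 1. Policy: Tier 0 users may authenticate only from devices that carry the silo
#    claim, and their TGTs expire after two hours. The SDDL is the documented
#    form of the AuthenticationSilo claim condition.
$allowedFrom = 'O:SYG:SYD:(XA;OICI;CR;;;WD;(@USER.ad://ext/AuthenticationSilo == "' + $SiloName + '"))'
New-ADAuthenticationPolicy -Name $PolicyName -Enforce `
    -UserTGTLifetimeMins 120 `
    -UserAllowedToAuthenticateFrom $allowedFrom

# 2. Silo: binds the policy to users, computers and service accounts as one unit.
New-ADAuthenticationPolicySilo -Name $SiloName -Enforce `
    -UserAuthenticationPolicy $PolicyName `
    -ComputerAuthenticationPolicy $PolicyName `
    -ServiceAuthenticationPolicy $PolicyName

# 3. Membership: Tier 0 accounts plus the only hosts they may use (DCs and admin hosts).
$members = @(Get-ADUser -SearchBase $T0UsersOU -Filter *) +
           @(Get-ADComputer -SearchBase $T0HostsOU -Filter *) +
           @(Get-ADDomainController -Filter * | ForEach-Object { Get-ADComputer -Identity $_.ComputerObjectDN })
foreach ($m in $members) {
    Grant-ADAuthenticationPolicySiloAccess -Identity $SiloName -Account $m
    if ($m.ObjectClass -eq 'user') { Set-ADUser -Identity $m -AuthenticationPolicySilo $SiloName }
    else                           { Set-ADComputer -Identity $m -AuthenticationPolicySilo $SiloName }
}

# 4. Audit: every member of the highest-privilege groups must be in the silo and
#    must not live under the OU that Entra Connect synchronizes.
function Test-ControlPlaneContainment {
    $groups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
    $findings = foreach ($g in $groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties 'msDS-AssignedAuthNPolicySilo', DistinguishedName |
            ForEach-Object {
                $silo = $_.'msDS-AssignedAuthNPolicySilo'
                [pscustomobject]@{
                    Group         = $g
                    Account       = $_.SamAccountName
                    InSilo        = [bool]($silo -and $silo -like "CN=$SiloName,*")
                    OutsideSyncOU = ($_.DistinguishedName -notlike "*,$SyncScope")
                }
            }
    }
    # Only the violations come back; empty output means every account is contained.
    $findings | Where-Object { -not $_.InSilo -or -not $_.OutsideSyncOU }
}
Test-ControlPlaneContainment | Format-Table -AutoSize
```

Two caveats for anyone reproducing this: the silo claim only works once "KDC support for claims, compound authentication and Kerberos armoring" is enabled on the domain controllers and "Kerberos client support for claims" on the member hosts, and a policy created with -Enforce locks people out immediately, so it is normal to create it without -Enforce first, read the audit-only events, and enforce after the silo membership is confirmed.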
Entra ID and modern authentication
- Entra ID Connect for identity synchronization.
- Password hash sync for authentication.
- Passwordless MFA during build. Phishing-resistant MFA as the target for all administrators.
- Conditional Access with secure foundations applied broadly.
- Break-glass accounts and service principals excluded from standard policies. You need a way in when automation fails.
- Entra ID Control Plane and Management Plane accounts are cloud-only. No hybrid vulnerability for the most sensitive identities.
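The Conditional Access items above (phishing-resistant MFA for administrators, break-glass accounts excluded from standard policies) translate into a single policy plus a recurring check that no policy in the tenant could lock the break-glass accounts out. The script below is an added example using the Microsoft Graph PowerShell SDK, not Opella's or the author's code: it creates the policy in report-only state first, targeting every built-in administrator role and excluding the break-glass accounts, then lists any enabled policy that lacks the exclusion. The break-glass naming convention and the policy name are placeholders; the authentication strength ID is the built-in "Phishing-resistant MFA" value.

```powershell
# Added example (not Opella's or the author's code): admin Conditional Access policy
# with break-glass exclusions, plus a check for policies that omit the exclusion.
# Assumptions: Microsoft.Graph SDK installed; break-glass accounts follow the
# placeholder UPN prefix 'breakglass'; the policy display name is a placeholder.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'User.Read.All', 'RoleManagement.Read.Directory'

# Break-glass accounts, looked up by naming convention (placeholder). Two is the minimum.
$breakGlass = Get-MgUser -Filter "startsWith(userPrincipalName,'breakglass')" -All
if (@($breakGlass).Count -lt 2) { throw "Expected at least two break-glass accounts, found $(@($breakGlass).Count)" }

# Every built-in role template whose name marks it as an administrator role,
# resolved at run time rather than from a hard-coded GUID list.
$adminRoleIds = (Get-MgDirectoryRoleTemplate -All |
                 Where-Object { $_.DisplayName -like '*Administrator*' }).Id

$phishingResistantMfa = '00000000-0000-0000-0000-000000000004'   # built-in authentication strength

$policy = @{
    displayName = 'CA-Admins-Require-PhishingResistantMFA'       # placeholder
    state       = 'enabledForReportingButNotEnforced'           # report-only first; enforce after reviewing sign-in logs
    conditions  = @{
        users = @{
            includeRoles = $adminRoleIds
            excludeUsers = @($breakGlass.Id)                    # emergency access path stays open
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator               = 'OR'
        authenticationStrength = @{ id = $phishingResistantMfa }
    }
}
$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# Check: any enabled or report-only policy that does not exclude all break-glass
# accounts is a lockout risk when automation or MFA fails. Should return nothing.
function Get-PolicyMissingBreakGlassExclusion {
    param([string[]]$BreakGlassIds)
    foreach ($p in Get-MgIdentityConditionalAccessPolicy -All) {
        if ($p.State -eq 'disabled') { continue }
        $excluded = @($p.Conditions.Users.ExcludeUsers)
        $missing  = @($BreakGlassIds | Where-Object { $_ -notin $excluded })
        if ($missing.Count -gt 0) {
            [pscustomobject]@{
                Policy            = $p.DisplayName
                State             = $p.State
                MissingExclusions = ($missing -join ',')
            }
        }
    }
}
Get-PolicyMissingBreakGlassExclusion -BreakGlassIds $breakGlass.Id | Format-Table -AutoSize
```

Running the check on a schedule is the point: a break-glass exclusion that was present when the policy was written is easily lost when someone edits the policy in the portal months later, and nothing else in the tenant will warn you until the day you need the account.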
Security hardening
- Microsoft Security Compliance Toolkit baselines for domain controllers and member servers.
- Windows Firewall enabled on all Control Plane and Management Plane systems.
- Palo Alto firewalls configured as default DNS forwarders on Domain Controllers. Internal DNS never touches external resolvers directly.
- Azure VM backup as a temporary recovery solution, with a roadmap to Semperis or Quest for full AD forest recovery.
- Recycle bin enabled. Basic, but you would be surprised how many directories skip this.
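Three of the items above are cheap to verify continuously on a domain controller: the AD Recycle Bin is enabled forest-wide, DNS forwarders point only at the approved internal resolvers with root hints disabled, and every Windows Firewall profile is on. The script below is an added read-only baseline check, not Opella's or the author's code; the forwarder addresses are placeholders for the firewall-hosted DNS listeners, and the ActiveDirectory, DnsServer and NetSecurity modules are assumed to be present.

```powershell
# Added example (not Opella's or the author's code): read-only baseline check for
# three hardening items, intended for a scheduled compliance job on each DC.
# Assumptions: forwarder addresses are placeholders; modules are installed locally.
Import-Module ActiveDirectory, DnsServer, NetSecurity

$ApprovedForwarders = @('10.0.0.53', '10.0.1.53')   # placeholder: internal firewall DNS listeners

function Test-AdRecycleBinEnabled {
    $feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
    # EnabledScopes stays empty until Enable-ADOptionalFeature has been run for the forest.
    [bool](@($feature.EnabledScopes).Count -gt 0)
}

function Test-DnsForwardersApproved {
    param([string[]]$Approved)
    $fwd        = Get-DnsServerForwarder
    $configured = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString })
    $unexpected = @($configured | Where-Object { $_ -notin $Approved })
    # UseRootHint would let the DC resolve externally on its own when forwarders fail;
    # the design on this page forbids any direct path to external resolvers.
    [pscustomobject]@{
        Configured  = ($configured -join ',')
        Unexpected  = ($unexpected -join ',')
        UseRootHint = $fwd.UseRootHint
        Pass        = ($configured.Count -gt 0 -and $unexpected.Count -eq 0 -and -not $fwd.UseRootHint)
    }
}

function Test-FirewallProfilesEnabled {
    $off = @(Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' })
    [pscustomobject]@{ DisabledProfiles = ($off.Name -join ','); Pass = ($off.Count -eq 0) }
}

$results = [ordered]@{
    RecycleBin = Test-AdRecycleBinEnabled
    Dns        = (Test-DnsForwardersApproved -Approved $ApprovedForwarders).Pass
    Firewall   = (Test-FirewallProfilesEnabled).Pass
}
$results
if ($results.Values -contains $false) { exit 1 }   # non-zero exit surfaces drift in the job scheduler
```

The DNS check deliberately fails on root hints as well as on an unexpected forwarder: a DC that falls back to root hints when the firewall listener is unavailable has quietly reopened the direct path to external resolvers that the design removed.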
The cutover
We migrated 16,000 users with zero authentication downtime. The security baseline passed internal audit. Opella could finally prove regulatory independence.
Identity is invisible when it works. When it fails, it is the only thing that matters. We made sure it worked.