Hey Rafa,
Thank you for the questions. I will try to answer them as best as I can. I do want to add, however, that I do recommend using our professional services for migration/deployment advice.
So, the first and foremost, your migration/strategy plan is a good approach, just remember to test...test...and test!
As mentioned in our KBs, please note:
- User and group attributes (email, UPN, first name, last name) must be identical in both Entra ID and LDAP to prevent duplicate objects.
- SCIM provisioned groups override LDAP groups with the same name.
- Users are automatically removed from LDAP groups and added to SCIM groups when the migration occurs.
Regarding UA identity, since you are not using an On-Prem server for user mapping and plan to use SCIM, you need to use the Identity Agent (IA) feature with Cato. This requires the Cato SDP client to be installed on your machines.
I have provided both KBs below; please do have a good read:
https://support.catonetworks.com/hc/en-us/articles/13815807963293-Using-Cato-Identity-Agents-for-User-Awareness
With the below KB, I believe this feature is still in EA (Early Access), so this may be something that could also interest you, where you don't need a ZTNA license for UA authentication:
https://support.catonetworks.com/hc/en-us/articles/33142804221725-Using-Cato-Identity-Agents-for-User-Awareness-EA-Authentication-without-a-ZTNA-License
So, regarding Entra logins, I believe that Entra ID login events don't contain internal LAN IP addresses; the IA reports data to the respective Cato PoP, which contains the user identity and the socket/site the user is connected to.
I am aware that we have UA for shared hosts, but it requires an active on-prem AD, so I think it will not work in your scenario.
Yes, you are correct. I would recommend disabling Always-On during migration and re-enabling post-migration.
Finally, I am not a Windows Server expert (sorry to say), but logic/common sense tells me you should aim to cut over the parent/child domain together! I would recommend speaking with your respective experts internally on this, as I believe other factors may need some consideration, like group mappings (i.e. cross-domain nested groups, authentication, etc.).
I hope this helps!
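The first two bullets in the reply above (attributes must be identical in Entra ID and LDAP to avoid duplicate objects; SCIM groups override LDAP groups with the same name) are the kind of thing worth checking with a script before the cutover rather than discovering afterwards. Below is an added pre-migration reconciliation example; it is not part of the reply and not a Cato tool. It assumes you have exported users and group names from both directories into simple records; the field names (`upn`, `email`, `first_name`, `last_name`) and the sample rows are constructed for illustration and should be adapted to whatever your export actually produces.

```python
"""
Pre-migration reconciliation check (added example, not from the support reply).

Compares user exports from Entra ID and LDAP attribute by attribute and lists
LDAP groups whose names collide with SCIM-provisioned groups, so that the
mismatches flagged in the KB can be fixed before SCIM provisioning is enabled.
Field names and sample data are assumptions for illustration only.
"""
from typing import Dict, List, Tuple

# Attributes the KB says must be identical in both directories.
KEY_ATTRIBUTES = ("email", "upn", "first_name", "last_name")

# Constructed sample exports (one record per user). Real exports would come
# from your Entra/LDAP tooling; the keys here are assumed, not a fixed schema.
ENTRA_USERS: List[Dict[str, str]] = [
    {"upn": "alice@example.com", "email": "alice@example.com", "first_name": "Alice", "last_name": "Smith"},
    {"upn": "bob@example.com", "email": "Bob@Example.com", "first_name": "Bob", "last_name": "Jones"},
    {"upn": "carol@example.com", "email": "carol@example.com", "first_name": "Carol", "last_name": "White"},
]
LDAP_USERS: List[Dict[str, str]] = [
    {"upn": "alice@example.com", "email": "alice@example.com", "first_name": "Alice", "last_name": "Smith"},
    {"upn": "bob@example.com", "email": "bob@example.com", "first_name": "Robert", "last_name": "Jones"},
    {"upn": "dave@example.com", "email": "dave@example.com", "first_name": "Dave", "last_name": "Brown"},
]
SCIM_GROUPS = ["Finance", "Engineering", "VPN-Users"]          # constructed
LDAP_GROUPS = ["finance", "Helpdesk", "VPN-Users", "Legacy"]   # constructed

Mismatch = Tuple[str, str, str, str]  # (upn, attribute, entra_value, ldap_value)


def index_by_upn(users: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Key records by lower-cased UPN; a repeated UPN inside one export is itself an error."""
    index: Dict[str, Dict[str, str]] = {}
    for user in users:
        key = user["upn"].strip().lower()
        if key in index:
            raise ValueError(f"duplicate UPN inside a single export: {key}")
        index[key] = user
    return index


def reconcile_users(entra: List[Dict[str, str]], ldap: List[Dict[str, str]]):
    """Return (only_in_entra, only_in_ldap, mismatches).

    Users are matched on UPN (case-insensitive). For matched users every key
    attribute is compared exactly (after trimming whitespace), because even a
    case difference in an email can surface as a second object after migration.
    """
    entra_idx = index_by_upn(entra)
    ldap_idx = index_by_upn(ldap)
    only_in_entra = sorted(set(entra_idx) - set(ldap_idx))
    only_in_ldap = sorted(set(ldap_idx) - set(entra_idx))
    mismatches: List[Mismatch] = []
    for upn in sorted(set(entra_idx) & set(ldap_idx)):
        for attr in KEY_ATTRIBUTES:
            entra_val = entra_idx[upn].get(attr, "").strip()
            ldap_val = ldap_idx[upn].get(attr, "").strip()
            if entra_val != ldap_val:
                mismatches.append((upn, attr, entra_val, ldap_val))
    return only_in_entra, only_in_ldap, mismatches


def group_name_collisions(scim_groups: List[str], ldap_groups: List[str]) -> List[str]:
    """LDAP groups that a SCIM group of the same name would override after migration.

    Compared case-insensitively so that near-duplicates are surfaced for review.
    """
    scim_names = {g.strip().lower() for g in scim_groups}
    return sorted({g for g in ldap_groups if g.strip().lower() in scim_names})


def ready_to_migrate(entra, ldap) -> bool:
    """True only when every user exists in both directories with identical attributes."""
    only_e, only_l, mism = reconcile_users(entra, ldap)
    return not only_e and not only_l and not mism


if __name__ == "__main__":
    only_e, only_l, mism = reconcile_users(ENTRA_USERS, LDAP_USERS)
    print("Only in Entra ID:", only_e)
    print("Only in LDAP:    ", only_l)
    for upn, attr, ev, lv in mism:
        print(f"MISMATCH {upn} {attr}: Entra={ev!r} LDAP={lv!r}")
    print("LDAP groups that SCIM groups will override:",
          group_name_collisions(SCIM_GROUPS, LDAP_GROUPS))
    print("Ready to migrate:", ready_to_migrate(ENTRA_USERS, LDAP_USERS))
```

Run it against real exports and treat any mismatch line as a blocker: fix the attribute in the source directory, re-export, and re-run until the last line reads `Ready to migrate: True`. The group collision list is not an error in itself, but it is the list of LDAP groups whose membership you should expect to be replaced by the SCIM-provisioned group during the migration.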