Migrating Enterprise VR Identities: From Meta Workrooms to Horizon

Hook: You’re facing a hard deadline — and migration risk

Meta’s February 16, 2026 shutdown of the standalone Workrooms app forces IT teams to migrate identities, SSO, device enrollments, and access policies to Horizon or an alternative. If you’re responsible for enterprise VR, you need a repeatable, low-friction playbook that protects access, preserves data, and maintains compliance during decommissioning. This guide is a hands‑on technical playbook for developers and IT admins to migrate user identities, permissions, and SSO integrations with minimal downtime.

Why this matters in 2026

In late 2025 and early 2026 the VR landscape consolidated. Big vendors shifted investment toward mixed-reality wearables and consolidated productivity tools into platform-level services like Horizon. That trend increases the pressure on enterprises to move quickly while meeting tighter compliance expectations (data residency, audit trails) and adopting passwordless / FIDO standards that became mainstream in 2024–2026.

Key risk: incomplete deprovisioning or mis-mapped roles can create persistent access gaps or expose corporate resources during an app sunset.

Executive playbook: 7 phased migration plan

Follow these phases. Each phase contains concrete tasks, validation checks, and code examples where relevant.

1. Assess & inventory
2. Design identity & permission mapping
3. Prepare SSO/OIDC and provisioning integrations
4. Device enrollment & MDM migration
5. Data export, continuity, and meeting assets
6. Test, stage, and pilot
7. Cutover, monitor, decommission

Phase 1 — Assess & inventory (Days 0–7)

Inventory everything Workrooms touches.

• Users: count active vs inactive accounts, SSO tied accounts, guest accounts.
• Auth methods: OIDC, SAML, legacy username/password, passkey usage.
• Provisioning: SCIM endpoints, automations, group sync schedules.
• Devices: Quest/Meta headsets enrolled in Horizon-managed services or MDM.
• Data: Meeting recordings, chat logs, uploaded assets, calendar integrations.
• Permissions & roles: who has admin/host/moderator rights?

Export a CSV or JSON mapping of users, groups, roles, provisioning IDs, and device IDs. This inventory will be your ground truth for reconciliation.

Phase 2 — Design identity & permission mapping (Days 3–10)

Workrooms and Horizon use different access models. Create a deterministic mapping table that preserves least privilege.

• Map Workrooms roles → Horizon roles (example below).
• Decide claim names and token lifetimes for OIDC tokens.
• Define SCIM group attribute mapping and canonical group IDs.
• Plan fallback for legacy users (e.g., non-SSO) — require re-enrollment with enterprise SSO.

Example mapping:

// Example role mapping table (JSON)
{
  "workrooms:host": "horizon:room_manager",
  "workrooms:presenter": "horizon:presenter",
  "workrooms:participant": "horizon:user",
  "workrooms:guest": "horizon:external_collaborator"
}

Phase 3 — Prepare SSO/OIDC and provisioning (Days 5–14)

This is the core work. You will:

• Verify OIDC metadata endpoints and JWKS URLs for both Workrooms (if still active) and Horizon.
• Implement or update claim mappings: role claims, groups, tenant_id, device_id.
• Enable SCIM (v2) provisioning for automated user/group syncs.
• Support token introspection and revocation endpoints for deprovisioning.

OIDC: Authorization Code flow (example Node.js)

Use the standard code flow and request explicit claims for role/group mapping.

// Express example: redirect to OIDC provider
app.get('/auth/redirect', (req, res) => {
  const state = randomString();
  const url = `${OIDC_AUTHORIZATION_ENDPOINT}?response_type=code&client_id=${CLIENT_ID}` +
    `&scope=openid profile email groups&redirect_uri=${encodeURIComponent(REDIRECT_URI)}` +
    `&state=${state}`;
  res.redirect(url);
});

// Token exchange (server-side)
app.post('/auth/callback', async (req, res) => {
  const code = req.query.code;
  const tokenRes = await fetch(TOKEN_ENDPOINT, {
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: `grant_type=authorization_code&code=${code}&redirect_uri=${encodeURIComponent(REDIRECT_URI)}&client_id=${CLIENT_ID}&client_secret=${CLIENT_SECRET}`
  });
  const tokens = await tokenRes.json();
  // Validate ID token, extract claims, map roles
});

SCIM provisioning: example PATCH to update group membership (Python)

import requests
scim_url = 'https://api.horizon.example.com/scim/v2/Groups/{groupId}'
headers = { 'Authorization': f'Bearer {PROVISION_TOKEN}', 'Content-Type': 'application/json' }
patch = {
  'schemas': ['urn:ietf:params:scim:api:messages:2.0:PatchOp'],
  'Operations': [
    { 'op': 'Replace', 'path': 'members', 'value': [{'value': 'user-12345'}] }
  ]
}
res = requests.patch(scim_url, json=patch, headers=headers)
print(res.status_code, res.text)

Validation: after SCIM updates, confirm user appears in Horizon with expected role claim and group membership. Use token introspection to verify claims.

Phase 4 — Device enrollment & MDM migration (Days 7–21)

Deploy a device migration plan for headsets. Common approaches:

• Automated: Use Android Enterprise / zero-touch and MDM to re-enroll devices into Horizon-managed policies.
• Manual: Provide secure QR codes or provisioning codes to end users for re-enrollment.
• Certificate-based authentication: issue device certificates tied to enterprise PKI for device identity.

Checklist:

• Export device IDs and serial numbers from Workrooms/managed services.
• Revoke old device certificates and rotate keys as devices are re-enrolled.
• Apply new compliance policies (screen lock, telemetry allowed, USB restrictions).
• Ensure device-level telemetry and logging are forwarded to your SIEM.

Example enrollment flow (recommended):

1. Generate per-device enrollment token via MDM API.
2. Send token to device via secure channel or QR code with expiration.
3. Device calls MDM to fetch configuration, installs enterprise cert, and registers device_id in your identity store.

Phase 5 — Data export, continuity, and meeting assets (Days 5–14)

Preserve critical meeting data early in the process. Export recordings, transcripts, calendars, and shared assets. Consider retention policies and legal holds.

• Export meeting recordings and map them to GUIDs so Horizon can reference them after migration (if supported).
• Preserve chat logs in your archive store (S3, GCS) with metadata tags: user_id, timestamp, room_id.
• Export calendar integrations (ICal/Exchange) and reconnect in Horizon via OAuth or delegated API access.

If direct data transfer between Workrooms and Horizon isn’t supported, build a migration microservice to:

1. Fetch and normalize assets from Workrooms export APIs.
2. Upload assets to your enterprise storage with access control.
3. Post metadata to Horizon via its content API or create links in user profiles.

Phase 6 — Test, stage, and pilot (Days 10–28)

Before full cutover, run staged pilots with 5–10% of user base across departments. Create a test matrix:

• Authentication types: OIDC, SAML, passwordless, legacy.
• Provisioning: create, update, deprovision operations via SCIM.
• Device policies application and certificate rotation.
• Analytics: login success rate, token error rate, latency.

Implement monitoring dashboards: login failures, token introspection errors, SCIM sync errors, MDM enrollment failures. Set automated alerts for >1% error rates.

Phase 7 — Cutover, monitor, and decommission (Days 21–35)

Cutover strategy options:

• Big bang: switch SSO endpoints and disable Workrooms access on a scheduled weekend window.
• Phased: migrate by organizational unit or priority group; keep Workrooms read-only for others.

Recommended: phased cutover with forced re-enrollment window. Communicate timelines to users and provide helpdesk scripts.

Decommission checklist:

• Revoke Workrooms app credentials and client secrets.
• Disable SCIM provisioning to Workrooms.
• Revoke device certificates tied to Workrooms-only trust anchors.
• Finalize data retention or deletion per policy and regulatory holds.

Advanced technical patterns & code examples

1) Claim mapping and token validation (JWT introspection)

Always validate JWTs server-side with the OIDC provider’s JWKS. Use the kid header to pick keys for signature verification. Enforce audience and issuer checks and validate token_exp.

// Pseudocode for JWT validation
const jwt = require('jsonwebtoken');
const jwks = await fetchJWKS(JWKS_URI);
const publicKey = selectKey(jwks, token.header.kid);
const payload = jwt.verify(token, publicKey, { audience: CLIENT_ID, issuer: ISSUER });
// Map payload.roles to Horizon roles

2) SCIM delta sync & reconciliation

Use incremental SCIM syncs to avoid replacing groups wholesale. Track lastModified timestamps and implement idempotent operations.

// Example: fetch SCIM Users modified since last sync
GET /scim/v2/Users?filter=meta.lastModified%20gt%20"2026-01-01T00:00:00Z"

3) Device certificate issuance (example flow)

1. MDM requests CSR from device or generates key on-device.
2. CSR posted to your internal CA API and signed certificate returned.
3. Device stores cert in secure hardware keystore and registers device_id to identity provider.
4. Mutual TLS used for device API calls to Horizon.

Testing checklist (pre-cutover)

• OAuth login success > 99% across pilot users.
• SCIM provisioning latency < 30s for user creation in pilot.
• Device re-enrollment success > 95% in pilot; fallback documented for failures.
• Access control: mapped roles enforce expected actions in Horizon test org.
• Audit logs forwarded to SIEM and retention policies validated.

Common pitfalls and mitigations

• Unmapped roles: Mitigation — default-role deny policy and staged exception process.
• SCIM rate limits: Mitigation — batch operations and exponential backoff.
• Device enrollment failures: Mitigation — one-click QR re-enrollment and helpdesk swift support.
• Token mismatch errors: Mitigation — clock skew handling, token lifetime harmonization.
• Data leakage during export: Mitigation — encrypt exports at rest (AES-256), transit (TLS 1.3), and use asset access controls.

Compliance & audit considerations

Document every step — who initiated provisioning, who approved role changes, when devices were re-enrolled. Maintain immutable logs for:

• Auth events (login, token issuance, token revocation)
• Provisioning events (create/update/delete via SCIM)
• Device lifecycle events (enroll, revoke, wipe)

In 2026 auditors expect evidence of least privilege and deprovisioning workflows tied to HR feeds and SCIM. Build a reporting dashboard that shows orphaned accounts and last activity.

Real-world mini case study (anonymized)

One global engineering firm had 3,200 Workrooms users and 600 managed headsets. They followed a 28-day phased plan: inventory, map roles, configure SCIM & OIDC to Horizon, and pilot 320 users. Key wins:

• Zero production credential exposure due to immediate client secret rotation.
• Reduced device enrollment support tickets by 70% after introducing QR-based re-enrollment and pre-generated enrollment tokens.
• Improved audit posture: all user role changes were tied to HR events via SCIM and visible in the SIEM.

Metrics to report post-migration

• Authentication success rate (by flow)
• Provisioning latency and error rate
• Device enrollment completion rate
• Time-to-deprovision for terminated users
• Number of orphaned accounts

Future-proofing: 2026+ recommendations

• Adopt FIDO2/WebAuthn for passwordless and device-bound authentication where possible — VR platforms increasingly support passkeys in 2025–26.
• Standardize on SCIM v2 and OIDC for identity flows to reduce vendor lock-in.
• Implement device identity using certificate-based mutual TLS for machine-to-machine calls.
• Invest in automated compliance pipelines: automated reporting for access reviews and retention holds.

Rollout timeline template (example)

1. Week 1: inventory & mapping
2. Week 2: implement OIDC claims & SCIM endpoints
3. Week 3: device enrollment scripts & pilot
4. Week 4: phased cutover & final data migration
5. Week 5: decommission Workrooms endpoints, finalize retention

Final checklist before decommissioning Workrooms

• All active users exist in Horizon with correct role claims.
• SCIM deprovision pipeline verifies termination events are applied.
• All headsets re-enrolled and old certs revoked.
• All meeting assets exported or referenced in Horizon.
• Audit logs archived and SIEM ingestion validated.

Closing thoughts

The 2026 wave of VR consolidation is a chance to reduce fragmentation and elevate security: migrate to platform-level identity and device controls, automate provisioning, and adopt passwordless where possible. A methodical, staged approach minimizes business disruption while improving your security baseline.

Call to action

Use the checklist and code samples above to scaffold your migration. Need a tailored runbook, SCIM adapters, or OIDC claim mapping scripts for your environment? Contact our integration team for a migration health check and pilot automation—get a concrete plan you can execute within 30 days.

Related Reading

• Beauty Routines for Frequent Flyers: Preventing Dehydration and Dull Skin
• Tested Accessories Buyers Love: From MagSafe Wallets to Portable Chargers—What to Include in Listings
• Affordable Tech That Helps Fans Recover Faster After Intense Training
• Checklist: 10 Signs Your Office Purchasing Stack Has Too Many Tools
• Rechargeable vs Traditional Hot-Water Bottles: Pick the Coziest Gift