aaron@mccarthy:~/posts/migrate-access-database.md
← cd ../blog.md

The Best Time to Migrate Your Access Database Was Yesterday

(The Second Best Time Is Now)

author: Aaron McCarthy  •  date: Jan 10, 2026  •  reading_time: 18 min
Access Next.js Prisma Azure Migration TypeScript

If your organization still runs on Microsoft Access, you’re not alone—and you’re not stuck. I’ve helped plenty of teams move off it. Access was a legitimate tool for decades. It let power users build real applications without writing code or filing IT tickets. That was genuinely impressive.

But the cracks show fast once you outgrow a single machine, a shared network drive, or a handful of users. This isn’t modernization for the sake of a shinier tool. It’s about scalability, security, maintainability, and capabilities that Access simply cannot provide.

Here’s the technical case for why migration matters, how to do it without freezing the business, and what waiting actually costs you.

## Why Access Becomes a Liability Over Time

1. File-Based Architecture = Bottlenecks

Access uses a file-based engine (Jet/ACE). That means the database is a .accdb file on a shared network drive. When someone runs a query, Access doesn’t ask a server to do the work—it pulls entire tables across the network to the client machine, processes the query locally, and sends the results back. This made sense in 1995 when databases were small and networks were simple. In 2026, it’s a performance disaster waiting to happen.

The problems compound quickly:

  • Entire tables (or large portions) get pulled over the network for every query
  • Query execution happens client-side, burning local CPU and memory
  • Network latency directly impacts every single operation
  • Large datasets cause the application to crawl or hang entirely
  • Multiple users running heavy queries simultaneously can saturate the network link to the file share

Compare that to modern database architectures:

  • Server-side query execution (PostgreSQL, SQL Server), where the database server does the heavy lifting and only returns the result set
  • Optimized query planners that analyze indexes, statistics, and execution paths to find the fastest route to your data
  • Connection pooling and caching that reduce overhead for repeated queries and concurrent users
  • Streaming results that allow paginated, efficient data delivery without loading everything into memory

The bottom line: Access starts choking around 5–10 concurrent users. Past that threshold, you get sluggish forms, timeout errors, and increasingly frustrated people. A proper client-server database handles hundreds or thousands of concurrent connections without breaking a sweat.

2. Concurrency and Data Corruption Risks

This is the one that keeps people up at night. Access uses page-level locking—when one user writes to a record, Access locks an entire 4KB page of the database file. That page likely contains other records, which means other users trying to update different records on the same page get blocked or fail silently.

It gets worse. Because the database is a single file on a network share, if someone’s machine crashes, the network drops, or an ethernet cable gets unplugged mid-write, the file can corrupt. And Access corruption isn’t always obvious—sometimes it shows up as subtly wrong data, missing records, or queries that return different results depending on when you run them. You might not know you have a problem until it’s too late.

If you’ve worked with Access long enough, you’ve seen all of these:

  • Frequent write conflicts when multiple users edit data simultaneously
  • Database corruption when connections drop mid-write or the network hiccups
  • "This database needs to be repaired" becoming a regular Monday morning event
  • The dreaded .ldb lock file that sometimes refuses to release
  • Compact-and-repair rituals that become part of your weekly maintenance routine

Modern database systems have solved these problems decades ago:

  • Row-level locking, where only the specific row being modified is locked, not an arbitrary page of data
  • ACID-compliant transactions; operations either complete fully or roll back cleanly, never leaving the database in a half-written state
  • WAL (Write-Ahead Logging); changes are written to a log before being applied, so the database can recover gracefully from any crash
  • Automated backups and point-in-time recovery, letting you restore to any second in time, not just your last manual backup

3. Security Limitations

I’ll be blunt: Access security is essentially nonexistent by modern standards. The old “User-Level Security” feature was removed in Access 2010. What remains is a single database password stored in the file itself. Anyone with file system access to the .accdb can open it, copy it, or crack the password with freely available tools in seconds.

The gaps are significant:

  • No robust authentication model; there’s no concept of individual user accounts at the database level
  • No built-in role-based access control that scales, so you can’t say "this user can see these tables but not those"
  • File-level access means anyone who can reach the network share can potentially copy your entire database
  • No audit trail; you have no record of who accessed, modified, or deleted what data and when
  • No encryption at rest or in transit, so data flows over the network in the clear

A modern stack gives you a completely different security posture:

  • OAuth / SSO via Auth.js; users authenticate with their corporate credentials (Azure AD, Google Workspace, etc.) instead of shared passwords
  • Fine-grained authorization logic; control access at the page, API endpoint, or even individual record level
  • Encrypted connections (TLS); all data is encrypted in transit between the browser, app server, and database
  • Managed identity in Azure; your application authenticates to the database using certificates, not passwords stored in config files
  • Comprehensive audit logging; track every login, data access, and modification with timestamps and user attribution

4. Deployment Nightmares

Anyone who’s managed an Access application at scale knows this pain intimately. The typical setup is a “split” database: a backend .accdb on a network share with the tables, and a frontend .accdb on each user’s desktop with forms, reports, and queries. When you need to push an update, you distribute a new frontend file to every user and pray they actually replace the old one.

The reality:

  • You distribute .accdb files via email, file share, or sneakernet
  • Version mismatches are inevitable; User A is on version 3, User B is still on version 1, and neither of them knows it
  • Frontend/backend splits still require manual updates and re-linking when paths change
  • Different versions of Access (2016, 2019, 365) can cause compatibility issues
  • There’s no way to push a hotfix instantly to all users

With a modern web application, deployment is a non-event:

  • Deploy once, update instantly; push to your server and every user gets the new version on their next page load
  • Centralized version control; your codebase lives in Git with full history, branching, and code review
  • CI/CD pipelines; automated testing and deployment mean you can ship confidently multiple times per day
  • Zero client installation; users just need a browser, any browser, on any device
  • Rollback capability; if something goes wrong, revert to the previous version in seconds

## Why a Modern Stack Changes Everything

So what does “modern” actually look like? Here’s the stack I use—it directly replaces every capability Access provides and extends far beyond it:

Next.js (App Router)

The full-stack React framework. Next.js gives you hybrid rendering; server-side rendering (SSR) for dynamic pages, static site generation (SSG) for content that rarely changes, and incremental static regeneration (ISR) for the best of both worlds. It includes built-in API routes so your frontend and backend live in the same project, and it’s edge-ready for global performance. Think of it as the application framework that replaces both the Access frontend and the VBA code behind it.

React

The UI layer. React’s component-based architecture means you build your forms, tables, and dashboards as reusable, composable pieces. State management is predictable and testable. The ecosystem is massive. Need a date picker, data grid, or chart library? There are battle-tested options for everything. Unlike Access forms that are trapped in the Access runtime, React components run in any browser on any device.

TypeScript

JavaScript with guardrails. Static typing catches entire categories of bugs at compile time that would only surface at runtime in VBA (or worse, silently corrupt your data). It makes refactoring safe; rename a field and TypeScript tells you every place in your codebase that needs updating. IDE support is phenomenal: autocomplete, inline documentation, and real-time error checking as you type.

Auth.js

Authentication that just works. Plug-and-play support for Azure AD, Google, GitHub, email/password credentials, and dozens more providers. Session management and token refresh are handled automatically. You go from "no authentication" to "enterprise SSO" in an afternoon, not a month. Compare that to Access where "security" means a shared password on the file.

Prisma

A type-safe ORM that makes database access feel natural in TypeScript. You define your schema once, and Prisma auto-generates a fully typed client, so prisma.customer.findMany() knows exactly what fields exist on a Customer. The built-in migration system tracks schema changes over time, so your database evolves alongside your code in a controlled, reversible way. No more manually running ALTER TABLE scripts and hoping for the best.

Tailwind CSS

Utility-first CSS that keeps your styling inline with your markup. No more jumping between HTML and CSS files trying to figure out which class does what. Tailwind’s constraint-based design system means your UI looks consistent and professional by default. It’s incredibly fast for building forms, tables, and dashboards, exactly the kind of UI you’re replacing from Access.

Azure (Hosting)

Microsoft’s cloud platform is the natural home for organizations migrating from Access, especially if you’re already in the Microsoft ecosystem. App Services or Static Web Apps host your application. Azure SQL or PostgreSQL replaces the .accdb file. Managed Identity eliminates hardcoded credentials. Key Vault stores secrets securely. Private networking options keep your database off the public internet entirely. And Application Insights gives you monitoring and alerting that Access could never dream of.

## Architecture Comparison

The difference is stark when you visualize the two architectures side by side:

// Access (Typical)

[User Desktop]
      |
      v
[Shared Network Drive]
      |
      v
[.accdb File]

Single point of failure. No server logic.
File locked during writes. Network-dependent.

// Modern Web App

[Browser — Any Device]
      |
      v
[Next.js App (Azure)]
      |
      v
[API Layer + Auth]
      |
      v
[Database (Azure SQL / PostgreSQL)]

Scalable. Secure. Accessible from anywhere.
Server handles logic, auth, and data integrity.

## How to Migrate: A Practical Approach

Step 1: Inventory Your Access App

Before writing a single line of code, you need a complete picture of what you’re actually replacing. Open the Access application and break it down into four categories:

  • Tables (data model); document every table, its fields, data types, and relationships. This becomes your Prisma schema.
  • Queries (business logic); catalog every saved query, especially the complex ones with joins, aggregations, and calculated fields. These become your API routes and Prisma queries.
  • Forms (UI); screenshot every form and note which fields map to which tables. These become your React components.
  • Reports (output); document every report, its data sources, grouping, and formatting. These become server-rendered pages or PDF exports.

This inventory becomes your migration roadmap. Prioritize by business criticality—migrate the most-used, most-painful modules first.

Step 2: Design Your Database Schema

Translate your Access tables into a proper relational database using Prisma’s schema language. This is also your chance to clean up years of accumulated technical debt—normalize data, add proper constraints, and define relationships explicitly:

model Customer {
  id        Int      @id @default(autoincrement())
  name      String
  email     String   @unique
  createdAt DateTime @default(now())
  orders    Order[]
}

model Order {
  id         Int      @id @default(autoincrement())
  customerId Int
  customer   Customer @relation(fields: [customerId], references: [id])
  total      Decimal
  createdAt  DateTime @default(now())
}

Then run migrations to create the actual database tables:

$ npx prisma migrate dev --name "initial_schema"

Prisma generates SQL migration files and applies them. Every schema change is tracked, versioned, and reversible. No more manually editing tables in the Access design view and hoping you didn’t break something downstream.

Step 3: Move Business Logic to APIs

Your Access queries and VBA modules become Next.js API routes. The key difference: logic now runs on the server, not on the client machine. The database does the heavy lifting and only the results travel over the network.

// /app/api/customers/route.ts
import { prisma } from '@/lib/prisma';

export async function GET() {
  const customers = await prisma.customer.findMany({
    include: { orders: true },
    orderBy: { name: 'asc' },
  });
  return Response.json(customers);
}

export async function POST(request: Request) {
  const body = await request.json();
  const customer = await prisma.customer.create({
    data: {
      name: body.name,
      email: body.email,
    },
  });
  return Response.json(customer, { status: 201 });
}

Every query is type-safe. If you reference a field that doesn’t exist, TypeScript catches it at compile time. No more runtime errors from misspelled field names buried in VBA code.

Step 4: Rebuild the UI with React

Access forms become React components, and the difference is night and day. Instead of a clunky, platform-locked form designer, you’re building with a component model that works on every device and can be styled to look however you want:

export default function CustomerList({ customers }) {
  return (
    <div className="p-4 space-y-2">
      <h2 className="text-xl font-bold">Customers</h2>
      {customers.map(c => (
        <div key={c.id}
             className="border p-3 rounded
                        hover:bg-gray-50 transition">
          <p className="font-medium">{c.name}</p>
          <p className="text-sm text-gray-500">{c.email}</p>
          <p className="text-sm">
            {c.orders.length} orders
          </p>
        </div>
      ))}
    </div>
  );
}

Users access the application from a browser—no Access runtime installation required. It works on desktops, laptops, tablets, and phones. Updating the UI is a code push, not a file distribution exercise.

Step 5: Add Authentication

This is where you leapfrog from “no security” to “enterprise-grade” in about 30 minutes. Auth.js integrates with Entra ID so your users log in with the same credentials they use for Outlook and Teams—no separate passwords to manage:

import NextAuth from "next-auth";
import AzureAD from "next-auth/providers/azure-ad";

export const authOptions = {
  providers: [
    AzureAD({
      clientId:     process.env.AZURE_CLIENT_ID,
      clientSecret: process.env.AZURE_CLIENT_SECRET,
      tenantId:     process.env.AZURE_TENANT_ID,
    }),
  ],
  callbacks: {
    async session({ session, token }) {
      // Add role-based access from Azure AD groups
      session.user.role = token.role;
      return session;
    },
  },
};

From there you layer in role-based access control, page-level authorization, and audit logging. Every login, every data access, every modification—tracked and tied to a specific user. That’s a world away from a shared password on a file.

Step 6: Deploy to Azure

Azure gives you multiple hosting options depending on what you need:

  • Azure App Service, for full-stack Next.js applications with server-side rendering. Supports auto-scaling, deployment slots for zero-downtime updates, and custom domains with managed SSL certificates.
  • Azure Static Web Apps, for frontend-heavy apps with serverless API functions. Lower cost, global CDN distribution, and automatic GitHub/DevOps integration.
  • Azure SQL or PostgreSQL, managed database services with automatic backups, point-in-time restore, geo-replication, and built-in high availability.

Layer on the supporting services:

  • Application Insights for monitoring, with real-time dashboards, error tracking, performance metrics, and custom alerts
  • Key Vault for secrets; connection strings, API keys, and certificates stored securely, never in code
  • VNet integration for security, keeping your database on a private network, inaccessible from the public internet
  • Azure DevOps or GitHub Actions for CI/CD, with automated testing and deployment on every commit

## The Hidden Cost of Waiting

Here’s the uncomfortable truth that never shows up in the budget spreadsheet:

1. Technical Debt Compounds

Every new feature, form, or query you add to your Access application digs the hole deeper. Each addition increases the surface area of the eventual migration, adds more business logic that someone will need to understand and translate, and deepens your coupling to a platform that’s going nowhere. The migration you could handle comfortably today gets harder and more expensive with every passing quarter. Technical debt accrues interest, and the rate is higher than most people realize.

2. Knowledge Risk

In most organizations, there’s one person—maybe two—who truly understands how the Access application works. The quirks, the workarounds, the VBA modules written at 2 AM to fix a bug nobody documented. What happens when that person retires? Changes roles? Gets hit by the proverbial bus? Is the logic in source control, or is it tribal knowledge locked inside a .accdb file on someone’s desktop? A modern codebase in Git with TypeScript is self-documenting in ways Access never will be.

3. Opportunity Cost

While you’re maintaining an Access application, you’re not doing the things a modern platform enables:

  • Mobile access; your field teams can’t enter data from a phone or tablet
  • API integrations; you can’t connect to shipping providers, payment processors, or partner systems
  • Automation workflows; manual processes that could be triggered automatically by data changes
  • Real-time dashboards; management visibility into operations without someone running a report and emailing a PDF
  • AI and analytics; modern data platforms that can surface insights from your data

4. Security Exposure

Old systems don’t age gracefully from a security standpoint. Every day your data sits in an unencrypted file on a network share—no access controls, no audit logging, no centralized identity management—is a day you’re exposed to data breaches, compliance failures, and regulatory risk. The cost of a breach—financial, legal, reputational—dwarfs the cost of migration by orders of magnitude.

## Why the Best Time Was Yesterday

Because migration isn’t a flip-the-switch event. It’s a process. It doesn’t happen in a weekend, and it shouldn’t. The most successful migrations I’ve been part of follow an incremental approach:

  • Start with one module then pick the most painful, most used, or most risky piece
  • Run systems in parallel while you validate the new application against the old
  • Gradually replace functionality, form by form, report by report
  • Decommission Access piece by piece as confidence in the new system grows

This is called the Strangler Fig Pattern—named after the tropical fig that slowly grows around a host tree until it replaces it entirely. You wrap the new application around the old one, routing more traffic to the modern system over time until the legacy app can be safely retired. No big bang. No risky cutover weekend. No disruption to the business.

## A Realistic Migration Strategy

Here’s a phased approach that actually works:

  1. Keep Access as the data source initially, linking your new app to the existing Access data (or a copy) so you can develop against real data without risk
  2. Build a Next.js frontend that reads from it, proving the concept with a read-only view that mirrors existing functionality
  3. Move the database to Azure; migrate the data to Azure SQL or PostgreSQL, update the connection, and validate
  4. Replace forms one-by-one, rebuilding each Access form as a React component, prioritizing the most-used workflows
  5. Sunset Access; once all functionality has been migrated and validated, decommission the Access application

Each step is independently valuable. Even if you stop at step 2, you’ve gained a mobile-accessible, browser-based view of your data. Every step forward reduces risk and expands capability.

## Final Thought

Access was never meant to power modern, multi-user, secure, cloud-connected applications. It got you this far, and that’s genuinely impressive. The rapid development environment, the tight integration with Office, the ability for a power user to build something useful in a day—those were real strengths. But the world has moved on. Access hasn’t.

Migrating to a stack like Next.js + Prisma + Azure isn’t just swapping one tool for another. It’s a foundation shift. You’re moving from a file on a network share to a scalable, secure, globally accessible platform. From tribal knowledge in VBA to a typed, tested, version-controlled codebase. From hoping the database doesn’t corrupt to knowing your data is safe, backed up, and recoverable.

The longer you wait, the harder it gets. Start small. Start messy if you have to. Just start.