Forum Discussion

Amit_Trivedi112214
Copper Contributor
Feb 10, 2020

Device Migration from On-prem AD to Azure AD

Hello All,

 

We want to migrate our on-prem AD devices to Azure AD and enroll them in Intune. We have Azure AD Sync and all that, but we need to convert the machines to Azure AD join only, not Hybrid AD join. So we would like to create a new user profile on the machine.

 

We have used two methods so far.

1) Reset the machine and join to Azure AD from OOBE. (Issue: this makes the user an administrator of that machine, and we don't want that.)

2) Unbind from on-prem AD and join to Azure AD manually, but this has the same issue as number 1.

3) Using the hardware hash, register the devices to Autopilot and then reset all the machines. (Issue: this will take too long to migrate 250 machines, and helping remote workers is quite difficult.)

 

Has anyone tried a different method, or is there any expert suggestion?

 

Thanks!

 

  • CyxITNathan
    Copper Contributor

    Amit_Trivedi112214 

     

    My company is attempting almost exactly the same thing.... for 1800 devices.

     

    Please, if anyone has a comprehensive strategy for this solution I'd appreciate it greatly.

    My understanding, developed from the linked articles, is that the steps for accomplishing this would be to:

    1. Create an Autopilot profile which either acknowledges a present local administrator account or creates it when the device hits Azure

    2. Create a group which applies the required applications for my company

    3. Use the bulk update to target my on-premises machines for moving to Azure (how do I make sure the devices I select for bulk Autopilot are not flagged as "personal" in on-premises AD?)

    4. Clear my on-premises record of devices after each device appears in Azure AD

    5. Start a sync in Intune and allow it to push apps and add any missing administrator account based on the group and profile settings

    Thank you for any clarifications available.

  • A lot late, and sorry for bumping the thread. Has anyone found a solid solution yet?

    I am in the same shoes, and tried a silent join using GPO. Everything went well, and upon reboot the system went through setting up biometrics etc. (we use biometrics with Intune only).
    However, upon the second reboot the device was unable to verify my PIN.
    I reached out to MS; they were unable to help, but suggested that as the machine is still joined to AD (GPO enrollment does not drop the AD join) the system might be looking for AD as the login authority while the PIN is registered in AAD.
    Other than this issue, everything works smoothly, and it's a very silent, seamless join for the user.
    • v-9khald
      Copper Contributor

      AravindPadmanabhan 

       

      I understand, and from the first post I see the ask is to migrate your endpoint Windows devices from local AD join to Azure AD join, and most of the responses are around enrollment, hybrid etc., which are kind of not correct. I know the solution, and you will need to leverage a third party, which in my view is not very expensive considering the value it brings.

      1. For your machine to be fully Azure AD joined, it needs to be disjoined from local AD and then joined to Azure AD. If it is kept connected to local AD and synced to the cloud, then it is hybrid joined.

      2. For a larger-scale deployment, it is not feasible or possible for admins to reach out to every user, disjoin the machine and manually join it to Azure AD.

      3. If you do it manually you will lose the user profile, and this will not be a nice user experience.

      So how do you solve this?

      Well, there is a tool from ForensIT that migrates your machine and the user profile residing on the local machine from domain or local to Azure AD join. You will need to create a deployment package using the wizard it provides, and at the end it will create an .exe file. Deploy that .exe file either through GPO or through SCCM, whichever works for you. One thing here: the provisioning package (.ppkg) file that the ForensIT tool asks for at one point can be created using the Windows Configuration Designer (WCD) tool. Basically you will be able to automate the whole process, even joining the machine to Azure AD. So download the Windows Configuration Designer tool (it's free from MS and available in the Windows Store) and follow the wizard; it's very easy. At the end you will have a .ppkg file. Use this file in the ForensIT tool when it asks you to provide it at some point in the wizard. At the end you will have the .exe, and all good.

      When this .exe is run:

      it will migrate the domain profile to an Azure AD user profile such that all the settings, apps, desktop data, everything, stay as-is

      it will disjoin the machine from the local AD

      it will auto-join the machine to Azure AD using the provisioning package you created using WCD

      you will need to reboot the machine twice

      that's it, and you will have your machine fully Azure AD joined with the user profile and data intact!

       

      thank you. 

       

       

    • Koomafloo
      Copper Contributor

      Quick input, as we are in the process of migrating on-prem to native Azure AD.

      At this point we have been doing the migration as devices get replaced, but for the rest here is our process.

      Log into the device with a DC admin.

      Create a local admin user, no password.

      Log out and into the local user. Remove the DC and reboot.
      Connect to Azure AD with the future user desired (the user needs to be in Azure/365 and licensed; whichever user you register it with will have admin on the PC).

      Once joined, log out of the local user and into the future Azure user (the one you registered with, or your Azure admin).
      Remove the local user.

      Log into the employee's account that was using the PC, if you aren't already.

      We use the free ProfWiz to copy the profile data unattended.

      It's not the fastest option, but it drags the old profile data across to the Azure AD profile and no wipe is needed. Total hands-on time is about 20-30 minutes on average; one guy can often do 5-10 units at once.

       

      • AravindPadmanabhan
        Copper Contributor

        Koomafloo 

        Thank you for the reply.

        I was able to silently migrate the devices to MDM; the only issue was with Windows Hello for Business.

        We did not want to create a new profile or break the user connection, as that would change the profile ID and break things for the user. In the end, we decided to stagger the deployment and work slowly by sending replacement laptops.
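The two things the replies above keep circling are whether a device has actually ended up Azure AD joined (rather than hybrid joined, which is where the GPO silent-join attempt stalled with its PIN problem) and who ended up in the local Administrators group after the join. Both can be checked on the device. This is an added example, not code from any poster in this thread or from Microsoft: it parses the text that `dsregcmd /status` prints (the field names AzureAdJoined, DomainJoined, WorkplaceJoined, NgcSet and AzureAdPrt are the ones the tool emits on current builds) and lists local admins; the sample status text is constructed to show the parser, not captured from a real tenant.

```powershell
# Added post-migration check; run in an elevated PowerShell on the target device.

function Get-JoinState {
    param(
        # Raw text of "dsregcmd /status"; defaults to the live output on this machine.
        [string]$StatusText = ((& dsregcmd.exe /status) -join "`n")
    )
    $fields = @{}
    foreach ($line in $StatusText -split "`r?`n") {
        # dsregcmd prints "             AzureAdJoined : YES"; keep single-word keys only.
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $aad    = $fields['AzureAdJoined']   -eq 'YES'
    $domain = $fields['DomainJoined']    -eq 'YES'
    $wpj    = $fields['WorkplaceJoined'] -eq 'YES'
    $state = if ($aad -and $domain) { 'HybridAzureAdJoined' }
             elseif ($aad)          { 'AzureAdJoined' }
             elseif ($domain)       { 'DomainJoinedOnly' }
             elseif ($wpj)          { 'AzureAdRegistered' }
             else                   { 'Workgroup' }
    [pscustomobject]@{
        State         = $state
        AzureAdJoined = $aad
        DomainJoined  = $domain
        DomainName    = $fields['DomainName']
        TenantName    = $fields['TenantName']
        HelloKeySet   = ($fields['NgcSet'] -eq 'YES')      # Windows Hello key exists for this user
        HasAzureAdPrt = ($fields['AzureAdPrt'] -eq 'YES')  # user obtained a Primary Refresh Token
    }
}

function Get-LocalAdminReport {
    # On an Azure AD joined device the account that performed the join is listed as
    # AzureAD\<upn>; that is the "user becomes administrator" behaviour the first post objects to.
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            Source          = "$($_.PrincipalSource)"          # Local, ActiveDirectory, AzureAD, MicrosoftAccount
            IsAzureAdUser   = ($_.Name -like 'AzureAD\*')
            IsDomainAccount = ($_.PrincipalSource -eq 'ActiveDirectory')
        }
    }
}

# Constructed sample (not from a real device): still domain joined, synced to the cloud, Hello set up.
$sampleHybrid = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : YES
                AzureAdPrt : YES
'@
Get-JoinState -StatusText $sampleHybrid | Format-List   # State : HybridAzureAdJoined

# Live checks on this machine.
$join = Get-JoinState
$join | Format-List
if ($join.State -ne 'AzureAdJoined') {
    Write-Warning "Device is $($join.State); the goal in this thread is AzureAdJoined with DomainJoined = NO."
}
Get-LocalAdminReport | Format-Table -AutoSize
```

A result of HybridAzureAdJoined after a GPO-driven enrollment is exactly the state the silent-join reply describes: the computer account still lives in the on-prem domain while the Hello key was registered against the cloud identity. On a device joined from OOBE or from Settings, the AzureAD\ row in the admin report is the account that did the join, which is what the Autopilot deployment profile's standard-user setting mentioned further down is meant to avoid.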

  • DanWheeler706
    Microsoft

    I am doing the AD->AAD shuffle as well, but for kiosk-type devices. I'm using the bulk enrollment method:
    https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-bulk-enroll

    It's a real challenge to remotely get a device to safely leap from the top of one building to another without any wires or safety lines and not fall 1000 feet below to its death. I'm using a PowerShell script that connects to the remote machine, copies over the PPKG generated from the WCD above, and uninstalls the SCCM agent (then waits 5 minutes, because ccmsetup.exe /uninstall returns immediately but continues to uninstall in the background). Then I create a scheduled task that runs the PPKG on first login, and then I disjoin the computer from the AD domain.

    I'm also experimenting with ways to install a Wi-Fi profile, because our Wi-Fi profiles come from GPO, so when you disjoin, you lose Wi-Fi. We connect them with EAP-TLS, so I've had to do a lot of screwing around with our RADIUS server to build authn/authz rules that let the device on Wi-Fi before and after the transition. I've had to make a copy of the GPO-based Wi-Fi profile, export it with netsh, then create another scheduled task that loads the Wi-Fi profile after domain disjoin on first boot. You can't pre-load the Wi-Fi profile while it's connected to AD because the GPO profile is in the way. I think I'm also going to need a step that enables RDP after disjoin because, again, we turn that on with GPO and once you disjoin it goes back to default off.

    I don't think this helps much for the person who is just trying to convert user devices from AD > AAD without messing with hybrid, but I figured it was worth mentioning.
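The sequence DanWheeler706 outlines (remove the SCCM client, export the GPO Wi-Fi profile while it is still present, stage a task that restores Wi-Fi and RDP and applies the bulk-enrollment package after the disjoin, then leave the domain) written out as one script. This is an added example, not his script or anything from Microsoft's bulk-enrollment article: the staging folder C:\Migrate, the package name AADJoin.ppkg, the Wi-Fi profile name Corp-WiFi and the interactive credential prompt are assumptions, and it deliberately runs the post-disjoin step at startup as SYSTEM rather than at first login so nobody has to sign in to a kiosk. It assumes the .ppkg from Windows Configuration Designer has already been copied into the staging folder.

```powershell
#Requires -RunAsAdministrator
# Added example of the AD -> AAD cut-over described above; not DanWheeler706's code.
# Assumptions: C:\Migrate\AADJoin.ppkg already exists, the GPO Wi-Fi profile is named
# 'Corp-WiFi', the firewall rule group is the English 'Remote Desktop', and the domain
# account allowed to unjoin is supplied interactively. Run elevated on the target.
param(
    [string]$Stage       = 'C:\Migrate',
    [string]$PackageName = 'AADJoin.ppkg',
    [string]$WifiProfile = 'Corp-WiFi',
    [pscredential]$UnjoinCred = (Get-Credential -Message 'Domain account allowed to unjoin this computer')
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $Stage -Force | Out-Null

# 1. Remove the SCCM client while the box can still reach the site server. ccmsetup /uninstall
#    returns at once and keeps working in the background, so wait for the process, not a timer.
$ccm = Join-Path $env:windir 'ccmsetup\ccmsetup.exe'
if (Test-Path $ccm) {
    Start-Process -FilePath $ccm -ArgumentList '/uninstall' -Wait
    Wait-Process -Name ccmsetup -Timeout 600 -ErrorAction SilentlyContinue
}

# 2. Export the GPO-managed Wi-Fi profile now. After the disjoin the GPO copy disappears, and while
#    it exists netsh refuses a duplicate, so the re-add has to happen after the reboot.
#    An EAP-TLS profile carries no PSK; the export holds the EAP configuration only.
& netsh.exe wlan export profile name="$WifiProfile" folder="$Stage" | Out-Null

# 3. Script that runs once at next boot as SYSTEM: re-add Wi-Fi, turn RDP back on, wait for
#    connectivity, apply the bulk-enrollment package, then remove its own scheduled task.
$post = @"
`$ErrorActionPreference = 'Continue'
Get-ChildItem -Path '$Stage' -Filter '*.xml' | ForEach-Object {
    netsh.exe wlan add profile filename="`$(`$_.FullName)" user=all
}
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
for (`$i = 0; `$i -lt 24; `$i++) {
    if (Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue) { break }
    Start-Sleep -Seconds 5
}
Install-ProvisioningPackage -PackagePath '$Stage\$PackageName' -QuietInstall -ForceInstall
Unregister-ScheduledTask -TaskName 'AADMigration' -Confirm:`$false
"@
Set-Content -Path (Join-Path $Stage 'post-disjoin.ps1') -Value $post -Encoding ASCII

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
             -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$Stage\post-disjoin.ps1`""
$trigger   = New-ScheduledTaskTrigger -AtStartup
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'AADMigration' -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null

# 4. Leave the domain and reboot. Everything in post-disjoin.ps1 only makes sense after this:
#    the GPO Wi-Fi profile and the GPO RDP setting are gone once the machine comes back up.
Remove-Computer -UnjoinDomainCredential $UnjoinCred -WorkgroupName 'WORKGROUP' -Force -PassThru
Restart-Computer -Force
```

Driving this from an admin workstation, as DanWheeler706 does, is a matter of opening a PSSession to the target, copying the .ppkg and this script with `Copy-Item -ToSession`, and running it with `Invoke-Command -FilePath`; the unjoin credential then has to be passed as a parameter instead of prompted for. Because the post-disjoin task runs before any user signs in, the device needs the RADIUS rules he mentions to admit it while it is neither domain joined nor yet Azure AD joined, otherwise the package is applied with no network and the join fails.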
  • JonasBack
    Steel Contributor
    We use Autopilot to move computers over. But in general, we get them Azure AD joined/managed using Endpoint Manager whenever we replace the hardware and yes, this will take a long time if you don’t plan to replace computers within the next year or so. So sometimes we simply re-install computers.

    If you have specific requirements for which users to set as local admin, we use this script: https://tech.xenit.se/add-you-own-local-admin-users-on-azure-ad-devices/
    • DeyKilledKenny
      Copper Contributor

      AvinashG Hey Avinash,

      We have found a workaround for this.

      While the machine is joined to a local domain, domain1.com,

      to be able to enroll it in Intune MDM (without joining the AzureCloud.com domain):

      You first have to remove any management tools, for example the SCCM client. Once that client is removed, you should be able to enroll in Mobile Device Management from Settings -> Accounts -> Access work or school. Under related settings you will get an option to enroll in MDM; once you do it, it should be easy after that.

       

      Hope this helps.

  • JohnEijg
    Copper Contributor
    In regard to issue 1 and users getting local admin rights: are you using Intune? If so, you can create a deployment profile in which you state that users don't have admin rights. Target that at your devices, and after the OOBE the user will have standard user rights.
    As far as I know there aren't any supported methods to migrate devices from AD to a native Azure AD joined state without resetting the device.
      • JohnEijg
        Copper Contributor

        DeyKilledKenny 
        This isn't the full answer to the question. The question was how to get from a domain-joined setup to a native Azure AD joined setup for existing devices. The steps you described involve enrolling a domain device in Azure AD. They don't remove the device from the on-prem domain.

  • gabe_stewardson
    Copper Contributor
    Hello all,

    Just worked through this thread. I'll be taking over IT items for my company, and during this time I will be migrating from on-prem AD to AAD. Did not know if someone came up with a more simplified way, or if Intune or the auto-join worked better.

    LMK
