Forum Discussion
Deleted
Dec 17, 2018
Removing on-prem AD and start using Office365/Intune
Hello, we are using Exchange Online and on-prem azure with dir sync to Office365. We would like to remove the DC and join all computers to Intune and move the users to Azure AD in cloud. What...
Dec 17, 2018
FastTrack can help some, but the primary steps are to get Intune working with auto enrollment first. This way when you Azure AD join your machines they are managed from the get go. Depending on how many GPOs you had in your on-prem deployment, you'll want to get all that set up ahead of time as well. You can set up test Intune groups and assign so only those groups get Intune when joined.
Once your Intune is set up, you can use a tool such as profwiz to disjoin from the domain. Then you have to log in locally, join to Azure AD, then use profwiz to assign the Azure AD user to your old domain profile. Then you can log in with minimal disruption to the user and it'll be joined to Azure AD. With Intune and auto enrollment in place, all the policies will apply on first login.
Here is the article I've been using to get going on Intune deployment. It has everything you need; it wasn't too hard but will take a few days to figure out and get things working: https://docs.microsoft.com/en-us/intune/
Once Intune is configured and you get your devices all joined and managed to Azure AD, the last step really is removing your Azure AD Connect so your users can go cloud only, so you can disable that sync in the cloud: https://support.microsoft.com/en-us/help/2619062/you-can-t-manage-or-remove-objects-that-were-synchronized-through-the
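A check for the end state the reply above describes (disjoined from the domain, Azure AD joined, MDM enrollment in scope), added here as an example and not part of the original post. It parses the text printed by `dsregcmd /status`; the function name and the sample output are constructed for illustration.

```powershell
# Added example: classify a device's join state from `dsregcmd /status` text.
function Get-JoinState {
    param([Parameter(Mandatory)][string[]]$StatusLines)

    # dsregcmd prints "Name : Value" pairs; collect them in a lookup table.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*\S)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $aadJoined    = $fields['AzureAdJoined'] -eq 'YES'
    $domainJoined = $fields['DomainJoined'] -eq 'YES'

    if ($aadJoined -and $domainJoined) {
        $state = 'Hybrid Azure AD joined'
    } elseif ($aadJoined) {
        $state = 'Azure AD joined (cloud only)'
    } elseif ($domainJoined) {
        $state = 'On-prem domain joined only'
    } else {
        $state = 'Not joined'
    }

    [pscustomobject]@{
        JoinState     = $state
        # MdmUrl is filled in when the device received an MDM enrollment
        # endpoint, i.e. auto enrollment is in scope for the signed-in user.
        MdmUrlPresent = [bool]$fields['MdmUrl']
        Tenant        = $fields['TenantName']
    }
}

# Constructed sample output for a machine after the migration steps.
$sample = @'
  AzureAdJoined : YES
  DomainJoined : NO
  TenantName : Contoso (placeholder)
  MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
'@ -split "`r?`n"

Get-JoinState -StatusLines $sample
```

On a live machine, pass the real output instead of the sample: `Get-JoinState -StatusLines (dsregcmd /status)`.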
Dec 17, 2018
FastTrack should help because if they qualify Microsoft will pay for the migration and do a discovery to determine if it’ll be cloud led or hybrid led. If they have local apps or file servers which authenticate to AD and they can’t be moved to the cloud in a reasonable time then it may need to be hybrid Azure AD join until they are moved or switched out for other apps. I used to use AADP1 to get round this before Hybrid Azure AD Join was introduced because there were reasons they couldn’t go all in with Windows AD join immediately.
I will look into ProfWiz though. Sounds good. Been using Laplink or USMT so far.
Best, Chris
- Dec 17, 2018: Yeah agree, it's a huge ordeal to cover all the ins and outs and unless you know everything it can be overwhelming, but I just laid out the technical high level plan. Of course, all the on-prem / licensing stuff needs figured out in addition too :)
- Dec 17, 2018: For sure! It’s a good way to do it too. I would do it exactly the same way!