Forum Discussion
Convert Hybrid Azure AD Join Device to Azure AD Join Only
Hi , We are in Hybrid state ( SCCM+ Intune =CoManaged ) and Hybrid Azure AD Join . Now as next step moving to cloud only , We are moving device from Hybrid to Azure only State . While testing Manually remove a device from AD domain post reboot noticed that not able to even login with Azure that means loose the complete state ( AD as well as Azure ) , Login with Local account found with DSREGCMD that device is not attached to any . If I just removed the AD domain why this has removed from Azure AD Join as well .What is best way to Remove domain join but keep Azure AD join , Loose Users settings as well.
Thanks MSB
9 Replies
There are three common ways to migrate Windows devices to Microsoft Entra ID Join:
Traditional Method: Reset Device and Re-Provision using Windows Autopilot (data protected with OneDrive)
This approach wipes and resets the device, then re-provisions it as a cloud-only Entra ID–joined device using Windows Autopilot. To avoid data loss, user files are synced to OneDrive first.Simple flow
- Sync user folders (Desktop, Documents, Pictures) to OneDrive
- Add devices to Autopilot and trigger a device reset
- Device boots into Windows Autopilot
- User signs in using Entra ID credentials
- Device auto-configures security policies, applications, and compliance settings
- OneDrive restores user files after sign-in
What users experience
- New Windows setup experience
- Applications reinstall
- Settings and preferences reset
- Files are restored, but desktop look-and-feel is new
Pros
- Clean and secure approach, Microsoft-recommended
- Ideal for device refresh or security rebuild
- Fully automated provisioning
Limitations
- Requires device reset
- Limited end-to-end logging/monitoring of the full migration activity (depends on how you implement it)
- User downtime typically 1–3 hours
- User profile/settings are not preserved
- Requires strong OneDrive adoption
Manual Method: Leave Domain and Join Entra ID (no reset, but profile migration required)
IT manually unjoins the device from Active Directory and joins it to Entra ID without resetting Windows.Simple flow
- Unjoin device from on-prem AD
- Join device to Entra ID
- Back up LAPS and BitLocker recovery keys
- User signs in with Entra ID (new Windows profile is created)
- Manually copy user data and limited settings (browser data, some app settings)
- Update device ownership (if DEM is used)
- Remove local admin rights if needed (depending on join method and policy)
What users experience
- New Windows profile
- Files may be copied manually (often requires permission mapping to access the old profile)
- Applications might need reconfiguration
- Some settings are lost
Pros
- No full device reset
- Often faster than Autopilot reset
- Does not depend on OneDrive
Limitations
- Manual and error-prone
- Requires old profile permission/SID mapping to move data correctly
- Risk of data/settings loss
- Limited logging/monitoring and harder troubleshooting
- Not scalable for large environments
Modern Method: Migrate using Opsole Migrate (no reset, minimal downtime)
Opsole Migrate enables an in-place migration from AD/Hybrid join to Entra ID Join without resetting the device, while preserving the existing user profile and minimizing downtime.Simple flow
- Deploy Opsole Migrate remotely (Intune or GPO)
- Run migration under IT scheduling or user self-service
- Device is disjoined from AD and joined to Entra ID
- User profile is preserved, including BitLocker and LAPS continuity
- User signs in and continues working with minimal interruption
What users experience
- No reset
- Same desktop, files, apps, and settings
- Minimal interruption (typically 10–15 minutes, device-dependent)
Pros
- No device reset and no new user profile
- Minimal downtime
- Detailed logging and monitoring by phase
- Scalable for large enterprises
- Well-suited for business-critical users and large fleets
Why customers prefer this approach
- Minimal disruption to daily work
- No retraining or confusion
- Faster completion for larger device fleets (100+ devices)
- Lower support ticket volume
To move devices between join states, i.e. hybrid to entra joined, aka cloud native, the user will barely notice, have a look at PowerSyncPro Migration Agent, it can reconfigure 10's of thousands of machines in minutes, repermissioning user profile, apps, security, workloads, can also handle bitlocker, AIP and much more.
We recently (in the last 4months) used it to migrate two different companies, 2x 12k+ workstations in a single weekend per company. Worked a dream. 90% of devices were up and running by 10am the Monday morning, the others were international, annual leave or different time zones. Average reconfiguration time was 7 minutes for the user. It will also do offline domain join too.
- Hi,
Does it also apply to Windows Sever? I need to convert a server from "Entra ID Hybrid join" to "Entra ID join only"
Thank youNstellar yes, you have the option of including servers when creating your batches. Drop sales @ powersyncpro .com and they can setup a demo for you.
that migration path simply does not exist ... i am also exploring options for the same objective: migrating from hjaad to aad only
the only option you will find in official MS doc is to reset computer, preferably using autopilot - that will allow you to remove admin right if you need so.
- Hello, i open back the topic ? 3 years after, is there still no possibility to switch hybrid ad join device to azure ad join? i know that Quest is providing a solution but you have to pay ...
- When you are in a hybrid state, computers are sync'ed.
That means that when you remove the AD computer on-prem, it's also removed in the cloud.
If you want to change a PC from hybrid to AAD, you need to remove the device from AD and add it to add manually. This will remove the current AD profile - Hi,
Azure community and all of its sub communities:
https://techcommunity.microsoft.com/t5/azure/ct-p/Azure
