Convert Hybrid Azure AD Join Device to Azure AD Join Only
Hi MSBSKBMKB,
What you are experiencing is expected behavior in a Hybrid Azure AD Join scenario.
In a Hybrid Azure AD Join configuration, the Azure AD registration is dependent on the on-premises domain join. The device is domain-joined first, and then Azure AD registration is performed automatically through Azure AD Connect and SCP (Service Connection Point). The Azure AD join state is tied to the domain trust.
When you manually remove the device from the on-prem AD domain (unjoin from domain), the secure channel is broken. As a result:
– The device loses its domain trust
– The Hybrid Azure AD Join registration becomes invalid
– dsregcmd will show the device as not joined to either AD or Azure AD
This is why you lose both states.
Hybrid Azure AD Join is not the same as Azure AD Join. In Hybrid, Azure AD registration depends on the domain join. Once you remove the domain, the Azure AD identity associated with that device is no longer valid.
There is no supported way to simply “remove domain join but keep Azure AD join” on an existing Hybrid device. The device must be rejoined properly as Azure AD Joined.
Best practice to move from Hybrid Azure AD Join to Azure AD Join only
The supported approach is:
– Prepare Intune for full management (ensure MDM authority is Intune only).
– Make sure device compliance, configuration profiles, and enrollment profiles are ready.
– Plan user data migration (since user profiles will change).
– Perform a controlled reset and Azure AD Join.
Recommended methods:
Option 1 (Preferred): Autopilot Reset or Fresh Start
– Reset the device
– Join directly to Azure AD during OOBE
– Enroll into Intune
This gives you a clean Azure AD Joined state.
Option 2: Manual migration (more complex, not recommended at scale)
– Back up user data
– Unjoin from domain
– Reboot
– Join to Azure AD manually
– Re-enroll in Intune
– Migrate user profile (using tools like USMT or third-party profile migration tools)
Important consideration: User Profiles
When you move from domain-joined to Azure AD Joined:
– The user SID changes
– The Windows profile path changes
– Existing domain user profiles will not automatically attach to the Azure AD account
That is why you see loss of user settings.
If preserving user profiles is required, you need a profile migration strategy (for example USMT, ForensIT, or similar tools).
Enterprise recommendation
For production environments, the cleanest and most supported path is:
– Deploy Windows Autopilot
– Reset device
– Azure AD Join during OOBE
– Enroll in Intune
Trying to convert Hybrid to Azure AD Join in place without a reset is not supported and leads to a broken identity state, exactly as you observed.
Summary
– Removing domain join breaks Hybrid Azure AD Join by design.
– You cannot keep Azure AD Join after removing the on-prem domain in a Hybrid scenario.
– The correct path to cloud-only is reset and rejoin as Azure AD Joined.
– Plan for user profile migration if needed.
If you want, I can also outline a step-by-step migration plan for moving a full fleet from Hybrid to Azure AD Join only in a controlled manner.
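As an added example (not part of the reply above or any Microsoft tooling), the following PowerShell script shows the two checks an administrator would run before planning the migration the reply describes: it parses the real `dsregcmd /status` output to classify the device as Hybrid joined, Azure AD joined, domain joined only, or not joined, and it inventories local user profiles with their SIDs and paths, since those are exactly the values that change once the device is rejoined as Azure AD Joined. The function names, the `-StatusText` parameter and the sample `dsregcmd` lines are constructed for illustration; the field names (`AzureAdJoined`, `DomainJoined`, `EnterpriseJoined`, `DeviceId`, `TenantName`, `DomainName`) are the ones `dsregcmd /status` actually prints.

```powershell
# Added example: pre-migration assessment for a Hybrid Azure AD Joined device.
# Function names and sample output are constructed; dsregcmd field names are real.

function Get-JoinState {
    param(
        # Optional captured dsregcmd output, so the parser can be exercised offline.
        # When omitted, the live tool is run on the current device.
        [string[]]$StatusText = (dsregcmd /status)
    )
    $fields = @{}
    foreach ($line in $StatusText) {
        # dsregcmd prints "   Name : Value" lines; keep the ones relevant to join state.
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined|DeviceId|TenantName|DomainName)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    $aad    = $fields['AzureAdJoined'] -eq 'YES'
    $domain = $fields['DomainJoined']  -eq 'YES'
    # Hybrid = both flags YES; Azure AD Join only = AzureAdJoined without DomainJoined.
    $state = if ($aad -and $domain) { 'HybridAzureADJoined' }
             elseif ($aad)          { 'AzureADJoined' }
             elseif ($domain)       { 'DomainJoinedOnly' }
             else                   { 'NotJoined' }
    [pscustomobject]@{
        State      = $state
        DeviceId   = $fields['DeviceId']
        TenantName = $fields['TenantName']
        DomainName = $fields['DomainName']
    }
}

function Get-ProfileInventory {
    # Lists non-special (non-system) profiles with SID, path and last use.
    # After the device becomes Azure AD Joined, users get new SIDs and new
    # profile paths, so this list is the input to any USMT/profile migration plan.
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special } |
        ForEach-Object {
            $account = '<unresolved>'
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($_.SID)
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                # Orphaned SIDs (e.g. from a domain the device can no longer reach) stay unresolved.
            }
            [pscustomobject]@{
                Account     = $account
                SID         = $_.SID
                LocalPath   = $_.LocalPath
                LastUseTime = $_.LastUseTime
                Loaded      = $_.Loaded
            }
        }
}

# Constructed sample dsregcmd output (placeholder DeviceId), used to show the parser offline.
$sample = @(
    '             AzureAdJoined : YES',
    '          EnterpriseJoined : NO',
    '              DomainJoined : YES',
    '                DomainName : CORP',
    '                  DeviceId : 00000000-0000-0000-0000-000000000000',
    '                TenantName : Contoso'
)
Get-JoinState -StatusText $sample | Format-List   # State : HybridAzureADJoined

# On a real device: classify the join state and list profiles to migrate.
$join = Get-JoinState
Write-Host "Join state: $($join.State)"
if ($join.State -eq 'HybridAzureADJoined') {
    Write-Host 'Device is Hybrid joined: plan a reset/Autopilot rejoin rather than removing the domain join in place.'
}
Get-ProfileInventory | Format-Table -AutoSize
```

Run the script in an elevated PowerShell session on the device being assessed. The `dsregcmd /status` parse gives a quick fleet-wide way to confirm which devices are still Hybrid joined before a reset is scheduled, and the profile inventory (account, SID, path) is what you hand to USMT or a third-party tool so that no profile is missed when the SIDs change.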