Forum Discussion

MSBSKBMKB
Copper Contributor
Jan 28, 2021

Convert Hybrid Azure AD Join Device to Azure AD Join Only

Hi, we are in a hybrid state (SCCM + Intune = co-managed) and Hybrid Azure AD Joined. Now, as the next step, we are moving to cloud only, moving devices from Hybrid to an Azure-only state. While testing, I manually removed a device from the AD domain; post reboot I noticed that I was not even able to log in with Azure, meaning it lost the complete state (AD as well as Azure). Logging in with a local account, I found with DSREGCMD that the device is not attached to anything. If I just removed the AD domain, why has this removed the Azure AD join as well? What is the best way to remove the domain join but keep the Azure AD join? We lose the users' settings as well.

Thanks MSB

11 Replies

  • Hi MSBSKBMKB,

    What you are experiencing is expected behavior in a Hybrid Azure AD Join scenario.

    In a Hybrid Azure AD Join configuration, the Azure AD registration is dependent on the on-premises domain join. The device is domain-joined first, and then Azure AD registration is performed automatically through Azure AD Connect and SCP (Service Connection Point). The Azure AD join state is tied to the domain trust.

    When you manually remove the device from the on-prem AD domain (unjoin from domain), the secure channel is broken. As a result:

    – The device loses its domain trust
    – The Hybrid Azure AD Join registration becomes invalid
    – dsregcmd will show the device as not joined to either AD or Azure AD

    This is why you lose both states.

    Hybrid Azure AD Join is not the same as Azure AD Join. In Hybrid, Azure AD registration depends on the domain join. Once you remove the domain, the Azure AD identity associated with that device is no longer valid.

    There is no supported way to simply “remove domain join but keep Azure AD join” on an existing Hybrid device. The device must be rejoined properly as Azure AD Joined.

    Best practice to move from Hybrid Azure AD Join to Azure AD Join only

    The supported approach is:

    1. Prepare Intune for full management (ensure MDM authority is Intune only).
    2. Make sure device compliance, configuration profiles, and enrollment profiles are ready.
    3. Plan user data migration (since user profiles will change).
    4. Perform a controlled reset and Azure AD Join.

    Recommended methods:

    Option 1 (Preferred): Autopilot Reset or Fresh Start
    – Reset the device
    – Join directly to Azure AD during OOBE
    – Enroll into Intune
    This gives you a clean Azure AD Joined state.

    Option 2: Manual migration (more complex, not recommended at scale)
    – Back up user data
    – Unjoin from domain
    – Reboot
    – Join to Azure AD manually
    – Re-enroll in Intune
    – Migrate user profile (using tools like USMT or third-party profile migration tools)

    Important consideration: User Profiles

    When you move from domain-joined to Azure AD Joined:

    – The user SID changes
    – The Windows profile path changes
    – Existing domain user profiles will not automatically attach to the Azure AD account

    That is why you see loss of user settings.

    If preserving user profile is required, you need a profile migration strategy (for example USMT, ForensIT, or similar tools).

    Enterprise recommendation

    For production environments, the cleanest and most supported path is:

    – Deploy Windows Autopilot
    – Reset device
    – Azure AD Join during OOBE
    – Enroll in Intune

    Trying to convert Hybrid to Azure AD Join in place without reset is not supported and leads to broken identity state, exactly like you observed.

    Summary

    – Removing domain join breaks Hybrid Azure AD Join by design.
    – You cannot keep Azure AD Join after removing on-prem domain in Hybrid scenario.
    – The correct path to cloud-only is reset and rejoin as Azure AD Joined.
    – Plan for user profile migration if needed.

    If you want, I can also outline a step-by-step migration plan for moving a full fleet from Hybrid to Azure AD Join only in a controlled manner.
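
The reply above says dsregcmd will show the device as joined to neither AD nor Azure AD after the unjoin. The following is an added example (not code from the thread or from Microsoft) that classifies a device's join state from the `Key : Value` rows of `dsregcmd /status`, so the state can be recorded before a migration and verified afterwards. The field names `AzureAdJoined`, `EnterpriseJoined`, `DomainJoined`, `DomainName`, `TenantName` and `DeviceId` are the real dsregcmd ones; the sample output below is constructed to mimic what the original poster saw.

```powershell
# Added example: turn `dsregcmd /status` output into a join-state object.
# Pass the live output with: ConvertFrom-DsregcmdStatus -Lines (dsregcmd /status)
function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)][string[]]$Lines)

    # dsregcmd prints "Key : Value" rows inside boxed sections; keep only the rows we need.
    $wanted = 'AzureAdJoined', 'EnterpriseJoined', 'DomainJoined', 'DomainName', 'TenantName', 'DeviceId'
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') {
            $key, $value = $Matches[1], $Matches[2]
            if ($wanted -contains $key) { $fields[$key] = $value }
        }
    }

    $azure  = ($fields['AzureAdJoined'] -eq 'YES')
    $domain = ($fields['DomainJoined']  -eq 'YES')

    # The four combinations that matter for a Hybrid -> cloud-only move.
    if     ($azure -and $domain)      { $state = 'Hybrid Azure AD joined' }
    elseif ($azure)                   { $state = 'Azure AD joined (cloud only)' }
    elseif ($domain)                  { $state = 'Domain joined only (no Azure AD registration)' }
    else                              { $state = 'Not joined to any directory' }

    [pscustomobject]@{
        State         = $state
        AzureAdJoined = $azure
        DomainJoined  = $domain
        DomainName    = $fields['DomainName']
        TenantName    = $fields['TenantName']
        DeviceId      = $fields['DeviceId']
    }
}

# Constructed sample: what a Hybrid device reports after the domain has been removed
# manually (both flags NO), i.e. the state described in the question.
$constructedAfterUnjoin = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : NO
'@ -split "`r?`n"

# Constructed sample: a healthy Hybrid device before the change (DeviceId/TenantName are placeholders).
$constructedHybrid = @'
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CORP
                  DeviceId : 00000000-0000-0000-0000-000000000000
                TenantName : Contoso (placeholder)
'@ -split "`r?`n"

ConvertFrom-DsregcmdStatus -Lines $constructedHybrid      | Format-List
ConvertFrom-DsregcmdStatus -Lines $constructedAfterUnjoin | Format-List
```

Run it against the live command before the reset to confirm the device really is Hybrid joined, and again after the Autopilot/OOBE join to confirm the result is `Azure AD joined (cloud only)` rather than `Not joined to any directory`.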

  • rrash
    Copper Contributor

    Microsoft provides solid guidance around Hybrid Entra ID Join, Entra ID Join, and device management through Microsoft Intune and Microsoft Entra ID. The foundation and best practices are already well documented by Microsoft.

    Where many organizations need additional support is in the execution phase, especially when converting large numbers of devices from Hybrid to cloud-only while keeping the user experience seamless. That’s where tools like Opsole Migrate complement the Microsoft ecosystem.

    The goal isn’t to replace Microsoft processes, but to automate and streamline them, preserving user profiles, reconfiguring device join state, backing up BitLocker keys, handling LAPS, and ensuring applications and policies continue working as designed in Intune.

    In short, Microsoft provides the platform and architecture; solutions like Opsole Migrate help organizations transition smoothly within that framework, particularly at scale and with minimal user disruption.

  • JoseJ
    Brass Contributor

    There are three common ways to migrate Windows devices to Microsoft Entra ID Join:

    Traditional Method: Reset Device and Re-Provision using Windows Autopilot (data protected with OneDrive)
    This approach wipes and resets the device, then re-provisions it as a cloud-only Entra ID–joined device using Windows Autopilot. To avoid data loss, user files are synced to OneDrive first.

    Simple flow

    • Sync user folders (Desktop, Documents, Pictures) to OneDrive
    • Add devices to Autopilot and trigger a device reset
    • Device boots into Windows Autopilot
    • User signs in using Entra ID credentials
    • Device auto-configures security policies, applications, and compliance settings
    • OneDrive restores user files after sign-in

    What users experience

    • New Windows setup experience
    • Applications reinstall
    • Settings and preferences reset
    • Files are restored, but desktop look-and-feel is new

    Pros

    • Clean and secure approach, Microsoft-recommended
    • Ideal for device refresh or security rebuild
    • Fully automated provisioning

    Limitations

    • Requires device reset
    • Limited end-to-end logging/monitoring of the full migration activity (depends on how you implement it)
    • User downtime typically 1–3 hours
    • User profile/settings are not preserved
    • Requires strong OneDrive adoption

    Manual Method: Leave Domain and Join Entra ID (no reset, but profile migration required)
    IT manually unjoins the device from Active Directory and joins it to Entra ID without resetting Windows.

    Simple flow

    • Unjoin device from on-prem AD
    • Join device to Entra ID
    • Back up LAPS and BitLocker recovery keys
    • User signs in with Entra ID (new Windows profile is created)
    • Manually copy user data and limited settings (browser data, some app settings)
    • Update device ownership (if DEM is used)
    • Remove local admin rights if needed (depending on join method and policy)

    What users experience

    • New Windows profile
    • Files may be copied manually (often requires permission mapping to access the old profile)
    • Applications might need reconfiguration
    • Some settings are lost

    Pros

    • No full device reset
    • Often faster than Autopilot reset
    • Does not depend on OneDrive

    Limitations

    • Manual and error-prone
    • Requires old profile permission/SID mapping to move data correctly
    • Risk of data/settings loss
    • Limited logging/monitoring and harder troubleshooting
    • Not scalable for large environments

    Modern Method: Migrate using Opsole Migrate (no reset, minimal downtime)
    Opsole Migrate enables an in-place migration from AD/Hybrid join to Entra ID Join without resetting the device, while preserving the existing user profile and minimizing downtime.

    Simple flow

    • Deploy Opsole Migrate remotely (Intune or GPO)
    • Run migration under IT scheduling or user self-service
    • Device is disjoined from AD and joined to Entra ID
    • User profile is preserved, including BitLocker and LAPS continuity
    • User signs in and continues working with minimal interruption

    What users experience

    • No reset
    • Same desktop, files, apps, and settings
    • Minimal interruption (typically 10–15 minutes, device-dependent)

    Pros

    • No device reset and no new user profile
    • Minimal downtime
    • Detailed logging and monitoring by phase
    • Scalable for large enterprises
    • Well-suited for business-critical users and large fleets

    Why customers prefer this approach

    • Minimal disruption to daily work
    • No retraining or confusion
    • Faster completion for larger device fleets (100+ devices)
    • Lower support ticket volume
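
Both the first reply ("the user SID changes") and the manual method above ("requires old profile permission/SID mapping") come down to one fact: profile folders and their ACLs are keyed by SID, and a domain SID can no longer be resolved to a name once the domain trust is gone. The following is an added example (not from the thread or from any vendor tool) that inventories the local user profiles and classifies each by the kind of account its SID belongs to, so an administrator can see before an unjoin which profiles are domain profiles that will need re-permissioning, which are local, and which are already Entra ID profiles. The registry key `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`, the `S-1-5-21-` (domain/local) and `S-1-12-1-` (Entra ID) SID prefixes and the .NET `SecurityIdentifier` API are real; the sample profiles and machine SID are constructed.

```powershell
# Added example: classify user profiles by SID type ahead of a domain unjoin.
function Get-SidKind {
    param(
        [Parameter(Mandatory)][System.Security.Principal.SecurityIdentifier]$Sid,
        # The machine's own S-1-5-21-... prefix; needed to tell local accounts from domain accounts.
        [System.Security.Principal.SecurityIdentifier]$LocalMachineSid
    )
    $value = $Sid.Value
    if ($value -match '^S-1-5-(18|19|20)$') { return 'Well-known service account' }
    if ($value -like 'S-1-12-1-*')          { return 'Entra ID (Azure AD) account' }
    if ($value -like 'S-1-5-21-*') {
        if ($LocalMachineSid -and ($Sid.AccountDomainSid -eq $LocalMachineSid)) { return 'Local account' }
        return 'On-prem AD domain account'
    }
    return 'Other'
}

function Get-ProfileInventory {
    param(
        # Each entry: @{ Sid = '<SID string>'; ProfilePath = 'C:\Users\...' }
        [Parameter(Mandatory)][hashtable[]]$Profiles,
        [string]$LocalMachineSid
    )
    $machineSid = if ($LocalMachineSid) { [System.Security.Principal.SecurityIdentifier]$LocalMachineSid } else { $null }
    foreach ($p in $Profiles) {
        $sid = [System.Security.Principal.SecurityIdentifier]$p.Sid
        # Name resolution of a domain SID fails once the domain trust is gone; that is the
        # "unresolved SID" you see on an old profile's ACL after an unjoin.
        $account = '<unresolved>'
        try { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{
            Sid         = $sid.Value
            Kind        = Get-SidKind -Sid $sid -LocalMachineSid $machineSid
            Account     = $account
            ProfilePath = $p.ProfilePath
        }
    }
}

# Live use on a Windows device (reads the real ProfileList key; run elevated):
# $live = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
#     ForEach-Object { @{ Sid = $_.PSChildName; ProfilePath = (Get-ItemProperty $_.PSPath).ProfileImagePath } }
# $machine = (Get-LocalUser | Select-Object -First 1).SID.AccountDomainSid.Value
# Get-ProfileInventory -Profiles $live -LocalMachineSid $machine | Format-Table -AutoSize

# Constructed sample: one service profile, one domain user, one local user, one Entra ID user.
$constructedMachineSid = 'S-1-5-21-1111111111-2222222222-3333333333'
$constructedProfiles = @(
    @{ Sid = 'S-1-5-18';                                            ProfilePath = 'C:\Windows\system32\config\systemprofile' },
    @{ Sid = 'S-1-5-21-4444444444-5555555555-6666666666-1105';      ProfilePath = 'C:\Users\jdoe' },
    @{ Sid = "${constructedMachineSid}-1001";                       ProfilePath = 'C:\Users\localadmin' },
    @{ Sid = 'S-1-12-1-1234567890-1234567890-1234567890-1234567890'; ProfilePath = 'C:\Users\jdoe_contoso.com' }
)
Get-ProfileInventory -Profiles $constructedProfiles -LocalMachineSid $constructedMachineSid | Format-Table -AutoSize
```

Every row classified as `On-prem AD domain account` is a profile whose owner SID will have no counterpart after the device becomes Entra ID joined; those are the profiles the manual method has to copy or re-ACL, and the ones a migration tool has to re-permission to the new `S-1-12-1-` SID.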

  • neillangston
    Copper Contributor

    MSBSKBMKB 

    To move devices between join states, i.e. hybrid to Entra joined (aka cloud native), with the user barely noticing, have a look at PowerSyncPro Migration Agent. It can reconfigure tens of thousands of machines in minutes, re-permissioning user profiles, apps, security and workloads; it can also handle BitLocker, AIP and much more.

    We recently (in the last 4 months) used it to migrate two different companies, 2x 12k+ workstations in a single weekend per company. Worked a dream. 90% of devices were up and running by 10am on the Monday morning; the others were international, on annual leave or in different time zones. Average reconfiguration time was 7 minutes for the user. It will also do offline domain join too.

    • Nstellar
      Copper Contributor
      Hi,
      Does it also apply to Windows Server? I need to convert a server from "Entra ID Hybrid join" to "Entra ID join only".
      Thank you
      • neillangston
        Copper Contributor

        Nstellar, yes, you have the option of including servers when creating your batches. Drop sales @ powersyncpro .com a line and they can set up a demo for you.

  • MayaK06
    Copper Contributor

    MSBSKBMKB 

    That migration path simply does not exist... I am also exploring options for the same objective: migrating from HJAAD to AAD only.

    The only option you will find in the official MS docs is to reset the computer, preferably using Autopilot; that will allow you to remove admin rights if you need to.

    • jojo0306
      Copper Contributor
      Hello, I am reopening the topic. 3 years later, is there still no possibility to switch a Hybrid AD joined device to Azure AD join? I know that Quest is providing a solution, but you have to pay...
  • Thijs Lecomte
    Bronze Contributor
    When you are in a hybrid state, computers are synced.

    That means that when you remove the AD computer on-prem, it's also removed in the cloud.

    If you want to change a PC from hybrid to AAD, you need to remove the device from AD and add it to AAD manually. This will remove the current AD profile.