Forum Discussion
Device Migration from On-prem AD to Azure AD
DeyKilledKenny
This isn't the full answer to the question. The question was how to get from a domain-joined setup to a native Azure AD joined setup for existing devices. The steps you described involve enrolling a domain device to Azure AD. It doesn't remove the device from the on-prem domain.
If we find a better way to do it in the coming days, I will update this thread for sure.
- Khirtah, Nov 03, 2020, Copper Contributor
Hi,
Did you try to:
Create a local admin account and export the hash to Intune.
Disconnect the user from the local domain.
Connect to Azure AD.
Disconnect from the local admin account and connect with the Azure AD username; that starts enrollment, and you can see in Intune that you have an Autopilot-managed machine.
I tried that without resetting the computer.
- 0--O1, May 07, 2021, Copper Contributor
Hi there,
Okay, a little bit late, but this results in users getting a new profile. And this action takes a very long time (about 3 hours while changing from local AD to Azure AD). There is probably a very long error timeout.
That is not a top solution.
Researching for best practice. Perhaps with SCCM on-prem support.
- jfaverman, Aug 11, 2021, Copper Contributor
0--O1 There is a Microsoft article on this. When you unjoin a computer from an AD domain and move it to a workgroup, Windows will use the domain name as the workgroup name. Then when you try to Azure AD Join the computer, the computer will start looking for the AD domain. It will stop looking in 3 hours (times out). To work around this, when you unjoin the computer from AD, change the workgroup name to anything else that is not the name of the AD (e.g., change it to Workgroup). Then when you Azure AD Join the computer, it happens in real time.
- Jan Gezels, Oct 14, 2020, Copper Contributor
In my opinion, if you need to script this, the difficulty would lie in the removal of the PC from the current AD to a workgroup:
* This could be done by using the Remove-Computer cmdlet (with or without reboot, to be tested).
After that step, inject a WDC package to get it into Azure AD:
(https://www.nielskok.tech/microsoft365/unattended-azure-ad-join/)
If you had your identities synced up with AD Connect, the SID would be the same, as would the profile... (also to be tested)
Interested to hear other solutions also
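
The unjoin step discussed in the replies above (a local admin account first, then `Remove-Computer` into a workgroup whose name differs from the AD domain) can be scripted as below. This is an added example, not code posted by anyone in the thread; the function names, the `former-domain.txt` marker file and the first-DNS-label guess at the NetBIOS name are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Run locally on the domain-joined device.

function Test-WorkgroupNameSafe {
    # True when the workgroup name cannot be mistaken for the old AD domain.
    param([Parameter(Mandatory)][string]$WorkgroupName,
          [Parameter(Mandatory)][string]$DomainDnsName)
    # Assumption: the NetBIOS domain name equals the first DNS label.
    $netbiosGuess = ($DomainDnsName -split '\.')[0]
    ($WorkgroupName -ne $DomainDnsName) -and ($WorkgroupName -ne $netbiosGuess)
}

function Invoke-DomainUnjoin {
    param([Parameter(Mandatory)][pscredential]$UnjoinCredential,
          [string]$WorkgroupName = 'WORKGROUP',
          [switch]$Restart)
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        Write-Warning "Already in workgroup '$($cs.Workgroup)'; nothing to unjoin."
        return
    }
    if (-not (Test-WorkgroupNameSafe -WorkgroupName $WorkgroupName -DomainDnsName $cs.Domain)) {
        throw "Workgroup '$WorkgroupName' matches domain '$($cs.Domain)'; pick another name."
    }
    # An enabled local administrator must exist, or nobody can sign in afterwards.
    $localAdmins = Get-LocalGroupMember -SID 'S-1-5-32-544' | Where-Object {
        $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' -and
        (Get-LocalUser -SID $_.SID).Enabled
    }
    if (-not $localAdmins) { throw 'No enabled local administrator account found.' }
    # Keep the old domain name for the post-reboot check (hypothetical file name).
    Set-Content -Path "$env:ProgramData\former-domain.txt" -Value $cs.Domain
    Remove-Computer -UnjoinDomainCredential $UnjoinCredential `
        -WorkgroupName $WorkgroupName -Force -PassThru -Restart:$Restart
}

function Test-ReadyForAzureAdJoin {
    # Run after the reboot, before starting the Azure AD join.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $former = Get-Content -Path "$env:ProgramData\former-domain.txt" -ErrorAction Stop
    $dsreg = (dsregcmd /status) -join "`n"
    (-not $cs.PartOfDomain) -and
        (Test-WorkgroupNameSafe -WorkgroupName $cs.Workgroup -DomainDnsName $former) -and
        ($dsreg -match 'DomainJoined\s*:\s*NO')
}
```

Call `Invoke-DomainUnjoin -UnjoinCredential (Get-Credential) -Restart`, sign in with the local admin account after the reboot, and start the Azure AD join only once `Test-ReadyForAzureAdJoin` returns `True`.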