Forum Discussion
Device Migration from On-prem AD to Azure AD
I understand, and from the first post I see the ask is to migrate your endpoint Windows devices from local AD join to Azure AD join, and most of the responses are around enrollment and hybrid etc., which are kind of not correct. I know the solution, and you will need to leverage a third-party tool which, in my view, is not very expensive considering the value it brings.
1. For your machine to be able to fully Azure AD join, it needs to be disjoined from local AD and then joined to Azure AD. If it is kept connected to local AD and synced to the cloud, then it is hybrid joined.
2. For larger-scale deployment, it is not feasible or possible for admins to reach out to every user, disjoin the machine and manually join it to Azure AD.
3. If you do it manually you will lose the user profile, and this will not be a nice user experience.
So how do you solve this?
Well, there is a tool from ForensiT (Corporate Edition) that migrates your machine and the user profile residing on the local machine from domain or local to Azure AD join. You will need to create a deployment package using the wizard it provides, and at the end it will create an .exe file. Deploy that .exe file either through GPO or through SCCM, whichever works for you. Now, one thing here is that the provisioning package (.ppkg) file the ForensiT tool asks for at one point can be created using the Windows Configuration Designer tool (WCD). Basically, you will be able to automate the whole process, even joining the machine to Azure AD. So, download the Windows Configuration Designer tool (it's free from MS and available in the Windows Store) and follow the wizard, very easy. At the end you will have a .ppkg file. Use this file in the ForensiT tool when it asks you to provide it at some point in the wizard. At the end, you will have an .exe and all good.
When this .exe is run:
- it will migrate the domain profile to an Azure AD user profile such that all the settings, apps, desktop data, everything stays as-is
- it will disjoin the machine from the local AD
- it will auto-join the machine to Azure AD using the provisioning package you created using WCD
- you will need to reboot the machine twice
That's it, and you will have your machine fully Azure AD joined with user profile and data intact!
Thank you.
https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-bulk-enroll
It's a real challenge to remotely get a device to safely leap from the top of one building to another without any wires or safety lines and not fall 1000 feet below to its death. I'm using a PowerShell script that connects to the remote machine, copies over the PPKG generated from the WCD above, uninstalls the SCCM agent (waits 5 minutes because ccmsetup.exe /uninstall returns immediately but continues to uninstall in the background). Then I create a scheduled task that runs the PPKG on first login, then I disjoin the computer from the AD domain. I'm also experimenting with ways to install a Wi-Fi profile because our Wi-Fi profiles come from GPO, so when you disjoin, you lose Wi-Fi. We connect them with EAP/TLS, so I've had to do a lot of screwing around with our RADIUS server to build authn/authz rules that let the device on Wi-Fi before and after the transition. I've had to make a copy of the GPO-based Wi-Fi profile, export it with netsh, then create another scheduled task that loads the Wi-Fi profile after domain disjoin on first boot. You can't pre-load the Wi-Fi profile when it's connected to AD because the GPO profile is in the way. I think I'm also going to need a step that enables RDP after disjoin because, again, we turn that on with GPO and once you disjoin, it goes back to default off.
I don't think this helps much for the person who is just trying to convert user devices from AD > AAD without messing with hybrid, but figured it was worth mentioning.
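A sketch of the sequence that reply describes, added here as an example and not the poster's own script: it stages the post-disjoin steps (Wi-Fi profile re-add, RDP re-enable, PPKG apply) as SYSTEM scheduled tasks and then unjoins. The staging folder, Wi-Fi profile name, task names and PPKG file name are assumptions, and the PPKG is assumed to have been copied into the staging folder already.

```powershell
#Requires -RunAsAdministrator
# Added example, not the poster's script. Assumptions: PPKG already copied to $Stage,
# the GPO-delivered EAP-TLS Wi-Fi profile is named 'CorpWifi', task/file names are invented.
$Stage    = 'C:\ProgramData\AadMigration'         # assumed staging folder
$Ppkg     = Join-Path $Stage 'bulk-enroll.ppkg'   # package built with Windows Configuration Designer
$WifiName = 'CorpWifi'                            # assumed name of the GPO-managed Wi-Fi profile
$Cred     = Get-Credential -Message 'Domain account permitted to unjoin this computer'

# The PPKG carries the bulk-enrollment token and the tasks below run as SYSTEM, so lock the
# staging folder to SYSTEM and Administrators before anything is written into it.
New-Item -ItemType Directory -Path $Stage -Force | Out-Null
icacls $Stage /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' | Out-Null

# SCCM agent removal: ccmsetup.exe /uninstall returns at once and keeps working in the background.
$CcmSetup = Join-Path $env:WINDIR 'ccmsetup\ccmsetup.exe'
if (Test-Path $CcmSetup) { & $CcmSetup /uninstall; Start-Sleep -Seconds 300 }
# Export the GPO-managed Wi-Fi profile while still domain-joined; it cannot be re-added until
# the GPO copy is gone, so the startup task below re-imports it after the unjoin.
netsh wlan export profile name="$WifiName" folder="$Stage" | Out-Null
$WifiXml = (Get-ChildItem -Path $Stage -Filter '*.xml' | Select-Object -First 1).FullName

$StartupScript = Join-Path $Stage 'startup.ps1'   # runs at boot, before any logon
@"
netsh wlan add profile filename="$WifiXml" user=all
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Unregister-ScheduledTask -TaskName 'AadMigration-Startup' -Confirm:`$false
"@ | Set-Content -Path $StartupScript

$LogonScript = Join-Path $Stage 'logon.ps1'       # runs at first logon: apply PPKG, then clean up
@"
Install-ProvisioningPackage -PackagePath '$Ppkg' -ForceInstall -QuietInstall
Remove-Item -Path '$Ppkg' -Force
Unregister-ScheduledTask -TaskName 'AadMigration-Logon' -Confirm:`$false
"@ | Set-Content -Path $LogonScript

$Sys = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$Tasks = @(
  @{ Name = 'AadMigration-Startup'; File = $StartupScript; Trigger = New-ScheduledTaskTrigger -AtStartup }
  @{ Name = 'AadMigration-Logon';   File = $LogonScript;   Trigger = New-ScheduledTaskTrigger -AtLogOn }
)
foreach ($t in $Tasks) {
  $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
            -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$($t.File)`""
  Register-ScheduledTask -TaskName $t.Name -Principal $Sys -Action $action -Trigger $t.Trigger -Force | Out-Null
}
# Leave the domain and reboot; the startup task fires on that boot, the logon task at first sign-in.
Remove-Computer -UnjoinDomainCredential $Cred -WorkgroupName 'WORKGROUP' -Force -Restart
```

Each task removes itself once it has run, and the logon task deletes the PPKG, so the enrollment token does not stay on disk after the join.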