Forum Discussion
Device Migration from On-prem AD to Azure AD
Hey,
We faced the same challenge and could not adopt a disruptive approach due to the 6–8 hours of productivity loss per device.
As a result, we selected https://opsole.com/, which fully automates the approach commonly described as “Option 2 (manual unjoin + join that creates new profiles)”, but without the usual drawbacks. The solution re-ACLs the existing user profile, ensuring there is no user impact. Applications, Outlook profiles and signatures, local files, and application-specific settings remain exactly as they were.
Another major issue we encountered with manual joins was that joining devices using a PPKG removes all cloud device group memberships, since the device is treated as new. This broke security policies, Conditional Access, and Defender configurations. Opsole Migrate addresses this by automatically restoring device group memberships, ensuring policies remain intact.
The biggest factor, however, was productivity downtime:
- Autopilot: 6–8 hours per device (IT effort, user downtime, increased support tickets)
- Manual migration: 8–10 hours per device
- Opsole Migrate: completes the transformation in ~15 minutes
We also evaluated Quest, but our experience with Opsole Migrate was significantly better, both technically and operationally.
Rds / JJ
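The post above describes re-ACLing the existing user profile so the new cloud identity can keep using it. As an added example (not Opsole's code and not from the original post), this PowerShell script shows the mechanism at the file-system level: it backs up the current ACLs of a profile folder, grants an additional identity full control with inheritance, and verifies the result. The profile path, backup directory and account name are constructed examples; the script assumes it runs elevated on the device and that the target account's SID is either passed directly or resolvable locally.

```powershell
#Requires -RunAsAdministrator
# Added example, not the vendor's implementation. Grants a second identity
# (e.g. the new Azure AD account) access to an existing local profile folder,
# with an ACL backup first so the change can be reverted.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $ProfilePath,   # e.g. 'C:\Users\jdoe' (constructed)
    [Parameter(Mandatory)] [string] $NewIdentity,   # 'AzureAD\jdoe@contoso.com' or 'S-1-12-1-...' (constructed)
    [string] $BackupDir = 'C:\ProgramData\ProfileReAcl'  # constructed example path
)

# Resolve the identity to a SID up front, so the grant never depends on name
# lookups against a domain controller the device may no longer reach.
function Resolve-Sid {
    param([string] $Identity)
    if ($Identity -match '^S-1-') {
        return [System.Security.Principal.SecurityIdentifier]::new($Identity)
    }
    return ([System.Security.Principal.NTAccount]$Identity).Translate(
        [System.Security.Principal.SecurityIdentifier])
}

$sid = Resolve-Sid -Identity $NewIdentity
if (-not (Test-Path -LiteralPath $ProfilePath)) {
    throw "Profile path not found: $ProfilePath"
}

# 1. Record the current ACL of every object (as SDDL) before touching anything.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp      = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupFile = Join-Path $BackupDir "acl-$stamp.json"
$children   = Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force -ErrorAction SilentlyContinue
@($ProfilePath) + @($children.FullName) |
    ForEach-Object {
        try {
            $acl = Get-Acl -LiteralPath $_ -ErrorAction Stop
            [pscustomobject]@{ Path = $_; Sddl = $acl.Sddl }
        } catch {
            Write-Warning "Could not read ACL: $_"
        }
    } | ConvertTo-Json | Set-Content -LiteralPath $backupFile
Write-Host "ACL backup written to $backupFile"

# 2. Grant the new SID Full Control, inherited by subfolders (CI) and files (OI).
#    icacls accepts '*<SID>' so no name resolution is needed; /T recurses,
#    /C continues past individual errors, /Q suppresses per-file success lines.
if ($PSCmdlet.ShouldProcess($ProfilePath, "Grant $($sid.Value) full control")) {
    & icacls.exe $ProfilePath /grant "*$($sid.Value):(OI)(CI)F" /T /C /Q
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
}

# 3. Verify: the profile root must now carry an Allow ACE for the new SID.
$rootAcl = Get-Acl -LiteralPath $ProfilePath
$granted = $rootAcl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
}
if (-not $granted) {
    throw "Verification failed: no Allow ACE for $($sid.Value) on $ProfilePath"
}
Write-Host "Re-ACL complete: $($sid.Value) now has full control of $ProfilePath"
```

Run it with `-WhatIf` first to confirm the target folder and SID; the backup file is written either way. Note that folder permissions are only one part of profile reuse: Windows maps a profile folder to an account through the SID-named subkeys under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList`, which this example deliberately leaves untouched so the ACL change can be evaluated and reverted on its own.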
Great perspective — and the productivity impact is absolutely a valid concern at scale.
Preserving user profiles and restoring device group memberships can significantly reduce disruption, especially in large transformations.
That said, migrations like this usually raise a broader architectural question:
Are we optimizing for immediate operational continuity, or for long-term cloud governance?
When moving from on-prem AD to full Azure AD Join, it’s not just about device registration. It’s about redefining:
- Security baseline consistency
- Device identity lifecycle
- Conditional Access enforcement
- Configuration drift from legacy GPO
- Long-term Intune management maturity
Profile-preserving approaches reduce short-term friction.
Autopilot-style rebuilds strengthen long-term governance and clean-state assurance.
There isn’t a universal right answer — it depends on risk tolerance, security posture, and operational constraints.
I’m curious:
For those who’ve done large-scale AD → Azure AD migrations, which trade-off did you prioritize — continuity or clean baseline? And why?