Hello All, We want to migrate our On-Prem AD devices to Azure AD and enroll into intune. We have Azure AD sync and all but needs to convert machine to Azure AD join only not Hybrid AD. So we would like to create new user profile on machine. We have used two methods so far.1) Reset the machine and use join to Azure AD from OOBE. ( Issue - This will make user a Administrator for that machine and we dont want that )2) Unbind from on-prem AD, join to Azure AD manually but the same issue like number 1.3) Using Hardware Hash, register devices to Autopilot and then reset all the machines. ( Issue - This will take too long to migrate 250 machines and helping remote workers are quite difficult ) Has anyone tried any different method or is there any expert suggestion ? Thanks!

AravindPadmanabhan I understand and from the first post I see ask is to migrate your endpoint windows devices from local AD join to Azure AD join and most of the response are around enrollment and hybrid etc. which I are kind of not correct. I know the solution and you will need to leverage third-party which is in my view is not very expensive considering the value it brings. 1. For your machine to be able to fully Azure AD join, it needs to be disjoined from local AD and then join to Azure AD. If it is kept connected to local AD and synced to cloud, then it is hybrid join. 2. For larger scale deployment, it is not feasible and possible for admins to reach out to every user and disjoin the machine and manually join to Azure AD3. If you do it manually you will lose the user profile and this will not be nice user experience.So how do you solve this Well, there is a tool from ForensIT that migrate your machine and its user profile residing on local machine from domain or local to Azure AD join. You will need to create a deployment package using the wizard it provides and at the end it will create .exe file. Deploy that exe file either through GPO or through SCCM whichever works for you. Now one of thing here is, if you create provisioning package (.pkgg) file that is ask at one point, this .pkgg file can be created using Windows Configuration designer tool. Basically you will be able to automate the whole process of even joining the machine to Azure AD. So download windows configuration design tool (its free from MS and available in Windows Store) and follow the wizard very easy. At the end you will have .pkgg file. Use this file in ForensIT tool when it ask you to provide this at somepoint in wizard. At the end, you will .exe and all good. When this .exe is run.it will migrate the domain profile to Azure AD user profile such that all the settings, apps, desktop data everything stay as-isit will disjoin the machine from the local ADit will auto join the machine to azure ad using the provisioning package you created using WCDyou will need to reboot machine twicethat's it and you will have your machine fully Azure AD joined and with user profile and data intact! thank you.

0--O1 There is a Microsoft article on this. When you unjoin a computer from an AD Domain and move it to a workgroup, Windows will use the domain name as the workgroup name. Then when you try to Azure AD Join the computer, the computer will start looking for the AD domain. It will stop looking in 3 hours (times-out). To work around this, when you unjoin the computer from AD, change the workgroup name to anything else that is not the name of the AD (e.g., change it to Workgroup). Then when you Azure AD Join the computer, it happens in real time.

Amit_Trivedi112214 My company is attempting almost the exact same situation.... for 1800 devices. Please, if anyone has a comprehensive strategy for this solution I'd appreciate it greatly.My understanding developed from the linked articles is the steps for accomplishing this would be to:1. create an AutoPilot profile which either acknowledges a present local administrator account or creates it when the device hits Azure2. create a Group which applies the required applications for my company3. use the Bulk update to target my on-premises machines for moving to Azure (how do I make sure the devices i select for bulk autopilot are not flagged as "personal" in on-premises AD?)4. Clear my on-premises record of devices after each device appears in Azure AD5. Start a sync in Intune and allow it to push apps and add any missing administrator account based on the Group and Profile settingsThank you for any clarifications available.

Chris-Yue With workforce scattered everywhere using on-prem creds is a challenge. I am a fan of using MECM to enable comanagement and then at the next cycle redeploy the machines with AzureAD only using an autopilot Json file during OOBE to lock in the domain and make sure it is setup for MDM. I have found replacements within Intune for most GPO functions and not getting constantly hung up in whether they are doing sync or async processing simplifies things, especially with them not being on-prem much at the moment.

A lot late and sorry for bumping the thread. Has anyone found a solid solution yet?I am in the same shoes, and tried a silent join using GPO. Everything went well and upon reboot, the system went through setting up bio metrics etc. (we use biometrics with intune only).However, upon second reboot the device was unable to verify my PIN.I reached out to MS, they were unable to help but suggested that as the machine is still joined to AD (GPO enrollment does not drop the AD) the system might be looking fro AD as the login authority and PIN is registered in AAD.Other that this issue, everything works smooth and it's very silent join seamless for the user.

Device Migration from On-prem AD to Azure AD

42 Replies

AvinashG
Copper Contributor
Jul 09, 2020
Amit_Trivedi112214
please help us if you were able to complete the migration.
- DeyKilledKenny
  Copper Contributor
  Oct 09, 2020
  AvinashG Hey Avinash,
  We have found out a work around to this.
  While the machine is joined to a local domain domain1.com
  To be able to enroll it in Intune MDM (without joining the doamin AzureCloud.com doamin).
  You first have to remove any management tools for example (SCCM Client). Once that client is removed, you should be able to Enroll in Mobile Device management from Settings -> Accounts -> Access work or school. Under related settings, you will get an option to enroll in MDM, once you do it, it should be easy after that.
  
  Hope this helps.
CyxITNathan
Copper Contributor
May 19, 2020
Amit_Trivedi112214

My company is attempting almost the exact same situation.... for 1800 devices.

Please, if anyone has a comprehensive strategy for this solution I'd appreciate it greatly.

My understanding developed from the linked articles is the steps for accomplishing this would be to:

1. create an AutoPilot profile which either acknowledges a present local administrator account or creates it when the device hits Azure
2. create a Group which applies the required applications for my company
3. use the Bulk update to target my on-premises machines for moving to Azure (how do I make sure the devices i select for bulk autopilot are not flagged as "personal" in on-premises AD?)
4. Clear my on-premises record of devices after each device appears in Azure AD
5. Start a sync in Intune and allow it to push apps and add any missing administrator account based on the Group and Profile settings

Thank you for any clarifications available.
- DeyKilledKenny
  Copper Contributor
  Jun 11, 2020
  I'm in the same boat as you.
  If anyone has a good approach to be able to join a machine to AzureAD while joined to local domain, that would be great!
  - Thijs Lecomte
    Bronze Contributor
    Jun 11, 2020
    You might be looking for hybrid Azure AD Join?
    This way the device is joined to local AD and registered to AAD, which enables management through Intune
    https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan
JonasBack
Steel Contributor
Feb 11, 2020
We use Autopilot to move computers over. But in general, we get them Azure AD joined/managed using Endpoint Manager whenever we replace the hardware and yes, this will take a long time if you don’t plan to replace computers within the next year or so. So sometimes we simply re-install computers.

If you have specific requirements of which users to set as local admin, we use this script: https://tech.xenit.se/add-you-own-local-admin-users-on-azure-ad-devices/
- Amit_Trivedi112214
  Copper Contributor
  Feb 11, 2020
  JonasBack Thank you for your reply. We have almost 300 machines and would like to migrate by end of this year, so resetting machine/Auto Pilot will take more time and not efficient for us.
  - JonasBack
    Steel Contributor
    Feb 11, 2020
    I think you mean that you don’t want to reinstall (reset) every machine, correct?
    
    Have not tried it but check the ”Bulk Enrollment” mentioned here: https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

Forum Discussion

Device Migration from On-prem AD to Azure AD