Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Migrating from Hybrid to pure Azure AD

Copper Contributor

We've currently got our domain/environment setup in a Hybrid AD. We've got a DC with AzureAD Connect installed and syncing to Azure. 

 

The plan is to uninstall AzureAD connect, demote the DC server, manually join computers to AzureAD. Will this work? I'm trying to understand if there is any consideration when uninstalling the AzureAD connect or disconnecting the server from Azure. 

 

Thanks!

6 Replies
Biggest concern is if you have any on-prem servers (File shares / printers etc.) that would still need local creds. Also you're going to need or probably want to invest into a profile moving tool. This is a newer one that supports migrating to AzureAD. There is another profwiz but I had issues with that, but you can check this one as well: https://ppm.laplink.com/

This will make it less painful to migrate users, otherwise you will have to setup new profiles when joining to azure.

If you are going to use InTune there are other considerations as to just joining them to azure AD doesn't fulling install the Intune management agent on the machine, not sure if this has been fixed since we did our migration but you used to have to completly put the machine in a reset state and join with the computer join experience in order to get this agent to install, which provided most of the GPO functionalities running as system etc.

Thanks for the insights @Chris Webb ! Much appreciated. There aren't any plans to get them Intune managed, but its in the pipeline. I guess i'll know soon enough if the problem you mentioned is fixed. Out of curiosity, when did you experience this problem...was it recently, or years ago?

 

Cheers

Last Year. But Did a quick search it's no longer an issue apparently.

https://oliverkieselbach.com/2017/11/29/deep-dive-microsoft-intune-management-extension-powershell-s...

"UPDATE: Intune In-Development announcement March 2020
PowerShell scripts support for BYOD devices. PowerShell scripts will support Azure AD registered devices in Intune. This functionality does not support devices running Windows 10 Home edition.

The workflow is basically like this. If a PowerShell script is assigned to a user group (device groups are not supported since 22th of Oct.) and the agent is not installed, it will be pushed down automatically to the device via EnterpriseDesktopAppManagement CSP by Intune. Microsoft Intune network requirements and endpoints that must be reachable can be found here. This can be verified and traced in the “Advanced Diagnostics Report” of the MDM management."
Be aware, if you join to AAD only and don't have Intune setup, there is no way to automatically enroll all of your computers in Intune.

I strongly advise to join to AAD and Intune at the same time.

Otherwise, the join to Intune has to be initiated locally by users who need local admin
I hadn't considered that, thanks for the insights. May need to reconsider our approach now.

Some organizations may not be able to move some of their applications to a public cloud, such as Microsoft Azure or any other public cloud, due to their own policies. However, any organization can benefit from having some of its applications in the public cloud and other on-premises applications. But a hybrid environment can create an extremely complex environment for the various platforms and technologies used in public clouds compared to on-premises environments.

 

Microsoft provides the best hybrid cloud solution that allows you to optimize your existing assets on campus and in the public cloud for stability in the Azure hybrid cloud. With Azure Stack (local) and Azure (public cloud), make the most of your existing skills and get a flexible and integrated approach to building applications that can run in the cloud or on campus.

When it comes to security, you can centralize management and security in a hybrid cloud. You can control all your assets from the data center to the cloud by logging in to on-premises and cloud applications. This can be achieved by extending Active Directory to the hybrid cloud and using identity management.

 

To do this it is suggested to hire the services of Microsoft Azure experts who have experience, skills and verified their credentials with the Microsoft Azure Certification with good scores.

 

Finally, you can naturally distribute and analyze data, use similar query languages ​​for cloud and on-premises assets, and implement analysis and in-depth training in Azure to enrich your data. It can be, regardless of its source.

https://azure.microsoft.com/en-us/blog/hybrid-cloud-just-got-easier-new-azure-migration-resources-an...