
Device Migration from On-prem AD to Azure AD


Hello All,


We want to migrate our on-prem AD devices to Azure AD and enroll them into Intune. We have Azure AD sync and all, but we need to convert the machines to Azure AD join only, not Hybrid AD join. So we would like to create a new user profile on each machine.


We have used two methods so far.

1) Reset the machine and join it to Azure AD from OOBE. (Issue - this makes the user an Administrator on that machine, and we don't want that.)

2) Unbind from on-prem AD and join to Azure AD manually, but this has the same issue as number 1.

3) Using the hardware hash, register the devices in Autopilot and then reset all the machines. (Issue - this will take too long to migrate 250 machines, and helping remote workers is quite difficult.)


Has anyone tried a different method, or is there any expert suggestion?


Thanks!

We use Autopilot to move computers over. But in general, we get them Azure AD joined/managed using Endpoint Manager whenever we replace the hardware and yes, this will take a long time if you don’t plan to replace computers within the next year or so. So sometimes we simply re-install computers.

If you have specific requirements of which users to set as local admin, we use this script: https://tech.xenit.se/add-you-own-local-admin-users-on-azure-ad-devices/

@Jonas Back Thank you for your reply. We have almost 300 machines and would like to migrate by the end of this year, so resetting machines/Autopilot will take more time and is not efficient for us.


I think you mean that you don’t want to reinstall (reset) every machine, correct?

Have not tried it, but check the "Bulk Enrollment" mentioned here: https://docs.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin

@Amit_Trivedi112214 


My company is attempting almost the exact same situation.... for 1800 devices.


Please, if anyone has a comprehensive strategy for this solution I'd appreciate it greatly.

My understanding developed from the linked articles is the steps for accomplishing this would be to:

1. create an AutoPilot profile which either acknowledges a present local administrator account or creates it when the device hits Azure

2. create a Group which applies the required applications for my company

3. use the bulk update to target my on-premises machines for moving to Azure (how do I make sure the devices I select for bulk Autopilot are not flagged as "personal" in on-premises AD?)

4. Clear my on-premises record of devices after each device appears in Azure AD

5. Start a sync in Intune and allow it to push apps and add any missing administrator account based on the Group and Profile settings

Thank you for any clarifications available.

I'm in the same boat as you.
If anyone has a good approach to be able to join a machine to Azure AD while it is joined to the local domain, that would be great!

You might be looking for hybrid Azure AD Join?
This way the device is joined to local AD and registered to AAD, which enables management through Intune.
https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

@Amit_Trivedi112214
Please help us if you were able to complete the migration.

In regards to issue 1 and users getting local admin rights, are you using Intune? If so, you can create a deployment profile in which you state that users don't have admin rights. Target that to your devices, and after the OOBE the user will have standard user rights.
As far as I know there aren't any supported methods to migrate devices from AD to a native Azure AD joined state without resetting the device.

@AvinashG Hey Avinash,

We have found out a work around to this.

While the machine is joined to a local domain, domain1.com:

To be able to enroll it in Intune MDM (without joining the AzureCloud.com domain):

You first have to remove any management tools, for example the SCCM client. Once that client is removed, you should be able to enroll in Mobile Device Management from Settings -> Accounts -> Access work or school. Under related settings, you will get an option to enroll in MDM; once you do it, it should be easy after that.


Hope this helps.

Hey John,
please see my comment to Avinash.

@DeyKilledKenny 
This isn't the full answer to the question. The question was how to get from a domain joined setup to a native Azure AD joined setup for existing devices. The steps you described involve enrolling a domain device in Azure AD. They don't remove the device from the on-prem domain.

Correct, it's half of the answer because we haven't found a way to do it seamlessly (without wiping the devices), hence I said we found a work around. It's not the best solution, but it keeps our business running and met our requirements in a way.
If we find a better way to do it with coming days, I will update this thread for sure.

In my opinion, when you would need to script this, the difficulty would lie in the removal of the PC from the current AD to a workgroup:

  * This could be done by using the Remove-Computer cmdlet (with or without reboot, to be tested).

After that step, inject a WDC package to get it into AzureAD: 

(https://www.nielskok.tech/microsoft365/unattended-azure-ad-join/)


If you had your identities synced up with AD Connect, the SID would be the same, as would the profile... (also to be tested)


Interested to hear other solutions also

Hi,

Did you try to:
Create a local admin account and export the hash to Intune.
Disconnect the user from the local domain.
Connect to Azure AD.
Disconnect from the local admin account and connect with the Azure AD username; that starts enrollment, and you can see in Intune that you have an Autopilot managed machine.
I tried that without resetting the computer.

Hi there,

Okay, a little bit late, but this results in users getting new profiles. And this action takes a very long time (about 3 hours while changing from local AD to Azure AD). There is probably a very long error timeout.
That is not a top solution.

Researching for best practice. Perhaps with SCCM on prem support.

Our devices are currently Hybrid Azure AD Joined and I am considering moving new devices over to Azure AD joined to simplify enrolment to Windows Hello for Business and Autopilot.


The only downsides I could see is as follows:

No login scripts will run at sign in when connected to the LAN
No Group Policy control
No granular control regarding local admin rights to the local device (it is all or nothing)


Just wondering if anyone has found any other disadvantages/benefits and what motivated you to consider making the change over to Azure AD Joined?


@Chris Yue With the workforce scattered everywhere, using on-prem creds is a challenge. I am a fan of using MECM to enable co-management and then at the next cycle redeploy the machines with Azure AD only, using an Autopilot JSON file during OOBE to lock in the domain and make sure it is set up for MDM. I have found replacements within Intune for most GPO functions, and not getting constantly hung up in whether they are doing sync or async processing simplifies things, especially with them not being on-prem much at the moment.

@0--O1  There is a Microsoft article on this.  When you unjoin a computer from an AD Domain and move it to a workgroup, Windows will use the domain name as the workgroup name.  Then when you try to Azure AD Join the computer, the computer will start looking for the AD domain.  It will stop looking in 3 hours (times-out).  To work around this, when you unjoin the computer from AD, change the workgroup name to anything else that is not the name of the AD (e.g., change it to Workgroup).  Then when you Azure AD Join the computer, it happens in real time. 
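An added PowerShell example (not code from this thread) that scripts the unjoin-then-provision sequence suggested earlier and builds in the workgroup-name check from the three-hour timeout note above. It assumes a Windows Configuration Designer bulk-enrollment .ppkg already exists at a placeholder path and that the script runs elevated on the device, once per stage with a reboot in between.

```powershell
# Added example, not from the thread. Stage 'Unjoin' leaves the AD domain into a
# workgroup whose name is NOT the domain name, then reboots. Stage 'Join' (run after
# the reboot) applies a WCD bulk-enrollment package. PackagePath is a placeholder.
param(
    [Parameter(Mandatory)] [ValidateSet('Unjoin', 'Join')] [string] $Stage,
    [string] $PackagePath   = 'C:\Temp\BulkAADJoin.ppkg',   # placeholder, supply your own
    [string] $WorkgroupName = 'WORKGROUP'
)

$cs = Get-CimInstance Win32_ComputerSystem

switch ($Stage) {
    'Unjoin' {
        if (-not $cs.PartOfDomain) { throw 'Not domain joined; nothing to unjoin.' }
        # Windows defaults the workgroup name to the old domain name, which is what makes
        # the later Azure AD join wait about three hours for a domain controller.
        $netbios = ($cs.Domain -split '\.')[0]
        if ($WorkgroupName -eq $cs.Domain -or $WorkgroupName -eq $netbios) {
            throw "Workgroup name '$WorkgroupName' must differ from the AD domain name."
        }
        $cred = Get-Credential -Message 'Account permitted to remove this computer from AD'
        # -WorkgroupName sets the new workgroup explicitly instead of reusing the domain name.
        Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName $WorkgroupName -Force -Restart
    }
    'Join' {
        if ($cs.PartOfDomain) { throw 'Still domain joined; run the Unjoin stage first.' }
        if ((dsregcmd /status) -match 'AzureAdJoined\s*:\s*YES') { throw 'Already Azure AD joined.' }
        # Installs the package silently; the bulk token inside it performs the Azure AD join.
        Install-ProvisioningPackage -PackagePath $PackagePath -QuietInstall -ForceInstall
        # Show the resulting state; sign in with the Azure AD account after the next reboot.
        (dsregcmd /status) | Select-String 'AzureAdJoined|DomainJoined'
    }
}
```

Test the `Unjoin` stage on a pilot device first, since `Remove-Computer -Restart` reboots immediately after the domain leave.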

A lot late and sorry for bumping the thread. Has anyone found a solid solution yet?

I am in the same shoes, and tried a silent join using GPO. Everything went well, and upon reboot the system went through setting up biometrics etc. (we use biometrics with Intune only).
However, upon the second reboot the device was unable to verify my PIN.
I reached out to MS; they were unable to help but suggested that as the machine is still joined to AD (GPO enrollment does not drop the AD) the system might be looking for AD as the login authority, while the PIN is registered in AAD.
Other than this issue, everything works smoothly, and it's a very silent join, seamless for the user.