Forum Discussion
Questions about moving Windows endpoint from locally joined domain to Azure AD
Just a couple questions, when moving a current AD domain joined endpoint (i.e. Windows 10/11 Pro) to Azure AD.
1. Does the user's desktop look/feel change upon their next Azure AD-centric login, versus their previous domain joined profile?
2. If there were previously changes pushed out to the endpoints via local AD Domain GPOs, do those changes still remain on the endpoint machine, even after the cutover to Azure AD?
3. Is there a way to have an Azure AD authenticating machine, while still allowing the machine to access local network SMB shares, if the Azure AD and Local AD domain are in hybrid mode?
- Joe Stocker (Bronze Contributor)
When moving a current AD domain joined endpoint (i.e. Windows 10/11 Pro) to Entra ID (Azure AD):
Q: Does the user's desktop look/feel change upon their next Azure AD-centric login, versus their previous domain joined profile?
A: Yes, when you join a machine to Entra and remove it from AD, there is a separate user profile created and nothing is carried over from the AD profile. For example, they will lose access to their former Desktop and Documents. If their documents were synced to OneDrive via "Known Folder Move" and if their web browser was signed in so that all their favorites were synced, then that will lessen the user disruption. Another benefit of Entra P1 is the Enterprise Roaming feature which saves many of the Windows Settings to the Cloud.
Reference:
https://learn.microsoft.com/en-us/entra/identity/devices/enterprise-state-roaming-enable
and
https://learn.microsoft.com/en-us/entra/identity/devices/enterprise-state-roaming-windows-settings-reference#windows-settings-details
2. If there were previously changes pushed out to the endpoints via local AD Domain GPOs, do those changes still remain on the endpoint machine, even after the cutover to Azure AD?
No, but you can import those GPOs into Intune here:
https://learn.microsoft.com/en-us/mem/intune/configuration/administrative-templates-import-custom
3. Is there a way to have an Azure AD authenticating machine, while still allowing the machine to access local network SMB shares, if the Azure AD and Local AD domain are in hybrid mode?
Yes, an Azure AD joined computer can access local SMB shares and websites that require IIS authentication and/or resources that use NTLM authentication.
Requirements:
- Devices must be running Windows 10 version 2004 or later.
- Your Windows Server domain controllers must run Windows Server 2016 or later and have patches installed for the following servers:
- See additional requirements here: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises#prerequisites
- Then create the Kerberos Server object:
https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises#create-a-kerberos-server-object
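An added PowerShell example (not from the forum post) of the last step above: creating the Microsoft Entra Kerberos Server object with the AzureADHybridAuthenticationManagement module, verifying that the on-premises and cloud copies agree, and rotating its key. The domain name and both account names are placeholders; the cloud account is assumed to hold the Hybrid Identity Administrator role and the on-premises account Domain Admin rights.

```powershell
# Added example, not the poster's own commands. Placeholders:
#   contoso.corp.com                 - on-premises AD domain
#   admin@contoso.onmicrosoft.com    - Entra ID Hybrid Identity Administrator
#   CONTOSO\Administrator            - on-premises Domain Admin
# Run from a domain-joined Windows host with line of sight to a domain controller.

# 1. Install the management module from the PowerShell Gallery.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber

$domain = "contoso.corp.com"

# 2. Two credentials: one for Entra ID, one for the on-premises domain.
$cloudCred  = Get-Credential -UserName "admin@contoso.onmicrosoft.com" -Message "Entra ID admin"
$domainCred = Get-Credential -UserName "CONTOSO\Administrator" -Message "On-premises Domain Admin"

# 3. Create the Kerberos Server object. This adds the AzureADKerberos computer
#    account and the krbtgt_AzureAD account in AD and publishes the key to Entra ID.
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

# 4. Verify: KeyVersion/KeyUpdatedOn (AD side) should match CloudKeyVersion/CloudKeyUpdatedOn
#    (Entra side). A mismatch means the sync did not complete and tickets will fail.
$ks = Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
$ks | Format-List DomainDnsName, KeyVersion, KeyUpdatedOn, CloudKeyVersion, CloudKeyUpdatedOn
if ($ks.KeyVersion -ne $ks.CloudKeyVersion) {
    Write-Warning "Key version mismatch between AD ($($ks.KeyVersion)) and Entra ID ($($ks.CloudKeyVersion))"
}

# 5. Rotate the key periodically (for example from a scheduled task); like any
#    krbtgt key, a stale krbtgt_AzureAD key keeps old tickets valid.
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred -RotateServerKey
```

Re-run step 4 after a rotation; both versions should have incremented together.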