Move Hybrid Joined devices to new tenant


I have a customer who wants to switch over the tenant due to a merger. He has already moved the EXO and SPO data, and the domain cutover is pending because the planning for the Hybrid Joined devices is not yet done. The customer has 1000 devices.

So can anyone please help us understand the process of switching over the tenant during a weekend?

The customer is open to doing a POC, but the end-user impact should be none or minimal.

Any suggestions are highly appreciated.

dsregcmd /leave, then repeat the hybrid join process using the SCP through the Entra connector configured against the new tenant. There is no other supported way, at least.

@rahuljindal-MVP dsregcmd /leave requires local admin rights. Also, we have to do it for 1K PCs, so it would not help, as we have to do it during the weekend only.

I haven't done this.
But my approach would be to configure a script to leave Azure AD (dsregcmd...), then deploy it to the machines in the old Intune tenant, so the devices leave the old tenant.

Then configure the new tenant to auto-enroll the devices using Autopilot when the new user from the new tenant is logging in for the first time.
I didn't say it will be straightforward. I just pointed out the supported way of achieving the configuration you want. If you use some sort of remote management tool, then some of the steps can be automated, including dsregcmd /leave. The other option is to go Entra ID-only identity, which will require a device reset.
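As an added example (not code from anyone in this thread), here is how the "leave and re-join" path above can be automated from a management tool. It is meant to be deployed as a script that runs in the SYSTEM context (Intune platform script, GPO startup script or an RMM agent), which is what gets around the "users are not local admins" problem: dsregcmd /leave only needs to be elevated, not run by the user. The new tenant ID and verified domain name are placeholders you must replace, and the log path is an assumption. It uses the documented client-side SCP override under HKLM\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin so that AD's own SCP object does not have to be touched, and then triggers the Automatic-Device-Join scheduled task that performs hybrid join.

```powershell
# Added example, not from the original thread. Run as SYSTEM (Intune / GPO / RMM).
# Assumptions (replace before use): target tenant ID and verified tenant domain name.
$NewTenantId   = "00000000-0000-0000-0000-000000000000"   # assumed placeholder
$NewTenantName = "contoso.example"                        # assumed placeholder
$Log           = "$env:ProgramData\HybridJoinMove.log"    # assumed log location

function Write-Log([string]$Message) {
    "$(Get-Date -Format s) $Message" | Tee-Object -FilePath $Log -Append
}

# Turn the "Key : Value" lines of dsregcmd /status into a hashtable.
function Get-DsregStatus {
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

# /leave needs SYSTEM or a local admin; refuse to run as a standard user rather than fail half-way.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Log "Not elevated ($($identity.Name)); deploy this as a SYSTEM script."
    exit 1
}

$before = Get-DsregStatus
Write-Log "Before: DomainJoined=$($before['DomainJoined']) AzureAdJoined=$($before['AzureAdJoined']) TenantId=$($before['TenantId'])"

if ($before['DomainJoined'] -ne 'YES') {
    Write-Log "Device is not AD domain joined; hybrid join does not apply. Exiting."
    exit 0
}

# Leave the old tenant only if we are still registered there.
if ($before['AzureAdJoined'] -eq 'YES' -and $before['TenantId'] -ne $NewTenantId) {
    Write-Log "Leaving tenant $($before['TenantId'])"
    dsregcmd /leave | Out-Null
}

# Client-side SCP override: the device discovers the new tenant from this key
# instead of the SCP in the AD configuration partition.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WorkplaceJoin'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name TenantId   -Value $NewTenantId   -Type String
Set-ItemProperty -Path $key -Name TenantName -Value $NewTenantName -Type String

# This task is what performs hybrid join; normally it runs at sign-in and on a schedule.
Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'
Start-Sleep -Seconds 30

$after = Get-DsregStatus
Write-Log "After: AzureAdJoined=$($after['AzureAdJoined']) TenantId=$($after['TenantId'])"
```

Two caveats a practitioner should plan around. The new tenant's Entra Connect must already be syncing the computer objects from AD, otherwise the join against the new tenant cannot complete, so test on a pilot OU before the weekend. And between the leave and the completed re-join the device has no PRT for either tenant, so Entra-based SSO and any Conditional Access policy that requires a compliant or hybrid-joined device will fail for users who sign in during that window; that is the main end-user impact of this approach.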
1. Remove the source domain hybrid join Group Policy from the devices OU.

2. Keep all the devices domain joined only.

3. Make sure all mailboxes are migrated to the target domain and move the source tenant domain to the target tenant as a custom domain.

4. If they want to receive email from the old domain, you have to add the proxy address as a secondary email address.

When we say remove the source domain hybrid join Group Policy from the devices OU, it will not trigger new PCs to join Azure AD. However, how do we make already hybrid-joined devices domain joined only?

And what difference will the end user see after unjoining the machine from Hybrid Azure AD to just domain join?

Based on my research, unjoin requires local admin rights, so how did you deal with that?
I have created a PS script to unjoin a domain, but I'm not sure how it will run on a local system with admin rights, whereas end users don't have admin rights.


Bulk hybrid removal script sample

# Requires the AzureAD module and a session against the source tenant
Connect-AzureAD
# DeviceTrustType "Domain Joined" = hybrid Azure AD joined device objects
$devices = Get-AzureADDevice -All $true | Where-Object { $_.DeviceTrustType -eq "Domain Joined" }
foreach ($device in $devices) {
    Remove-AzureADDevice -ObjectId $device.ObjectId
}
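The script above deletes device objects in bulk with no record of what it removed and no dry run. As an added example (not posted by anyone in this thread), here is the same cleanup written against the Microsoft Graph PowerShell SDK, which is what replaces the retired AzureAD module, with a report written first and deletion gated behind a -Commit switch. The scope and the report path are assumptions; the Graph trustType value ServerAd corresponds to the "Domain Joined" trust type shown in the script above.

```powershell
# Added example, not from the original thread. Report first, delete only with -Commit.
# Assumption: the caller has Device.ReadWrite.All (or an equivalent admin role) in the source tenant.
param(
    [string]$ReportPath = "$env:TEMP\hybrid-devices-before-removal.csv",   # assumed location
    [switch]$Commit                                                         # no deletion without it
)

Connect-MgGraph -Scopes 'Device.ReadWrite.All' -NoWelcome

# trustType 'ServerAd' is the Graph name for hybrid joined ("Domain Joined") devices.
$devices = Get-MgDevice -All -Filter "trustType eq 'ServerAd'" `
    -Property Id,DeviceId,DisplayName,TrustType,OperatingSystem,ApproximateLastSignInDateTime

# Keep a record of what is about to go. DeviceId is the value dsregcmd /status shows on the
# endpoint, so the CSV lets you correlate a cloud object with a physical machine afterwards.
$devices |
    Select-Object Id,DeviceId,DisplayName,OperatingSystem,ApproximateLastSignInDateTime |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$($devices.Count) hybrid joined device objects written to $ReportPath"

if (-not $Commit) {
    Write-Host "Dry run. Re-run with -Commit to delete these objects from the tenant."
    return
}

foreach ($d in $devices) {
    try {
        # Remove-MgDevice's -DeviceId parameter takes the directory object id, not the DeviceId GUID.
        Remove-MgDevice -DeviceId $d.Id -ErrorAction Stop
        Write-Host "Removed $($d.DisplayName) ($($d.Id))"
    } catch {
        Write-Warning "Failed to remove $($d.DisplayName): $($_.Exception.Message)"
    }
}
```

Note what this does and does not do: it removes the cloud-side objects only. The endpoint still believes it is hybrid joined until dsregcmd /leave runs on it, and as long as the AD SCP still points at the old tenant the Automatic-Device-Join task may simply register it there again. Cloud cleanup and the client-side leave have to be sequenced together.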


When users access the new tenant, they will receive a prompt from the new tenant asking them to trust it. Once they trust it, their device becomes Azure AD joined.
