Move PCs from Hybrid joined to AAD only


We are joining together 3 tenants, 1 of which is running a hybrid Intune setup.
Is there any possible way to move the hybrid PCs to the new tenant, and in the process "convert" them to AAD only?

The only way I see of doing this is to manually un-enroll the hybrid PCs both from Intune and AD, and then enroll them to the new tenant.

I am hoping someone here can tell me there is an easier and more end-user-friendly way of doing this.

6 Replies

@Hjorthen: No straightforward roadmap from MS, and I can think of a dirty solution, but definitely not a user-friendly one.

Exactly my issue - there is no direct approach to this described from MS.
Only half solutions and semi-suggestions to be found.

Were it IT personnel only that would be affected, the issue would not be so big - but since all levels of end users must be able to complete the task mostly by themselves, this makes it challenging.
I even tried with a PPKG package - but that simply fails, since the PCs are already enrolled in another tenant.

Have you thought of perhaps reimaging them with a Task Sequence preparing them for Autopilot via Cloud Only Profile?

Re-imaging will not be an option given the number of PCs involved.
That was the first suggestion/idea that I had since it would be the most simple way to do it.

Right now the working idea is to find a solution that has a minimum effect on the end users' ability to work / downtime for the end users - which I'm getting close to thinking is getting close to impossible... Hence my reason for reaching out here to see if anyone has ideas or experience with the same issue.

Hello, what about using the PowerShell command: "Remove-Computer", wrap it as an app and push it from Intune? The parameter: "-UnjoinDomainCredential" makes it possible for you to supply the credentials needed to unjoin the device. I would create a specific account for this with minimum privileges to do the job (do not use domain admin or similar).

//Nicklas Ahlberg

This would probably be the route. Also, there will be a lingering Azure AD Object as well. Perhaps you'll need to do a dsregcmd /leave as well. Definitely a cool scenario to test out.
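
The two commands suggested in the last replies, wrapped in a pre-flight check, as an added example that is not part of the thread: it parses `dsregcmd /status`, acts only on a device that is both domain joined and Azure AD joined, and refuses to unjoin when no enabled local account exists. The function names, the `WORKGROUP` target and the order of the two steps are assumptions to validate on a test device, and how the least-privilege unjoin credential reaches the script is left to the caller.

```powershell
# Added example, not from the thread. Assumes elevated 64-bit Windows PowerShell 5.1.
function Get-DsregState {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    param([string[]]$StatusText = (& dsregcmd.exe /status))
    $state = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    $state
}

function Get-JoinType {
    # Classify the device from the AzureAdJoined / DomainJoined fields.
    param([hashtable]$State)
    $aad = $State['AzureAdJoined'] -eq 'YES'
    $ad  = $State['DomainJoined']  -eq 'YES'
    if ($aad -and $ad) { 'Hybrid' }
    elseif ($aad)      { 'AzureAdOnly' }
    elseif ($ad)       { 'DomainOnly' }
    else               { 'None' }
}

function Invoke-HybridUnjoin {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][pscredential]$UnjoinCredential)

    $type = Get-JoinType (Get-DsregState)
    if ($type -ne 'Hybrid') { Write-Output "Join type is $type; nothing to do."; return }

    # Domain accounts cannot sign in after the unjoin, so require at least one
    # enabled local account. This does not verify that it is an administrator
    # or that anyone knows its password.
    $locals = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True AND Disabled=False"
    if (-not $locals) { throw 'No enabled local account; unjoining would lock users out.' }

    # Step order is an assumption: drop the Azure AD registration, then the domain.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'dsregcmd /leave')) {
        & dsregcmd.exe /leave
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Remove-Computer')) {
        Remove-Computer -UnjoinDomainCredential $UnjoinCredential -WorkgroupName 'WORKGROUP' -Force
    }
}
```

Run `Invoke-HybridUnjoin -UnjoinCredential $cred -WhatIf` first (with `$cred` holding the dedicated unjoin account) to see which steps would execute without changing the device.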