Removing on-prem ad and start using office365/intune

Deleted
Not applicable

Hello,

 

We are using exchange online and on-prem azure with dir sync to office365.
we would like to remove the DC and join all computers to intune and move the users to azure ad in cloud.

What is the best way to do it?

11 Replies
Microsoft 365 which includes Office 365, Windows 10 and Intune/EMS depending on the SKU you select. It was designed for businesses looking to go 100% cloud and take out the local AD.

Microsoft FastTrack should be able to help you should your Organisation be over 150 users and you are migrating to Microsoft 365.

Best, Chris
Chris had some good tips!!

Basically the steps themselves are:
Stopping the sync:
https://docs.microsoft.com/en-us/office365/enterprise/turn-off-directory-synchronization

Uninstall the adconnect software on the server!
After this the users should be cloud only users!

Enroll devices!
Of course there are some prerequisites and licenses / OS requirements ( read Chris post)

https://docs.microsoft.com/en-us/intune/quickstart-enroll-windows-device
Fast Track can help some, but the primary steps are to get intune working with auto enrollment first. This way when you azure ad join your machines they are managed from the get go. Depending on how many GPO's you had in your onprem deployment, you'll want to get all that setup ahead of time as well. You can setup test intune groups and assign so only those groups get intune when joined.

Once your intune is setup, you can use a tool such as profwiz to disjoined from the domain. Then you have to login local, joined to azure ad, then use profwiz to assign the azure AD user to your old domain profile. Then you can login with minimal disruption to the user and it'll be joined to azuread. With intune and auto enrollment in place, all the policies will apply on first login.

Here is article I've been using to get going on intune deployment it has everything you need, it wasn't too hard but will take a few days to figure out and get things working: https://docs.microsoft.com/en-us/intune/

Once intune is configured and you get your devices all joined and managed to azure ad, the last step really is removing your azure ad connect so you're users can go cloud only so you can disable that sync in the cloud: https://support.microsoft.com/en-us/help/2619062/you-can-t-manage-or-remove-objects-that-were-synchr...



Fasttrack should help because if they qualify Microsoft will pay for the migration and do a discovery to determine if it’ll be cloud led or hybrid led. If they have local apps or file servers which authenticate to AD and they can’t be moved to the cloud in a reasonable time then it may need to be hybrid Azure AD join until they are moved or switched out for other apps. I used to use AADP1 to get round this before Hybrid Azure AD Join was introduced because there were reasons they couldn’t go all in with Windows AD join immediately.

I will look into ProfWiz though. Sounds good. Been using Laplink or USMT so far.

Best, Chris
Yeah agree, it's a huge ordeal to cover all the in's and out's and unless you know everything it can be overwhelming, but I just laid out the technical high level plan. Of course, all the on-prem / licensing stuff needs figured out in addition too :)
For sure! It’s a good way to do it too. I would do it exactly the same way!
Yup! The other way around!!

Hello Guys,


Thanks all for the tips!
How about - 

1. Auto enroll to to intune through GPO
2. stop the sync

3. disconnect them from on-prem domain

If the machines are domain joined then they still will be with intune management after that. I don’t know of a way to automate joining devices strictly to azure ad or I’d be doing it now ;). The goal is cloud only and there is no easy way to convert a domain joined machine to azure joined outside of leaving and joining.
You could automate that but the only part that need to be Done manually is to disconnect them from domain