(WIP) Project - EntraAD - Infrastructureless
Synopsis: Outline of migrating from on-premises Active Directory to EntraAD.
Published October 23rd, 2025
Last Modified: November 8th, 2025
Intro: This will hopefully become an in-depth outline for migrating from on-prem Active Directory to EntraAD with the goal of decommissioning on-prem servers. Includes migration of Users and Computers.
Quick Run Down
-
1.) Verify Licenses
2.) Systems Audit
3.) Migrating Computer Objects - Planning
4.) EntraAD Prep
5.) Migrating User Objects
6.) Profile Migrations - Implementation
Verify Licensing
-
Suitable subscriptions as of this writing:
- Microsoft 365 Business Premium
- Enterprise Mobility & Security E3 (add-on)
- Intune only (add-on)
Users can log in to an Azure-joined computer with any valid AAD identity; however, Windows 10 Endpoint Management requires Intune entitlements at the user level.
Systems Audit
-
1. Begin a device tracker document, seeded with device exports from your RMM. Possibly include device exports from S1 or Intune as well, if there are doubts that the RMM has all the devices.
2. All computers should be Windows 10 or 11.
Migrating Computer Objects - Planning
-
Migration of computer objects can be handled alongside profile migrations. After EntraAD joining a machine, Profwiz can be used to migrate the previous profile to the EntraAD account.
Profwiz Setup
EntraAD Prep
-
1. Audit Current Azure AD Environment:
- Clean up disabled machines in On-Prem AD.
- Disable inactive machines in On-Prem AD.
- Remove "stale" devices directly from Azure AD (Azure AD 'Registered' devices).
- Clean up Hybrid Azure AD Joined devices.
2. Azure AD > Devices > Device Settings > Users may join devices to Azure AD
- Default setting is All, meaning any authenticated user can join any device. This is typically not desired, but can be left alone for the project until completion.
- Recommend changing to Selected and adding the Device Enrollment Manager account. (If one does not exist, create one. The Procurement / PC Builds team will need this service account in order to Azure AD join new machines.)
3. Azure AD > Mobility > Microsoft Intune > MDM/MAM user scope
- These should both normally be set to All (default). MAM settings can be left alone, but MDM user scope will need to be set to "All".
- The Device Enrollment Manager account needs to be added to this group.
Creating a DEM Account
4. Disable requirement for Windows Hello for Business under Windows Enrollments.
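An added audit helper for the Systems Audit section and step 1 above; this is not part of the original outline. It assumes the ActiveDirectory and Microsoft.Graph PowerShell modules are installed, and the 90-day "inactive/stale" threshold and output folder are assumptions you should adjust. It only reports by default; the disable action stays behind a switch and -WhatIf so you can review the tracker output first.

```powershell
# Added example (not the outline author's code). Builds the device-tracker CSVs and flags
# the cleanup candidates from the Systems Audit / EntraAD Prep steps. Read-only by default.
param(
    [int]$InactiveDays = 90,             # assumed threshold for "inactive" / "stale"
    [string]$OutDir = '.\device-audit',  # assumed output folder for the tracker document
    [switch]$DisableInactive             # off by default: report only
)
Import-Module ActiveDirectory
Import-Module Microsoft.Graph.Identity.DirectoryManagement
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$cutoff = (Get-Date).AddDays(-$InactiveDays)

# --- On-prem AD: disabled machines, inactive machines, and anything not on Windows 10/11 ---
$adComputers = Get-ADComputer -Filter * -Properties LastLogonDate, OperatingSystem, Enabled |
    Select-Object Name, DistinguishedName, Enabled, LastLogonDate, OperatingSystem,
        @{n = 'Status'; e = {
            if (-not $_.Enabled) { 'Disabled - remove from AD' }
            elseif (-not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) { "Inactive >$InactiveDays days - disable" }
            elseif ($_.OperatingSystem -notmatch 'Windows 1[01]') { 'Unsupported OS - needs upgrade' }
            else { 'OK' }
        }}
$adComputers | Export-Csv (Join-Path $OutDir 'onprem-computers.csv') -NoTypeInformation

if ($DisableInactive) {
    # Remove -WhatIf only after the tracker has been reviewed with the device owners.
    $adComputers | Where-Object Status -like 'Inactive*' |
        ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
}

# --- Entra ID: stale devices, broken out by trust type ---
# TrustType: Workplace = Azure AD registered, AzureAd = Azure AD joined, ServerAd = Hybrid joined
Connect-MgGraph -Scopes 'Device.Read.All'
$entraDevices = Get-MgDevice -All |
    Select-Object DisplayName, DeviceId, TrustType, AccountEnabled, ApproximateLastSignInDateTime,
        @{n = 'Status'; e = {
            if (-not $_.ApproximateLastSignInDateTime -or $_.ApproximateLastSignInDateTime -lt $cutoff) {
                "Stale >$InactiveDays days - review for removal"
            } else { 'OK' }
        }}
$entraDevices | Export-Csv (Join-Path $OutDir 'entra-devices.csv') -NoTypeInformation

# Summary counts for the device tracker document
$adComputers  | Group-Object Status            | Select-Object Name, Count
$entraDevices | Group-Object TrustType, Status | Select-Object Name, Count
```

Devices that the RMM knows about but that appear as stale here (or vice versa) are the discrepancies the tracker document exists to catch, so reconcile the CSVs against the RMM export before acting on anything.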
Migrating User Objects
-
Process for converting users to cloud-only objects: Severing AD