DerekRuss-7838 asked sikumars commented

Migration from Hybrid to AAD

I am trying to do my research on migrating off of our hybrid environment to AAD. All of our workstations are Hybrid joined. Will I need to remove them from the on-prem AD and add them back to AAD? Any links to documentation would be appreciated.

Thanks,

Derek

adfs-to-aad-migration

1 Answer

sikumars answered sikumars commented

Thanks for reaching out.

When you say Hybrid, I assume you mean Hybrid Azure AD Join. If you are not sure about the current state of the devices, then I would recommend you use the dsregcmd /status utility and figure out the current state of each device (for example: DJ, HAADJ, or WPJ) before removing devices from the on-prem AD.

This utility must be run as a domain user account; it lists the device join state parameters.

Sample device state output:

Domain Joined (DJ): (screenshot of dsregcmd /status output)

Hybrid Azure AD Joined (HAADJ): (screenshot of dsregcmd /status output)

Workplace Joined (WPJ): (screenshot of dsregcmd /status output)


Refer to the steps below to perform the cleanup, depending on the current device state of the Windows 10 devices; once that has completed, you can perform Azure AD Join.

Domain Joined (DJ):
This would be straightforward: unjoin the devices from the on-prem AD and then disable or delete the Windows 10 devices in your on-premises AD.

Hybrid Azure AD Join (HAADJ)
For hybrid Azure AD joined devices, make sure to turn off automatic registration in AD using the Controlled validation article. Then the scheduled task won't register the device again. Next, open a command prompt as an administrator and enter dsregcmd.exe /debug /leave. Or run this command as a script across several devices to unjoin in bulk.

Then remove the devices from the on-prem AD, disable or delete the Windows 10 devices in your on-premises AD, and let Azure AD Connect synchronize the changed device status to Azure AD. Reference: https://docs.microsoft.com/en-us/azure/active-directory/devices/faq#hybrid-azure-ad-join-faq

Workplace Joined (WPJ)/Azure AD Registered
Remove the Workplace Join as per this link, remove the devices from the on-prem AD, then disable or delete the Windows 10 devices in your on-premises AD, and let Azure AD Connect synchronize the changed device status to Azure AD.

I would strongly recommend referring to this article, Cleanup Azure AD Devices.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
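As an added example (not part of the answer above or of Microsoft's tooling), here is a PowerShell function that reads dsregcmd /status output and reports which of the states listed above a device is in, so the matching cleanup step can be chosen before anything is removed from on-prem AD. The sample output is constructed; the field names are the ones dsregcmd prints in its Device State and User State sections.

```powershell
# Added example: classify a device's join state from dsregcmd /status text.
# WorkplaceJoined lives in the User State section, so it is only meaningful
# when the command runs in the interactive user's session.
function Get-DeviceJoinState {
    param([string[]]$StatusText)

    # Pull "Name : VALUE" pairs out of the output; dsregcmd pads them with spaces.
    $fields = @{}
    foreach ($line in $StatusText) {
        if ($line -match '^\s*(\w+)\s*:\s*(\S+)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $aad = $fields['AzureAdJoined']   -eq 'YES'
    $dom = $fields['DomainJoined']    -eq 'YES'
    $wpj = $fields['WorkplaceJoined'] -eq 'YES'

    # Same labels the answer uses: DJ, HAADJ, WPJ (plus AADJ for cloud-only join)
    $state = if ($aad -and $dom) { 'HAADJ' }
             elseif ($aad)       { 'AADJ' }
             elseif ($dom)       { 'DJ' }
             elseif ($wpj)       { 'WPJ' }
             else                { 'NONE' }

    [pscustomobject]@{
        State           = $state
        AzureAdJoined   = $aad
        DomainJoined    = $dom
        WorkplaceJoined = $wpj   # Azure AD registered; can coexist with DJ
    }
}

# Constructed sample resembling the output of a hybrid-joined device
$sample = @'
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-DeviceJoinState -StatusText $sample | Format-List

# On a real device, feed the live output to the same function:
# Get-DeviceJoinState -StatusText (dsregcmd /status)
```

Running it against a fleet (for example via a remoting session per host) gives an inventory of DJ / HAADJ / WPJ counts before the cleanup steps are scheduled.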



Hi @sikumars-msft

Thank you for the reply. The machines are Workplace Joined. So I would need to run that script in the article? Will the users lose their profile?


Yes, you can either run WPJCleanUp.cmd or manually remove the Workplace Join from the "Access Work or School" setting on the device. Once disconnected and removed from the domain join, the user would still have access to the local profile but not the domain profile.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


@sikumars-msft what about changing users to cloud only?
