Unfortunately no. It seems Microsoft is actively encouraging customers to move away from their on-prem products and over to their cloud solution but offers no supported migration path or guidance. I completely understand AAD isn't a complete substitute for AD; however, for most small/medium-sized organisations Azure/M365/Intune etc. offers more than enough.
I am aware of an unsupported method to migrate AD to AAD; however, there is still a lot of manual work involved and if you hit any issues it's very unlikely MS will offer any help.
Hi James,
Thanks for the reply and the link.
As mentioned in my original post, the issue only appears to be affecting some users and only for desktop applications (i.e. Teams, OneDrive, etc.) but not browser apps. We have the 'Allow users to remember multi-factor authentication on devices they trust' setting enabled and set for 90 days. The problematic users appear to be prompted most days when first opening the Teams app or OneDrive app. All users have Hybrid joined Windows 10 devices.
Sorry for the delayed reply; with the COVID situation this was put on the back burner for a while. Here's what I've tried:
Retired two Win10 devices (laptops) from within Intune. Both had a status of 'co-managed'.
Deleted the same two devices from Azure AD.
Ensured the SCCM agent was uninstalled from both Win10 laptops.
Allowed Azure AD Sync to synchronise the on-prem computer accounts back to AAD (we have a GPO in place to auto hybrid join Win10 computers).
Rebooted the two Win10 laptops, ran GPUPDATE /FORCE and rebooted again (again, we have a GPO in place to auto-enrol computers into Intune).
Unfortunately, both devices have reappeared in Intune as 'co-managed'. Something somewhere (either within the Win10 registry or within the AD computer account) must still be marked as SCCM managed? Any other thoughts or suggestions would be appreciated.
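As an added illustration for the troubleshooting steps above (this is example code written for this reply, not something posted by the original author or provided by Microsoft), the following read-only PowerShell script checks a Windows 10 device for the usual leftovers of a ConfigMgr client and reports its hybrid-join/MDM state. The CcmExec service, the CCM/ccmsetup/ccmcache folders, the root\ccm WMI namespace and the HKLM\SOFTWARE\Microsoft\CCM key are the standard client locations; the CoManagementFlags value name is an assumption based on common documentation. Run it elevated on one of the affected laptops before re-syncing; it deletes nothing.

```powershell
# Example check script (not from the original thread). Read-only: reports
# ConfigMgr client remnants and device join state, makes no changes.
function Test-ConfigMgrRemnants {
    $findings = @()

    # 1. ConfigMgr client service (CcmExec) still registered?
    $svc = Get-Service -Name 'CcmExec' -ErrorAction SilentlyContinue
    if ($svc) { $findings += "CcmExec service still present (status: $($svc.Status))" }

    # 2. Client folders left behind by an incomplete uninstall
    foreach ($p in "$env:WINDIR\CCM", "$env:WINDIR\ccmsetup", "$env:WINDIR\ccmcache") {
        if (Test-Path -Path $p) { $findings += "Folder still present: $p" }
    }

    # 3. WMI namespace root\ccm still answering? (only exists while the client is installed)
    try {
        $null = Get-CimInstance -Namespace 'root\ccm' -ClassName 'SMS_Client' -ErrorAction Stop
        $findings += 'WMI namespace root\ccm still answers (SMS_Client class found)'
    } catch { }

    # 4. Client registry hive and the co-management flag
    $ccmKey = 'HKLM:\SOFTWARE\Microsoft\CCM'
    if (Test-Path -Path $ccmKey) {
        $findings += "Registry key still present: $ccmKey"
        # Assumption: CoManagementFlags under this key holds the co-management workload bitmask
        $flags = (Get-ItemProperty -Path $ccmKey -Name 'CoManagementFlags' -ErrorAction SilentlyContinue).CoManagementFlags
        if ($null -ne $flags) { $findings += "CoManagementFlags = $flags (non-zero means co-management was enabled)" }
    }

    # 5. Join and MDM state as seen by the device itself
    $dsreg = dsregcmd /status
    foreach ($field in 'AzureAdJoined', 'DomainJoined', 'MdmUrl') {
        $line = $dsreg | Where-Object { $_ -match "^\s*$field\s*:" } | Select-Object -First 1
        if ($line) { $findings += ($line.Trim()) }
    }

    if ($findings.Count -eq 0) {
        Write-Output 'No ConfigMgr remnants found; device reports no join/MDM fields (run elevated?)'
    } else {
        $findings | ForEach-Object { Write-Output $_ }
    }
}

Test-ConfigMgrRemnants
```

If the service, folders or root\ccm namespace still show up after the agent was supposedly uninstalled, the client was not fully removed and the next auto-enrolment will re-register the device as co-managed; if only the registry key and CoManagementFlags remain, that is the leftover state to look at on the device side before suspecting the AD computer account.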
Thanks for the reply James.
I understand AAD isn't a direct replacement for AD and that we would lose some functionality which AAD cannot provide; however, we are OK with this. We're not running SQL, Exchange or any other on-prem applications which require AD, so it would be much simpler for us to go full cloud. If we were setting up a new business this is exactly what we would do: create the new users, groups and mailboxes within AAD and then enrol the client devices into AAD. I guess we could set up a new Azure tenant/subscription, set up new users, groups, etc. and then migrate the M365 mailboxes and on-prem file data, but this just seems very long-winded when we already have this in the existing tenant/subscription. We just want to cut the ties with our on-prem AD so we can manage everything from the Azure/M365 portal.