You're welcome. Watch out for the next few videos to cover the other (more approved and supported!) methods. Whilst this is a nice proof of concept, it's really a last resort in my opinion :-)
I'm trying to test this, but his guide on setting up the directory was a little vauge. Can you explain how you set up your folder structure? I got confused because he says Download the PowerShell App Deploy Toolkit and place the contents in the “Toolkit” folder, but there is no toolkit folder in the AADMigration folder, does he mean for us to copy the appdeploy toolkit folder to the AADM folder? And when he says to place the OnedriveLib and bulk token to the files directory, is he meaning AADM\FILES or AADM\Toolkit\files as there is a files folder within the toolkit folder.
i was able to get the folder structure all sorted out and it "starts" migration...i just cant seem know why is not azuread joining if i even have the ppkg file going correctly
again, there will need some tweaks if it doesnt work, so if you are able to get it going, share some tips to fix it, im stuck with end points not azuread joining and when they do, users cant login
Seems a good option, I have done this in the past using the USMT but need to have twice the local profile size in free disk space or a very fast network location.
Haha, I also look forward to Andrew's Friday Newsletter!! But I didn't notice this! looks like magic. moving from AD joined to Azure AD joined device is a real bore! will certainly be checking this out.
Hi, thanks for this info. However, i've just done my first migration. Never even heard of "Wipe and load". This is what i did to my hybrid joined w10 devices: 1. unjoin device from domain (ensure local admin account access) 2. reboot into local admin account 3. rename computer and reboot back into admin account 4. Join AAD using intune licenced admin account 5 sign out and back in as AAD user (so that they are not granted admin access). This process takes about 15 mins per device. The main caveat i've found is that if the domain-joined account has a profile that takes up a lot of hard disk space, then you will essentially double that when joined AAD as above (OneDrive for business is in operation here). Does your method convert or remove the domain only profile?
Thanks Kevin, The only MS Supported method to migrate is Wipe & Load (AKA Rebuild the device). The method shown here is experimental, unsupported and for illustration purposes only, to show what is technically possible. According to the blog (www.modernendpoint.com/managed/Migrating-AD-Domain-Joined-Computer-to-Azure-AD-Cloud-only-join/#determine-your-delivery-method-and-update-prepare-devicemigrationps) it does not migrate user data and leverages OneDrive for Business, so very likely has a similar result to your own.
@@theCMC Thanks for the reply. That's very interesting. I'm the PM running the migration project with our external IT Provider and i've followed their recommended method. And they are supposed to be a MSP Gold Partner. No wonder i'm doing more work on the project than they are.
Kevin, I am trying to do it the way you have described only, I am not able to login with the AAD account. I can still access the local account. Any ideas?
@@wesleyjones6535 Hi, its been a while since i did this now. Are you step 4, in my list? You certainly need to ensure that the AAD account has as intune licence.
@@kevinjackson5191 yes. I’m piloting this and my test group, all user have E5 licenses. I am a global admin. I see on my test device, it didn’t get the AzureADPRT. I’ve open a case with Microsoft.
Heya, I'm looking for a video that helps with steps to move away from hybrid and ad connect to just Cloud. Do you have a video that shows how to get rid of ad connect and just run with Entra after hybrid (for users) has been in place? Thanks for all the content you create!
Same here. We use ImmyBot deployment. There's a task built-in to run ProfWiz. So we really just pay for the number of licenses and get ImmyBot to push the task to several computers at a time. Works great!
Do you have good documentation for this because ForensIT documentation is horrible when trying to follow it. Also how many machines did you do this for? I've been told I have to pay for the corporate license per machine and it will be well over $6,000 for us.
@@stevenwest992 I used the documentation from them. While testing it out I discovered how it worked. I used it for smaller environments of my customers, so I got the professional edition for about 160€.
i'm looking to do this transfer from hybrid to entra ID AD joined , is this still the best way (other than wipe and load) given this video is over a year old ?
This looks incredible! One question though.. Onedrive was setup pre migration, but what happened after migration? I assume the intune policy for Onedrive (if created/assigned) would kick in, but I didn't see anything about this in your video.. Sidenote, I've had issues with signing in silently with OneDrive on AAD joined VMs despite setting up the policy in Intune. Compliant devices are excluded from requiring MFA with Conditional Access but the Onedrive app remains untouched (logged out). If anyone has got an idea what might be wrong, I'd appreciate some guideance 😊 I was thinking that maybe the device being a VM may be the reason behind this behaviour since interactive/remote logon is used via the Hyper-V manager. Haven't had the time to test with AAD joined physical hardware yet, so I don't know if the outcome will be different. (Edit: physical hardware gave the same result, so I'm still head scratching 😉) Thanks for great content Dean!
I actually do want to do a wipe and load. Can you make a video about deploying modern computers with MDT? Where MDT installs vanilla Windows 11 and Autopilot takes over?
I'm not sure what's going wrong, but after following the video and the configuration steps from the link, it appears to do the right steps, installs onedrive (if not installed), onreboot it checks for sync and then starts the process, creating the temp account, a couple more restarts for the migration account and then get the migration complete message. In AD the device has been disabled, but it hasn't been added to Azure. And then of course, the AD accounts not longer work on the device. Any one had this and what did I miss?
Hi, Thanks for some great content. Is this a better method for migrating from local AD to Azure AD, than using Forensit User Profile Wizard Release 24 ? I have been using Forensit for years, with very few problems.
I have to admit I've not used Forensit UPW, R24. Or any Forensit tool for that matter! I will highlight that this approach (like the wipe & load approach) relies on OneDrive Known Folder Move approach, which won't necessarily include all user data. I'd be interested to hear your thoughts!
We also used Forensit and it handled re-ACLing of the existing user profile like a champ. Minimal downtime, no new user profile. AAD-joined, in our case also Intune-managed device on the other side with same user profile they were using prior to migration. I highly recommend Forensit as a solution to migrate devices to AAD.
@@thejesusofbaghdad Hi bro. If you have any document regarding this entire process. Pre migration steps. Migration steps. Post migration steps. Please share link
@@theCMC Thank you for the response, is there any other alternative way to do the same? We are trying to move all on-prem and hybrid Entra joined devices to Entra only, without taking the Wipe\ Autopilot method.
Sean believes that it will be considered a Shared device. Check out this blog post for more info: www.modernendpoint.com/managed/Dynamically-Update-Primary-Users-on-Intune-Managed-Devices/
My company is looking to migrate fully from in on prem to cloud! This video is so helpful, appreciate it!
You're welcome. Watch out for the next few videos to cover the other (more approved and supported!) methods.
Whilst this is a nice proof of concept, it's really a last resort in my opinion :-)
@@theCMC Which video are you referring to?
can anyone help me with the folder structure, the instructions seem a bit vague?
I'm trying to test this, but his guide on setting up the directory was a little vauge. Can you explain how you set up your folder structure? I got confused because he says Download the PowerShell App Deploy Toolkit and place the contents in the “Toolkit” folder, but there is no toolkit folder in the AADMigration folder, does he mean for us to copy the appdeploy toolkit folder to the AADM folder? And when he says to place the OnedriveLib and bulk token to the files directory, is he meaning AADM\FILES or AADM\Toolkit\files as there is a files folder within the toolkit folder.
i was able to get the folder structure all sorted out and it "starts" migration...i just cant seem know why is not azuread joining if i even have the ppkg file going correctly
@@FUSION619 would you mind emailing me screenshots of your deployment folder? I would be really grateful!
@@FUSION619 I have script I can send you that’ll work for the bulk token.
@@Uncleruckus-N0Relati0n sorry for the delay, just sent the screenshots over...
again, there will need some tweaks if it doesnt work, so if you are able to get it going, share some tips to fix it, im stuck with end points not azuread joining and when they do, users cant login
Doesn't Profile Wizard Simplify this?
How is it possible that no one has documented the folder structure yet? Can someone please provide the folder structure details?
Seems a good option, I have done this in the past using the USMT but need to have twice the local profile size in free disk space or a very fast network location.
Forensit Prowiz was designed exactly moving existing computers to another domain, azure AD or other combinations without a wipe.
Haha, I also look forward to Andrew's Friday Newsletter!!
But I didn't notice this! looks like magic. moving from AD joined to Azure AD joined device is a real bore! will certainly be checking this out.
Hi, thanks for this info. However, i've just done my first migration. Never even heard of "Wipe and load".
This is what i did to my hybrid joined w10 devices:
1. unjoin device from domain (ensure local admin account access)
2. reboot into local admin account
3. rename computer and reboot back into admin account
4. Join AAD using intune licenced admin account
5 sign out and back in as AAD user (so that they are not granted admin access).
This process takes about 15 mins per device. The main caveat i've found is that if the domain-joined account has a profile that takes up a lot of hard disk space, then you will essentially double that when joined AAD as above (OneDrive for business is in operation here).
Does your method convert or remove the domain only profile?
Thanks Kevin,
The only MS Supported method to migrate is Wipe & Load (AKA Rebuild the device).
The method shown here is experimental, unsupported and for illustration purposes only, to show what is technically possible.
According to the blog (www.modernendpoint.com/managed/Migrating-AD-Domain-Joined-Computer-to-Azure-AD-Cloud-only-join/#determine-your-delivery-method-and-update-prepare-devicemigrationps) it does not migrate user data and leverages OneDrive for Business, so very likely has a similar result to your own.
@@theCMC Thanks for the reply. That's very interesting. I'm the PM running the migration project with our external IT Provider and i've followed their recommended method. And they are supposed to be a MSP Gold Partner. No wonder i'm doing more work on the project than they are.
Kevin, I am trying to do it the way you have described only, I am not able to login with the AAD account. I can still access the local account. Any ideas?
@@wesleyjones6535 Hi, its been a while since i did this now. Are you step 4, in my list? You certainly need to ensure that the AAD account has as intune licence.
@@kevinjackson5191 yes. I’m piloting this and my test group, all user have E5 licenses. I am a global admin. I see on my test device, it didn’t get the AzureADPRT. I’ve open a case with Microsoft.
Heya, I'm looking for a video that helps with steps to move away from hybrid and ad connect to just Cloud. Do you have a video that shows how to get rid of ad connect and just run with Entra after hybrid (for users) has been in place? Thanks for all the content you create!
Hey Phil - I don’t have that actually, but I can see how it might be a good video to create.
That would be amazing 🤩, most videos are like ..here's how to get ad hybrid and then your stuck there lol 😆 thanks again, legend!!
Hi, trying to test this. Anyone figure out the folder structure perhapss?
This shit doesnt work
would anyone share the folder structure ?
We use ForensiT ProfWiz for these migrations. Can recommend it!
I wonder if I can get a license to do a video of it…!
Same here. We use ImmyBot deployment. There's a task built-in to run ProfWiz. So we really just pay for the number of licenses and get ImmyBot to push the task to several computers at a time. Works great!
Do you have good documentation for this because ForensIT documentation is horrible when trying to follow it. Also how many machines did you do this for? I've been told I have to pay for the corporate license per machine and it will be well over $6,000 for us.
@@stevenwest992 I used the documentation from them. While testing it out I discovered how it worked. I used it for smaller environments of my customers, so I got the professional edition for about 160€.
How about Quest - On Demand Migration? that does it all.
i'm looking to do this transfer from hybrid to entra ID AD joined , is this still the best way (other than wipe and load) given this video is over a year old ?
do you have to do this on every machine?
I have seen many of nice hacks using power shell script, but these cant be used in Production but good to know 😊
What about profwiz?
This looks incredible! One question though.. Onedrive was setup pre migration, but what happened after migration? I assume the intune policy for Onedrive (if created/assigned) would kick in, but I didn't see anything about this in your video..
Sidenote, I've had issues with signing in silently with OneDrive on AAD joined VMs despite setting up the policy in Intune. Compliant devices are excluded from requiring MFA with Conditional Access but the Onedrive app remains untouched (logged out). If anyone has got an idea what might be wrong, I'd appreciate some guideance 😊 I was thinking that maybe the device being a VM may be the reason behind this behaviour since interactive/remote logon is used via the Hyper-V manager. Haven't had the time to test with AAD joined physical hardware yet, so I don't know if the outcome will be different. (Edit: physical hardware gave the same result, so I'm still head scratching 😉)
Thanks for great content Dean!
I actually do want to do a wipe and load. Can you make a video about deploying modern computers with MDT? Where MDT installs vanilla Windows 11 and Autopilot takes over?
Sure can. I’ll see what I can do!
I'm not sure what's going wrong, but after following the video and the configuration steps from the link, it appears to do the right steps, installs onedrive (if not installed), onreboot it checks for sync and then starts the process, creating the temp account, a couple more restarts for the migration account and then get the migration complete message. In AD the device has been disabled, but it hasn't been added to Azure. And then of course, the AD accounts not longer work on the device.
Any one had this and what did I miss?
I'm having the same issue. Did you resolve it?
Any solution for this?
Thanks for the video. But what configuration must take place on Azure to facilitate this?
Hi, Thanks for some great content. Is this a better method for migrating from local AD to Azure AD, than using Forensit User Profile Wizard Release 24 ? I have been using Forensit for years, with very few problems.
I have to admit I've not used Forensit UPW, R24. Or any Forensit tool for that matter!
I will highlight that this approach (like the wipe & load approach) relies on OneDrive Known Folder Move approach, which won't necessarily include all user data.
I'd be interested to hear your thoughts!
We also used Forensit and it handled re-ACLing of the existing user profile like a champ. Minimal downtime, no new user profile. AAD-joined, in our case also Intune-managed device on the other side with same user profile they were using prior to migration. I highly recommend Forensit as a solution to migrate devices to AAD.
@@thejesusofbaghdad
Hi bro.
If you have any document regarding this entire process.
Pre migration steps.
Migration steps.
Post migration steps.
Please share link
This is really promising however reading the instructions im slightly lost regarding on where the files are required to go for this to work?
Why not moving to HAADJ then to AADJ ?!
That’s the MS approach. If it works for you then great! It needs a wipe and load between the HAADJ and the AADJ though.
So this script will move both Hybrid join and on-prem AD joined devices to Entra only right?
That’s how it was designed, but I’ve not used it since this video was created.
@@theCMC Thank you for the response, is there any other alternative way to do the same? We are trying to move all on-prem and hybrid Entra joined devices to Entra only, without taking the Wipe\ Autopilot method.
Someone mentioned Forensit Profwiz, but I’ve never used that either.
Question: What happens if I run this using the system account? Eg:- using the RMM tool? GUI won't display to the user, right?
For me, not see GUI if i run from RMM
You might as well have just created a blog that states the process works for all the help this one is
From my experience blog posts aren’t great on RUclips, but thanks for the suggestion!
How would you recommend the final step: turn of sync and turning users into Cloud only ?
I wouldn’t suggest you move the users over unless you really need to. Hybrid Users aren’t so bad in my opinion.
@@theCMC
Thank you but I’m demoting the only AD hardware to have my 28 users in the cloud.
For domain join only (not hybrid) who will the primary user be onthe device?
Sean believes that it will be considered a Shared device. Check out this blog post for more info: www.modernendpoint.com/managed/Dynamically-Update-Primary-Users-on-Intune-Managed-Devices/
I am not going to tell you how to do dat either 😂😂😂😂😂
I have to admit, it sounded much more mean than I had hoped when I came to editing!
@@theCMC lol
Easy, just host the files on an ftp then run this command:
curl $fileaURL -o $C:\destinationfolder\filename
Tool is worthless without method of deployment
Agreed. I think an update is required for this video.