locked
Moving AD joined devices to AAD joined devices Best Practise RRS feed

  • Question

  • Can someone help me with this scenario;

    We are planning to move from on premise AD to Azure AD.

    All colleagues have an Office 365 E3 account and will have added their Office 365 account to their device for Single Sign On and device registration.

    What are the next steps and what happens to the user profile?

    Disconnect from AD?

    How can I get the logon screen after starting the device to log on as an Office 365 user?

    Are the user profiles lost?

    Is everybody still a member of the local administrators group as they where when AD joined?

    Is the way to go Windows ICD?

    I know a lot of questions, but I hope someone can help me or guide me to a good resource.

    Thanks a lot in advance! 

    Wednesday, December 13, 2017 7:01 PM

All replies

  • Hi Richard!

    Are you willing give up Windows AD and all of the on-premises workloads, file servers, etc? Or keep that around, so you can still use what's left on-prem?

    If you still need co-existence, the idea is that you keep Windows AD and provide Single Sign-On (SSO):

    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-appssoaccess-whatis

    Currently domain-joined machines can be registered automatically into Azure AD: https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup

    If setup well, users can keep their profiles, usernames and passwords - but that depends on how you started and whether you have your on-premises Windows AD domain also in the cloud.

    Thanks,

    Florian


    The views and opinions expressed in my postings do NOT necessarily correlate with the ones of my friends, family or my employer. Let's give the thread opener a chance to mark an answer themselves.

    Wednesday, December 13, 2017 7:32 PM
  • Hi Florian,

    Thanks for your quick reply!

    Yes we will move our data center with infrastructure to another location.

    Office automation will be separated from the data center and will be moved to Azure.

    For now there is co-existence with Windows AD with Single Sign On, but only till the data center is moved.

    Domain-joined machines are Azure AD registered, not yet Azure AD joined. Is Azure AD join only possible when the devices are no longer member of Windows AD, so Microsoft Intune is the primary MDM authority?

    How do I get from a Windows AD joined device to a Azure Ad joined device?

    Do I have to un-join the device from Windows AD, while the device is Azure AD registered (not Azure AD joined)?

    How do I get the logon screen to log on to logon in Azure Ad?

    Is the way to go Windows ICD?

    Sorry for the amount of questions, thanks for your response in advance :-)

    Thursday, December 14, 2017 9:59 AM
  • Hi Richard!

    Wow - you have a lot on your plate - I have customers who plan for this to happen over several months :) How many seats are we talking, if you don't mind me asking?

    I suppose you could keep the boxes Windows AD-joined and auto-register the machines into Azure AD, so they become hybrid AADJoined. Later, I suppose you'll unjoin the machines from Windows AD and join them to Azure AD proper. As far as I know, there's no known/foreseen path to do that in bulk. I guess you could script that - or turn that into a self-service function, if you plan it clever enough.

    AADJoin + Intune MDM management can be one step - if you enforce auto-MDM when a device joins AAD.

    Logon is a different beast - do you have, by any chance, the Windows AD UPN in line with the domain in Azure AD? Windows AD: @contoso.com, Azure AD registered the custom domain: @contoso.com ? If so, you should be able to do Password Hash Sync to the cloud. If Windows AD UPN and AAD logon name are in line, Windows 10 should acquire a Kerberos ticket from Windows AD and a token from Azure AD just fine -- no problem there, then. The Hybrid AADJoined'ness may help with keeping the profile and user information when you do the cut Windows AD -> AAD.

    All very theoretical - I haven't played this through, yet. Depending on how "hard" you want to play this - what's wrong in moving all data to the cloud and - on the cutover day, have the user re-stage their machine, wiping the OS with the domain-join and set the box up again, AADJoined properly.

    Thanks,

    Florian


    The views and opinions expressed in my postings do NOT necessarily correlate with the ones of my friends, family or my employer. Let's give the thread opener a chance to mark an answer themselves.

    Thursday, December 14, 2017 9:03 PM