Share via

Migration devices Microsoft Entra hybrid join.

Tsunami Technology 0 Reputation points
2026-04-22T16:39:14.0733333+00:00

seeking assistance to migrate devices currently hybrid joined to Microsoft Entra joined, aiming to shut down their on-premises domain controller without losing any data.

Communication between AD to 365 by using AD coonect.

Currently intune setup in place for Andriod and iPad as well windows devices.

Goal is move device windows base one by one users and disconnect from AD.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Raja Pothuraju 47,505 Reputation points Microsoft External Staff Moderator
    2026-04-28T09:36:36.4333333+00:00

    Hey there Tsunami Technology,

    You can definitely move your Windows PCs from Microsoft Entra Hybrid Joined (AD + Azure AD) to pure Microsoft Entra Joined. There isn’t a magic “convert” button—you’ll migrate each device off your on-premises domain and then join it directly to Entra. Here’s a high-level playbook you can tweak for your environment:

    1. Plan & Prep
      • Inventory devices (OS versions, hardware, apps) and group them into logical batches.
      • Ensure every user has a Microsoft Entra identity (via Azure AD Connect) and the right Intune/Entra licenses.
      • Decide if you’ll use Windows Autopilot or manual join (Settings > Accounts > Access work or school > + Connect > Join this device to Azure Active Directory).
      • Create Intune device profiles, app assignments and Conditional Access policies ahead of time.
    2. Backup & Profile Migration
      • Have users sync their Documents/Desktop to OneDrive or run USMT to capture their profile if you need non-cloud data.
      • If you prefer a tool-based approach, consider the User State Migration Tool (USMT) or third-party profile-migration solutions.
    3. Pilot Batch
      • Pick a small group of early adopters or test machines.
      • Remove the device from the on-prem AD domain: • In System → About → Change settings, unjoin from domain and reboot.
      • Join to Azure AD: • Go to Settings → Accounts → Access work or school → + Connect and choose “Join this device to Azure Active Directory.”
      • After join, users sign in with their Entra credentials and get a new local profile.
    4. Reapply Configuration via Intune
      • Install the Company Portal (if not auto-installed).
      • In Intune, monitor that the device checks in, receives device configuration profiles, compliance policies, Win32/LOB apps, scripts, etc.
      • Verify access to Exchange/Outlook, Teams, OneDrive and any internal resources that use Conditional Access or SSO.
    5. Data Migration & Cleanup
      • Copy data from the old (domain) profile to the new Entra profile if it wasn’t OneDrived.
      • Remove any stale computer objects from both on-prem AD and Azure AD (you can automate cleanup with PowerShell or the Microsoft Entra Device Cleanup script).
    6. Repeat in Waves
      • Proceed in small batches, iterating on any issues found in the pilot.
      • Keep Azure AD Connect and your on-prem DCs online until all machines are migrated.
    7. Decommission
      • Once every device is Entra-joined and no workloads rely on your domain controllers, you can retire the on-prem DCs.
      • After a suitable validation period, remove Azure AD Connect if you’re going fully cloud-only (or keep it if you still sync identities for other reasons).

    Useful links for more detail:

    Hope that gives you a clear workflow—good luck, and let us know if you hit any snags!

    Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.

    Was this answer helpful?

    0 comments

  2. AI answer

    2026-04-22T16:39:35.42+00:00

    To move from Microsoft Entra hybrid joined devices to Microsoft Entra joined devices and retire on-premises domain controllers, devices must be rebuilt or reset; there is no in-place conversion path.

    Key principles from the documentation:

    1. No supported in-place conversion from Hybrid join to Entra join
      • There is no Microsoft-supported process to convert an existing Hybrid Microsoft Entra joined Windows device directly to Microsoft Entra joined without a Windows reset or reinstallation.
      • For hybrid joined devices, a full device wipe/reset is required; Windows Autopilot Reset does not support hybrid joined devices.
      • Therefore, the migration must be planned as a re-provisioning of each Windows device.
    2. Recommended migration approach Microsoft guidance is to align the move to Microsoft Entra join with natural lifecycle events (hardware refresh, OS upgrade, or troubleshooting requiring a reset): For each Windows device/user, high-level process:
      1. Prepare the environment
      • Ensure Microsoft Entra join is enabled and Intune is ready to manage Microsoft Entra joined Windows devices. Intune can manage both Microsoft Entra Join and Hybrid Microsoft Entra Join endpoints.
      • Confirm that required apps, policies, and configurations for Windows are defined in Intune for Microsoft Entra joined devices.
      • Plan how users will access any remaining on-premises resources from Microsoft Entra joined devices (for example, via VPN or other supported methods). Microsoft Entra joined endpoints can access on-premises resources and use SSO.
      1. Choose a per-device migration trigger
      • Use one of:
        • Hardware refresh (new device)
        • OS upgrade or reimage
        • Planned device reset for migration
      • This minimizes user disruption and allows a clean move to Microsoft Entra join.
      1. Re-provision the device as Microsoft Entra joined
      • Wipe or reimage the existing hybrid joined Windows device.
      • During Windows Out of Box Experience (OOBE) or via Windows Autopilot, join the device directly to Microsoft Entra ID (Microsoft Entra join), not to the on-premises domain.
      • Enroll the device into Intune as part of the Microsoft Entra join process so that Intune policies and apps are applied.
      1. Restore user data and apps
      • Restore user data from backups or cloud storage (for example, OneDrive, if already in use) to avoid data loss.
      • Reinstall or push required applications via Intune.
      1. Decommission the old hybrid state
      • Once the user is fully working on the Microsoft Entra joined device and all required resources are accessible, remove or retire the old hybrid joined device object from on-premises AD and Microsoft Entra ID as per organizational policy.
    3. Coexistence during transition
      • Microsoft Entra Join and Hybrid Microsoft Entra Join endpoints can coexist in the same environment; they are not mutually exclusive.
      • This allows a phased, one-by-one migration of Windows devices while on-premises domain controllers still exist.
      • Hybrid Microsoft Entra Join should not be the long-term end state if the goal is a cloud-native environment; the end goal is Microsoft Entra Join for Windows endpoints.
    4. Dependency on on-premises domain controllers
      • Hybrid Microsoft Entra joined endpoints require line-of-sight to on-premises AD domain controllers for initial sign-in and password changes. If the domain is unavailable, users can be blocked from signing in.
      • Because the plan is to shut down domain controllers, all Windows endpoints must be moved off Hybrid Microsoft Entra Join to Microsoft Entra Join before decommissioning the domain.
    5. Intune and compliance/Conditional Access
      • Intune can manage both Microsoft Entra Join and Hybrid Microsoft Entra Join Windows client devices.
      • Both join types support Intune compliance policies and Conditional Access when managed by Intune or co-managed.
      • As devices are re-provisioned to Microsoft Entra join, ensure compliance policies and Conditional Access rules are aligned to support the new join type.
    6. Practical migration pattern for “one-by-one” user moves For each Windows user/device:
      1. Confirm all needed policies/apps are available via Intune for Microsoft Entra joined devices.
      2. Backup or sync user data to a cloud or network location.
      3. Wipe/reset or reimage the device.
      4. During setup, join the device to Microsoft Entra ID (Microsoft Entra join) and enroll into Intune.
      5. Restore user data and validate access to Microsoft 365 and any required on-premises resources.
      6. After successful cutover, retire the old hybrid device object and, once all devices are migrated, decommission the on-premises domain controllers.

    This approach allows gradual, user-by-user migration from hybrid joined to Microsoft Entra joined devices without data loss, while maintaining coexistence until the on-premises domain can be safely shut down.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.