This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 64%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
I am trying to do my research on migrating off of our hybrid environment to AAD. All of our workstations are Hybrid joined. Will I need to remove them from the on-prem AD and add them back to AAD? Any links to documentation would be appreciated.
Thanks,
Derek
Thanks for reaching out.
When you say Hybrid, I assume you mean Hybrid Azure AD Join. If you are not sure about current state of devices then I would recommend you to use dsregcmd /status utility and figure out current state of device ( example : DJ, HAADJ, or WPJ ) before remove devices from the on-prem AD.
This utility must be run as a domain user account which lists the device join state parameters.
Sample device state output:
Domain Joined (DJ):
Hybrid Azure AD Joined (HAADJ):
Workplace Joined (WPJ):
Refer below steps to perform cleanup depends on current device state of windows 10 devices, once that has completed then you can perform Azure AD Join.
Domain Joined (DJ):
This would be straight forward, whereas unjoin devices from the on-prem AD and then disable or delete Windows 10 devices in your on-premises AD.
Hybrid Azure AD join
For hybrid Azure AD joined devices, make sure to turn off automatic registration in AD using the Controlled validation article. Then the scheduled task won't register the device again. Next, open a command prompt as an administrator and enter dsregcmd.exe /debug /leave . Or run this command as a script across several devices to unjoin in bulk.
and remove devices from the on-prem AD and then Disable or delete Windows 10 devices in your on-premises AD, and let Azure AD Connect synchronize the changed device status to Azure AD. Reference: https://learn.microsoft.com/en-us/azure/active-directory/devices/faq#hybrid-azure-ad-join-faq
Workplace Joined (WPJ)/Azure AD Registered
Remove Workplace Joined as per this link and remove devices from the on-prem AD and then Disable or delete Windows 10 devices in your on-premises AD, and let Azure AD Connect synchronize the changed device status to Azure AD.
I would strongly recommend to refer this article, Cleanup Azure AD Devices.
------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
hi @sikumars-msft
Thank you for the reply. the machines are Workplace Joined. So i would need to run that script in the article? Will the user's lose their profile?
Yes, you can either run WPJCleanUp.cmd or manually remove Workplace Joined from "Access Work or School" setting on the device. Once disconnected and removed from domain join then user would still have access to local profile but not domain profile.
------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well .
@sikumars-msft what about changing users to cloud only?
Yes, you can have cloud only users to join and Sign-in devices with Azure AD .
So do i just need to disable ad-sync so the user's start authenticating to cloud only?
You are right. Here is reference for "Turn off directory synchronization". Please be aware that disable ad-sync is tenant wide changes whereas all synchronized users will be converted to cloud-only.
is it possible to just test for some users?
Not possible, but in this case you can directly create those users identity in cloud directly rather than disabling Ad-sync for your organization.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 17%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDG%3C/text%3E%3C/svg%3E)
Hi Siva,
Currently we have a Hybrid Azure AD Join deployment and after doing the steps you provided and also after following the steps in the Microsoft articles the devices are getting deleted from Azure AD. I did the following:
The result after doing all of this is that the device gets deleted from Azure AD, what am I missing here?
Any help or guidance will be highly appreciated.
Dago
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 7.000000000000001%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJL%3C/text%3E%3C/svg%3E)
@Dago Garcia Were you able to resolve the issue you mentioned with the devices being deleted from Azure AD after following the steps to migrate from Hybrid Joined to AAD Joined? I ask as I am prepping to do the same where the devices are currently Hybrid Joined/Intune enrolled and will be moving to AAD Join only.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 13%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERJ%3C/text%3E%3C/svg%3E)
Would moving the hybrid joined device to an un-synched OU be enough like controlled validation to allow us to remove it from AD and AAD so it can be re-joined to AAD only?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(118.4, 70%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJJ%3C/text%3E%3C/svg%3E)
Hi Russel,
I've read that moving device out of a syncing OU will is not the proper way of removing HAADJ state. This will not work.