Migration from On-Prem active directory to full AzureAD+intune

dummys 45 Reputation points
2026-03-18T14:47:10.7266667+00:00

For now we were hybrid AD joined. The new workstations are no longer hybrid but full AAD.

My goal is to remove the on-prem Active Directory, but for now we still have AADConnect on the DC and the users are still created from the on-prem Active Directory.

I need to migrate an old RDS server, and I installed a new Windows Server 2025 Standard which is Azure Arc enabled, and I installed the AADLogin extension.

The users are successfully able to log on to the new workstations using ******@domain.xx as the login.

Before removing all the on-prem Active Directory infrastructure, I need to be sure that my users can log on to the newer RDS server. The problem is that for now we can't enable Windows Hello for Business, as we have an old file server. My question is: does AADLogin work even without Windows Hello for Business?

Microsoft Security | Microsoft Entra | Microsoft Entra ID
Answer accepted by question author
  1. Q&A Assist
    2026-03-18T14:47:36.2+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Yes. AADLogin (Microsoft Entra login for Windows / AADLoginForWindows extension) works independently of Windows Hello for Business.

    Key points relevant to the scenario:

    1. Authentication model
      • Users can authenticate to Microsoft Entra ID using:
        • Cloud authentication (Password Hash Sync or Pass-through Authentication), or
        • Federated authentication (AD FS or other federation).
      • These methods apply to both cloud-only and hybrid deployments and are not dependent on Windows Hello for Business.
      • Windows Hello for Business is an additional, more secure sign-in method (keys, biometrics, PIN), but not a prerequisite for Entra-based sign-in.
    2. Device registration and join
      • For hybrid or cloud-only deployments, devices register in Microsoft Entra ID.
      • AADLogin uses that Entra identity and device registration to allow sign-in to the server.
      • This works whether or not Windows Hello for Business is deployed.
    3. Windows Hello for Business is optional
      • Windows Hello for Business provides passwordless or MFA-based sign-in (biometrics/PIN + key/cert-based auth), but it is a security feature layered on top of Entra authentication.
      • The deployment options (cloud-only, hybrid, on-premises) describe how Hello for Business integrates with Entra/AD, not a requirement for Entra sign-in itself.
      • Therefore, users can continue to sign in with their ******@domain.xx Entra credentials (username + password, plus any configured MFA) to the new RDS server via AADLogin even if Windows Hello for Business is not enabled.

    So, AADLogin will work without Windows Hello for Business, provided that:

    • The VM is properly registered/connected (Azure Arc + AADLogin extension), and
    • Microsoft Entra authentication (cloud or federated) is correctly configured and reachable from the server.

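The answer's two conditions (the server is registered through Azure Arc with the AADLogin extension, and Entra authentication is reachable from it) can be verified before the on-prem AD is decommissioned. The following checklist is an added example and is not part of the question or of the Q&A Assist answer. It assumes an elevated PowerShell session on the new Windows Server 2025 RDS host, the Azure CLI with the `connectedmachine` extension installed and signed in, and placeholder values for the resource group (`rg-arc-servers`), the Arc machine name (`rds02`) and the test user (`user@domain.xx`). It also checks one thing the answer does not mention: the user must hold the "Virtual Machine User Login" or "Virtual Machine Administrator Login" role on the Arc machine resource, otherwise Entra sign-in is refused even with a correct password.

```powershell
# Added verification checklist (not from the original post or answer).
# Run elevated on the Arc-enabled RDS host. Placeholder values below must be replaced.
$ResourceGroup = 'rg-arc-servers'   # placeholder: resource group of the Arc machine
$MachineName   = 'rds02'            # placeholder: Arc machine resource name
$TestUser      = 'user@domain.xx'   # placeholder: an Entra user who should be able to sign in

# 1. The server must be Microsoft Entra joined (the AADLogin extension joins it on install).
$dsreg         = dsregcmd /status
$azureAdJoined = ($dsreg | Select-String '^\s*AzureAdJoined\s*:\s*YES').Count -gt 0
$tenantLine    = $dsreg | Select-String 'TenantName\s*:' | Select-Object -First 1
$tenantName    = if ($tenantLine) { ($tenantLine.Line -split ':', 2)[1].Trim() } else { '(not joined)' }
"Entra joined     : $azureAdJoined (tenant: $tenantName)"

# 2. The Arc agent must report Connected; the extension is delivered and managed through it.
azcmagent show

# 3. The AADLoginForWindows extension must exist on the Arc machine and be in state Succeeded.
$ext = az connectedmachine extension list --machine-name $MachineName --resource-group $ResourceGroup |
       ConvertFrom-Json |
       Where-Object { $_.properties.type -eq 'AADLoginForWindows' }
if (-not $ext) {
    Write-Warning 'AADLoginForWindows extension is not installed on this Arc machine'
} else {
    "Extension state  : $($ext.properties.provisioningState)"
}

# 4. Entra endpoints used by device registration and sign-in must be reachable over TCP 443.
#    (Endpoint list as documented for Entra login on Azure VMs; assumed to apply to Arc servers too.)
$endpoints = 'login.microsoftonline.com',
             'device.login.microsoftonline.com',
             'enterpriseregistration.windows.net',
             'pas.windows.net'
foreach ($h in $endpoints) {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    '{0,-40} {1}' -f $h, $(if ($r.TcpTestSucceeded) { 'reachable' } else { 'BLOCKED' })
}

# 5. The user needs the 'Virtual Machine User Login' or 'Virtual Machine Administrator Login'
#    RBAC role on the machine resource (directly or inherited from the resource group / subscription).
$scope = az connectedmachine show --name $MachineName --resource-group $ResourceGroup --query id -o tsv
$roles = az role assignment list --assignee $TestUser --scope $scope --include-inherited `
         --query "[].roleDefinitionName" -o tsv
if ($roles -match 'Virtual Machine (User|Administrator) Login') {
    "Login role       : $roles"
} else {
    Write-Warning "$TestUser has no Virtual Machine *Login role on $scope; Entra sign-in will be refused"
}
```

Steps 1 and 4 run entirely on the server and do not need the Azure CLI; steps 3 and 5 query the Azure control plane and are the ones to re-run after any change to the Arc resource or its role assignments. A final manual test is still needed: sign in from one of the Entra-joined workstations with the `user@domain.xx` credentials before AADConnect and the domain controllers are removed.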
