(WIP) Project - EntraAD - Infrastructureless

Synopsis: Outline of migrating from on-premsis to EntraAD.

Published October 23rd, 2025
Last Modified: October 23rd, 2025

Intro: This will hopefully become an indepth outline for migrating from on-prem Active Directory to EntraAD with the goal of decommissioning on prem servers.






Quick Run Down

    1.) Verify Licenses

    2.) Systems Audit

    3.) Profile Migrations - Planning

    4.) EntraAD Prep

    5.) Profile Migrations - Implementation

Verify Licensing

    Users can login to an Azure-joined computer with any valid AAD identity; however, Windows 10 Endpoint Management requires Intune entitlements at the user level.

    Suitable subscriptions as of this writing:

    • Microsoft 365 Business Premium
    • Enterprise Mobility & Security E3 (add-on)
    • Intune only (add-on)

Systems Audit

    1. Begin a device tracker document, with device exports from your RMM. Possibly included device exports from S1, or Intune if there are doubts that RMM has all the devices.
    2. All computers should be Windows 10 or 11.

Profile Migrations - Planning

EntraAD Prep

    1. Audit Current Azure AD Environment:

      Clean up Hybrid Azure AD Joined Devices:
      • Clean up disabled machines in On-Prem AD.
      • Disable Inactive machines in On-Prem AD.
      Clean up Azure AD 'Registered' Devices:
      • Remove "Stale" Devices directly from Azure AD. Azure AD 'Registered' Devices'

    2. Azure AD > Devices > Device Settings > Users may join devices to Azure AD

    • Default setting is All, meaning any authenticated user can join any device This is typically not desired, but can be left alone for the project until completion.
    • Recommend to change to Selected and add the Device Enrollment Manager account. (If one does not exist, create one. Procurement / PC Builds Team will need this service account in order to Azure AD join new machines.)

    3. Azure AD > Mobility > Microsoft Intune > MDM/MAM user scope

      These should both normally be set to All (default) . MAM settings can be left alone, but MDM user scope will need to be set to "All".
      Device Enrollment Manager account needs to be added to this group.
      Creating a DEM Account

    4. Disable requirement for Windows Hello for Business under Windows Enrollments.

Profile Migrations - Implementation

Newest Post