
On Demand Migration Current - Azure AD Device Join Quick Start Guide


On Demand Migration Active Directory now supports Azure AD Join device migration for on-premises and Hybrid Domain Joined workstations running Windows 10 or Windows 11, while preserving User Profiles and File/Folder Security Permissions.

This step-by-step guide walks through how to configure On Demand Migration Directory Sync and an Active Directory Project to perform device migration to Azure AD.


This guide covers the following topics:

  • Azure AD Device Join Requirements

  • Environment preparation

  • Prepare the Provisioning Package

  • Configure and Synchronize your objects between source On-Premises Active Directory and target Azure AD Tenant

  • Configure Device Migration Project

  • Perform Device Azure AD Join migration

  • Validate the device post Azure AD Join

  • Frequently Asked Questions



  • Client is licensed for On Demand Migration Active Directory and Directory Sync

  • One Global Administrator Account for each Microsoft 365 tenant

  • One Domain Administrator Account for each On-Premises Active Directory attached to the tenant

  • One dedicated server to install the Directory Sync agent

  • Permissions to download and install Directory Sync agent


The local agent must meet the following minimum hardware requirements:

  • At least one (1) Windows Server 2012 R2, 2016 or 2019

  • Additional Windows servers may be deployed; limit of 5.

  • CPU: 4 Cores

  • Memory: 4GB Free

  • Disk: 40GB Free Disk Space excluding Operating System

Important Tip: Do not install local agents on AD domain controllers in a production environment.


The local agent must meet the following minimum software requirements:

  • Windows Server 2012 R2, 2016 or 2019

  • .NET 4.7.2. NOTE: .NET will automatically be installed if needed.

  • TLS 1.2 or higher 

Domain and Forest Functional Levels  

  • 2012 R2 or 2016 


  • Directory Sync web interface uses TCP port 443 (HTTPS).

  • Agent web connections use port 443 to Directory Sync host application.

  • DCs use TCP ports 139, 389 (UDP), 445, and 3268.

  • SID History functionality uses TCP ports 135, 137-139, 389 (UDP), 445, 1027, 3268, and 49152-65535. (Optional)
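The hardware, software and DC port requirements above can be checked on a candidate agent server before installing the Directory Sync agent. This preflight script is an added example, not part of the vendor's guide or tooling; `$DomainController` is a placeholder name, and the disk check reads "40GB free" as free space on any fixed drive.

```powershell
# Added example: preflight for a Directory Sync agent server.
$DomainController = 'dc01.corp.example'   # hypothetical DC name, replace with your own
$DcTcpPorts       = 139, 445, 3268        # TCP ports the guide lists for DCs
# The guide lists 389 as UDP; Test-NetConnection only probes TCP, so 389 is not tested here.

function New-Result($Check, $Detail, $Pass) {
    [pscustomobject]@{ Check = $Check; Detail = "$Detail"; Pass = [bool]$Pass }
}

function Test-AgentHost {
    $os    = Get-CimInstance Win32_OperatingSystem
    $cs    = Get-CimInstance Win32_ComputerSystem
    $cores = (Get-CimInstance Win32_Processor | Measure-Object NumberOfCores -Sum).Sum
    $memGB = [math]::Round($os.FreePhysicalMemory / 1MB, 1)      # value is reported in KB
    $disk  = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
             Sort-Object FreeSpace -Descending | Select-Object -First 1
    $diskGB = [math]::Round($disk.FreeSpace / 1GB, 1)
    $netKey = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = (Get-ItemProperty -Path $netKey -Name Release -ErrorAction SilentlyContinue).Release

    New-Result 'Supported OS'  $os.Caption ($os.Caption -match 'Windows Server (2012 R2|2016|2019)')
    # DomainRole 4 and 5 are backup and primary domain controller
    New-Result 'Not a DC'      "DomainRole=$($cs.DomainRole)" ($cs.DomainRole -lt 4)
    New-Result 'CPU cores >= 4' $cores ($cores -ge 4)
    New-Result 'Free RAM >= 4GB' "$memGB GB" ($memGB -ge 4)
    New-Result 'Free disk >= 40GB' "$($disk.DeviceID) $diskGB GB" ($diskGB -ge 40)
    # Release 461808 or higher means .NET Framework 4.7.2 or later
    New-Result '.NET 4.7.2+'   "Release=$release" ($release -ge 461808)
}

function Test-DcPorts {
    foreach ($port in $DcTcpPorts) {
        $open = Test-NetConnection -ComputerName $DomainController -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        New-Result "TCP $port to DC" $DomainController $open
    }
}

$results = @(Test-AgentHost) + @(Test-DcPorts)
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { Write-Warning 'One or more requirements are not met.' }
```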


Local Active Directory Account (Optional, required for Hybrid Tenant)

  • Agent installer will prompt for a domain account with permission to read and write on-premises Active Directory.

  • An agent intended to sync all domains in a forest must have rights to all domains and objects used in workflows.

Azure AD Application Account

  • An account with Global Administrator Role is required to grant permissions and establish connection when adding a Cloud Environment.

Azure AD PowerShell Accounts

  • Three (3) PowerShell accounts are automatically created to read and update objects in the cloud.  To do this, an OAuth token is used from the account used to add the Cloud Environment.

  • These PowerShell accounts do not require any Microsoft 365 licenses.

Environment Preparation


This section will review the environment setup that will be used to perform Azure AD Device Join.  To facilitate the migration, please confirm you have the following:

  • A Hybrid Azure AD tenant including a local on-premises Active Directory with AADC configured.

  • An Azure AD Only tenant.

  • A file share that is accessible by the workstation. The file share will be used to store the provisioning package, which is needed to perform the Azure AD Join. Later in this guide, we will review how to create the provisioning package using Windows Configuration Designer (WCD).

  • A Windows workstation running Windows 10 (Build 1709 or later) or Windows 11 that has already been Hybrid Azure AD Joined. Please ensure the device is shown as Hybrid Azure AD Joined in the Azure Active Directory Portal and as Azure AD Joined on the local device. See the sample screenshots below.

Device Azure AD Join status

Azure AD Portal Device View

Important Tip: For additional detail on how to configure a Hybrid Azure AD Join device, please refer to the Microsoft article "Configure hybrid Azure Active Directory join - Microsoft Entra | Microsoft Docs".

  • For the purpose of this guide, the following sample objects were created ahead of time and placed in an Organizational Unit in the local On-Premises Active Directory. These objects will need to be synchronized to the target Azure AD tenant later in this guide. See the sample screenshot below.

  • Log in to the test device using the source local on-premises AD account and configure the following:

    • A unique User Profile with customized desktop

    • Configure Outlook Profile, OneDrive and Teams client using the source Office 365 account.

    • Setup Local Folders, Share Folders with custom permission ACL using the objects from the above section.

After preparing the environment and the device, make a note of the current setup; we will review this data after the device is migrated.
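One way to record the "current setup" on the test device, covering both the Hybrid Azure AD Joined check and the profile and folder permissions configured above. This is an added example, not part of the vendor's guide; `$Folders` and `$OutFile` are placeholder values to replace with your own.

```powershell
# Added example: pre-migration baseline of join state, user profiles and folder ACLs.
$Folders = @('C:\Data\Finance')                        # hypothetical folders with custom ACLs
$OutFile = "C:\Temp\baseline-$env:COMPUTERNAME.json"   # hypothetical output path

function Get-JoinState {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable
    $state = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|TenantName|DeviceId)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $state
}

function Get-AclSnapshot([string[]]$Path) {
    foreach ($p in $Path) {
        $items = @(Get-Item -LiteralPath $p) +
                 @(Get-ChildItem -LiteralPath $p -Recurse -Force -ErrorAction SilentlyContinue)
        foreach ($i in $items) {
            $acl = Get-Acl -LiteralPath $i.FullName
            # SDDL records owner, SIDs and rights in one string per item
            [pscustomobject]@{ Path = $i.FullName; Owner = $acl.Owner; Sddl = $acl.Sddl }
        }
    }
}

function Get-ProfileSnapshot {
    # User profiles on the device (SID and local path), excluding system profiles
    Get-CimInstance Win32_UserProfile | Where-Object { -not $_.Special } |
        Select-Object SID, LocalPath
}

$join = Get-JoinState
# A Hybrid Azure AD Joined device reports both flags as YES
$isHybrid = ($join.AzureAdJoined -eq 'YES') -and ($join.DomainJoined -eq 'YES')
if (-not $isHybrid) { Write-Warning 'Device does not report as Hybrid Azure AD Joined.' }

[pscustomobject]@{
    Captured  = (Get-Date).ToString('o')
    JoinState = $join
    IsHybrid  = $isHybrid
    Profiles  = @(Get-ProfileSnapshot)
    Acls      = @(Get-AclSnapshot $Folders)
} | ConvertTo-Json -Depth 5 | Set-Content -LiteralPath $OutFile -Encoding UTF8
```

Run it from an elevated prompt so every folder's ACL can be read, and keep the JSON off the device so it is available for the post-migration review.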
