On Demand Migration Active Directory now adds Azure AD Join device migration support for on-premises and Hybrid Domain Joined workstations running Windows 10 or Windows 11, while preserving user profiles and file/folder security permissions.
This step-by-step guide walks through how to configure On Demand Migration Directory Sync and an Active Directory project to perform device migration to Azure AD.
This guide covers the following topics:
Azure AD Device Join Requirements
Environment preparation
Prepare the Provisioning Package
Configure and Synchronize your objects between source On-Premises Active Directory and target Azure AD Tenant
Configure Device Migration Project
Perform Device Azure AD Join migration
Validate the device post Azure AD Join
Frequently Asked Questions
General
Client is licensed for On Demand Migration Active Directory and Directory Sync
One Global Administrator Account for each Microsoft 365 tenant
One Domain Administrator Account for each On-Premises Active Directory attached to the tenant
One dedicated server to install the Directory Sync agent
Permissions to download and install Directory Sync agent
The local agent must meet the following minimum hardware requirements:
At least one (1) Windows Server 2012 R2, 2016 or 2019
Additional Windows servers may be deployed; limit of 5.
CPU: 4 Cores
Memory: 4GB Free
Disk: 40GB Free Disk Space excluding Operating System
Important Tip: Do not install local agents on AD domain controllers in a production environment.
The local agent must meet the following minimum software requirements:
Windows Server 2012 R2, 2016 or 2019
.NET 4.7.2. NOTE: .NET will automatically be installed if needed.
TLS 1.2 or higher
Domain and Forest Functional Levels
2012 R2 or 2016
Directory Sync web interface uses TCP port 443 (HTTPS).
Agent web connections use port 443 to Directory Sync host application.
DCs use TCP ports 139, 445 and 3268, plus port 389 (UDP).
SID History functionality (optional) uses TCP ports 135, 137-139, 445, 1027, 3268 and 49152-65535, plus port 389 (UDP).
Local Active Directory Account (Optional, required for Hybrid Tenant)
The agent installer will prompt for a domain account with permission to read and write on-premises Active Directory.
An agent intended to sync all domains in a forest must have rights to all domains and objects used in workflows.
Azure AD Application Account
An account with Global Administrator Role is required to grant permissions and establish connection when adding a Cloud Environment.
Azure AD PowerShell Accounts
Three (3) PowerShell accounts are automatically created to read and update objects in the cloud. To do this, an OAuth token is used from the account used to add the Cloud Environment.
These PowerShell accounts do not require any Microsoft 365 licenses.
This section will review the environment setup that will be used to perform Azure AD Device Join. To facilitate the migration, please confirm you have the following:
A Hybrid Azure AD tenant including a local on-premises Active Directory with AADC configured.
An Azure AD Only tenant.
A file share that is accessible by the workstation. The file share will be used to store the provisioning package needed to perform the Azure AD Join; later in this guide, we will review how to create the provisioning package using Windows Configuration Designer (WCD).
A Windows workstation running Windows 10 (Build 1709 or later) or Windows 11 that has already been Hybrid Azure AD Joined. Please ensure the device is shown as Hybrid Azure AD Joined in the Azure Active Directory portal and as Azure AD Joined on the local device. See the sample screenshots below.
Device Azure AD Join status
Azure AD Portal Device View
Important Tip: For additional detail on how to configure a Hybrid Azure AD Joined device, please refer to the Microsoft article Configure hybrid Azure Active Directory join - Microsoft Entra | Microsoft Docs.
For the purpose of this guide, the following sample objects were created ahead of time and placed in an Organizational Unit in the local on-premises Active Directory. These objects will need to be synchronized to the target Azure AD tenant later in this guide. See the sample screenshot below.
Log into the test device using the source local on-premises AD account and configure the following:
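Before migrating, confirm the local join state the guide expects. The following PowerShell script is an added example, not Quest's code: it parses the "Name : Value" lines printed by dsregcmd /status on Windows 10/11 (fields such as AzureAdJoined and DomainJoined), classifies the device, and saves the result so it can be compared with the post-migration state.

```powershell
# Added example (not part of the Quest guide): classify the local device's join state
# from "dsregcmd /status" before starting the Azure AD Join migration.
# Assumes Windows 10 1709+ / Windows 11, where dsregcmd prints lines such as
# "AzureAdJoined : YES" and "DomainJoined : YES".

function Get-DeviceJoinState {
    [CmdletBinding()]
    param(
        # Allows feeding captured output for offline review; defaults to the live command.
        [string[]]$StatusLines = (& dsregcmd.exe /status)
    )

    # Turn every "Key : Value" line into a hashtable entry.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $azureAd = $fields['AzureAdJoined'] -eq 'YES'
    $domain  = $fields['DomainJoined']  -eq 'YES'

    # Hybrid Azure AD Joined = on-premises domain joined AND registered in Azure AD.
    $state = if ($azureAd -and $domain) { 'Hybrid Azure AD Joined' }
             elseif ($azureAd)          { 'Azure AD Joined' }
             elseif ($domain)           { 'Domain Joined only (not registered in Azure AD)' }
             else                       { 'Not joined' }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        JoinState      = $state
        ReadyToMigrate = ($azureAd -and $domain)   # the guide expects Hybrid Azure AD Joined
        DeviceId       = $fields['DeviceId']
        TenantName     = $fields['TenantName']
        Collected      = Get-Date
    }
}

# Record the pre-migration state for comparison after the Azure AD Join.
$before = Get-DeviceJoinState
$before | Format-List
$before | Export-Clixml -Path "$env:TEMP\device-join-state-before.xml"
```

Run the same function after migration and compare the two Export-Clixml files; a successful migration should show JoinState changing to Azure AD Joined with the target tenant name.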
A unique User Profile with customized desktop
Configure Outlook Profile, OneDrive and Teams client using the source Office 365 account.
Set up local folders and shared folders with custom permission ACLs using the objects from the section above.
After preparing the environment and the device, make a note of the current setup; we will review the data after the device is migrated.
© 2023 Quest Software Inc. ALL RIGHTS RESERVED.