On Demand Migration Current - Azure AD Device Join Quick Start Guide

Setting up the Directory Sync Local Environment Setting up the Directory Sync Cloud Environment Configure Directory Sync Template Configure Directory Sync Workflow Running Directory Sync Workflow and validating the sync results

On Demand Migration Active Directory Project

Install the local agent on the workstation Setup the Azure Bulk Enrollment Repository and Azure AD Join Migration Profile

Perform Device Migration Validate Device Post Azure AD Join

Frequently Asked Questions

Can I use configure Wi-Fi access point for my devices to use post Azure AD Join? I cannot connect to my devices via Remote Desktop Service post Azure AD Join. What is the Azure AD NetBIOS name for my Azure AD Users? Can I provision a local administrator for my devices during Azure AD Join process? Can I provision additional applications and adding a certificate for my devices during Azure AD Join process? My device is Azure AD Joined, it is prompting me to setup MFA and Windows Hello, is this normal? After my user devices are Azure AD Joined to the target tenant, how can users switch their Microsoft Apps such as OneDrive, Teams, and Outlook to start using target tenant account? Is there a way that I can use On Demand Migration Active Directory to migrate my devices if they are Azure AD Join only in the source?

About Us

Introduction

On Demand Migration Active Directory now adds Azure AD Join device migration support from on premise and Hybrid Domain Joined workstations running with Windows 10 or Windows 11 while preserving the User Profiles and File/Folder Security Permissions.

This step-by-step guide walks through how to configure On Demand Migration Directory Sync and Active Directory Project to perform device migration to Azure AD.

Topics

This guide covers the following topics:

Azure AD Device Join Requirements
Environment preparation
Prepare the Provisioning Package
Configure and Synchronize your objects between source On-Premises Active Directory and target Azure AD Tenant
Configure Device Migration Project
Perform Device Azure AD Join migration
Validate the device post Azure AD Join
Frequently Asked Questions

Requirements

General

Client is licensed for On Demand Migration Active Directory and Directory Sync
One Global Administrator Account for each Microsoft 365 tenant
One Domain Administrator Account for each On-Premises Active Directory attached to the tenant
One dedicated server to install the Directory Sync agent
Permissions to download and install Directory Sync agent

Hardware

The local agent must meet the following minimum hardware requirements:

At least one (1) Windows Server 2012 R2, 2016 or 2019
Additional Windows servers may be deployed; limit of 5.
CPU: 4 Cores
Memory: 4GB Free
Disk: 40GB Free Disk Space excluding Operating System

Important Tip: Do not install local agents on AD domain controllers in a production environment.

Software

The local agent must meet the following minimum software requirements:

Windows Server 2012 R2, 2016 or 2019
.NET 4.7.2. NOTE: .NET will automatically be installed if needed.
TLS 1.2 or higher

Domain and Forest Functional Levels

2012 R2 or 2016

Network

Directory Sync web interface uses TCP port 443 (HTTPS).
Agent web connections use port 443 to Directory Sync host application.
DCs use TCP ports 139, 389 (UDP), 445, and 3268.
SID History functionality uses TCP ports 135, 137-139, 389 (UDP), 445, 1027, 3268, and 49152-65535. (Optional)

Accounts

Local Active Directory Account (Optional, required for Hybrid Tenant)

Agent installer will prompt for a domain account with permission to read and write on-premises Active Directory.
An agent intended to sync all domains in a forest must have rights to all domains and objects used in workflows.

Azure AD Application Account

An account with Global Administrator Role is required to grant permissions and establish connection when adding a Cloud Environment.

Azure AD PowerShell Accounts

Three (3) PowerShell accounts are automatically created to read and update objects in the cloud. To do this, an OAuth token is used from the account used to add the Cloud Environment.
These PowerShell accounts do not require any Microsoft 365 licenses.

Environment Preparation

This section will review the environment setup that will be used to perform Azure AD Device Join. To facilitate the migration, please confirm you have the following:

A Hybrid Azure AD tenant including a local on-premises Active Directory with AADC configured.
An Azure AD Only tenant.
A file share that is accessible by the workstation, the file share will be used to store the provisioning package which is needed to perform the Azure AD Join. Later in this guide, we will review how to create the provisioning package using Windows Configuration Designer (WCD).
A Windows Workstation running Windows 10 (Build 1709 or later), or Windows 11 and it has already been Hybrid Azure AD Joined. Please ensure the device is shown as Hybrid Azure AD Joined in Azure Active Directory Portal and Azure AD Joined on the local device. See below sample screen shots.

Device Azure AD Join status

Azure AD Portal Device View

Lightbulb Important Tip: For additional detail on how to configure an Hybrid Azure AD Join device, please refer to this Microsoft Article at Configure hybrid Azure Active Directory join - Microsoft Entra | Microsoft Docs

For the purpose of this guide, the following sample objects were created ahead of time and placed in an Organizational Unit in the local On-Premises Active Directory, these objects will need to be synchronized to target Azure AD tenant later in this guide. See the below sample screen shot
Logs into the test device using the source local on-premises AD account and configure the following:
- A unique User Profile with customized desktop
- Configure Outlook Profile, OneDrive and Teams client using the source Office 365 account.
- Setup Local Folders, Share Folders with custom permission ACL using the objects from the above section.