
On Demand Migration Current - Entra ID for Devices User Guide

Introduction

On Demand Migration Entra ID for Devices helps you transition from hybrid AD to the cloud by migrating Windows 10 and Windows 11 devices to Entra ID without reimaging and rebuilding profiles. This SaaS solution automatically creates workflows for your project using a simple step-by-step setup wizard, with no servers or complex configuration required.

This is one of three SaaS solutions Quest offers for device migration. Please reference the user guide for the solution you have purchased:

Planning the Migration Project

A typical migration project using Entra ID for Devices can be broken up into four (4) phases.

  • Phase 1: Create a Workflow with the Workflow Wizard
  • Phase 2: ReACL Devices
  • Phase 3: Cutover Devices
  • Phase 4: Cleanup

    Note: The Cleanup process typically occurs several months after the completion of the project.

This user guide walks you through the steps required to complete each phase, which can also be used to migrate devices from AD environments to Entra environments. The Microsoft Entra ID Device Join Quick Start Guide walks you through the process of configuring and performing AD to Entra migrations.

Best practices for each phase of the migration project are presented below:

Phase 1: Create a Workflow with the Workflow Wizard

  • The wizard begins with selecting the environment type for both source and target environments. Only Local is available for the Source Environment Type and only Cloud is available for Target Environment Type.

  • Workflow options are configured and CSV files containing the Users, Groups and Devices to import and the Users and Groups to match in the Target are uploaded.

  • Microsoft Entra ID Join Profiles and Repositories are configured.

Phase 2: ReACL Devices  

  • Run a ReACL (file level re-permissioning) job on as many Devices as possible early in the process.

  • ReACL is a non-destructive process that can be repeated as often as necessary up until Cutover in Phase 5.

  • Troubleshoot any Devices with ReACL jobs which did not complete successfully.

  • Run a ReACL job again close to the actual Cutover date. This will allow you to complete most of the ReACL process early and provide time to resolve any issues with things such as anti-virus software and Group Policies.

Phase 3: Cutover Devices  

  • Using some test Devices, Users, and Groups, verify a successful Device Cutover.

  • Typically, a final ReACL job should be run the weekend before the scheduled Cutover to ensure any new Users and other changes are processed.

  • A workstation reboot is required after the target account is enabled, the source account is disabled, and the Cutover is complete. This is usually completed in the evening when fewer end-users are impacted. Any impacted end-users should be alerted that this reboot is necessary.

  • Optionally, use the Autopilot Cleanup option to prepare the Autopilot-provisioned device for migration. This must be done before the cutover if the source Entra ID Joined device is Autopilot-provisioned and the Entra ID Join Profile has the Autopilot/Intune Cleanup option selected.

Phase 4: Cleanup  

  • The Cleanup phase typically takes place about two months after all Device Cutovers are complete. During the Cleanup phase, all permissions should be removed from the source domain and then the Active Directory agent should be removed from the Devices.

  • Optionally, use the Set Intune Primary User action after the Device Cutover is completed.

Requirements

Networking  

Outbound Internet Access  

By default, each computer being migrated will require outbound access to the public Internet to securely communicate with the On Demand Migration services.

Important Tip: If your organization requires computers to communicate externally through a web proxy, see our web proxy configuration requirements.

Application Ports  

Each computer being migrated requires the Active Directory device agent. The agent communicates outbound with the On Demand Migration services over the following ports:

  • 80
  • 443
  • 3030

Domain Controller Ports  

Active Directory migrations also require a variety of Microsoft-defined ports for communication between domain controllers.

Important Tip: For complete port information, review the Service overview and network port requirements for Windows documentation from Microsoft Support.

 

Accounts  

Microsoft Entra ID Application Account

  • When creating a new Cloud Environment, an account with the Global Administrator Role is required to grant permissions and establish a connection.

 

Devices  

The following is required for any Active Directory Computer(s) (devices) that will be migrated.

Device Agents  

Each Active Directory Computer that will be migrated must have an agent installed on the workstation to orchestrate local jobs that must occur to prepare and execute the workstation’s domain move.

Operating Systems  

All computers or servers being migrated to the new domain must run one of the following operating systems:

  • Windows 10
  • Windows 11

Please Note: Entra ID Device Join is only supported for Windows 10 and 11.

PowerShell  

  • All client operating systems must have at least PowerShell 2.0 installed.

.NET Framework  

  • All Devices must have .NET Framework 4.7.2 or newer installed. This will appear as ".NET 4.7.2 Extended" in the add/remove programs list.
  • If not present, an appropriate version of .NET Framework will be installed during agent installation if an internet connection is available.
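
A pre-flight check for the device requirements listed above, as an added example (not part of the Quest tooling or this guide). The service host name is a placeholder because the guide does not list endpoint names, and the script assumes the Windows PowerShell version that ships with Windows 10 and 11.

```powershell
# Added example: readiness check for one device before agent installation.
param(
    [string]$ServiceHost = 'odm-endpoint.example.invalid',  # PLACEHOLDER, replace with your endpoint
    [int[]]$TcpPorts     = @(80, 443),                      # outbound TCP ports named in the guide
    [int]$TimeoutMs      = 3000
)

function Test-OutboundTcp {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }  # timed out
        $client.EndConnect($async)   # throws on refused connection or DNS failure
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

$results = @()

# Operating system: Windows 10 and 11 both report version 10.0; ProductType 1 = workstation.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$results += [pscustomobject]@{ Check = 'OS is Windows 10/11'; Detail = $os.Caption
    Pass = ($os.ProductType -eq 1 -and $os.Version -like '10.0.*') }

# PowerShell 2.0 or later.
$results += [pscustomobject]@{ Check = 'PowerShell >= 2.0'; Detail = "$($PSVersionTable.PSVersion)"
    Pass = ($PSVersionTable.PSVersion.Major -ge 2) }

# .NET Framework 4.7.2 or newer: the Release value is 461808 or higher.
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
$results += [pscustomobject]@{ Check = '.NET Framework >= 4.7.2'; Detail = "Release=$($ndp.Release)"
    Pass = ($ndp.Release -ge 461808) }

# Outbound TCP reachability. Port 3030 is described on this page as UDP; it is not probed
# here because a UDP send gives no confirmation of delivery. Verify it in the egress rules.
foreach ($port in $TcpPorts) {
    $results += [pscustomobject]@{ Check = "Outbound TCP $port"; Detail = $ServiceHost
        Pass = (Test-OutboundTcp -HostName $ServiceHost -Port $port -TimeoutMs $TimeoutMs) }
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { exit 1 }   # non-zero exit for deployment tooling
```

Scoping the egress rule to the three listed ports and the service endpoints only, rather than opening general outbound access, keeps the firewall change limited to what the agent needs.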

 

Web Proxy  

Some organizations may require all computers communicating externally to direct their traffic through a web proxy to centralize communications. Active Directory agents can be configured to use a web proxy for communication to the On Demand Migration cloud services.

Proxy Server  

  • At least one (1) standard web proxy that supports HTTP/TCP traffic.

Proxy Address  

  • The associated web proxy URL must be defined during configuration of the device agent.

Security  

  • If accessing the web proxy requires an additional username and password, these will be required during configuration of the device agent.

Ports  

All agents configured to use a web proxy will utilize the following outbound TCP ports:

  • 80
  • 443

Please Note: Agents configured to use a web proxy will not require UDP port 3030. For more information, see the Web Proxy Configuration under Architecture.

Important Tip: Additional bandwidth overhead may occur when a web proxy is utilized to centralize all traffic.

Setup
