Migrating to Azure Active Directory

At WME we are frequently asked what the best modern approach is to managing identities, users, and devices in the most efficient, cost-effective, and secure way. Microsoft offers the following platform options for integrating with Azure Active Directory (AAD):

  • Hybrid – Integration of AAD with on-premises AD through Azure AD Connect (most common)
  • Cloud only – All devices, users, and applications are cloud based (recommended)
  • AAD Domain Services (AAD DS) – Extends AAD with domain controllers as a service
  • AD hosted in Azure – Hybrid mode in which the AD domain controllers run on Azure VMs

There are benefits and challenges to each of the approaches above. You can review Microsoft's documentation, Compare Active Directory-based services in Azure, for a more detailed comparison. Hybrid is the most common approach; it allows you to continue to use your legacy on-premises applications and infrastructure while starting to leverage modern services such as Exchange Online, Mobile Device Management (MDM), or Single Sign-On (SSO) for web-based applications.

If you have no legacy infrastructure or applications preventing you from moving to a cloud-only infrastructure, that is the approach we recommend, because it yields the most security benefits and cost savings. Third-party cloud directory services are another option, for a price. If you need assistance in assessing your environment to determine whether you are ready to modernize your infrastructure, contact us at info@winwmgmtexperts.com.

It has become increasingly appealing for clients who use Microsoft 365 for mail services to move their identity, directory, and device management services to the cloud with Azure AD and cut ties with their on-premises Active Directory (AD) infrastructure. This is especially true for organizations without the resources to secure critical infrastructure such as domain controllers in the way Microsoft recommends.

In some regions there is another risk: seizure of physical assets by local authorities. One non-profit we recently worked with, which defends human rights organizations, was concerned that its government could easily seize on-premises hardware, whereas data held by Microsoft can only be obtained by meeting Microsoft's requirements for a data seizure request.

AD Versus AAD

Microsoft considers the two platforms to complement one another. They are similar in name only; AAD is not a cloud version of AD. Its focus is primarily the management of Office 365 and Azure, and Single Sign-On (SSO) for web-based applications. AD supports NTLM/Kerberos, LDAP, Group Policy, and Certificate Services, which AAD does not. AAD does provide an alternative to federation through Active Directory Federation Services (AD FS) for applications that support SAML and OAuth.

How Do I Migrate?

This raises the question: how do I migrate from AD to AAD? It is a challenge because there is no migration path from on-premises AD to AAD. In speaking with our Microsoft Partner team, they confirmed that the recommended practice is to enroll users in OneDrive for Business and leverage Enterprise State Roaming to cache user data in the cloud, then perform a fresh install of Windows 10 with a clean AAD join using new identities. They also recommended using Windows Autopilot to customize the onboarding experience.

In working with our clients, we have found that many are not ready to license and migrate to OneDrive for Business and Enterprise State Roaming. In addition, that approach does not migrate legacy application settings. They wanted a seamless process with the least impact on the daily use of their devices. To accomplish this, we leveraged tried-and-true migration technology that we have used with countless organizations performing Windows migrations. It required some creative thinking to adapt it to an Azure AD migration.

We have developed a semi-automated process that orchestrates migrating from AD to AAD in the following steps:

  1. Configure Hybrid mode and synchronize accounts
  2. Migrate the device to AAD (custom scripting):
    • Capture Windows profile user data and application state with the User State Migration Tool (USMT)
    • Disjoin the domain and join a workgroup
    • Azure AD join (Microsoft does not plan to offer a way to script this outside Autopilot and OOBE bulk join)
    • Restore the AD profile into the AAD profile with USMT user mapping
    • Update the last logged-on user
  3. Remove Azure AD Connect and decommission Active Directory
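The device-side part of step 2 above, written out as an added PowerShell example. This is not WME's own script; it is a skeleton showing how the capture, disjoin, join check, restore and logon-tile steps fit together. It assumes the Windows ADK USMT binaries at the default path, a store under C:\MigStore, the on-premises domain CONTOSO, the user jdoe with Azure AD UPN jdoe@contoso.com, and that loadstate's /mu mapping to AzureAD\<UPN> is accepted on the joined device (if it is not, have the user sign in once so the profile exists and re-run). Step 1 (Hybrid sync) and step 3 (decommissioning) are not covered. Run it elevated from a local administrator account, never from the account being migrated; the Azure AD join between the two phases is done by hand in Settings > Accounts > Access work or school, because, as noted above, it cannot be scripted outside Autopilot and bulk join.

```powershell
<#
  Added example, not WME's script: the device-side steps of an AD -> Azure AD
  migration in two phases. Paths, domain, user and UPN are assumptions.
  Phase Capture runs while still domain-joined and ends in a reboot;
  the Azure AD join is then done interactively; Phase Restore runs afterwards.
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)][ValidateSet('Capture', 'Restore')][string]$Phase,
    [string]$UsmtPath  = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool\amd64',
    [string]$Store     = 'C:\MigStore',         # assumed local migration store
    [string]$OldDomain = 'CONTOSO',             # assumed on-prem NetBIOS domain
    [string]$OldUser   = 'jdoe',                # assumed sAMAccountName
    [string]$NewUpn    = 'jdoe@contoso.com',    # assumed Azure AD UPN
    [string]$Workgroup = 'WORKGROUP'
)

$ErrorActionPreference = 'Stop'
$scanstate = Join-Path $UsmtPath 'scanstate.exe'
$loadstate = Join-Path $UsmtPath 'loadstate.exe'
foreach ($exe in $scanstate, $loadstate) {
    if (-not (Test-Path $exe)) { throw "USMT not found at $exe (install the Windows ADK)" }
}

function Invoke-Usmt([string]$Exe, [string[]]$Arguments, [string]$Log) {
    # USMT exits 0 on success; anything else is surfaced together with the log path.
    $p = Start-Process -FilePath $Exe -ArgumentList $Arguments -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "$Exe failed with exit code $($p.ExitCode); see $Log" }
}

switch ($Phase) {
    'Capture' {
        # Capture only the migrating user's profile and application state.
        # /ue:*\* excludes every account, /ui re-includes the one we want,
        # /o overwrites an existing store, /c continues past non-fatal errors.
        New-Item -ItemType Directory -Path $Store -Force | Out-Null
        Invoke-Usmt $scanstate @(
            "`"$Store`"", '/i:MigUser.xml', '/i:MigApp.xml',
            '/ue:*\*', "/ui:$OldDomain\$OldUser",
            '/o', '/c', '/v:13', "/l:`"$Store\scan.log`""
        ) "$Store\scan.log"

        # Leave the domain and join a workgroup; the device reboots and the
        # Azure AD join is performed by hand before the Restore phase.
        $cred = Get-Credential -Message "Account allowed to disjoin $OldDomain"
        Remove-Computer -UnjoinDomainCredential $cred -WorkgroupName $Workgroup -Force -Restart
    }

    'Restore' {
        # Refuse to restore unless dsregcmd confirms the device is Azure AD joined.
        $status = dsregcmd /status
        if (-not ($status -match 'AzureAdJoined\s*:\s*YES')) {
            throw 'Device is not Azure AD joined; complete the join before restoring.'
        }

        # Restore the captured profile into the Azure AD account. USMT names
        # Azure AD users AzureAD\<UPN>; /mu maps the old account to the new one.
        # Assumption: the mapping is accepted on the joined device; check load.log if not.
        Invoke-Usmt $loadstate @(
            "`"$Store`"", '/i:MigUser.xml', '/i:MigApp.xml',
            "/mu:$OldDomain\${OldUser}:AzureAD\$NewUpn",
            '/c', '/v:13', "/l:`"$Store\load.log`""
        ) "$Store\load.log"

        # Point the logon screen at the new identity so the user's first sign-in
        # after migration is the Azure AD account. Assumption: these LogonUI
        # values are the ones Windows reads for the last-logged-on tile.
        $logonUi = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
        Set-ItemProperty -Path $logonUi -Name LastLoggedOnUser    -Value "AzureAD\$NewUpn"
        Set-ItemProperty -Path $logonUi -Name LastLoggedOnSAMUser -Value "AzureAD\$NewUpn"
        Write-Host "Restore complete; reboot and sign in as $NewUpn."
    }
}
```

Two points worth checking before using something like this at scale: the dsregcmd gate is what keeps a failed or skipped Azure AD join from silently restoring the profile into a workgroup machine, and the migration store holds the user's full profile, so keep it on the device (or on an access-controlled share) and delete it once load.log shows a clean restore.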

If you would like our assistance in implementing this migration process contact us at info@winwmgmtexperts.com.

A Look at a Migration

Check out screenshots of a step-by-step semi-automated migration of a Windows 10 device from AD to AAD developed by WME:

