Migration from Hybrid to AAD

Question

Migration from Hybrid to AAD

DerekR 26

I am trying to do my research on migrating off of our hybrid environment to AAD. All of our workstations are Hybrid joined. Will I need to remove them from the on-prem AD and add them back to AAD? Any links to documentation would be appreciated.

Thanks,

Derek

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Siva-kumar-selvaraj 15,721 Volunteer Moderator

Thanks for reaching out.

When you say Hybrid, I assume you mean Hybrid Azure AD Join. If you are not sure about current state of devices then I would recommend you to use dsregcmd /status utility and figure out current state of device ( example : DJ, HAADJ, or WPJ ) before remove devices from the on-prem AD.

This utility must be run as a domain user account which lists the device join state parameters.

Sample device state output:

Domain Joined (DJ):

Hybrid Azure AD Joined (HAADJ):

Workplace Joined (WPJ):

Refer below steps to perform cleanup depends on current device state of windows 10 devices, once that has completed then you can perform Azure AD Join.

Domain Joined (DJ):
This would be straight forward, whereas unjoin devices from the on-prem AD and then disable or delete Windows 10 devices in your on-premises AD.

Hybrid Azure AD join
For hybrid Azure AD joined devices, make sure to turn off automatic registration in AD using the Controlled validation article. Then the scheduled task won't register the device again. Next, open a command prompt as an administrator and enter dsregcmd.exe /debug /leave . Or run this command as a script across several devices to unjoin in bulk.

and remove devices from the on-prem AD and then Disable or delete Windows 10 devices in your on-premises AD, and let Azure AD Connect synchronize the changed device status to Azure AD. Reference: https://free.blessedness.top/en-us/azure/active-directory/devices/faq#hybrid-azure-ad-join-faq

Workplace Joined (WPJ)/Azure AD Registered
Remove Workplace Joined as per this link and remove devices from the on-prem AD and then Disable or delete Windows 10 devices in your on-premises AD, and let Azure AD Connect synchronize the changed device status to Azure AD.

I would strongly recommend to refer this article, Cleanup Azure AD Devices.

------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

DerekR 26 Reputation points

2021-08-10T12:33:04.743+00:00

hi @sikumars-msft

Thank you for the reply. the machines are Workplace Joined. So i would need to run that script in the article? Will the user's lose their profile?
Siva-kumar-selvaraj 15,721 Reputation points Volunteer Moderator

2021-08-10T17:01:31.52+00:00

Yes, you can either run WPJCleanUp.cmd or manually remove Workplace Joined from "Access Work or School" setting on the device. Once disconnected and removed from domain join then user would still have access to local profile but not domain profile.

------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well .
DerekR 26 Reputation points

2021-08-11T13:51:04.75+00:00

@sikumars-msft what about changing users to cloud only?
Siva-kumar-selvaraj 15,721 Reputation points Volunteer Moderator

2021-08-18T12:56:06.917+00:00

Yes, you can have cloud only users to join and Sign-in devices with Azure AD .
DerekR 26 Reputation points

2021-08-18T13:04:08.473+00:00

So do i just need to disable ad-sync so the user's start authenticating to cloud only?
Siva-kumar-selvaraj 15,721 Reputation points Volunteer Moderator

2021-08-18T17:24:43.77+00:00

You are right. Here is reference for "Turn off directory synchronization". Please be aware that disable ad-sync is tenant wide changes whereas all synchronized users will be converted to cloud-only.
DerekR 26 Reputation points

2021-08-18T19:36:40.847+00:00

is it possible to just test for some users?
Siva-kumar-selvaraj 15,721 Reputation points Volunteer Moderator

2021-08-19T22:20:44.3+00:00

Not possible, but in this case you can directly create those users identity in cloud directly rather than disabling Ad-sync for your organization.
Russell Johnson 6 Reputation points

2022-11-22T22:57:16.98+00:00

Would moving the hybrid joined device to an un-synched OU be enough like controlled validation to allow us to remove it from AD and AAD so it can be re-joined to AAD only?
Dago Garcia 0 Reputation points

2023-03-07T20:55:43.7266667+00:00
Hi Siva,

Currently we have a Hybrid Azure AD Join deployment and after doing the steps you provided and also after following the steps in the Microsoft articles the devices are getting deleted from Azure AD. I did the following:

Cleared the SCP values with the help of the ADSI Edit tool.

From the Hybrid Azure AD Join device, I ran with Admin rights from CMD : dsregcmd /debug /leave

I deleted the Computer from the Local AD (From the Synced OU in Azure AD Connect)

Forced a Sync from Azure AD Connect

The result after doing all of this is that the device gets deleted from Azure AD, what am I missing here?

Any help or guidance will be highly appreciated.

Dago
Jerry Jurkiewicz 6 Reputation points

2023-05-19T21:44:26.0533333+00:00

Hi Russel,

I've read that moving device out of a syncing OU will is not the proper way of removing HAADJ state. This will not work.
Jacob Lehnert 0 Reputation points

2023-06-10T17:11:55.3133333+00:00

@Dago Garcia Were you able to resolve the issue you mentioned with the devices being deleted from Azure AD after following the steps to migrate from Hybrid Joined to AAD Joined? I ask as I am prepping to do the same where the devices are currently Hybrid Joined/Intune enrolled and will be moving to AAD Join only.
Arren Bul-an 25 Reputation points

2025-10-20T07:39:33.2233333+00:00

the current state is AzureADJoined 'YES' and DomainJoined 'YES'

Now, I'd like to moving all devices to Entra Only. We have two entries per device in Azure 'Hybrid and Entra Joined'

Is there are other ways to migrate the PC from hybrid AD join to Azure AD join without having to reset/remove from on prem AD and rejoin again I would be very grateful if someone has some insights.

Share via

Migration from Hybrid to AAD

0 additional answers

Your answer