On-Premise Hybrid to On-Premise Hybrid scenario: how to handle Azure AD Join/register cutover?

Hi All

I looked around the documentation and the forum, but I've not really found a clear answer to my question.

I have to manage a carve-out for a company... Company SOURCE splits into two parts, so Company TARGET will have to migrate some selected objects from the SOURCE company.

The source is a hybrid AD-365 environment, and the target is also a brand new hybrid AD-365. Each environment has its own Azure AD Connect server, syncing its objects to its tenant.

We decided to use On Demand Migration with AD Migration licenses and other add-ons for this project.

I have a working On Demand dirsync between both ADs; I have a workflow that syncs the selected objects, with SIDHistory, to the TARGET AD domain, and those objects are successfully synced to TARGET 365.

On Demand is currently "migrating" 365 data (mail, SharePoint, Teams, OneDrive), and so far so good.

The plan is to:

- migrate computers/users to the new AD, and instruct users to use their target AD account to log in

- then migrate/switch over their 365 accounts to the new tenant and, in parallel, migrate the AD-integrated apps (or other apps) from source to target. Using SIDHistory until everything is migrated will keep them good access to non-migrated applications.

I'm currently trying to pilot the "AD Computers (and users)" migration. Computers are Hybrid Azure AD joined and registered in the SOURCE. Intune is in use in the source.

The customer plans to use Intune in the target as well.

I'm able to "cut over" AD computers to my TARGET AD and instruct users to log on with their TARGET account, successfully. Once there, I'm asked to "register again" with 365, in order to be able to use my 365 account, which is still in the SOURCE tenant at this time. So users register again with their source account, and the computer is still hybrid-joined and registered to the SOURCE 365 tenant while in the TARGET AD domain (knowing that the AD computer account is replicated from the target AD to the target 365 AD).

So now, THE PROBLEM I am facing:

I haven't figured out yet how to CUT OVER the AD COMPUTER, HYBRID AZURE AD JOIN the computer to the target AZURE AD, and instruct the users to continue using their SOURCE 365 account to access their data.

I tried to use the On Demand AD migration agent's "Azure AD join cutover" part, but the tests I made always ended up with the computer ONLY AZURE AD JOINED (no longer joined to the on-premise AD...).

Not sure what i should do here.

Is that something I can do with Quest? (With an Azure AD join task?)

Is that an instruction I have to give to the users once the "local AD cutover" is done, when they first sign in?

Maybe in that context the global plan would be easier if we first migrate the 365 users to the target, and only after that the computers and the local applications?

I didn't find any white paper describing this context. The doc just says hybrid to hybrid is possible :)

So if anyone has done that kind of migration and can take a few minutes to describe the steps globally, that would be great!!

Thanks a lot

  • I would very much like more info here too; the doco is vague here. AD to AD, no problems, but how to get them working hybrid to hybrid and not end up in the wrong state is confusing.

  • Hi Sacker and Heath. First, check the current Migration Profile settings you have configured for the device cutover. Select Profiles from the menu in the upper left corner of the ODMAD interface, click Edit on the profile you are using, click Next to view the Azure AD Device Options, and ensure you have selected "Perform Hybrid Azure AD Leave & Join".

    When this option is enabled, ODMAD will run a dsregcmd /leave command at the same time the device is unjoined from the source domain (which removes its Hybrid entry from the source Azure environment), and ODMAD will run a dsregcmd /join command after the device is joined to the target domain (which forces the Hybrid join in the target in case the automated Hybrid join via your Azure AD Connect is not configured). Note that this just impacts the Hybrid-joined status in Azure and does not modify Intune enrollment, so you may want to create a task in your migration runbook to also remove the device from the source Intune during device cutover.

    Your users should still be able to use their source M365 accounts for their desktop applications even though their devices are now Hybrid joined to the target; this is a common configuration during phased migrations. When users open their desktop apps and authenticate with their source accounts, they may be prompted to allow the organization to manage the device, and we suggest having them uncheck that box and click "No, sign in to this app only".
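A way to verify, on the device itself, which of the states discussed in this thread a cutover actually landed in. This is an added example, not code from the thread, from Quest or from ODMAD: it parses the output of `dsregcmd /status`, classifies the device (Hybrid joined to the target tenant, still Hybrid joined to another tenant, domain-joined only, or the "only Azure AD joined" state the original post ran into), and only then triggers `dsregcmd /join` and polls until the join is reflected. `$TargetTenantId` and `$TargetDomainName` are assumed placeholders, and the two status dumps are constructed samples for running it offline.

```powershell
# Added example (not from the thread or from Quest's ODMAD agent).
# Classifies a device's join state from `dsregcmd /status` so a cutover runbook can
# prove it ended Hybrid-joined to the TARGET tenant, not Azure-AD-only joined.
# $TargetTenantId / $TargetDomainName are assumed placeholders; replace them.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    # dsregcmd prints "   Key : Value" rows under boxed section headers; header,
    # separator and blank lines have no "Key :" prefix and are simply skipped.
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z][A-Za-z0-9]*)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-JoinClassification {
    param([hashtable]$State, [string]$TargetTenantId, [string]$TargetDomainName)
    $aad    = $State['AzureAdJoined'] -eq 'YES'
    $domain = $State['DomainJoined']  -eq 'YES'

    if ($aad -and -not $domain)      { return 'AzureAdOnlyJoined' }  # the failure state from the post
    if ($domain -and -not $aad)      { return 'DomainOnly' }         # on-prem joined, Hybrid join not (yet) done
    if (-not $aad -and -not $domain) { return 'NotJoined' }

    # Both YES means Hybrid joined; now check it is the TARGET tenant and domain.
    $tenantOk = $State['TenantId'] -ieq $TargetTenantId
    $domainOk = [string]::IsNullOrEmpty($TargetDomainName) -or ($State['DomainName'] -ieq $TargetDomainName)
    if ($tenantOk -and $domainOk) { return 'HybridJoinedToTarget' }
    if ($tenantOk)                { return 'HybridJoinedToTargetTenantWrongDomain' }
    return 'HybridJoinedToOtherTenant'                                # e.g. still registered in SOURCE
}

function Get-LiveJoinClassification {
    param([string]$TargetTenantId, [string]$TargetDomainName)
    $state = ConvertFrom-DsregStatus -Lines (& dsregcmd.exe /status)
    return Get-JoinClassification -State $state -TargetTenantId $TargetTenantId -TargetDomainName $TargetDomainName
}

function Invoke-TargetHybridJoin {
    # Sequence the reply describes: /leave already ran with the source unjoin and the
    # device is now joined to the target domain; trigger the Hybrid join and confirm
    # where it landed. dsregcmd /join (like /leave) is meant to run in the SYSTEM
    # context, so run this script elevated as SYSTEM (e.g. via an agent or PsExec -s).
    param([string]$TargetTenantId, [string]$TargetDomainName, [int]$TimeoutSeconds = 300)

    $state  = ConvertFrom-DsregStatus -Lines (& dsregcmd.exe /status)
    $before = Get-JoinClassification -State $state -TargetTenantId $TargetTenantId -TargetDomainName $TargetDomainName
    if ($before -ne 'DomainOnly' -or $state['DomainName'] -ine $TargetDomainName) {
        throw "Refusing dsregcmd /join: state is '$before' in domain '$($state['DomainName'])'; expected DomainOnly in '$TargetDomainName' (run /leave and the domain cutover first)."
    }

    & dsregcmd.exe /join | Out-Null
    # The registration is not always visible on the first /status read; poll it.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $result = Get-LiveJoinClassification -TargetTenantId $TargetTenantId -TargetDomainName $TargetDomainName
        if ($result -eq 'HybridJoinedToTarget') { return $result }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    return $result
}

# --- Offline demo on constructed (trimmed) dsregcmd output ---------------------
$TargetTenantId   = '22222222-2222-2222-2222-222222222222'   # assumed placeholder
$TargetDomainName = 'TARGET'                                 # assumed placeholder (NetBIOS name as dsregcmd shows it)

$SampleAzureAdOnly = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO

| Tenant Details
                TenantName : Source Company
                  TenantId : 11111111-1111-1111-1111-111111111111
'@ -split "`r?`n"

$SampleTargetHybrid = @'
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : TARGET
                TenantName : Target Company
                  TenantId : 22222222-2222-2222-2222-222222222222
'@ -split "`r?`n"

foreach ($sample in @($SampleAzureAdOnly, $SampleTargetHybrid)) {
    Get-JoinClassification -State (ConvertFrom-DsregStatus $sample) -TargetTenantId $TargetTenantId -TargetDomainName $TargetDomainName
}

# On a real device after cutover (elevated, SYSTEM context):
# Get-LiveJoinClassification -TargetTenantId $TargetTenantId -TargetDomainName $TargetDomainName
# Invoke-TargetHybridJoin     -TargetTenantId $TargetTenantId -TargetDomainName $TargetDomainName
```

The first constructed sample classifies as AzureAdOnlyJoined (the state the original poster kept ending up in), the second as HybridJoinedToTarget. Note, as the reply above says, that none of this touches Intune: a device that reads HybridJoinedToTarget can still be enrolled in the source Intune, so the removal from source Intune still needs its own runbook step.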