Hey everyone! I'm working on a project to help a small company transition from their current setup to using Intune and Entra ID. Right now, they're relying on a single cloud-based Windows Server with AAD sync. I'm planning to break that sync and convert the accounts to cloud-only. I'll also back up the AD database in case anything goes wrong, power off the server, and delete the related Azure resources. They've got new EUC devices and will be fully moving to cloud management and Microsoft solutions like encryption and AV. Aside from establishing baseline Intune policies and an Autopilot profile, are there any other considerations I should keep in mind?
5 Answers
Keep in mind any services that depend on the old on-prem AD—like print servers or internal apps needing integrated Windows authentication. Migrate those to cloud-based solutions or make sure they're addressed in your new setup.
Great question! Have you thought about how to handle your existing GPOs or policies? They don’t easily transfer to Intune, so setting them up from scratch may save you a lot of headaches. I recommend creating a solid baseline configuration and setting up Autopilot with test devices hooked to AAD. Also, be aware that migrating applications to Intune can be a bit tricky, especially if there are tons of them. What’s your update strategy? Will you manage versions manually or go with auto updates through Winget for most apps?
Make sure you consider any file shares and how those will be replaced—do you plan to migrate them to SharePoint? Also, think about authentication for devices and any app integrations still using AD groups. And don’t forget about how you’re managing WiFi authentication, since that could complicate things.
Quick question myself: how do you ensure users are solely in Entra after unsyncing from AD? Last time I turned off the sync, the accounts got disabled in M365. Is that supposed to happen?
I'd suggest holding off on deleting the server for at least 30 days after powering it down. Just play it safe. Also, double-check that the machines are completely Entra-joined, not hybrid, to avoid any issues later.
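An added example, not from anyone in the thread, of how to do the "completely Entra-joined, not hybrid" check that answer suggests. The first part runs locally on a device and parses `dsregcmd /status`; the second part runs from an admin workstation with the Microsoft.Graph PowerShell module and lists every device object in the tenant whose `trustType` is `ServerAd`, the value Entra uses for hybrid-joined machines (`AzureAd` is Entra-joined, `Workplace` is registered only). The function name `Get-DeviceJoinState` and the state labels are my own.

```powershell
# Added example (not the thread's code). Requires Windows 10/11 for part 1 and the
# Microsoft.Graph PowerShell module plus Device.Read.All for part 2.

# --- Part 1: on the device itself -------------------------------------------
function Get-DeviceJoinState {
    # dsregcmd prints lines such as "  AzureAdJoined : YES" and "  DomainJoined : NO".
    # Entra-joined  = AzureAdJoined YES, DomainJoined NO
    # Hybrid-joined = AzureAdJoined YES, DomainJoined YES
    $status = dsregcmd /status

    $read = {
        param($name)
        $line = $status | Select-String -Pattern "^\s*$name\s*:\s*(YES|NO)" | Select-Object -First 1
        if ($line) { $line.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
    }

    $azureAd = & $read 'AzureAdJoined'
    $domain  = & $read 'DomainJoined'

    $state = if     ($azureAd -eq 'YES' -and $domain -eq 'NO')  { 'EntraJoined' }
             elseif ($azureAd -eq 'YES' -and $domain -eq 'YES') { 'HybridJoined' }
             elseif ($azureAd -eq 'NO'  -and $domain -eq 'YES') { 'DomainOnly' }
             else                                                 { 'NotJoined' }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        AzureAdJoined = $azureAd
        DomainJoined  = $domain
        State         = $state   # anything other than EntraJoined needs attention before the server goes
    }
}

Get-DeviceJoinState

# --- Part 2: tenant-wide, from an admin workstation -------------------------
Connect-MgGraph -Scopes 'Device.Read.All'

# TrustType: 'AzureAd' = Entra joined, 'ServerAd' = hybrid joined, 'Workplace' = registered only.
$hybridDevices = Get-MgDevice -All -Property DisplayName,OperatingSystem,TrustType,ApproximateLastSignInDateTime |
    Where-Object { $_.TrustType -eq 'ServerAd' }

if ($hybridDevices) {
    Write-Warning "Hybrid-joined device objects still present: $($hybridDevices.Count)"
    $hybridDevices | Select-Object DisplayName, OperatingSystem, TrustType, ApproximateLastSignInDateTime | Format-Table -AutoSize
} else {
    'No hybrid-joined device objects found.'
}
```

Part 2 is the one to run before the server is powered off: once sync is broken, nothing will clean up stale hybrid device objects for you, and anything still `ServerAd` is a machine that was never re-imaged or Autopiloted.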

No, it shouldn't. Just stop the sync and disable it on the tenant side. If users got disabled, that’s not typical. You’d want them to stay enabled even if the sync goes down.
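As an added example (not from anyone in the thread), here is the "stop the sync, then disable it on the tenant side" sequence that reply describes, followed by the check that answers the earlier comment about accounts ending up disabled. It assumes the ADSync module on the Entra Connect server, the Microsoft.Graph PowerShell module on an admin workstation, and a Global Administrator account. Microsoft documents that converting synced users to cloud-only after this change can take up to 72 hours, so the last check may need to be rerun.

```powershell
# Added example (not the thread's code).
# Step 1 runs on the Entra Connect server; steps 2 and 3 run from an admin workstation.

# --- Step 1: stop the scheduler so no further export runs while the tenant is switched ---
Import-Module ADSync
Set-ADSyncScheduler -SyncCycleEnabled $false
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, SyncCycleInProgress   # expect False / False

# --- Step 2: disable directory synchronization on the tenant ---
Connect-MgGraph -Scopes 'Organization.ReadWrite.All', 'User.Read.All'
$orgId = (Get-MgOrganization).Id
Update-MgOrganization -OrganizationId $orgId -OnPremisesSyncEnabled $false

# Confirm the tenant no longer reports sync as enabled.
(Get-MgOrganization).OnPremisesSyncEnabled   # should no longer read True

# --- Step 3: verify users are cloud-only and still enabled ---
# OnPremisesSyncEnabled and AccountEnabled are not returned by default, hence -Property.
$users = Get-MgUser -All -Property DisplayName,UserPrincipalName,OnPremisesSyncEnabled,AccountEnabled

$stillSynced = $users | Where-Object { $_.OnPremisesSyncEnabled -eq $true }
$disabled    = $users | Where-Object { -not $_.AccountEnabled }

"Total users:            $($users.Count)"
"Still marked as synced: $($stillSynced.Count)   (conversion can take up to 72 hours)"
"Disabled accounts:      $($disabled.Count)"

# Disabled accounts are the ones to look at: an account that was enabled before the
# cut-over and is disabled now did not get that way from turning off sync alone.
$disabled | Select-Object DisplayName, UserPrincipalName, OnPremisesSyncEnabled | Format-Table -AutoSize
```

Run step 3 before step 2 as well and keep the output; comparing the two lists is the quickest way to tell whether anything actually changed state during the cut-over or was already disabled on-prem (and therefore synced across as disabled) beforehand.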