Migrating Devices from On-Premises Active Directory to Microsoft Intune

26 Jun 2026

Moving from domain-joined devices managed by Group Policy to modern Intune management is one of the most impactful infrastructure projects you can do. Here is how to plan and execute it without disrupting your users.

Thousands of organisations are still managing Windows devices the traditional way: domain-joined to on-premises Active Directory, controlled by Group Policy Objects, requiring VPN for remote management. This model was designed for a world where everyone worked in the office. For most businesses today, it creates friction, security gaps, and unnecessary infrastructure overhead.

Microsoft Intune, combined with Microsoft Entra ID (formerly Azure Active Directory), gives you a cloud-native alternative. Devices are managed over the internet with no VPN required, policies are applied in real time, and Windows Autopilot enables zero-touch provisioning direct from the manufacturer. The question is not whether to migrate, but how.

Understanding your starting point

Before planning your migration, you need to know the current join state of your devices. There are three states you will commonly encounter:

On-premises AD joined only: traditional domain join, managed by Group Policy, no cloud management.
Hybrid Entra joined: joined to both on-premises AD and Entra ID simultaneously, a common transitional state.
Entra joined (cloud-only): the target state for modern management, no dependency on on-premises AD.
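One way to inventory join state, as an added example that is not part of the original post: the PowerShell below parses `dsregcmd /status` output and maps it to the three states listed above. The function name Get-DeviceJoinState and the sample output are constructed for illustration.

```powershell
function Get-DeviceJoinState {
    param(
        [Parameter(Mandatory)]
        [string[]]$DsregOutput   # lines of `dsregcmd /status` output
    )

    # dsregcmd prints "Name : Value" pairs; banner lines do not match and are skipped.
    $fields = @{}
    foreach ($line in $DsregOutput) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }

    $entraJoined  = $fields['AzureAdJoined'] -eq 'YES'
    $domainJoined = $fields['DomainJoined'] -eq 'YES'

    $state = if ($entraJoined -and $domainJoined) { 'Hybrid Entra joined' }
             elseif ($entraJoined)                { 'Entra joined (cloud-only)' }
             elseif ($domainJoined)               { 'On-premises AD joined only' }
             else                                 { 'Not joined to AD or Entra ID' }

    [pscustomobject]@{
        JoinState  = $state
        TenantName = $fields['TenantName']
        # An empty MdmUrl means the tenant returned no MDM enrolment endpoint for this device.
        MdmUrlSet  = -not [string]::IsNullOrWhiteSpace($fields['MdmUrl'])
    }
}

# Constructed sample of `dsregcmd /status` output (not captured from a real device).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : EXAMPLE
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : Example Ltd
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
'@ -split '\r?\n'

Get-DeviceJoinState -DsregOutput $sample
```

On a live device, pass the real output instead of the sample: `Get-DeviceJoinState -DsregOutput (dsregcmd /status)`.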

The two migration paths

Path one is hybrid join as a stepping stone. If you are running Microsoft Configuration Manager (SCCM), you can enable co-management, where devices are managed by both ConfigMgr and Intune simultaneously. This allows you to gradually shift workloads to Intune (compliance policies, resource access, Windows Update) while keeping Group Policy for settings Intune does not yet cover. This is the lower-risk path for organisations with complex ConfigMgr deployments.

Path two is direct migration to Entra join. For organisations that want a clean break from on-premises dependency, the preferred approach is to wipe and reprovision devices as Entra joined using Windows Autopilot. The device is reset, the user signs in with their Microsoft 365 credentials, and Autopilot takes care of everything: app installation, policy application, and company configuration. No IT engineer needs to touch the machine.

Prerequisites before you start

You will need Intune licences for all users (included in Microsoft 365 Business Premium, EMS E3, or E5). If using hybrid join, you need Entra Connect (formerly Azure AD Connect) synchronising your on-premises AD with Entra ID. MDM authority must be set to Intune in your tenant. You should also review your Group Policy Objects and map them to Intune configuration profiles before cutting over. Microsoft provides the Group Policy Analytics tool within Intune to do this automatically.

Handling user data and applications

The biggest concern during device migration is user data. For devices being wiped and reprovisioned, ensure OneDrive Known Folder Move is configured so Desktop, Documents, and Pictures sync to OneDrive before the migration. Application deployment should be configured in Intune before migration day, so apps are ready to install automatically when the device enrols. Use the Company Portal or required app assignments to push critical software silently.

What to do on migration day

For a wipe-and-reprovision approach:

1. Back up any local data not covered by OneDrive.
2. Remove the device from the source AD (or disable the computer object).
3. Perform a Windows Reset keeping nothing.
4. Allow Autopilot to run on first boot.
5. Verify policy compliance in the Intune admin centre once setup is complete.

For hybrid join migration, work with your IT team to shift co-management workloads to Intune incrementally over a pilot period before full cutover.

Cloud Centrify has guided dozens of organisations through this migration. We assess your current environment, map Group Policy to Intune policies, configure Autopilot profiles, and manage the rollout with minimal user disruption. If you are ready to move to modern management, contact us for a free endpoint assessment.
