PowerSyncPro Logo
Engineer plugging cables into a server while looking at a laptop.

Switch to Microsoft Entra Joined Devices

Posted 21/11/2024

The push to move to cloud-only devices

Organisations are increasingly moving to Entra Joined devices in the Microsoft 365 space, and for good reason. Microsoft has emphasised that the primary weakness in their security chain is the client’s on-premises infrastructure. Unlike the cloud, Microsoft has no control over the patching cadence and software versions in on-premises environments. This means organisations struggle to keep their local infrastructure patched to the highest standards quickly enough across their entire estate. In addition, many of the advanced security features available in the cloud are not available for on-premises systems. 

Benefits of cloud-only devices

Migrating Windows workstations to Entra Joined aligns with modern IT strategies, providing robust security, simplified management, improved user experience, and cost efficiency. This transition supports broader digital transformation initiatives by leveraging cloud-first strategies and positions your organisation for future technological advancements and shifts towards modern IT infrastructure.

By adopting Entra Joined devices, your organisation will always have access to the latest features and enhancements from Microsoft as they are released, ensuring that your systems are up to date with cutting-edge technology.

Cloud-based scalability allows you to easily manage and implement policies across a global workforce without the limitations of on-premises infrastructure. This approach also simplifies licensing, offering more straightforward and cost-effective models. Also, by reducing the need for maintaining and upgrading on-premises servers and infrastructure, you can significantly lower your overall infrastructure costs.

Overall, transitioning to Entra Joined devices provides a comprehensive solution that enhances security, simplifies management, and improves the user experience, while also delivering substantial cost savings and positioning your organization for continued growth and innovation.

Increased device security

If your devices are Cloud only, then users are directly logging in at the device with their Entra credentials. The comprehensive identity security that Entra provides immediately becomes the default logon experience. 

Microsoft Purview and Microsoft Defender

The advancements in the Microsoft 365 Cloud ecosystem are significant, especially for those utilizing the Microsoft 365 Enterprise SKUs. The Microsoft Purview and Defender Suite are particularly feature-rich and comprehensive, offering a level of functionality that far surpasses what is available in on-premises environments. Each month, cloud users benefit from updates and new features that continuously enhance security and management capabilities, providing an ever-evolving suite of tools that on-premises solutions simply cannot match.

A side by side view of Microsoft Purview versus Microsoft Defender interface

Autopilot

Autopilot offers a much simpler configuration and solution for Entra Joined devices compared to Hybrid Join and the Intune connector. Using Autopilot for a fresh start with cloud-only devices streamlines the process and is becoming the standard for organisations, significantly reducing the IT support burden.

The end of on-premises servers

Microsoft have already stated that older versions of Microsoft Exchange will be downgraded and throttled when routing Exchange Online.

As we continue to enhance the security of our cloud, we are going to address the problem of email sent to Exchange Online from unsupported and unpatched Exchange servers. There are many risks associated with running unsupported or unpatched software, but by far the biggest risk is security. Once a version of Exchange Server is no longer supported, it no longer receives security updates. Thus, any vulnerabilities discovered after support has ended don’t get fixed.

Microsoft Exchange On-Premises Servers and Active Directory are inevitably going away. It’s only a matter of time before all on-premises services will be downgraded to second class citizens.

Moving away from on-premises Active Directory

Exiting from on-premises Active Directory is a significant and complex undertaking. The process involves a substantial amount of work and cannot be accomplished quickly, largely due to the presence of legacy applications and other dependencies like authentication methods that make a complete and rapid transition challenging.  This transition will likely take organisations several years to complete.

The first step was migrating user accounts to Entra ID. The next step in this journey should be transitioning workstations to become Entra Joined devices. This gradual, phased approach will help ensure a smooth and successful exit from Active Directory.

The wins

Eliminate On-Premises Servers: Reduce the need for maintaining and upgrading on-premises servers and infrastructure.

Reduced domain controllers

Because users are authenticating to Entra and log in and there are no more devices in your Active Directory, a significant amount of authentication load is taken off the -n-premises AD Domain Controllers meaning you can reduce your Active Directory footprint.

Group policy objects and intune policies

Intune enrolled devices can be in receipt of Intune Device Compliance policies, and Configuration policies rather than Active Directory GPOs. GPOs no longer need to be maintained. Intune can now import and rationalize your ADMX for feature parity in a lot of cases.

Reduce your file servers

With the proliferation and uptake of OneDrive for Business, SharePoint Online and Microsoft Teams, a huge swathe of your corporate data is now Cloud-based. Due to this, your need for file servers has most likely significantly diminished over time.

Printing and applications

The advent of Cloud Print via Universal Print, and other 3rd party Cloud print solutions effectively means you can decommission File & Print Servers.

This leaves legacy applications behind. If these are fronted by an Azure Application Gateway, then again, the authentication is handled by Entra until such time as these are migrated or sunset in the environment.

Software deployment and device management

Application push and pull deployment comes directly from Intune as well as Device Compliance and Configuration. On-premises software deployment and management tools like SCCM can be decommissioned.

Switching to cloud managed devices manually

Entra (Azure AD) Hybrid Join was never meant to be the long term solution. Microsoft have not invested time and effort into this solution. It was only intended to be a tactical middle ground until clients could get to Cloud Only Entra Joined devices. 

Manually taking a device from Entra Hybrid Joined to Entra Joined is not for the faint hearted. Here are your options:

  • Complete device swap out
  • Fresh start or reimaging devices
  • User managed manual steps

Complete device swap out

The management overhead swapping out devices is not trivial from the Asset Management Database Updating through to the reconfiguration required by the end user of their applications and preferences.

Fresh start or reimaging devices

This is costly and time consuming for the organisation and the end user. Their device is unavailable for a significant amount of time and at the end of the process they still need to set-up and the configure the device to their way of working as well as Outlook, Teams, OneDrive etc.

Detailed documentation and user challenges

A significant investment in detailed documentation for users to follow is necessary. Less “IT savvy” users may struggle and potentially give up, requiring IT support intervention. It’s unlikely that users can independently disjoin a device from the domain. Even though they use the same UPN, their logon corresponds to a different GUID/ObjectID, resulting in a blank “fresh start” Windows profile at first login.

This means they will need to reconfigure their device, including all application preferences and configurations, to match their personal working style.  Wi-Fi connections, VPN clients all must be reconfigured.  Setting up Outlook and OneDrive for Business alone will increase load on the network to re-download all that data.

The verdict: risky, costly and time-consuming

This process would take many man hours per device. This would almost certainly become a critical and costly IT project requiring many resources across a long timeline. When this process per device is multiplied across the whole of the organisation’s estate, the total costs will very quickly mound up into the tens of thousands or more.

Any of the manual steps above come with an inherent risk of data loss. Fresh start or new devices come with potential data loss for any data that was not backed up from that device. Manual steps place even more risk on the device simply become unusable. A bricked device will be extremely frustrating of worse for an end user.

The solution: introducing PowerSyncPro Migration Agent

The PowerSyncPro Migration Agent software allows you to automate the entire migration process securely with zero end-user interaction, complete with batching and reporting capabilities.

With PowerSyncPro Migration Agent you can disjoin devices from your on-premises Active Directory or Entra Hybrid Join and transition them to Entra Joined status in under 30 minutes.

Streamline and secure cloud migration

A lightweight agent is installed on the Windows devices running securely as a Windows Service running as system.

No local admin account is required.

Batching and scheduling

The PowerSyncPro Migration Agent enables your organisation to schedule migrations in batches that align with your business operations timetable.

Book your demo today

 Want to see it for yourself? Contact us for a demonstration of the powerful PowerSyncPro solution.

Self service

Migrations can even be configured to be self-service user-driven via an “opt-in / available from” schedule or mandated on a specific date.

Pre and post migration commands

If your organisation migration use case has some specific bespoke requirements, these additional custom actions can be added in addition to the Migration Agent Runbook and Steps.

Migration Agent features and functionality

PowerSyncPro Migration Agent can take existing Entra Hybrid Joined devices and convert them to Entra Joined cloud only devices. The agent will then Intune Enrol them with minimal user disruption, if required. 

It will also support: 

  • Windows user profiles – PowerSyncPro Migration Agent will re-permission the Windows User profiles on the device so that the end-user experience is seamless post migration.
  • Applications – because your device is converting to Entra Joined, the credentials that connected to Outlook, OneDrive, OneNote, Edge, Teams etc will remain exactly the same. There is no need to start the applications fresh. They will simply load as previously.
  • System settings – device configurations such as Wi-Fi configurations and VPN connections are preserved, saving time and effort.
  • BitLocker – the whole disk encryption is preserved. BitLocker will not need to be re-run.
  • Return to Operations (RTO) – because their profile is retained, there is no need for end users to re-configure and set up their device to their style and preference.  Users will simply pick up where they left off with their device and applications.
  • No data loss – because the device is the same device and the same Windows Profile, all data is retained on the device ensuring no data loss.

Monitoring and reporting

Every step along the way as the devices process the runbooks assigned to them to execute the steps required, those events are reported to the Windows Application Event Log and rolled up to the PowerSyncPro Control Server Agent Logs.

Migration Engineers and Stakeholders can view the Runbook progress, Agent logs and see the overall status via the Migration Dashboard.

Proven solution and track record

PowerSyncPro has successfully migrated tens of thousands of devices between Microsoft 365 tenants and converted, switched or transitioned Windows Workstations to Entra Joined Cloud Only.