Posted 21/12/2024
Organisations are increasingly moving to Entra Joined devices in the Microsoft 365 space, and for good reason. Microsoft has emphasised that the primary weakness in their security chain is the client’s on-premises infrastructure. Unlike the cloud, Microsoft has no control over the patching cadence and software versions in on-premises environments. This means organisations struggle to keep their local infrastructure patched to the highest standards quickly enough across their entire estate. In addition, many of the advanced security features available in the cloud are not available for on-premises systems.
Migrating Windows workstations to Entra Joined aligns with modern IT strategies, providing robust security, simplified management, improved user experience, and cost efficiency. This transition supports broader digital transformation initiatives by leveraging cloud-first strategies and positions your organisation for future technological advancements and shifts towards modern IT infrastructure.
By adopting Entra Joined devices, your organisation will always have access to the latest features and enhancements from Microsoft as they are released, ensuring that your systems are up to date with cutting-edge technology.
Cloud-based scalability allows you to easily manage and implement policies across a global workforce without the limitations of on-premises infrastructure. This approach also simplifies licensing, offering more straightforward and cost-effective models. Also, by reducing the need for maintaining and upgrading on-premises servers and infrastructure, you can significantly lower your overall infrastructure costs.
Overall, transitioning to Entra Joined devices provides a comprehensive solution that enhances security, simplifies management, and improves the user experience, while also delivering substantial cost savings and positioning your organisation for continued growth and innovation.
If your devices are Cloud only, then users are directly logging in at the device with their Entra credentials. The comprehensive identity security that Entra provides immediately becomes the default logon experience.
The advancements in the Microsoft 365 Cloud ecosystem are significant, especially for those utilizing the Microsoft 365 Enterprise SKUs. The Microsoft Purview and Defender Suite are particularly feature-rich and comprehensive, offering a level of functionality that far surpasses what is available in on-premises environments. Each month, cloud users benefit from updates and new features that continuously enhance security and management capabilities, providing an ever-evolving suite of tools that on-premises solutions simply cannot match.
Autopilot offers a much simpler configuration and solution for Entra Joined devices compared to Hybrid Join and the Intune connector. Using Autopilot for a fresh start with cloud-only devices streamlines the process and is becoming the standard for organisations, significantly reducing the IT support burden.
Microsoft have already stated that mail routed to Exchange Online from older versions of Microsoft Exchange will be downgraded and throttled.
As we continue to enhance the security of our cloud, we are going to address the problem of email sent to Exchange Online from unsupported and unpatched Exchange servers. There are many risks associated with running unsupported or unpatched software, but by far the biggest risk is security. Once a version of Exchange Server is no longer supported, it no longer receives security updates. Thus, any vulnerabilities discovered after support has ended don’t get fixed.
Microsoft Exchange On-Premises Servers and Active Directory are inevitably going away. It’s only a matter of time before all on-premises services will be downgraded to second class citizens.
Exiting from on-premises Active Directory is a significant and complex undertaking. The process involves a substantial amount of work and cannot be accomplished quickly, largely due to the presence of legacy applications and other dependencies like authentication methods that make a complete and rapid transition challenging. This transition will likely take organisations several years to complete.
The first step was migrating user accounts to Entra ID. The next step in this journey should be transitioning workstations to become Entra Joined devices. This gradual, phased approach will help ensure a smooth and successful exit from Active Directory.
Eliminate On-Premises Servers: Reduce the need for maintaining and upgrading on-premises servers and infrastructure.
Because users authenticate and log in against Entra, and there are no longer any devices in your Active Directory, a significant amount of authentication load is taken off the on-premises AD Domain Controllers, meaning you can reduce your Active Directory footprint.
Intune enrolled devices can be in receipt of Intune Device Compliance policies, and Configuration policies rather than Active Directory GPOs. GPOs no longer need to be maintained. Intune can now import and rationalize your ADMX for feature parity in a lot of cases.
With the proliferation and uptake of OneDrive for Business, SharePoint Online and Microsoft Teams, a huge swathe of your corporate data is now Cloud-based. Due to this, your need for file servers has most likely significantly diminished over time.
The advent of Cloud Print via Universal Print, and other 3rd party Cloud print solutions effectively means you can decommission File & Print Servers.
This leaves legacy applications behind. If these are fronted by an Azure Application Gateway, then again, the authentication is handled by Entra until such time as these are migrated or sunset in the environment.
Application push and pull deployment comes directly from Intune as well as Device Compliance and Configuration. On-premises software deployment and management tools like SCCM can be decommissioned.
Entra (Azure AD) Hybrid Join was never meant to be the long term solution. Microsoft have not invested time and effort into this solution. It was only intended to be a tactical middle ground until clients could get to Cloud Only Entra Joined devices.
Manually taking a device from Entra Hybrid Joined to Entra Joined is not for the faint hearted. Here are your options:
The management overhead of swapping out devices is not trivial, from updating the asset management database through to the reconfiguration of applications and preferences required by the end user.
This is costly and time consuming for the organisation and the end user. Their device is unavailable for a significant amount of time, and at the end of the process they still need to set up and configure the device to their way of working, as well as Outlook, Teams, OneDrive etc.
A significant investment in detailed documentation for users to follow is necessary. Less “IT savvy” users may struggle and potentially give up, requiring IT support intervention. It’s unlikely that users can independently disjoin a device from the domain. Even though they use the same UPN, their logon corresponds to a different GUID/ObjectID, resulting in a blank “fresh start” Windows profile at first login.
This means they will need to reconfigure their device, including all application preferences and configurations, to match their personal working style. Wi-Fi connections, VPN clients all must be reconfigured. Setting up Outlook and OneDrive for Business alone will increase load on the network to re-download all that data.
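The "fresh start" profile described above happens because Windows keys local profiles by the account's SID, not by the UPN: an AD account carries a domain SID (S-1-5-21-...), while the same person's Entra account is mapped to a SID derived from its Entra ObjectID (S-1-12-1-...), for which the ProfileList registry key has no entry. The following PowerShell is an added example (not PowerSyncPro code) that lists the profiles on a workstation by account type and derives the Entra SID for a constructed sample ObjectID so you can check in advance whether a profile already exists for it; the sample GUID is made up and the function names are the example's own.

```powershell
# Added example: why an Entra logon lands in a new profile (not PowerSyncPro code).
# Windows keys profiles under ProfileList by SID. An Entra account's SID is
# S-1-12-1-<a>-<b>-<c>-<d>, where a..d are the four little-endian UInt32 values
# of the ObjectID GUID's byte array, so it never matches an AD domain SID.

function ConvertTo-EntraSid {
    # Derive the Windows SID that an Entra ID account receives from its ObjectID.
    param([Parameter(Mandatory)][guid]$ObjectId)
    $bytes = $ObjectId.ToByteArray()
    $parts = 0..3 | ForEach-Object { [BitConverter]::ToUInt32($bytes, $_ * 4) }
    return 'S-1-12-1-' + ($parts -join '-')
}

function Get-LocalProfileMap {
    # Enumerate local profiles and classify each by the shape of its SID.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    Get-ChildItem -Path $key | ForEach-Object {
        $sid  = $_.PSChildName
        $path = (Get-ItemProperty -Path $_.PSPath -Name ProfileImagePath -ErrorAction SilentlyContinue).ProfileImagePath
        $kind = switch -Regex ($sid) {
            '^S-1-5-21-'         { 'AD domain or local account' }
            '^S-1-12-1-'         { 'Entra ID account' }
            '^S-1-5-(18|19|20)$' { 'Built-in service account' }
            default              { 'Other' }
        }
        [pscustomobject]@{ Sid = $sid; Kind = $kind; ProfilePath = $path }
    }
}

function Test-EntraProfileExists {
    # True only if a profile keyed by the account's Entra SID is already present.
    param([Parameter(Mandatory)][guid]$ObjectId)
    $sid = ConvertTo-EntraSid -ObjectId $ObjectId
    return [bool](Get-LocalProfileMap | Where-Object Sid -eq $sid)
}

# Constructed sample ObjectID (not a real tenant value).
$sampleObjectId = [guid]'3f2504e0-4f89-41d3-9a0c-0305e82c3301'
"Entra SID for sample ObjectID: $(ConvertTo-EntraSid -ObjectId $sampleObjectId)"
Get-LocalProfileMap | Format-Table -AutoSize
"Profile already present for sample account: $(Test-EntraProfileExists -ObjectId $sampleObjectId)"
```

Running this on a hybrid joined workstation before migration typically shows only S-1-5-21 profiles, which is exactly why the first Entra logon creates a new one: the user's post-migration SID is not in the list, even though the UPN is unchanged.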
This process would take many man hours per device. It would almost certainly become a critical and costly IT project requiring many resources across a long timeline. When this per-device cost is multiplied across the whole of the organisation's estate, the total will very quickly mount up into the tens of thousands or more.
Any of the manual steps above come with an inherent risk of data loss. Fresh start or new devices bring potential data loss for any data that was not backed up from that device. Manual steps place even more risk on the device simply becoming unusable. A bricked device will be extremely frustrating, or worse, for an end user.
The PowerSyncPro Migration Agent software allows you to automate the entire migration process securely with zero end-user interaction, complete with batching and reporting capabilities.
With PowerSyncPro Migration Agent you can disjoin devices from your on-premises Active Directory or Entra Hybrid Join and transition them to Entra Joined status in under 30 minutes.
A lightweight agent is installed on the Windows devices, running securely as a Windows Service under the SYSTEM account.
No local admin account is required.
The PowerSyncPro Migration Agent enables your organisation to schedule migrations in batches that align with your business operations timetable.
Want to see it for yourself? Contact us for a demonstration of the powerful PowerSyncPro solution.
Migrations can even be configured to be self-service user-driven via an “opt-in / available from” schedule or mandated on a specific date.
If your organisation migration use case has some specific bespoke requirements, these additional custom actions can be added in addition to the Migration Agent Runbook and Steps.
PowerSyncPro Migration Agent can take existing Entra Hybrid Joined devices and convert them to Entra Joined cloud only devices. The agent will then Intune Enrol them with minimal user disruption, if required.
It will also support:
At every step, as the devices process the runbooks assigned to them and execute the required steps, the events are reported to the Windows Application Event Log and rolled up to the PowerSyncPro Control Server Agent Logs.
Migration Engineers and Stakeholders can view the Runbook progress, Agent logs and see the overall status via the Migration Dashboard.
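Whatever tooling performs the conversion, an engineer wants an independent check on the device that the transition actually landed: a hybrid joined device reports both AzureAdJoined and DomainJoined as YES in `dsregcmd /status`, while a cloud-only Entra joined device reports AzureAdJoined YES and DomainJoined NO. The PowerShell below is an added example (not PowerSyncPro code) that parses that output into a join classification and pulls recent Application log events for the migration agent; the event provider name is a placeholder, since the page does not state it, and the function names are the example's own.

```powershell
# Added example: verify post-migration join state and review agent events.
# Not PowerSyncPro code; the provider name below is a placeholder you must
# replace with the agent's real event source.

function Get-DeviceJoinState {
    # Parse the fields of interest from dsregcmd /status into an object.
    $lines = & dsregcmd.exe /status
    $state = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*(AzureAdJoined|EnterpriseJoined|DomainJoined|DeviceId|TenantName|MdmUrl)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined    = ($state['AzureAdJoined'] -eq 'YES')
        DomainJoined     = ($state['DomainJoined'] -eq 'YES')
        EnterpriseJoined = ($state['EnterpriseJoined'] -eq 'YES')
        DeviceId         = $state['DeviceId']
        TenantName       = $state['TenantName']
        MdmUrl           = $state['MdmUrl']
    }
}

function Get-JoinClassification {
    # Map the dsregcmd flags to the join type the migration is trying to reach.
    param([Parameter(Mandatory)]$State)
    if ($State.AzureAdJoined -and $State.DomainJoined) { return 'Entra hybrid joined' }
    if ($State.AzureAdJoined)                          { return 'Entra joined (cloud only)' }
    if ($State.DomainJoined)                           { return 'AD domain joined only' }
    return 'Not joined'
}

function Get-MigrationAgentEvents {
    # Recent Application log events written by the agent (placeholder provider name).
    param(
        [string]$ProviderName = 'PLACEHOLDER-MigrationAgentProvider',
        [int]$Hours = 24
    )
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = $ProviderName
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$state = Get-DeviceJoinState
"Join state      : $(Get-JoinClassification -State $state)"
"Tenant / Device : $($state.TenantName) / $($state.DeviceId)"
"Intune enrolled : $([bool]$state.MdmUrl)"
Get-MigrationAgentEvents | Format-Table -AutoSize -Wrap
```

A non-empty MdmUrl alongside the cloud-only classification is the quick confirmation that the device both left the domain and completed Intune enrolment; running the same script from the control server's perspective is what the dashboard roll-up replaces.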
PowerSyncPro has successfully migrated tens of thousands of devices between Microsoft 365 tenants and converted, switched or transitioned Windows Workstations to Entra Joined Cloud Only.