Overview
In this scenario, third party tooling was utilised to conduct an on-premises Active Directory (AD) migration from one AD forest (source) to another (target). While the project was primarily concerned with traditional on-premises AD, there were elements of Microsoft Entra that needed to be considered.
A single Entra tenant (and its Azure subscription) hosted the domain controllers and related infrastructure. User devices were hybrid joined, meaning they were joined to the source AD domain and registered with Entra ID. In addition, the devices were enrolled into Microsoft Intune and subject to strict conditional access policies that require the device to be marked compliant before access is granted.
To ensure a clean migration of devices from the source to target AD, the device migration process involved the following high level steps:
- Remove device from Intune.
- Move the AD computer object from source to target.
- Hybrid join “new” device with Entra ID.
- Re-enroll device into Intune.
Problem
During the domain migration activities, users encountered device compliance errors following their move from source to target. This caused major disruptions due to a conditional access policy blocking access to key services.
Devices appeared as non-compliant despite having been successfully migrated.
Solution
In the Intune device compliance policy, the "mark device non-compliant" action was scheduled to apply immediately. When migrated devices were used for the first time, however, the compliance evaluation itself did not run straight away (it was often delayed by hours), so the device was treated as non-compliant until that first evaluation completed and reported back. The policy schedule being set to "immediately" only controls when the non-compliant action is applied; it does not make the device evaluate itself any sooner.
Once the devices are migrated to the target domain, the following steps need to be completed, in this order (hybrid join first, because the automatic MDM enrollment relies on the device already having an Entra ID identity):
- Hybrid join the device with Entra ID.
- Enroll the device into Intune MDM.
Then a manual sync to Intune can be triggered from the device, using the below PowerShell command:
Start-Process -FilePath "C:\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe" -ArgumentList "intunemanagementextension://syncapp"
Finally, you need to force the device to be evaluated against the compliance policy (rather than wait for this to occur automatically which is an unacceptable delay for users):
Start-Process -FilePath "C:\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe" `
-ArgumentList "intunemanagementextension://synccompliance"
Once the evaluation completes and the device reports back, it is marked as compliant in Intune and the conditional access policy stops blocking the user.
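The following PowerShell script is an added example, not code from the original write-up. It wraps the procedure above in a single check-then-sync sequence, so that the two Start-Process calls are only issued once the hybrid join and the Intune enrollment are actually in place (firing the sync on a device that is not yet enrolled achieves nothing). It assumes it is run elevated on the migrated device, that the Intune Management Extension is installed at its default path, and that the dsregcmd output fields (DomainJoined, AzureAdJoined) and the enrollment registry value (ProviderID of "MS DM Server" under HKLM\SOFTWARE\Microsoft\Enrollments) have the names seen on current Windows builds; treat those names as assumptions and adjust if your build differs.

```powershell
# Added example (not from the original post): verify the post-migration state of a device,
# then force an Intune sync and an immediate compliance evaluation.
# Assumptions: run elevated on the migrated Windows device; the Intune Management
# Extension (IME) is installed at its default path; the dsregcmd field names and the
# enrollment registry layout are as observed on current Windows builds.

$ime = "C:\Program Files (x86)\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe"

# Pull a single "Name : Value" field out of the dsregcmd /status text output.
function Get-DsregField {
    param([string[]]$Status, [string]$Name)
    $pattern = "^\s*$([regex]::Escape($Name))\s*:\s*(.+)$"
    foreach ($line in $Status) {
        if ($line -match $pattern) { return $Matches[1].Trim() }
    }
    return $null
}

# 1. Hybrid join must already be in place: both DomainJoined and AzureAdJoined report YES.
$status       = dsregcmd /status
$domainJoined = Get-DsregField -Status $status -Name 'DomainJoined'
$aadJoined    = Get-DsregField -Status $status -Name 'AzureAdJoined'
if ($domainJoined -ne 'YES' -or $aadJoined -ne 'YES') {
    throw "Device is not hybrid joined (DomainJoined=$domainJoined, AzureAdJoined=$aadJoined). Fix the join before syncing."
}

# 2. An Intune MDM enrollment must exist. Intune enrollments carry ProviderID "MS DM Server"
#    (assumed value) under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>.
$enrollment = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
    Where-Object { $_.ProviderID -eq 'MS DM Server' } |
    Select-Object -First 1
if (-not $enrollment) {
    throw "No Intune (MS DM Server) enrollment found. Enroll the device into Intune before forcing a sync."
}

# 3. Trigger the IME sync, give it a moment to pick up policy, then force the compliance evaluation
#    rather than waiting for the scheduled check.
if (-not (Test-Path -Path $ime)) {
    throw "Intune Management Extension not found at $ime"
}
Start-Process -FilePath $ime -ArgumentList 'intunemanagementextension://syncapp'
Start-Sleep -Seconds 30
Start-Process -FilePath $ime -ArgumentList 'intunemanagementextension://synccompliance'
Write-Host "Sync and compliance evaluation requested; check Intune (or Settings > Accounts > Access work or school > Info) for the updated compliance state."
```

The IME writes its activity to C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\IntuneManagementExtension.log, which is the place to confirm that the sync and compliance requests were actually received if the device still shows as non-compliant afterwards.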