Following our recent webinar, “A Practical Playbook to Migrate Users & Devices from Local AD to Entra ID,” we received a strong set of practical, real-world questions from IT teams and MSPs.
This follow-up blog addresses those questions directly, with a focus on how MigrationWiz, Directory Sync, and Migration Agent (the latter two powered by PowerSyncPro) work together in real environments.
1. Can this help after a security breach of on-prem AD?
Yes, with the right approach.
If your on-prem AD is compromised, Directory Sync can help you:
- Rebuild and re-establish trusted identities in Entra ID
- Avoid blindly replicating potentially compromised attributes
- Apply controlled matching and filtering during synchronization
However, this is not a “lift-and-shift” scenario. You should:
- Audit identities before syncing
- Use selective attribute flows
- Treat Entra ID as a clean target state, not a mirror of a compromised directory
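One way to carry out the "audit identities before syncing" step, as an added example that is not part of the original post or of Directory Sync: a PowerShell triage function that marks each account Sync, Review or Exclude before it is placed in sync scope. The checks chosen, the breach-window date and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example: pre-sync triage of on-prem AD accounts after a suspected compromise.
$BreachWindowStart = [datetime]'2024-03-01'   # assumed earliest suspected compromise

function Test-SyncCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [Parameter(Mandatory)] [datetime] $Since
    )
    process {
        $reasons = @()
        # Privileged accounts are better recreated in the clean target than synced.
        if ($User.adminCount -eq 1)           { $reasons += 'privileged (adminCount=1)' }
        # SIDHistory can carry access from another identity into the target.
        if ($User.SIDHistory)                 { $reasons += 'SIDHistory present' }
        # An SPN on a user object marks a service account with a Kerberos dependency.
        if ($User.servicePrincipalName)       { $reasons += 'SPN set (service account)' }
        if ($User.TrustedForDelegation)       { $reasons += 'trusted for delegation' }
        # Anything created or re-credentialed inside the window needs a human decision.
        if ($User.whenCreated -ge $Since)     { $reasons += 'created inside breach window' }
        if ($User.PasswordLastSet -ge $Since) { $reasons += 'password set inside breach window' }

        $decision = if (-not $User.Enabled) { 'Exclude' } elseif ($reasons.Count) { 'Review' } else { 'Sync' }
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            Decision       = $decision
            Reasons        = $reasons -join '; '
        }
    }
}

# Constructed sample input. Against a live directory, pipe in instead:
#   Get-ADUser -Filter * -Properties adminCount,SIDHistory,servicePrincipalName,
#       TrustedForDelegation,whenCreated,PasswordLastSet
$old = [datetime]'2021-06-10'; $recent = [datetime]'2024-03-14'
$sample = @(
    [pscustomobject]@{ SamAccountName='a.ng'; Enabled=$true; adminCount=$null; SIDHistory=@()
        servicePrincipalName=@(); TrustedForDelegation=$false; whenCreated=$old; PasswordLastSet=$old }
    [pscustomobject]@{ SamAccountName='svc-erp'; Enabled=$true; adminCount=$null; SIDHistory=@()
        servicePrincipalName=@('HTTP/erp.example.test'); TrustedForDelegation=$true; whenCreated=$old; PasswordLastSet=$old }
    [pscustomobject]@{ SamAccountName='helpdesk2'; Enabled=$true; adminCount=1; SIDHistory=@()
        servicePrincipalName=@(); TrustedForDelegation=$false; whenCreated=$recent; PasswordLastSet=$recent }
    [pscustomobject]@{ SamAccountName='j.leaver'; Enabled=$false; adminCount=$null; SIDHistory=@()
        servicePrincipalName=@(); TrustedForDelegation=$false; whenCreated=$old; PasswordLastSet=$old }
)
$sample | Test-SyncCandidate -Since $BreachWindowStart | Format-Table -AutoSize -Wrap
```

Only accounts marked Sync go into scope automatically; Review rows are resolved by a person before any matching or attribute flow is configured for them.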
2. Can I migrate standalone (non-domain) PCs into Entra ID?
Yes.
Migration Agent can:
- Join unmanaged or workgroup devices to Entra ID
- Create and map user profiles
- Standardize endpoints into a managed state
This is a common use case for organizations modernizing unmanaged environments.
3. Can I migrate devices only in a hybrid environment?
Yes.
If identities already exist in Entra ID:
- You can use Migration Agent to move devices independently
- This is often done before decommissioning Azure AD Connect
It’s a practical way to transition from hybrid to cloud-only in phases.
4. Why not just use PowerShell for user creation?
PowerShell works for simple scenarios.
But at scale, it breaks down:
- No built-in coexistence
- No synchronization or drift control
- No attribute mapping logic
- No automation across lifecycle changes
Directory Sync adds:
- Matching and deduplication logic
- Attribute transformation and governance
- Continuous synchronization—not one-time scripts
This is about operational consistency, not just initial provisioning.
5. When does automation make sense vs manual work?
There is absolutely a threshold.
- Small environments (1–5 users) → manual may be faster
- Anything beyond that → automation quickly wins
Once you factor in:
- Devices
- Profiles
- Identity alignment
- Ongoing sync
Manual approaches become inefficient and risky.
6. What about apps, ERP/CRM systems, shares, and printers?
This is one of the most important considerations.
After moving to Entra ID:
- Legacy apps may still rely on on-prem authentication
- File shares and printers tied to GPOs will not automatically remap
Options include:
- Maintaining hybrid access temporarily
- Using solutions like SSO bridges or identity federation
- Re-mapping resources via modern management tools (e.g., Intune scripts)
Key point: Device migration is one step; application dependency planning is critical.
7. ERP/CRM concerns delaying migration?
This is common and valid.
Before migrating:
- Validate authentication method (AD vs modern auth)
- Test access from Entra-joined devices
- Identify dependencies on domain join or Kerberos
In many cases, a phased or hybrid approach is required until apps are modernized.
8. How is Folder Redirection handled?
Folder Redirection should be addressed before device migration:
- Migrate data to OneDrive or SharePoint
- Remove or transition GPO-based redirection policies
- Ensure data is accessible in the cloud-first model
Do not carry legacy redirection into Entra-native environments.
9. Is there a rollback option?
Rollback is not a single-click operation, but you can:
- Revert device join state
- Restore user access to the original profile (if preserved)
- Re-run migration workflows
Best practice:
- Test with pilot groups
- Validate before broad rollout
10. Can I use Migration Agent without Directory Sync?
Yes.
Migration Agent can:
- Migrate devices independently
- Be used in environments where identity is already aligned
However, Directory Sync is recommended when:
- You need coexistence
- You’re migrating identities alongside devices
11. What happens to the old user profile?
Migration Agent:
- Converts and maps the existing profile to the new Entra ID user
This avoids:
- Profile loss
- Reconfiguration
- User disruption
Old profiles can be removed later if needed for disk space optimization.
12. Does it handle Outlook reconfiguration?
Yes.
Migration Agent includes:
- Outlook profile handling
- Reconnection to the new tenant
This provides similar outcomes to tools like DeploymentPro.
13. Does the user need to be logged in?
Not necessarily. Devices can still migrate successfully as long as they have internet access, even if the user is not actively logged in during the migration process. However, users who are not logged in will not see the in-progress migration prompts or dialogs during execution.
For the smoothest experience:
- Profile migration and context-aware changes benefit from user session presence
- Some automation can be staged ahead of time, while execution is typically best aligned with user login
- Migration Agent can still complete workstation migration tasks remotely without requiring hands-on technician involvement
Final Takeaway
What these questions highlight is a broader shift:
Migrations are no longer just about moving data. They require coordination across:
- Data (MigrationWiz)
- Identity (Directory Sync, powered by PowerSyncPro)
- Devices (Migration Agent, powered by PowerSyncPro)
That’s the value of the New Migration Stack—bringing these layers together into a repeatable, scalable process.
What’s Next
If you’re planning a migration:
- Start with a pilot group
- Map application dependencies early
- Align identity, data, and devices, not just one layer
And most importantly, design for automation and scale from the beginning.

