Following our recent webinar, “A Practical Playbook to Migrate Users & Devices from Local AD to Entra ID,” we received a strong set of practical, real-world questions from IT teams and MSPs.
This follow-up blog addresses those questions directly, with a focus on how MigrationWiz, Directory Sync, and Migration Agent (the latter two powered by PowerSyncPro) work together in real environments.
1. Can this help after a security breach of on-prem AD?
Yes, with the right approach.
If your on-prem AD is compromised, Directory Sync can help you:
- Rebuild and re-establish trusted identities in Entra ID
- Avoid blindly replicating potentially compromised attributes
- Apply controlled matching and filtering during synchronization
However, this is not a “lift-and-shift” scenario. You should:
- Audit identities before syncing
- Use selective attribute flows
- Treat Entra ID as a clean target state, not a mirror of a compromised directory
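One way to do the "audit identities before syncing" step, as an added example (not BitTitan or PowerSyncPro code). It assumes the RSAT ActiveDirectory module on a trusted admin workstation; the `$ReviewFrom` date and output file name are placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example (read-only): list on-prem AD users that deserve review before sync.
param(
    # Placeholder: earliest date the directory may have been compromised.
    [datetime]$ReviewFrom = '2024-01-01',
    [string]$OutFile = '.\presync-identity-review.csv'
)

$props = 'adminCount', 'sIDHistory', 'servicePrincipalName', 'whenCreated',
         'PasswordNeverExpires', 'TrustedForDelegation', 'DoesNotRequirePreAuth',
         'LastLogonDate'

$findings = foreach ($u in Get-ADUser -Filter * -Properties $props) {
    $reasons = @()
    if ($u.adminCount -eq 1)                 { $reasons += 'privileged (adminCount=1)' }
    if ($u.sIDHistory.Count -gt 0)           { $reasons += 'sIDHistory populated' }
    if ($u.servicePrincipalName.Count -gt 0) { $reasons += 'SPN on user account' }
    if ($u.TrustedForDelegation)             { $reasons += 'unconstrained delegation' }
    if ($u.DoesNotRequirePreAuth)            { $reasons += 'Kerberos pre-auth disabled' }
    if ($u.PasswordNeverExpires)             { $reasons += 'password never expires' }
    if ($u.whenCreated -ge $ReviewFrom)      { $reasons += 'created inside review window' }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            UPN            = $u.UserPrincipalName
            Enabled        = $u.Enabled
            Created        = $u.whenCreated
            LastLogon      = $u.LastLogonDate
            Reasons        = $reasons -join '; '
        }
    }
}

$findings | Sort-Object SamAccountName | Export-Csv -Path $OutFile -NoTypeInformation
'{0} account(s) flagged; see {1}' -f @($findings).Count, $OutFile
```

The CSV is a review list for deciding which accounts to exclude, rebuild, or sync with a reduced attribute set; it does not configure Directory Sync itself.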
2. Can I migrate standalone (non-domain) PCs into Entra ID?
Yes.
Migration Agent can:
- Join unmanaged or workgroup devices to Entra ID
- Create and map user profiles
- Standardize endpoints into a managed state
This is a common use case for organizations modernizing unmanaged environments.
3. Can I migrate devices only in a hybrid environment?
Yes.
If identities already exist in Entra ID:
- You can use Migration Agent to move devices independently
- This is often done before decommissioning Azure AD Connect
It’s a practical way to transition from hybrid to cloud-only in phases.
4. Why not just use PowerShell for user creation?
PowerShell works for simple scenarios.
But at scale, it breaks down:
- No built-in coexistence
- No synchronization or drift control
- No attribute mapping logic
- No automation across lifecycle changes
Directory Sync adds:
- Matching and deduplication logic
- Attribute transformation and governance
- Continuous synchronization—not one-time scripts
This is about operational consistency, not just initial provisioning.
5. When does automation make sense vs manual work?
There is absolutely a threshold.
- Small environments (1–5 users) → manual may be faster
- Anything beyond that → automation quickly wins
Once you factor in the following, manual approaches become inefficient and risky:
- Devices
- Profiles
- Identity alignment
- Ongoing sync
6. What about apps, ERP/CRM systems, shares, and printers?
This is one of the most important considerations.
After moving to Entra ID:
- Legacy apps may still rely on on-prem authentication
- File shares and printers tied to GPOs will not automatically remap
Options include:
- Maintaining hybrid access temporarily
- Using solutions like SSO bridges or identity federation
- Re-mapping resources via modern management tools (e.g., Intune scripts)
Key point: Device migration is one step; application dependency planning is critical.
7. ERP/CRM concerns delaying migration?
This is common and valid.
Before migrating:
- Validate authentication method (AD vs modern auth)
- Test access from Entra-joined devices
- Identify dependencies on domain join or Kerberos
In many cases, a phased or hybrid approach is required until apps are modernized.
8. How is Folder Redirection handled?
Folder Redirection should be addressed before device migration:
- Migrate data to OneDrive or SharePoint
- Remove or transition GPO-based redirection policies
- Ensure data is accessible in the cloud-first model
Do not carry legacy redirection into Entra-native environments.
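To find the file shares, printers, and redirected folders discussed in questions 6 and 8 on a given endpoint, the following added example (not part of Migration Agent) inventories them for the signed-in user. It assumes Windows 10 or later with the built-in SmbShare and PrintManagement modules; the output file name is a placeholder.

```powershell
# Added example (read-only): per-user inventory of legacy dependencies
# to resolve before the device is moved to Entra ID. Run as the signed-in user.
$usf = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# Known folders (Desktop, Personal, etc.) whose target is a UNC path are redirected.
$redirected = (Get-ItemProperty -Path $usf).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' -and $_.Value -like '\\*' } |
    ForEach-Object {
        [pscustomobject]@{ Type = 'RedirectedFolder'; Name = $_.Name; Target = $_.Value }
    }

# Drive letters mapped to SMB shares in this session.
$drives = Get-SmbMapping -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{ Type = 'MappedDrive'; Name = $_.LocalPath; Target = $_.RemotePath }
    }

# Printer connections that point at a print server rather than a local queue.
$printers = Get-Printer -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'Connection' } |
    ForEach-Object {
        [pscustomobject]@{ Type = 'NetworkPrinter'; Name = $_.Name; Target = $_.ComputerName }
    }

$report = @($redirected) + @($drives) + @($printers) | Where-Object { $_ }
$report | Format-Table -AutoSize

# Placeholder output path; collect centrally to plan OneDrive moves and re-mapping.
$report | Export-Csv -Path ".\legacy-deps-$env:COMPUTERNAME-$env:USERNAME.csv" -NoTypeInformation
```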
9. Is there a rollback option?
Rollback is not a single-click operation, but you can:
- Revert device join state
- Restore user access to the original profile (if preserved)
- Re-run migration workflows
Best practice:
- Test with pilot groups
- Validate before broad rollout
10. Can I use Migration Agent without Directory Sync?
Yes.
Migration Agent can:
- Migrate devices independently
- Be used in environments where identity is already aligned
However, Directory Sync is recommended when:
- You need coexistence
- You’re migrating identities alongside devices
11. What happens to the old user profile?
Migration Agent:
- Converts and maps the existing profile to the new Entra ID user
This avoids:
- Profile loss
- Reconfiguration
- User disruption
Old profiles can be removed later if needed for disk space optimization.
12. Does it handle Outlook reconfiguration?
Yes.
Migration Agent includes:
- Outlook profile handling
- Reconnection to the new tenant
This provides similar outcomes to tools like DeploymentPro.
13. Does the user need to be logged in?
Typically, yes, for the cleanest experience.
- Profile migration and context-aware changes benefit from user session presence
- Some automation can be staged, but execution is best aligned with user login
Final Takeaway
What these questions highlight is a broader shift:
Migrations are no longer just about moving data. They require coordination across:
- Data (MigrationWiz)
- Identity (Directory Sync, powered by PowerSyncPro)
- Devices (Migration Agent, powered by PowerSyncPro)
That’s the value of the New Migration Stack—bringing these layers together into a repeatable, scalable process.
What’s Next
If you’re planning a migration:
- Start with a pilot group
- Map application dependencies early
- Align identity, data, and devices, not just one layer
And most importantly, design for automation and scale from the beginning.

