Scenario: Migrating to Entra Join

This scenario applies when existing machines — currently domain-joined or Entra Hybrid Joined — need to move to full Entra Join without wiping user profiles. Greenfield deployments (new hardware, new profiles) do not need this; go directly to Entra Join (The Cloud-Only Path).

Prerequisite

Complete the Entra Join prerequisites (DNS records and MDM User Scope) in Entra Join (The Cloud-Only Path) before running the migration on any machine.

The Profile Identity Problem

When a machine transitions from Domain or Hybrid Join to full Entra Join, Windows treats the cloud identity as a completely new owner. The operating system no longer recognizes CONTOSO\user as the same person as user@contoso.com — they have different SIDs. The result is that the user receives a fresh profile on their first cloud login: application settings, local Documents, desktop icons, and registry-stored preferences do not carry over automatically.

For a hardware refresh this is acceptable — users expect a clean start. For an in-place migration of an existing machine, it is a support burden. ForensiT User Profile Wizard is the industry standard tool for mapping the old SID to the new one so the existing profile follows the user through the transition.

Migration with ForensiT User Profile Wizard

  1. Install ForensiT User Profile Wizard as a local admin
  2. Run the ForensiT User Profile Wizard Deployment Kit
  3. Step 2 of 13: Create a new migration project: EntraMigration
  4. Step 3 of 13: Enter name of new domain: contoso.com and select Azure AD
  5. Migrate to Azure AD (select Azure AD as the target directory type)
  6. Generate the ForensiTAzureID.xml
  7. Create a Provisioning Package (this is how User Profile Wizard joins machines to Entra)
    • Install Windows Assessment and Deployment Kit
    • Launch Start > All > Windows Kits > Windows Imaging and Configuration Designer
      • Project: EntraJoin
      • Follow instructions to NOT change machine names
  8. Export Provisioning Package
    • C:\Users\<username>\Documents\Windows Imaging and Configuration Designer (WICD)\EntraJoin\EntraJoin.ppkg
  9. Configure User Profile Wizard to migrate profiles to Azure AD
  10. Step 3 of 13:
    • Enter name of new domain: contoso.com
    • Select Azure AD
    • Azure ID file path: C:\Program Files (x86)\ForensiT\User Profile Wizard Corporate\Deployment Kit\bin\ForensiTAzureID.xml
    • Provisioning Package: C:\Users\<username>\Documents\Windows Imaging and Configuration Designer (WICD)\EntraJoin\EntraJoin.ppkg
  11. Step 6 of 13:
    • Existing domain: CONTOSO
    • Migrating from existing Azure AD tenant: No
  12. Step 8 of 13:
    • Check "Use lookup file to get new account names", create the lookup file, and set its path
      • Generally AD usernames are just everything before @ in the Entra UPN
      • C:\Users\<username>\Documents\ForensiTUserLookup.csv
    • Clear the "Skip migration if user is not found in lookup file" checkbox
    • Clear the "Rename Profile Folder" checkbox due to compatibility concerns
  13. Step 10 of 13: Enter the local administrator account that will run User Profile Wizard
  14. Step 11 of 13: Let the default script run to execute the migration
  15. Step 12 of 13: No need for any other per-user script to run
  16. Create single deployment file:
    • C:\ProgramData\ForensiT\User Profile Wizard Corporate\Deployment Files\EntraJoin\Migrate-ToEntra.exe
  17. Quit any applications that may interfere with the profile migration, such as VPN clients or endpoint security agents.
  18. Run the migration.
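The lookup file in step 12 is the one place where the old SID-bound identity is tied to the new cloud identity, so a wrong row quietly hands one person's profile to another. The following PowerShell is an added example, not the page's or ForensiT's own code: it builds the lookup CSV from the domain profiles present on the machine using the page's rule (AD username = everything before @ in the UPN), takes the real UPN from AD when RSAT is available, and refuses to write the file if two profiles would land on one target. It assumes the contoso.com suffix and a header-less "OldAccount,NewAccount" line layout; confirm the layout against the User Profile Wizard Deployment Kit documentation before use.

```powershell
# Added example (not from the page or ForensiT). Generates the lookup CSV that step 12
# points User Profile Wizard at, one domain profile per row.
# ASSUMPTIONS: tenant UPN suffix is contoso.com; the file is "OldAccount,NewAccount"
# per line with no header. Verify both before running the migration.

$OldDomain  = 'CONTOSO'
$UpnSuffix  = 'contoso.com'
$OutputPath = Join-Path $env:USERPROFILE 'Documents\ForensiTUserLookup.csv'

# With RSAT present, read the real UPN from AD instead of assuming user@suffix; this
# covers accounts whose sAMAccountName differs from their UPN prefix.
$useAd = [bool](Get-Command Get-ADUser -ErrorAction SilentlyContinue)

$rows = foreach ($p in Get-CimInstance Win32_UserProfile | Where-Object { -not $_.Special }) {
    try {
        $sid     = New-Object System.Security.Principal.SecurityIdentifier $p.SID
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        Write-Warning "Unresolvable SID $($p.SID) at $($p.LocalPath); skipped (orphaned profile?)"
        continue
    }
    $domain, $user = $account -split '\\', 2
    if ($domain -ne $OldDomain) { continue }   # local and machine accounts are not migrated

    $upn = "$user@$UpnSuffix"                  # the page's default rule
    if ($useAd) {
        $adUser = Get-ADUser -Identity $user -Properties UserPrincipalName -ErrorAction SilentlyContinue
        if ($adUser -and $adUser.UserPrincipalName) { $upn = $adUser.UserPrincipalName }
        else { Write-Warning "$account not found in AD; using derived UPN $upn" }
    }
    [pscustomobject]@{ OldAccount = $account; NewAccount = $upn; ProfilePath = $p.LocalPath }
}

# Each profile must map to exactly one cloud identity, or one user inherits another's data.
$dupes = $rows | Group-Object NewAccount | Where-Object Count -gt 1
if ($dupes) { throw "Several profiles map to the same target: $($dupes.Name -join ', ')" }

$rows | ForEach-Object { "$($_.OldAccount),$($_.NewAccount)" } |
    Set-Content -Path $OutputPath -Encoding ASCII
$rows | Format-Table OldAccount, NewAccount, ProfilePath -AutoSize
```

Review the printed table against the Entra user list before step 18; any warning line is a profile that will fall through to "user not found in lookup file" handling.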