Hybrid to full cloud

Posted by sanded11@reddit | sysadmin | View on Reddit | 10 comments

Hello,

As the title suggests my company wants to make the move to full cloud. The caveat? We have on-Prem resources that they want to keep utilizing.

I’ve done a couple things. Devices are on intune hybrid joined. It’s annoying cause I know a lot can be automated. There was no sccm here so had to build intune from ground up. User, group management still on-Prem but we have AD connector for syncing for the most part. Groups, distribution groups I try to make O365 only. Security groups of course are on-Prem. It’s all over the place. I’ve only looked/researched today only on where I can start with all this. Has anyone here done the project before? Where to start? Best practices? Any articles you’ve referenced would be great to.

I’m still doing my own research but I know this is massive and I am on of 3 for my company so I’m trying to get all the guidance I can.

Thank you in advance! And ask questions if I’m missing information that you need.

[-]

iAmCloudSecGuru@reddit

Been there. Done that. Here’s how to solve this problem in a structured, actionable way:

Step-by-Step Plan to Transition from Hybrid to Full Cloud

1. Inventory & Assess

Document:
Current on-prem infrastructure (AD, file servers, applications, print servers, etc.).
All Azure AD Connect settings and sync rules.
Existing hybrid Intune join device configuration.
Any dependencies on on-prem security groups, GPOs, file shares, etc.

2. Identity Modernization

Goal: Move away from Hybrid AD Join to Azure AD Join.
Actions:
Start transitioning users/devices to Azure AD Join (new devices first).
Ensure SSO and Conditional Access are working correctly in Azure.
If you still need some on-prem resources (e.g., legacy apps), use Azure AD Kerberos for authentication or Hybrid Cloud Print for print.

3. Group and Policy Management

Goal: Shift group/policy control from on-prem AD to cloud.
Actions:
Rebuild security groups in Azure AD and assign them via Intune and M365.
Replace GPOs with Intune Configuration Profiles + Settings Catalog + Administrative Templates.

[-]

iAmCloudSecGuru@reddit

4. Device Management

Goal: Fully modern Intune-based management.
Actions:
Convert hybrid-joined devices to Azure AD Join.
Use Autopilot for new device provisioning.
Ensure compliance policies, apps, and configurations are in place in Intune.

5. Exchange, SharePoint, and File Services

Goal: Decommission on-prem Exchange/File servers.
Actions:
Migrate mailboxes to Exchange Online (if not already done).
Repoint distribution groups and shared mailboxes to M365-native groups.
Migrate file shares to SharePoint Online, OneDrive, or Azure Files (depending on use case).

6. Decommission Legacy Systems

Gradually:
Decommission on-prem domain controllers once Azure AD + Entra ID protection can fully handle auth needs.
Remove AD Connect if no apps need LDAP or AD auth.

Best Practices

Start small — pilot migrations with test users and machines.
Use Microsoft tools like:
Azure Migrate
Cloud Adoption Framework
Intune Troubleshooting Portal
Document and train helpdesk/support staff on post-migration workflows.

[-]

iAmCloudSecGuru@reddit

Helpful Articles & Tools

Common Gotchas

Legacy apps requiring on-prem auth (can often be refactored or use Azure AD Application Proxy).
Print servers and legacy file shares — replace with Universal Print or SharePoint/OneDrive.
Users losing mapped drives or GPO-driven settings — be sure to cover in change management/training.

[-]

sanded11@reddit (OP)

Incredible layout. This is huge and I can adapt this to our environment. Will definitely work this to show my team. You are a rockstar sir and I thank you a million.

[-]

Due_Programmer_1258@reddit

Careful - this looks very much like ChatGPT output

[-]

Borgquite@reddit

If you still have some on-premises DLs or mail-enabled security groups, here’s a great script to migrate them

https://timmcmic.wordpress.com/2023/01/08/office-365-distribution-list-migration-version-2-0/

[-]

cpz_77@reddit

Haven’t had to do this myself yet - the question comes up in discussion every so often but realistically we’re still at least 3-5 years away from not needing on prem AD (minimum). From the angles we have discussed though , one thing I might suggest is do it in stages. Don’t try to cram it all into a single window, there’s way too many pieces involved.

I’d also suggest don’t be afraid to tell leadership “I don’t think we are at that point yet” if that turns out to be the case. Of course if they want to force it anyway they will, but make sure they are very aware of all the trade offs - time investment, possible changes in workflow or lost functionality etc. And don’t forget cost (depending on what new services you may end up utilizing to replace on prem functionality). That way if they force it through and are unhappy with the results (because of limitations you have no control over) they can’t say you didn’t warn them.

[-]

sanded11@reddit (OP)

Definitely going to keep this in the back of my head as I move forward with the project. I have a good relationship with some of the higher leadership so I’m hoping they would be receptive to push back if it is needed.

[-]

Odd-Sun7447@reddit

Move a pair of actual DCs into Azure.

Azure Active Directory Domain Services sucks donkey balls, and EntraID just isnt fully baked, even after like 15 years.

[-]

orion3311@reddit

Get to a point where you dont depend on AD for groups. Utilize dynamic groups as much as you can in Entra. Keep AD groups for AD resources only.