Introduction
It is sometimes necessary to determine if a laptop is registered or joined to an Azure AD domain.
Also, during a Microsoft 365 tenant to tenant migration, you may want to reset these settings either manually or in an automated way in order to ease the use of the laptop in the new tenant, after your users have been migrated.
What is the advantage of Azure AD join?
On devices joined to Azure AD, you get an integrated experience when accessing any cloud or on-premises resources. Once you sign in to a Windows machine that’s joined to Azure AD, you get single sign-on to all applications without any additional sign-in prompts. This is why you may want to be able to join the computer to the new Azure AD after a migration, so that your users keep having a transparent experience.
This article shows you where the laptop stores this information, how to find it and how to reset these settings.
Before starting, you may ask yourself: what is the difference between Azure AD Registered, Azure AD joined and Hybrid Azure AD joined?
Azure AD Registered: The goal of Azure AD registered devices (also known as Workplace joined) is to provide your users with support for bring your own device (BYOD) or mobile device scenarios. In these scenarios, a user can access your organization’s resources using a personal device. See Azure AD Registered Devices
Azure AD Joined: For corporate and managed devices, enabling access to both cloud and on-premises apps and resources. Azure AD joined devices are signed in to using an organizational Azure AD account. See Azure AD Joined Devices
Hybrid Azure AD joined: Organizations with existing Active Directory implementations can benefit from some of the functionality provided by Azure Active Directory (Azure AD) by implementing hybrid Azure AD joined devices. These devices are joined to your on-premises Active Directory and registered with Azure Active Directory. See Hybrid Azure AD Joined Devices
How to determine if a user account is registered to Azure AD? (Azure AD Registered)
The information is stored in the registry, under HKEY_CURRENT_USER at:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\WorkplaceJoin
How to determine if a computer is joined to Azure AD? (Azure AD Joined)
The information is stored in the registry, under HKEY_LOCAL_MACHINE at:
HKLM\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo
Tool to check if computer is joined or registered
Alternatively, you can use the Microsoft command-line tool dsregcmd to determine if a computer is joined or registered to an Azure AD tenant.
The command is: dsregcmd.exe /status
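As an added example (not code from the original article or from Cloudiway), the following PowerShell script reads the two registry locations described above and parses the output of dsregcmd.exe /status, so that the three indicators can be compared on each machine before a migration. It is read-only. It assumes that each JoinInfo key holds one GUID-named subkey per join and that those subkeys may carry TenantId and UserEmail values; those value names are assumptions, not taken from the article.

```powershell
# Added audit script: reports Azure AD registration/join state. Changes nothing.
# Assumption: JoinInfo subkeys are named by GUID and may carry TenantId/UserEmail.
function Get-AadJoinState {
    [CmdletBinding()]
    param()

    $userKey   = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\WorkplaceJoin'
    $deviceKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\JoinInfo'

    # Azure AD Registered (workplace joined) state is per user, under HKCU.
    $registered = Test-Path -LiteralPath $userKey
    $regTenants = @()
    if ($registered) {
        $regTenants = Get-ChildItem -LiteralPath "$userKey\JoinInfo" -ErrorAction SilentlyContinue |
            ForEach-Object { $_.PSChildName }
    }

    # Azure AD Joined state is per device, under HKLM; one subkey per join.
    $joined = $false
    $joinInfo = @()
    if (Test-Path -LiteralPath $deviceKey) {
        $subKeys = Get-ChildItem -LiteralPath $deviceKey -ErrorAction SilentlyContinue
        $joined = ($subKeys | Measure-Object).Count -gt 0
        $joinInfo = foreach ($k in $subKeys) {
            $p = Get-ItemProperty -LiteralPath $k.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{ Key = $k.PSChildName; TenantId = $p.TenantId; UserEmail = $p.UserEmail }
        }
    }

    # Cross-check with dsregcmd /status: collect its "Name : Value" lines.
    $dsreg = @{}
    if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
        dsregcmd.exe /status | ForEach-Object {
            if ($_ -match '^\s*([^:]+?)\s*:\s*(.+?)\s*$') { $dsreg[$matches[1]] = $matches[2] }
        }
    }

    [pscustomobject]@{
        AzureAdRegistered_Registry = $registered
        RegisteredTenantKeys       = $regTenants
        AzureAdJoined_Registry     = $joined
        JoinInfo                   = $joinInfo
        dsregcmd_AzureAdJoined     = $dsreg['AzureAdJoined']
        dsregcmd_WorkplaceJoined   = $dsreg['WorkplaceJoined']
        dsregcmd_DomainJoined      = $dsreg['DomainJoined']
    }
}

Get-AadJoinState | Format-List
```

A mismatch between the registry view and the dsregcmd view (for example, a JoinInfo subkey left behind after a device was retired) is worth investigating before re-joining the device to the new tenant.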
How do I unjoin or unregister a device?
While performing a tenant to tenant migration, you may want to reset this information so that the laptop can be joined to the new tenant. There are several ways to do this.
1. Manual Action
For Azure AD registered Windows 10/11 devices, take the following steps: go to Settings > Accounts > Access Work or School, select the account and select Disconnect.
2. Using Intune
If your computer is enrolled in Intune, you can retire or delete the computer from the Intune portal.
For this, navigate to https://intune.microsoft.com
3. Non managed laptops
If you have a large number of laptops not managed by Intune, it's still possible to automate this task.
All you have to do is delete the registry keys described at the beginning of the article.
You can also use the Cloudiway local agent to perform this task: see the Intune migration module.
A local agent deployed on the laptop takes care of the unregistration and allows the user to register with the new tenant once they have been migrated.