Overview
Everything you need in place before running your first migration - licensing, supported device states, network access, identity configuration, Microsoft Graph permissions, application registration in Microsoft Entra ID, and pilot readiness.
This page defines the technical, identity, network, security, and operational prerequisites that must be completed before running Opsole Migrate on production devices.
Do not begin production migration until every required prerequisite has been validated on representative pilot devices.
With Opsole Migrate, you can:
- Migrate devices from Active Directory Joined to Microsoft Entra ID Joined
- Convert Hybrid Microsoft Entra ID Joined devices to cloud-only Microsoft Entra ID Joined
- Perform Tenant-to-Tenant device migrations for mergers, acquisitions, divestitures, and tenant consolidation
All without:
- Reimaging or wiping devices
- Losing user profiles, configurations, or local data
- Requiring users to rebuild their Windows environment after migration
Five-minute Checklist
The full detail for each item appears later in the page.
- Microsoft Intune and Microsoft Entra ID P1+ licenses are assigned and active.
- Target devices are in a supported state and meet hardware, OS, profile, and recovery requirements.
- Intune automatic enrollment is configured and the MDM authority is Intune.
- The Opsole Migrate app registration exists, Graph permissions are consented, and validation returns PASS.
- The provisioning package plan accounts for the 180-day token limit and secure handling of the package.
- Network, proxy, DNS, and TLS connectivity have been validated from a representative device.
- Conditional Access and MFA policies have been reviewed and scoped exclusions are documented.
- EDR, antivirus, WDAC, AppLocker, and application-control allow-listing has been configured and verified.
- BitLocker, LAPS, local administrator access, and recovery procedures are confirmed.
- Pilot devices, pilot success criteria, service desk readiness, and rollback ownership are agreed.
- Known operational behaviors, including ConfigMgr client removal where applicable, are approved in change management.
Do Not Proceed If
Do not start migration on production devices if any of the following are true:
- The provisioning package has not been validated on a test device.
- The Entra app registration validation does not return PASS.
- Required Microsoft Graph permissions are missing or admin consent has not been granted.
- Conditional Access or MFA blocks device registration or provisioning package execution.
- EDR, antivirus, WDAC, AppLocker, or application-control exclusions have not been tested.
- The device cannot reach Microsoft and Opsole endpoints over HTTPS 443.
- The user profile is temporary, corrupted, roaming, mandatory, or container-based.
- Representative pilot testing has not been completed to identify services, scheduled tasks, backup agents, monitoring tools, or security tools that may load the user profile before the profile migration phase completes.
- BitLocker recovery access and local administrator recovery access are not confirmed.
- Service desk, recovery, and escalation procedures are not agreed.
Prerequisite Scope by Migration Scenario
| Requirement | AD / Hybrid to Entra | Tenant-to-Tenant |
|---|---|---|
| Microsoft Intune licensing | Current tenant | Source and target tenants |
| Microsoft Entra ID P1/P2 | Current tenant | Source and target tenants |
| Entra app registration | Current tenant | Source and target tenants |
| Provisioning package | Current or target Entra tenant used for post-migration join | Target tenant |
| AD disjoin account | Required for AD or Hybrid devices | Required only if source device is AD or Hybrid joined |
| Intune automatic enrollment | Current or target tenant used for post-migration enrollment | Target tenant |
| Conditional Access review | Current or target tenant used for post-migration join and enrollment | Source and target tenants |
| Microsoft Graph permissions | Current tenant | Source and target tenants |
| EDR/AV exclusions | Target devices | Target devices |
| Pilot validation | Representative AD or Hybrid devices | Representative source and target tenant devices |
Estimated Time
| Activity | Typical effort |
|---|---|
| Reading and scoping this page | 30-45 min |
| Application registration in Microsoft Entra ID | 15 min |
| Validation of the application registration | 5 min |
| Provisioning package creation and validation | 30-60 min |
| EDR / antivirus allow-listing | 1 hr to several days, depending on security process |
| Controlled pilot of 10-25 devices | 1-2 weeks |
Responsibility Matrix
Migration prerequisites span several customer teams. The matrix below makes ownership explicit so the right person sees the right section.
| Area | Owner |
|---|---|
| Microsoft licensing | Identity / M365 admin |
| Device readiness and OS health | Endpoint / desktop engineering |
| Outbound HTTPS, proxy, TLS inspection, and DNS | Network / infrastructure |
| Microsoft Entra, Intune, and Conditional Access configuration | Identity / security |
| Microsoft Graph application registration | Identity admin / application administrator |
| Active Directory disjoin account | Active Directory admin |
| EDR, antivirus, WDAC, AppLocker, and application-control allow-listing | Security operations |
| Provisioning package generation, storage, validation, and rotation | Endpoint engineering |
| End-user communication, change management, and service desk briefing | Change management / service desk |
| Recovery procedure and rollback ownership | Project lead / endpoint engineering |
| Pilot execution, success criteria, and exit decision | Project lead / endpoint engineering |
| Opsole portal configuration, validation support, and product issues | Opsole team |
1. Prerequisites for Using Opsole Migrate
Before deploying Opsole Migrate, ensure that the following prerequisites are met for all migration scenarios. This includes AD-to-Entra, Hybrid-to-Entra, and Tenant-to-Tenant migrations. These requirements must be satisfied in the appropriate source and destination tenants to provide a secure and reliable migration experience.
1.1 Microsoft Licensing Requirements
Each user and device involved in the migration process must have the required Microsoft licenses assigned.
Required licenses:
- Microsoft Intune
- Standalone license or included in Microsoft 365 E3/E5
- Microsoft Entra ID P1 or P2
- Standalone license or included in Microsoft 365 E3/E5
- Windows 10/11 supported edition
- OEM, volume licensing, or Microsoft 365 entitlement
- Pro, Enterprise, or Education editions only. Windows Home is not supported.
Tenant-to-Tenant note: Licenses must exist in both the source tenant and the target tenant so devices remain compliant during transition and can enroll after Microsoft Entra ID Join.
Licenses must be active and assigned before migration.
1.2 Supported Device Management States
Opsole Migrate supports devices in the following starting states:
- Active Directory Domain Joined
- Hybrid Microsoft Entra ID Joined
- Microsoft Entra ID Joined for Tenant-to-Tenant scenarios
- Fully Microsoft Intune managed
The following are not supported and must be remediated before migration:
- Devices joined only to a workgroup
- AD-joined devices whose users are not synchronized to Microsoft Entra ID
- Windows Home edition
- Roaming user profiles, mandatory profiles, temporary profiles, corrupted profiles, and profile-container technologies such as FSLogix, Citrix UPM, and VDI
- Devices managed by third-party non-Microsoft MDM platforms without a separate planning conversation with Opsole
For the full list of behaviors and edge cases, see Known Behaviors & Considerations.
1.3 Client Device Technical Requirements
All client devices must meet the following minimum hardware, software, and state requirements.
| Specification | Minimum requirement |
|---|---|
| OS version | Windows 10 or Windows 11 |
| Windows edition | Pro, Enterprise, or Education. Windows Home is not supported. |
| RAM | 8 GB |
| Storage | 100 GB |
| Processor | 64-bit CPU with 2+ cores; 4 cores recommended |
| TPM | TPM 2.0 or higher |
| Connectivity | Stable internet connection |
| Disk health | Device must have a healthy system volume with sufficient free space for migration operations and logs. |
| User profile health | Profile must be local, healthy, and not temporary or corrupted. |
| Local admin / SYSTEM execution | Migration components must be allowed to run elevated and under SYSTEM. |
| BitLocker state | BitLocker must be healthy; recovery key handling must be validated if enabled. |
Devices not meeting these minimum specifications may experience performance degradation, compatibility issues, or migration failure.
1.4 Network Requirements
To enable a smooth and uninterrupted migration experience, the network used by devices must meet the following requirements:
-
Support outbound HTTPS port 443
-
Allow system-level outbound HTTPS without prompting the user for proxy authentication
-
Avoid proxy configurations that require interactive user authentication
-
Avoid captive-portal networks during migration; hotel, airport, and guest Wi-Fi captive portals cannot complete non-interactive OAuth and provisioning flows
-
Allow DNS resolution for Microsoft and Opsole service endpoints
-
Allow device registration and join from the device's current network location
-
Allow outbound access to the following Microsoft and Opsole service endpoints:
https://*.microsoft.comhttps://*.msazure.cnhttps://*.microsoftonline.comhttps://*.microsoftonline-p.comhttps://*.microsoftonline.ushttps://*.microsoftonline.dehttps://*.microsoftonline.cnhttps://*.amazonaws.comhttps://*.opsole.com
Network Connectivity Validation
Before starting migration activities, verify that client devices can successfully reach required Microsoft and Opsole service endpoints.
Run the following commands on a client device using PowerShell:
Test-NetConnection graph.microsoft.com -Port 443
Test-NetConnection login.microsoftonline.com -Port 443
Test-NetConnection migrate-adminus.opsole.com -Port 443
Test-NetConnection amigrate-admineu.opsole.com -Port 443Confirm that each command returns:
TcpTestSucceeded : TrueAbout hosting and regions: Opsole backend services are hosted on AWS. Regional hosting options, where available, are confirmed during onboarding and documented in the customer's security pack. If your egress proxy filters by destination IP rather than FQDN, request the current IP ranges from Opsole Support.
1.5 Access and Configuration Requirements
To successfully deploy and manage AD-to-Entra, Hybrid-to-Entra, and Tenant-to-Tenant migrations, access and configuration must be in place across Microsoft Entra ID, Active Directory where applicable, and Microsoft Intune.
Microsoft Entra ID Administrative Roles
An administrator with sufficient Microsoft Entra privileges is required to register the application, create the client secret, assign Microsoft Graph application permissions, and grant admin consent.
Common roles involved include:
- Global Administrator
- Privileged Role Administrator
- Cloud Application Administrator or Application Administrator
Your organization may require separate approval for granting tenant-wide application permissions.
Active Directory Access Requirements
An account with delegated permissions to disjoin devices from Active Directory is required when migrating AD-joined or Hybrid-joined devices.
The minimum delegated permissions on the OU containing the target computer objects are:
- Delete on Computer objects
- Read all properties on Computer objects
The detailed account creation and validation procedure is covered in AD Disjoin Account Preparation.
Microsoft Entra ID and Intune Configuration Requirements
The following table lists the Microsoft Entra ID and Intune configuration requirements for device migration using Opsole Migrate.
- For AD-to-Entra and Hybrid-to-Entra migrations, apply these settings in the tenant the device will join after migration.
- For Tenant-to-Tenant migrations, apply these settings in the target destination tenant, and review source-tenant policies that may affect cleanup or API operations.
| Setting | Recommended |
|---|---|
| Automatic Enrollment (User Scope) | All or a scoped group containing the target users |
| MDM authority | Microsoft Intune |
| Allow users to join devices to Microsoft Entra ID | Enabled or scoped to the package/provisioning account |
| Require MFA for join/register devices | No |
| Enrollment restrictions | Windows platform must be allowed |
| Device-limit restrictions | Confirm the per-user device limit will not block enrollment of migrated devices |
| Enrollment Status Page (ESP) | Review targeted ESP behavior before production migration |
| Conditional Access policies | Exclude the bulk enrollment / package account where required |
| Microsoft Defender for Endpoint onboarding | If MDE is in use, confirm post-migration enrollment will re-onboard the device cleanly |
Misconfiguration of these settings can prevent devices from joining or enrolling during AD-to-Entra, Hybrid-to-Entra, or Tenant-to-Tenant migrations.
Conditional Access and MFA Requirements
Automated device join and provisioning package execution use non-interactive flows. Policies that require interactive MFA, compliant device state, trusted network location, or hybrid-joined state can block migration.
Review and scope exclusions for:
- Bulk enrollment / package account
- Device registration and join
- Microsoft Graph application authentication
- Target tenant enrollment
- Cross-tenant access restrictions, where applicable
Review every Conditional Access policy that enforces any of the following:
- MFA for device registration or join
- Compliant device requirement
- Hybrid-joined device requirement
- Trusted-location requirement
- Approved-client-app requirement
- Sign-in or user risk controls
- Blocking legacy or unknown platforms
- Cross-tenant restrictions
All exclusions should be time-bound, documented, and removed after the migration window.
1.6 Required Microsoft Graph API Permissions
The Opsole Migrate application requires Microsoft Graph application permissions to perform device management, user lookup, identity correlation, Intune cleanup, recovery, and post-migration assignment operations.
- For AD-to-Entra and Hybrid-to-Entra migrations, configure these permissions in the tenant where the migration operations are performed.
- For Tenant-to-Tenant migrations, configure the permissions in both the source and target tenants.
Only grant permissions required for the enabled migration features. Feature-dependent permissions are required only when the corresponding capability is enabled, such as LAPS retrieval, group restoration, or configuration profile handling.
| Permission | Type | Scope | Used for |
|---|---|---|---|
User.Read.All | Application | Required | Read user attributes for identity correlation. |
Device.ReadWrite.All | Application | Required | Update device attributes and clean up source-tenant device objects. |
Directory.Read.All | Application | Required | Read directory objects for migration mapping. |
DeviceManagementManagedDevices.ReadWrite.All | Application | Required | Clean up Intune device records and restore the primary user assignment. |
DeviceManagementServiceConfig.ReadWrite.All | Application | Required | Read Intune service configuration used by validation. |
DeviceManagementConfiguration.ReadWrite.All | Application | Feature-dependent | Read Intune configuration profiles and apply post-migration policies when that feature is enabled. |
GroupMember.ReadWrite.All | Application | Feature-dependent | Restore cloud group memberships after migration. |
DeviceLocalCredential.Read.All | Application | Feature-dependent | Retrieve LAPS credentials for migration. |
DeviceLocalCredential.ReadBasic.All | Application | Feature-dependent | Retrieve LAPS credential metadata. |
These permissions require Admin Consent during the application registration process in Microsoft Entra ID.
1.7 Tooling on Your Administrative Workstation
The following tool is required to support provisioning package creation and validation:
- Windows Configuration Designer (WCD) Used to create Windows bulk enrollment provisioning packages.
Administrative portal access requires a modern browser, internet access, and permission to access the Opsole Migrate portal and Microsoft admin portals used during setup.
For Tenant-to-Tenant migrations, ensure the provisioning package is created using the target tenant configuration.
Download Windows Configuration Designer from the Microsoft Store.
The migration depends on a Windows bulk enrollment provisioning package (.ppkg) generated against the Microsoft Entra tenant the device will join. The package itself is created later in Provisioning Package Configuration, but the constraints below must be planned now.
The provisioning package should be treated like a credential because it contains a bulk enrollment token. Access must be restricted to migration administrators only.
Validate the package before uploading it to the Opsole Migrate portal by applying it to a non-production standalone Windows device and confirming AzureAdJoined : YES using dsregcmd /status.
| Constraint | Detail |
|---|---|
| Token validity | Microsoft sets a maximum 180-day validity on the bulk enrollment token embedded in the PPKG. Plan migration waves to finish well within that window. |
| MFA support | The bulk enrollment flow does not support MFA. This is a Microsoft platform limitation, not an Opsole limitation. |
| Tenant correctness | For Tenant-to-Tenant, the PPKG must be generated against the target tenant. Generating it against the source tenant is a common silent failure. |
| Storage and handling | Treat the PPKG as a sensitive credential. Store it in a secrets vault or access-controlled storage. Do not email it or commit it to source control. |
| Revocation | If the PPKG is leaked, lost, or no longer needed, revoke it by deleting the corresponding package_{GUID} user object in Microsoft Entra ID. |
| Rotation | If the migration runs across the 180-day boundary, generate a new PPKG, upload it to the Opsole Migrate portal, and revoke the previous package account. |
| Reuse | Never reuse a PPKG across different customers, tenants, or unrelated migration projects. |
| Pilot | Validate every new PPKG against a non-production device before using it in a production wave. |
1.8 Application and User Experience Readiness
Before production rollout, validate business-critical applications through pilot migrations on representative devices.
Review and test:
- Microsoft 365 Apps sign-in behavior after migration
- Outlook profile behavior and additional mailbox access
- OneDrive sync behavior and known folder redirection state
- Microsoft Teams sign-in and cache behavior
- Browser profiles, saved passwords, and sync behavior
- VPN clients that depend on certificates, device compliance, domain trust, or machine identity
- Third-party security, backup, monitoring, and remote support agents
- Windows services running under user or domain accounts
- Scheduled tasks configured with saved user credentials
Applications that bind configuration, licensing, certificates, cached credentials, or tokens to the old domain or tenant identity may require reauthentication or reconfiguration after migration.
During pilot validation, check whether any background process loads the user's profile before the protected profile migration phase completes. Common sources include services running under the user account, startup scheduled tasks, backup tools, monitoring agents, endpoint security tools, and remote support agents. Use Opsole Migrate pre-check results, Windows Event Viewer, service configuration, scheduled task configuration, and local profile status checks to identify and remediate these conditions before production rollout.
1.9 Recovery Access Requirements
Before migration, confirm that support teams have a recovery path if a device becomes inaccessible.
| Recovery item | Requirement |
|---|---|
| Local administrator access | A working local administrator or LAPS recovery path must be available. |
| BitLocker recovery | Recovery keys must be available through the approved recovery location. |
| Patch recovery workflow | Support teams must know when and how to use Patch.exe from C:\ProgramData\OpsoleMigrate\runtime. |
| Service desk escalation | Failed or stuck migration devices must have a documented escalation path. |
1.10 People and Process Readiness
Migration prerequisites are not only technical. The following must be ready before any user device migrates.
| Area | Requirement |
|---|---|
| End-user communication | Users must be told the migration window, that they will see automated reboots, that they must not log in while the migration banner is shown, and where to get help. |
| Migration mode | Decide whether migration is user-initiated, IT-scheduled silent, or enforced, and document the support implications. |
| Device state during migration | Devices should be on power and on a stable network. Users should save and close work before migration starts. |
| Service desk readiness | First-line support must know the banner, the automated reboots, the post-migration sign-in prompt, and the agreed escalation path for failures. |
| Recovery / rollback | The support team must know the approved recovery procedure for a stuck device, including the Patch.exe flows in the Troubleshooting Guide. |
| Change-management record | Record every temporary exclusion, including Conditional Access, MFA-for-device-registration exceptions, and EDR allow-listing, with an owner and removal date. |
| Source object cleanup timing | Do not manually delete source AD, Entra, Intune, or Autopilot records until the Opsole workflow and validation steps are complete, unless the action is part of the approved migration procedure. |
Pilot Exit Criteria
Do not proceed to broad deployment until pilot devices meet the agreed success criteria:
- Device is Microsoft Entra ID joined
- Device is enrolled in Intune
- User can sign in with Entra ID credentials
- Existing profile, files, settings, and application state are available
- BitLocker and LAPS recovery paths are confirmed, where enabled
- Primary user, group restoration, and post-migration assignments are validated
- Business-critical applications, VPN, Microsoft 365 Apps, OneDrive, Outlook, Teams, and browser sign-in behavior are validated
- No EDR/AV blocks are observed
- Migration status and logs are visible in the portal
1.11 Configure Security Software Exclusions
Opsole Migrate performs system-level operations - domain unjoin, scheduled-task creation, registry edits, BitLocker queries, provisioning package execution, profile reassociation, and post-migration cleanup - that endpoint security tooling will inspect closely. Without explicit allow-listing, it is common for an EDR, antivirus, WDAC, AppLocker, or hardening policy to block, quarantine, or delete components mid-migration.
The exclusions must be deployed and verified on representative devices that reflect production conditions.
What to Allow-list
Apply all three exclusions below.
Code-signing Certificate Trust
Trust the Opsole code-signing certificate so that all signed components are recognized as legitimate without behavioral-analysis triggers.
- Subject:
CN=Opsole Ltd, O=Opsole Ltd, ... - Issuer, SHA-256 thumbprint, and validity: provided in the certificate-trust pack delivered to your security team during onboarding. If you have not received it, contact Opsole Support.
File-system Path Exclusions
Exclude the Opsole Migrate runtime directories from real-time analysis and on-write scanning:
C:\Program Files\Opsole\OpsoleMigrate\C:\ProgramData\OpsoleMigrate\C:\ProgramData\OpsoleMigrate\runtime\C:\ProgramData\OpsoleMigrate\logs\
Process and Behavior Allowances
Security tools must allow Opsole Migrate components to:
- Create and run scheduled tasks
- Execute under the SYSTEM account
- Write migration state to
HKLM\SOFTWARE\Opsole\OpsoleMigrate - Query BitLocker, WMI, profile, and device join state
- Run provisioning package operations
- Create and update runtime logs
- Execute
OpsoleMigrate.exe,InterMigrate.exe,PostMigrate.exe, andPatch.exe
Also confirm that:
- Application-control, WDAC, and AppLocker policies allow Opsole-signed binaries to execute.
- Controlled folder access in Microsoft Defender does not block writes to the runtime and logs paths above.
- EDR isolation actions are paused for the migration window. Automated isolation during Phase 2 can leave the device stuck.
Verification Gate
Do not proceed until all of the following are true:
- Security tooling has the Opsole allow-list applied.
- Representative pilot devices have received the exclusion policy.
- Scheduled task creation and SYSTEM-context execution are verified.
- No Opsole Migrate runtime files are quarantined during pilot validation.
Next Steps
- Continue to Entra Application Registration
How is this guide?
How OpsoleMigrate Works
This section covers the **hands-on setup and execution** steps: creating the provisioning package with WCD, preparing the AD disjoin account, and configuring the Opsole Migrate portal (including domain, BitLocker, attributes, and provisioning package upload).
Entra Application Registration
Register the Opsole Migrate application in Microsoft Entra ID, grant Microsoft Graph permissions, create a client secret, and validate authentication.