Migration Prerequisites

Overview

Everything you need in place before running your first migration - licensing, supported device states, network access, identity configuration, Microsoft Graph permissions, application registration in Microsoft Entra ID, and pilot readiness.

This page defines the technical, identity, network, security, and operational prerequisites that must be completed before running Opsole Migrate on production devices.

Do not begin production migration until every required prerequisite has been validated on representative pilot devices.

With Opsole Migrate, you can:

  • Migrate devices from Active Directory Joined to Microsoft Entra ID Joined
  • Convert Hybrid Microsoft Entra ID Joined devices to cloud-only Microsoft Entra ID Joined
  • Perform Tenant-to-Tenant device migrations for mergers, acquisitions, divestitures, and tenant consolidation

All without:

  • Reimaging or wiping devices
  • Losing user profiles, configurations, or local data
  • Requiring users to rebuild their Windows environment after migration

1. Opsole Migrate Pre-Migration Readiness

Before deploying Opsole Migrate, ensure that the following prerequisites are met for every migration scenario: AD-to-Entra, Hybrid-to-Entra, and Tenant-to-Tenant. These requirements must be satisfied in the appropriate source and destination tenants to provide a secure and reliable migration experience.

1.1 Licensing Requirements

Each user and device involved in the migration process must have the required Microsoft licenses assigned.

Required licenses and plans:

  • Microsoft Intune: Intune Plan 1/Suite, or Microsoft 365 E3 / E5 / E7 / Business Premium
  • Microsoft Entra ID: Entra ID P1/P2, or Microsoft 365 E3 / E5 / E7 / Business Premium
  • Windows 10/11 supported edition: Pro, Enterprise, or Education editions

Tenant-to-Tenant note: Licenses must exist in both the source tenant and the target tenant so devices remain compliant during transition and can enroll after Microsoft Entra ID Join.

Licenses must be active and assigned before migration.


1.2 Supported Device Management States

Opsole Migrate supports devices in the following starting states:

Supported:

  • Active Directory Domain Joined
  • Hybrid Microsoft Entra ID Joined
  • Microsoft Entra ID Joined for Tenant-to-Tenant scenarios
  • Fully Microsoft Intune managed

Not supported:

  • Devices joined only to a workgroup
  • AD-joined devices whose users are not synchronized to Microsoft Entra ID
  • Windows Home edition
  • Roaming user profiles, mandatory profiles, temporary profiles, corrupted profiles, and profile-container technologies such as FSLogix, Citrix UPM, and VDI
  • Devices managed by third-party non-Microsoft MDM platforms without a separate planning conversation with Opsole

1.3 Environment Dependencies

Opsole Migrate depends on the correct operation of Microsoft Windows 10/11, Microsoft Entra ID, Microsoft Intune, provisioning packages, network connectivity, endpoint security controls, and overall customer environment readiness. If environmental conditions prevent a required operation from completing, migration cannot continue until those conditions are resolved within the environment.

Opsole Support provides assistance with product-related issues, migration behavior, migration log analysis, and identification of conditions affecting the migration process. Environmental and infrastructure conditions affecting Microsoft Entra join, Windows profile access, networking, endpoint security, operating system behavior, or other customer-managed dependencies must be resolved within the customer environment before migration can continue.


1.4 Client Device Technical Requirements

All client devices must meet the following minimum hardware, software, and state requirements.

  • OS version: Windows 10 or Windows 11
  • Windows edition: Pro, Enterprise, or Education. Windows Home is not supported.
  • RAM: 8 GB
  • Storage: 100 GB
  • Processor: 64-bit CPU with 2+ cores; 4 cores recommended
  • TPM: TPM 2.0 or higher
  • Connectivity: Stable internet connection
  • Disk health: Device must have a healthy system volume with sufficient free space for migration operations and logs.
  • User profile health: Profile must be local, healthy, and not temporary or corrupted.
  • Local admin / SYSTEM execution: Migration components must be allowed to run elevated and under SYSTEM.
  • BitLocker state: BitLocker must be healthy; recovery key handling must be validated if enabled.

Devices not meeting these minimum specifications may experience performance degradation, compatibility issues, or migration failure.
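As an added example (not part of Opsole's tooling), the following PowerShell checks a device against the minimum requirements above and reports each one as PASS or FAIL; run it elevated on a pilot device. The function name, the 20 GB free-space threshold and the .bak ProfileList heuristic for temporary profiles are assumptions, not Opsole's criteria.

```powershell
# Added example, not Opsole tooling. Run elevated: the TPM and BitLocker queries need admin.
function Test-MigrationDeviceReadiness {
    $os  = Get-CimInstance Win32_OperatingSystem
    $cs  = Get-CimInstance Win32_ComputerSystem
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm `
                           -ErrorAction SilentlyContinue
    $bootDisk = Get-Disk | Where-Object IsBoot | Select-Object -First 1
    $sysVol   = Get-Volume -DriveLetter $env:SystemDrive.TrimEnd(':')
    $blv      = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    # A ProfileList subkey ending in .bak means Windows once failed to load that profile and
    # signed the user in with a temporary profile; resolve it before migrating the device.
    $bakProfiles = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
                   Where-Object PSChildName -like '*.bak'

    $checks = [ordered]@{
        'Windows 10 or 11'              = $os.Caption -match 'Windows 1[01]'
        'Pro, Enterprise or Education'  = ($os.Caption -match 'Pro|Enterprise|Education') -and
                                          ($os.Caption -notmatch 'Home')
        '64-bit OS'                     = $os.OSArchitecture -match '64'
        # TotalPhysicalMemory reports slightly under the installed size, so round to whole GB
        'RAM >= 8 GB'                   = [math]::Round($cs.TotalPhysicalMemory / 1GB) -ge 8
        'CPU cores >= 2'                = $cpu.NumberOfCores -ge 2
        'TPM 2.0'                       = [bool]$tpm -and ($tpm.SpecVersion -like '2.0*')
        # Disk sizes are marketed in decimal GB, so compare against 100 * 10^9 bytes
        'Boot disk >= 100 GB'           = [math]::Round($bootDisk.Size / 1e9) -ge 100
        'Free space >= 20 GB (assumed)' = $sysVol.SizeRemaining -ge 20GB  # threshold is an assumption
        'No .bak profile keys'          = -not $bakProfiles
        # BitLocker is acceptable when absent, or fully encrypted with a recovery password protector
        'BitLocker healthy'             = (-not $blv) -or (
            ($blv.VolumeStatus -eq 'FullyEncrypted') -and
            ($blv.KeyProtector.KeyProtectorType -contains 'RecoveryPassword'))
    }
    foreach ($c in $checks.GetEnumerator()) {
        Write-Host ('{0,-32} {1}' -f $c.Key, $(if ($c.Value) { 'PASS' } else { 'FAIL' }))
    }
    return -not ($checks.Values -contains $false)
}

if (-not (Test-MigrationDeviceReadiness)) { exit 1 }
```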


1.5 Network Requirements

To enable a smooth and uninterrupted migration experience, the network used by devices must meet the following requirements:

  • Support outbound HTTPS port 443

  • Allow system-level outbound HTTPS without prompting the user for proxy authentication

  • Avoid proxy configurations that require interactive user authentication

  • Avoid captive-portal networks during migration; hotel, airport, and guest Wi-Fi captive portals cannot complete non-interactive OAuth and provisioning flows

  • Allow DNS resolution for Microsoft and Opsole service endpoints

  • Allow device registration and join from the device's current network location

  • Allow outbound access to the following Microsoft and Opsole service endpoints:

    • https://*.microsoft.com
    • https://*.msazure.cn
    • https://*.microsoftonline.com
    • https://*.microsoftonline-p.com
    • https://*.microsoftonline.us
    • https://*.microsoftonline.de
    • https://*.microsoftonline.cn
    • https://*.amazonaws.com
    • https://*.opsole.com

Network Connectivity Validation

Before starting migration activities, verify that client devices can successfully reach required Microsoft and Opsole service endpoints.

Run the following commands on a client device using PowerShell:

Test-NetConnection graph.microsoft.com -Port 443
Test-NetConnection login.microsoftonline.com -Port 443
Test-NetConnection migrate-adminus.opsole.com -Port 443
Test-NetConnection amigrate-admineu.opsole.com -Port 443

Confirm that each command returns:

TcpTestSucceeded : True

About hosting and regions: Opsole backend services are hosted on AWS. Regional hosting options, where available, are confirmed during onboarding and documented in the customer's security pack. If your egress proxy filters by destination IP rather than FQDN, request the current IP ranges from Opsole Support.
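The following PowerShell is an added example, not an Opsole-provided script: it resolves each hostname, repeats the TCP test above, and then opens a TLS session so that .NET validates the server certificate for that name, which a captive portal or an untrusted intercepting proxy cannot pass even though the plain TCP test succeeds. The function name is an assumption; add the portal host(s) confirmed for your region during onboarding.

```powershell
# Added example, not an Opsole script. Run in PowerShell on a client device on its normal network.
function Test-MigrationEndpoint {
    param([string]$HostName, [int]$Port = 443)
    $dns = Resolve-DnsName -Name $HostName -ErrorAction SilentlyContinue |
           Where-Object IPAddress | Select-Object -First 1
    $tcp = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    $tlsOk = $false; $subject = ''
    if ($tcp.TcpTestSucceeded) {
        $client = $null
        try {
            $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
            $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
            # Default validation: throws when the chain is untrusted or the name does not match,
            # which is exactly what a captive portal or rogue interception looks like
            $ssl.AuthenticateAsClient($HostName)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
            $subject = $cert.Subject
            $tlsOk = $true
        } catch {
            $subject = $_.Exception.Message
        } finally {
            if ($client) { $client.Close() }
        }
    }
    [pscustomobject]@{
        Host             = $HostName
        DnsResolved      = [bool]$dns
        TcpTestSucceeded = [bool]$tcp.TcpTestSucceeded
        TlsValidated     = $tlsOk
        CertSubject      = $subject
    }
}

# Hostnames as listed above; extend with the regional portal host(s) from your security pack
$endpoints = 'graph.microsoft.com', 'login.microsoftonline.com',
             'migrate-adminus.opsole.com', 'amigrate-admineu.opsole.com'
$results = $endpoints | ForEach-Object { Test-MigrationEndpoint -HostName $_ }
$results | Format-Table -AutoSize
$failed = $results | Where-Object { -not ($_.DnsResolved -and $_.TcpTestSucceeded -and $_.TlsValidated) }
if ($failed) {
    Write-Warning ('Unreachable or untrusted from this network: ' + ($failed.Host -join ', '))
    exit 1
}
```

A corporate TLS-inspecting proxy whose root is in the machine's trusted store passes the TLS check, which is fine as long as it never demands interactive authentication.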


1.6 Identity & Access Readiness

To successfully deploy and manage AD-to-Entra, Hybrid-to-Entra, and Tenant-to-Tenant migrations, access and configuration must be in place across Microsoft Entra ID, Active Directory where applicable, and Microsoft Intune.

Microsoft Entra ID Administrative Roles

An administrator with sufficient Microsoft Entra privileges is required to register the application, create the client secret, assign Microsoft Graph application permissions, and grant admin consent.

Common roles involved include:

  • Global Administrator
  • Privileged Role Administrator
  • Cloud Application Administrator or Application Administrator

Your organization may require separate approval for granting tenant-wide application permissions.

Active Directory Access Requirements

An account with delegated permissions to disjoin devices from Active Directory is required when migrating AD-joined or Hybrid-joined devices.

The minimum delegated permissions on the OU containing the target computer objects are:

  • Delete on Computer objects
  • Read all properties on Computer objects

The detailed account creation and validation procedure is covered in AD Disjoin Account Preparation.

Microsoft Entra ID and Intune Configuration Requirements

The following Microsoft Entra ID and Intune settings are required for device migration using Opsole Migrate.

  • For AD-to-Entra and Hybrid-to-Entra migrations, apply these settings in the tenant the device will join after migration.
  • For Tenant-to-Tenant migrations, apply these settings in the target destination tenant, and review source-tenant policies that may affect cleanup or API operations.

Recommended values per setting:

  • Automatic Enrollment (User Scope): All, or a scoped group containing the target users
  • MDM authority: Microsoft Intune
  • Allow users to join devices to Microsoft Entra ID: Enabled, or scoped to the package/provisioning account
  • Require MFA for join/register devices: No
  • Enrollment restrictions: Windows platform must be allowed
  • Device-limit restrictions: Confirm the per-user device limit will not block enrollment of migrated devices
  • Enrollment Status Page (ESP): Review targeted ESP behavior before production migration
  • Conditional Access policies: Exclude the bulk enrollment / package account (package_[GUID]) where required
  • Microsoft Defender for Endpoint onboarding: If MDE is in use, confirm post-migration enrollment will re-onboard the device cleanly

Misconfiguration of these settings can prevent devices from joining or enrolling during AD-to-Entra, Hybrid-to-Entra, or Tenant-to-Tenant migrations.

Conditional Access and MFA Requirements

Automated device join and provisioning package execution use non-interactive flows. Policies that require interactive MFA, compliant device state, trusted network location, or hybrid-joined state can block migration.

Review and scope exclusions for:

  • Bulk enrollment / package account
  • Device registration and join
  • Microsoft Graph application authentication
  • Target tenant enrollment
  • Cross-tenant access restrictions, where applicable

Review every Conditional Access policy that enforces any of the following:

  • MFA for device registration or join
  • Compliant device requirement
  • Hybrid-joined device requirement
  • Trusted-location requirement
  • Approved-client-app requirement
  • Sign-in or user risk controls
  • Blocking legacy or unknown platforms
  • Cross-tenant restrictions

All exclusions should be time-bound, documented, and removed after the migration window.


1.7 Required Microsoft Graph API Permissions

The Opsole Migrate application requires Microsoft Graph application permissions to perform device management, user lookup, identity correlation, Intune cleanup, recovery, and post-migration assignment operations.

  • For AD-to-Entra and Hybrid-to-Entra migrations, configure these permissions in the tenant where the migration operations are performed.
  • For Tenant-to-Tenant migrations, configure the permissions in both the source and target tenants.

Only grant permissions required for the enabled migration features. Feature-dependent permissions are required only when the corresponding capability is enabled, such as LAPS retrieval, group restoration, or configuration profile handling.

All permissions below are of type Application:

  • User.Read.All (required): Read user attributes for identity correlation.
  • Device.ReadWrite.All (required): Update device attributes and clean up source-tenant device objects.
  • Directory.Read.All (required): Read directory objects for migration mapping.
  • DeviceManagementManagedDevices.ReadWrite.All (required): Clean up Intune device records and restore the primary user assignment.
  • DeviceManagementServiceConfig.ReadWrite.All (required): Read Intune service configuration used by validation.
  • GroupMember.ReadWrite.All (feature-dependent): Restore cloud group memberships after migration.
  • DeviceLocalCredential.Read.All (feature-dependent): Retrieve LAPS credentials for migration.
  • DeviceLocalCredential.ReadBasic.All (feature-dependent): Retrieve LAPS credential metadata.

These permissions require Admin Consent during the application registration process in Microsoft Entra ID.
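As an added example (not Opsole's tooling), the following PowerShell uses the Microsoft Graph PowerShell SDK to list the application permissions actually granted to the registered app's service principal on Microsoft Graph after admin consent, and compares them with the list above, flagging missing required permissions and any extras that the least-privilege rule says should be removed. The function name is an assumption and the application (client) ID is a placeholder.

```powershell
# Added example, not Opsole tooling. Requires the Microsoft.Graph.Authentication and
# Microsoft.Graph.Applications modules; $AppId is the registration's Application (client) ID.
function Get-MigrateAppPermissionGap {
    param([Parameter(Mandatory)][string]$AppId)
    $required = 'User.Read.All', 'Device.ReadWrite.All', 'Directory.Read.All',
                'DeviceManagementManagedDevices.ReadWrite.All',
                'DeviceManagementServiceConfig.ReadWrite.All'
    $featureDependent = 'GroupMember.ReadWrite.All',
                        'DeviceLocalCredential.Read.All', 'DeviceLocalCredential.ReadBasic.All'

    Connect-MgGraph -Scopes 'Application.Read.All'
    # Microsoft Graph's own service principal; its appRoles map role GUIDs to permission names
    $graphSp = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    $appSp   = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $appSp) { throw "No service principal for appId $AppId: admin consent was never granted." }

    $roleName = @{}
    foreach ($role in $graphSp.AppRoles) { $roleName[[string]$role.Id] = $role.Value }
    # Only application permissions appear as app role assignments; delegated grants do not
    $granted = Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $appSp.Id -All |
               Where-Object ResourceId -eq $graphSp.Id |
               ForEach-Object { $roleName[[string]$_.AppRoleId] }

    [pscustomobject]@{
        Granted                 = @($granted)
        MissingRequired         = @($required | Where-Object { $_ -notin $granted })
        # Feature-dependent grants are only justified while the matching feature is enabled
        FeatureDependentGranted = @($granted | Where-Object { $_ -in $featureDependent })
        ExtraToRemove           = @($granted | Where-Object { $_ -notin ($required + $featureDependent) })
    }
}

$gap = Get-MigrateAppPermissionGap -AppId '<application-client-id>'   # placeholder
$gap | Format-List
if ($gap.MissingRequired -or $gap.ExtraToRemove) { exit 1 }
```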


1.8 Provisioning Package Planning

The following tool is required to support provisioning package creation and validation:

  • Windows Configuration Designer (WCD): used to create Windows bulk enrollment provisioning packages.

Download Windows Configuration Designer from the Microsoft Store.

The migration depends on a Windows bulk enrollment provisioning package (.ppkg) generated against the Microsoft Entra tenant the device will join. The package itself is created later in Provisioning Package Configuration, but the constraints below must be planned now.

The provisioning package should be treated like a credential because it contains a bulk enrollment token. Access must be restricted to migration administrators only.

Validate the package before uploading it to the Opsole Migrate portal by applying it to a non-production standalone Windows device and confirming AzureAdJoined : YES using dsregcmd /status.

Constraints to plan for:

  • Token validity: Microsoft sets a maximum 180-day validity on the bulk enrollment token embedded in the PPKG. Plan migration waves to finish well within that window.
  • MFA support: The bulk enrollment flow does not support MFA. This is a Microsoft platform limitation, not an Opsole limitation.
  • Tenant correctness: For Tenant-to-Tenant, the PPKG must be generated against the target tenant. Generating it against the source tenant is a common silent failure.
  • Rotation: If the migration runs across the 180-day boundary, generate a new PPKG, upload it to the Opsole Migrate portal, and revoke the previous package account.
  • Pilot: Validate every new PPKG against a non-production device before using it in a production wave.
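Run on the non-production test device after applying the package, as an added example (not Opsole's own check): it parses dsregcmd /status and confirms not only AzureAdJoined : YES but also that the reported TenantId is the tenant the package was meant to be built against, which catches a package generated against the wrong (source) tenant before it reaches a production wave. The function name is an assumption and the tenant ID is a placeholder.

```powershell
# Added example, not from Opsole. Run on the test device after the PPKG has been applied.
function Test-PpkgJoinResult {
    param([Parameter(Mandatory)][string]$ExpectedTenantId)   # placeholder: target tenant GUID
    # dsregcmd prints "   Key : Value" lines; keep the first occurrence of each key and
    # skip the "+----" and "| Section |" decoration lines
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([^:|+]+?)\s*:\s*(.+?)\s*$' -and -not $status.ContainsKey($matches[1])) {
            $status[$matches[1]] = $matches[2]
        }
    }
    $joined      = $status['AzureAdJoined'] -eq 'YES'
    $standalone  = $status['DomainJoined'] -eq 'NO'        # expected for a standalone test device
    $rightTenant = $status['TenantId'] -eq $ExpectedTenantId
    $reason = if (-not $joined)          { 'Device did not Entra-join' }
              elseif (-not $rightTenant) { "Joined tenant $($status['TenantId']) is not the expected target tenant" }
              elseif (-not $standalone)  { 'Device is still domain-joined, so this is a hybrid join, not a clean test' }
              else                       { 'OK' }
    [pscustomobject]@{
        AzureAdJoined = $status['AzureAdJoined']
        DomainJoined  = $status['DomainJoined']
        TenantId      = $status['TenantId']
        TenantName    = $status['TenantName']
        MdmUrl        = $status['MdmUrl']                  # populated once MDM enrollment completed
        Pass          = $joined -and $standalone -and $rightTenant
        Reason        = $reason
    }
}

$result = Test-PpkgJoinResult -ExpectedTenantId '00000000-0000-0000-0000-000000000000'   # placeholder
$result | Format-List
if (-not $result.Pass) { exit 1 }
```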

1.9 Configure Security Software Exclusions

Opsole Migrate performs system-level operations during migration and post-migration cleanup that endpoint security tooling inspects closely. Without explicit allow-listing, it is common for an EDR, antivirus, WDAC, AppLocker, or hardening policy to block, quarantine, or delete components mid-migration.

The exclusions must be deployed and verified on representative devices that reflect production conditions.

What to Allow-list

Apply all three exclusions below.

Code-signing Certificate Trust

Trust the Opsole code-signing certificate so that all signed components are recognized as legitimate without behavioral-analysis triggers.

  • Subject: CN=Opsole Ltd, O=Opsole Ltd, ...
  • Issuer, SHA-256 thumbprint, and validity: provided in the certificate-trust pack delivered to your security team during onboarding. If you have not received it, contact Opsole Support.

File-system Path Exclusions

Exclude the Opsole Migrate runtime directories from real-time analysis and on-write scanning:

  • C:\Program Files\Opsole\OpsoleMigrate\
  • C:\ProgramData\OpsoleMigrate\
  • C:\ProgramData\OpsoleMigrate\runtime\
  • C:\ProgramData\OpsoleMigrate\logs\

Also confirm that:

  • Application-control, WDAC, and AppLocker policies allow Opsole-signed binaries to execute.
  • Controlled folder access in Microsoft Defender does not block writes to the runtime and logs paths above.
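An added example (not Opsole's own script) that first verifies that every executable under the Opsole install directory carries a valid Authenticode signature from the subject stated above, optionally matching the thumbprint from the certificate-trust pack, and only then adds the four path exclusions to Microsoft Defender Antivirus and reads the effective setting back. The function name and the thumbprint placeholder are assumptions; third-party EDR, WDAC and AppLocker need their own tooling.

```powershell
# Added example, not Opsole's. Run elevated; Add-MpPreference needs admin rights.
$paths = 'C:\Program Files\Opsole\OpsoleMigrate\',
         'C:\ProgramData\OpsoleMigrate\',
         'C:\ProgramData\OpsoleMigrate\runtime\',
         'C:\ProgramData\OpsoleMigrate\logs\'

function Test-OpsoleSignatures {
    param([string]$InstallDir = 'C:\Program Files\Opsole\OpsoleMigrate\',
          [string]$ExpectedThumbprint = '')   # from the certificate-trust pack; empty skips the check
    Get-ChildItem -Path $InstallDir -Recurse -Include *.exe, *.dll, *.ps1 -ErrorAction SilentlyContinue |
      ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File    = $_.FullName
            Status  = $sig.Status            # anything but Valid (NotSigned, HashMismatch, ...) is a stop
            Subject = $cert.Subject
            Trusted = ($sig.Status -eq 'Valid') -and
                      ($cert.Subject -like 'CN=Opsole Ltd,*') -and
                      (-not $ExpectedThumbprint -or $cert.Thumbprint -eq $ExpectedThumbprint)
        }
      }
}

$sigs = @(Test-OpsoleSignatures)
$sigs | Format-Table Trusted, Status, Subject, File -AutoSize
if (-not $sigs) { throw 'Nothing found under the install directory; install the agent first.' }
if ($sigs | Where-Object { -not $_.Trusted }) {
    throw 'Unsigned or foreign-signed file found; do not add exclusions until this is explained.'
}

# Exclusions are exact directories, never wildcards, so only these paths lose real-time scanning
Add-MpPreference -ExclusionPath $paths
$effective  = @((Get-MpPreference).ExclusionPath | ForEach-Object { $_.TrimEnd('\') })
$notApplied = $paths | Where-Object { $_.TrimEnd('\') -notin $effective }
if ($notApplied) {
    Write-Warning "Exclusion not in effect (tamper protection or policy-managed?): $($notApplied -join ', ')"
    exit 1
}
```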

1.10 Recovery Readiness

Before migration, confirm that support teams have a recovery path if a device becomes inaccessible.

  • Local administrator access: A working local administrator or LAPS recovery path must be available.
  • BitLocker recovery: Recovery keys must be available through the approved recovery location.
  • Service desk escalation: Failed or stuck migration devices must have a documented escalation path.

1.11 Application Readiness

Before production rollout, validate business-critical applications on pilot devices to confirm they function correctly after migration. Applications that bind configuration, credentials, certificates, or tokens to the existing domain or tenant identity may require reauthentication or reconfiguration post-migration. Opsole recommends engaging your application owners and internal teams to complete this validation before broad deployment.


1.12 Prerequisite Scope by Migration Scenario

Where each requirement applies, for AD / Hybrid to Entra and for Tenant-to-Tenant:

  • Microsoft Intune licensing: AD / Hybrid to Entra = Current tenant; Tenant-to-Tenant = Target tenants
  • Microsoft Entra ID P1/P2: AD / Hybrid to Entra = Current tenant; Tenant-to-Tenant = Target tenants
  • Entra app registration: AD / Hybrid to Entra = Current tenant; Tenant-to-Tenant = Source and target tenants
  • Provisioning package: AD / Hybrid to Entra = Current tenant; Tenant-to-Tenant = Target tenant
  • AD disjoin account: AD / Hybrid to Entra = Required for AD or Hybrid devices; Tenant-to-Tenant = Required only if the source device is Hybrid joined
  • Intune automatic enrollment: AD / Hybrid to Entra = Current tenant; Tenant-to-Tenant = Target tenant
  • Conditional Access review: AD / Hybrid to Entra = Not applicable; Tenant-to-Tenant = Source and target tenants
  • Microsoft Graph permissions: AD / Hybrid to Entra = Current tenant; Tenant-to-Tenant = Source and target tenants
  • EDR/AV exclusions: AD / Hybrid to Entra = Target devices; Tenant-to-Tenant = Target devices
  • Pilot validation: AD / Hybrid to Entra = Representative AD or Hybrid devices; Tenant-to-Tenant = Representative source and target tenant devices

2. Prerequisites for Opsole Migrate

Once all pre-migration readiness requirements are confirmed, complete the following configuration tasks in your environment. Each prerequisite is covered in a dedicated guide.

  • Entra Application Registration: Register the Opsole Migrate application in Microsoft Entra ID, assign the required Microsoft Graph permissions, and grant admin consent.

  • Provisioning Package: Generate a Windows bulk enrollment provisioning package against the target Entra tenant and upload it to the Opsole Migrate portal.

  • AD Disjoin Account: Create a delegated Active Directory account with the minimum permissions required to disjoin devices from the domain. Required for AD-joined and Hybrid-joined migrations.


All three prerequisites must be completed and validated before proceeding to Portal Onboarding.

