Migration Prerequisites

Validation Checklist

Checklist before portal onboarding and migration scheduling

Pre-Migration Validation Checklist

Complete every item below before initiating migration. These requirements must be met in full — partial readiness is a leading cause of preventable migration failures.

The full rationale for each item appears in the prerequisite pages above.


Licensing Validation

  • Entra ID P1 or P2 license is assigned to all migrating users
  • Microsoft Intune license is assigned to all migrating users
  • Users are visible and licensed in the target tenant before migration begins

Entra ID & Tenant

  • Target Entra ID tenant is accessible and correctly identified
  • Users are permitted to join devices to Entra ID — confirmed under Entra ID > Devices > Device Settings
  • Device limit per user is not exceeded (default is 50; verify under Device Settings)
  • MDM auto-enrollment is enabled and Intune scope covers target users
  • Intune device platform restrictions permit Windows enrollment
  • No Conditional Access policies block device registration or Entra join for target devices
  • The package_[guid] bulk enrollment account is excluded from MFA-enforcing policies

Opsole Migrate App Registration

  • App registration exists in the Entra ID tenant
  • Required Microsoft Graph API permissions are granted and admin-consented
  • Client secret is active and not expired
  • App registration credentials are configured correctly in the Opsole portal

Provisioning Package

  • PPKG is created using Windows Configuration Designer targeting the correct tenant
  • PPKG validated on a test device — Entra join confirmed via dsregcmd /status
  • The package_[guid] account is excluded from Conditional Access policies that enforce MFA or block device registration
  • PPKG is stored in approved secure storage with access restricted to migration administrators
  • PPKG is uploaded to the Opsole Migrate portal

AD Disjoin Account

  • AD disjoin service account exists in Active Directory
  • Delegated permissions to disjoin computers from the domain are granted
  • AD disjoin service account validated on a test device — successful domain disjoin confirmed
  • Account credentials are entered and validated in the Opsole portal

Device Readiness Validation

  • Devices are running Windows 10 or Windows 11 — Windows Home edition is not supported
  • Devices are AD-joined or Hybrid-joined
  • TPM 2.0 is present and enabled
  • Sufficient disk space is available on the system drive

Network Validation

  • Devices can reach login.microsoftonline.com, device.login.microsoftonline.com, and Intune service endpoints
  • Firewall or proxy rules permit outbound communication to *.opsole.com
  • DNS resolves Entra ID and Intune endpoints correctly from target devices
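
The Device Readiness and Network Validation items above can be checked on a pilot device with a read-only script such as the following. This is an added example, not Opsole's own tooling. Assumptions: it runs in an elevated PowerShell session, the 20 GB free-space threshold is a placeholder because the checklist gives no figure, and only the two hostnames named above are tested (add your Intune and Opsole hostnames to $endpoints).

```powershell
# Added example: read-only pre-flight check for one device (run elevated).
# Assumption: 20 GB is a placeholder; the checklist does not state a minimum.
param([int]$MinFreeGB = 20)

# Hosts named in the Network Validation list; extend with Intune/Opsole hosts.
$endpoints = 'login.microsoftonline.com', 'device.login.microsoftonline.com'

# Parse the "Key : Value" lines printed by dsregcmd /status.
$dsreg = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $dsreg[$Matches[1]] = $Matches[2] }
}

$os   = Get-CimInstance -ClassName Win32_OperatingSystem
$tpm  = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
            -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$disk = Get-CimInstance -ClassName Win32_LogicalDisk `
            -Filter "DeviceID='$($env:SystemDrive)'"

$results = [ordered]@{
    'Windows 10/11, not Home edition' =
        (($os.Caption -match 'Windows 1[01]') -and ($os.Caption -notmatch 'Home'))
    # AD-joined and Hybrid-joined devices both report DomainJoined : YES.
    'Domain joined (AD or Hybrid)' = ($dsreg['DomainJoined'] -eq 'YES')
    'TPM 2.0 present and enabled' =
        ([bool]$tpm -and ($tpm.SpecVersion -like '2.0*') -and
         [bool]$tpm.IsEnabled_InitialValue)
    "System drive free >= $MinFreeGB GB" = (($disk.FreeSpace / 1GB) -ge $MinFreeGB)
}

foreach ($h in $endpoints) {
    $dns = [bool](Resolve-DnsName -Name $h -ErrorAction SilentlyContinue)
    # Direct TCP test: behind an explicit proxy this can fail even when the
    # proxy permits the traffic, so confirm through the proxy as well.
    $tcp = $dns -and (Test-NetConnection -ComputerName $h -Port 443 `
               -WarningAction SilentlyContinue).TcpTestSucceeded
    $results["DNS resolves $h"]       = $dns
    $results["TCP 443 reachable: $h"] = $tcp
}

"Join state: DomainJoined=$($dsreg['DomainJoined']) AzureAdJoined=$($dsreg['AzureAdJoined'])"
$results.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{
        Check  = $_.Key
        Result = if ($_.Value) { 'PASS' } else { 'FAIL' }
    }
} | Format-Table -AutoSize

# Non-zero exit lets a deployment tool flag the device as not ready.
if (@($results.Values) -contains $false) { exit 1 }
```

A device that reports AzureAdJoined=YES with DomainJoined=NO is already Entra-joined and falls outside the AD-joined or Hybrid-joined scope listed above.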

Operational Readiness Validation

  • Pilot wave of 3–5 devices is planned and scoped before full rollout
  • Security tooling is confirmed not blocking the Opsole Migrate application
  • User communication is sent to affected users before migration begins
  • Migration schedule is confirmed and migration wave timing accounts for PPKG token expiry

Do not proceed to production migration until all items above are satisfied. Conditional Access misconfiguration, Intune enrollment restrictions, and security tooling interference are the most common causes of silent first-wave failures.
