All product names, logos, and brands used in this post are property of their respective owners.
In the interest of full disclosure, I will admit that I have almost no experience with Microsoft’s User State Migration Tool (USMT), which is part of the free Windows ADK (Windows Assessment and Deployment Kit). That aside, I discovered a fast and easy way to use USMT to migrate local Active Directory Domain Services (ADDS) profiles to Azure Active Directory (AAD) profiles to retain user data when unjoining a device from AD and joining it to AAD.
Using USMT in that way may not be a supported scenario, so use it at your own risk. In my testing with Windows 10, these commands worked as expected with ADK version 1803 and later (through 2004). The only caveat I observed is that the home folders for the migrated profiles (Azure AD) are named email@example.com, instead of username or username.DOMAIN.
Building from Microsoft’s “To migrate two domain accounts (User1 and User2) and move User1 from the Contoso domain to the Fabrikam domain” example, I derived the following general syntax for migrating a local AD domain account (profile) to its Azure AD equivalent:
Capture the user state before unjoining from the local Active Directory domain:
scanstate \\server\share\migration\mystore /ue:*\* /ui:contoso\testuser /i:migdocs.xml /i:migapp.xml /o
Restore the user state after joining Azure Active Directory (and before logging in as the AAD user):
loadstate \\server\share\migration\mystore /mu:contoso\testuser:AzureAD\firstname.lastname@example.org /i:migdocs.xml /i:migapp.xml
The key is the down-level logon name format for Azure AD accounts, which is
AzureAD\email@example.com. As another example:
Local (on-premise) AD domain: ALLSAFE
Azure AD domain: allsafe.com
scanstate \\server\share\migration\mystore /ue:*\* /ui:allsafe\ggoddard /i:migdocs.xml /i:migapp.xml /o loadstate \\server\share\migration\mystore /mu:allsafe\ggoddard:AzureAD\firstname.lastname@example.org /i:migdocs.xml /i:migapp.xml
And an example of the profile folder naming errata I mentioned previously:
Expected folder naming, based on manually unjoining a device from AD, joining to Azure AD, and logging in as the AAD user
Actual folder naming when USMT is used to migrate a user profile from AD to Azure AD - only cosmetic as far as I can test
In the interest of automation, you can adapt those commands for use in a Configuration Manager Task Sequence to automate the AD to AAD migration process across endpoints.
I am hopeful this helps someone with a similar requirement - specifically if you do not have the budget to purchase a 3rd-party tool to perform an AD to AAD profile migration. Questions, feedback, suggestions? Leave a comment below.