Requirements

Before proceeding with migration, the following prerequisites must be met.

Info

If migrating between tenants, these requirements must be met in BOTH tenants.

Source tenant

Licensing

  • All users must be licensed for Microsoft Intune, either as a standalone service or as part of a bundle such as Microsoft 365 E3 or E5
  • All users must be licensed for Entra ID P1 or P2, either as a standalone service or as part of a bundle such as Microsoft 365 E3 or E5
  • Devices that are enrolled with Autopilot must also have a Windows 10/11 Enterprise per-user license or an equivalent license that includes the Windows 10/11 Enterprise Subscription Upgrade (ESU) activation feature, otherwise the PC will remain at the Windows Pro edition.

Access

  • Organization resources will require global administrator privileges to the M365 environment to perform the following tasks:
    • Create an application registration
    • Generate a client secret for the application
    • Add and consent to Graph API permissions for the application

Technical

  • PC requirements
    • Windows 10 minimum build 22H2 (19045)
    • Windows 11 minimum build 22H2 (22621)
    • 8GB RAM
    • 256GB SSD storage
    • 64-bit CPU or System on a Chip (SoC) with two or more cores (four is recommended)
    • Trusted Platform Module (TPM) version 2.0 or higher
    • Internet connection
  • Network requirements
    • Internet connection supports HTTPS over port 443
    • Internet connection allows connections to the Microsoft online services endpoints
    • Internet connection does not require authentication or use a proxy that requires authentication
    • The Microsoft online services URLs needed are:
      • https://*.manage.microsoft.com
      • https://*.manage.microsoftazure.us
      • https://*.msazure.cn
      • https://*.microsoftonline.com
      • https://*.microsoftonline-p.com
      • https://*.microsoftonline.us
      • https://*.microsoftonline.de
      • https://*.microsoftonline.cn
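
A pre-flight check for the PC requirements listed above, as an added example that is not part of the migration solution itself. The function name `Test-MigrationPrerequisite` is hypothetical; the thresholds are the ones on this page, and network reachability is not tested.

```powershell
# Added example. Thresholds are the ones listed on this page.
# Test-MigrationPrerequisite is a hypothetical name. Run elevated: Win32_Tpm needs admin.
function Test-MigrationPrerequisite {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpus  = @(Get-CimInstance -ClassName Win32_Processor)
    $cores = ($cpus | Measure-Object -Property NumberOfCores -Sum).Sum
    # Installed RAM; Win32_ComputerSystem.TotalPhysicalMemory under-reports on 8 GB PCs.
    $ramGB = (Get-CimInstance -ClassName Win32_PhysicalMemory |
              Measure-Object -Property Capacity -Sum).Sum / 1GB
    $tpm   = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                 -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    # Vendors size drives in decimal GB, so compare against 256 * 10^9 bytes.
    $ssd   = @(Get-PhysicalDisk | Where-Object {
                 $_.MediaType -eq 'SSD' -and [math]::Round($_.Size / 1e9) -ge 256 })

    # Windows 11 build numbers start at 22000; anything lower is Windows 10.
    $build    = [int]$os.BuildNumber
    $minBuild = if ($build -ge 22000) { 22621 } else { 19045 }

    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM family.
    $tpmVer = $null
    if ($tpm -and $tpm.SpecVersion) {
        $tpmVer = (($tpm.SpecVersion -split ',')[0].Trim()) -as [version]
    }

    # One output row per requirement so failures can be filtered on Pass.
    $row = { param($check, $required, $actual, $pass)
             [pscustomobject]@{ Check = $check; Required = $required
                                Actual = $actual; Pass = [bool]$pass } }
    & $row 'Windows build' ">= $minBuild" $build ($build -ge $minBuild)
    & $row 'RAM (GB)'      '>= 8'   ([math]::Round($ramGB, 1)) ($ramGB -ge 8)
    & $row 'SSD >= 256 GB' 'present' ($ssd.Count) ($ssd.Count -ge 1)
    & $row '64-bit CPU'    '64'     ($cpus[0].DataWidth) ($cpus[0].DataWidth -eq 64)
    & $row 'CPU cores'     '>= 2'   $cores ($cores -ge 2)
    & $row 'TPM version'   '>= 2.0' "$tpmVer" ($tpmVer -ge [version]'2.0')
}

Test-MigrationPrerequisite | Format-Table -AutoSize
```

A missing or unreadable TPM reports an empty version and fails the check rather than throwing.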

Tenant

  • Entra ID connect must be configured to support Microsoft account login:
    • Entra ID Premium subscription with verified domain name
    • Configured identity provider (IdP) to support the WS-Federation protocol and the SAML 2.0 token format
    • Registered IdP as an enterprise application in Entra ID and assigned users or groups to it
    • Enable Entra ID connect for their IdP in the Azure portal and provide the required metadata and settings
  • PCs must be in one of the following states:
    • Entra ID joined (formerly Azure AD joined)
    • Hybrid Entra joined
    • Active Directory domain joined
    • Microsoft Endpoint Configuration Manager (MECM/SCCM) managed
    • Co-managed
    • Intune managed

Info

Devices that are not managed by Intune or MECM will require some form of communication to deploy the migration package.

Destination tenant

When migrating devices between tenants, the following Intune settings must be configured and validated in the destination environment.

Intune

  • Intune must be configured to support Windows device enrollments including:
    • Device configuration profiles
    • Application packages
    • PowerShell and remediation scripts
    • Windows Update for Business rings
    • Device compliance policy
  • Specific settings
    • Automatic enrollment: user scope must be set to "All"
    • Users may join devices to Microsoft Entra: must be set to "All"
    • User/Account ESP tracking: must be disabled with custom configuration policy
      • ./Vendor/MSFT/DMClient/Provider/MS DM Server/FirstSyncStatus/SkipUserStatusPage
    • Dynamic device groups: Policies and applications will need to be assigned to Entra dynamic device membership groups to apply to migrated PCs

Warning

If dynamic membership groups are not used for device assignment, profiles and applications must be targeted to "All devices".

Graph API Permissions

The following Graph API permissions are required to be granted to the application registration. Here is a brief description of their purpose.

Note

When migrating between tenants, these permissions are required for BOTH source and destination tenants.

| Permission type | Permission | Usage |
|---|---|---|
| Application | Device.ReadWrite.All | Set device group tag attribute prior to Autopilot registration |
| Application | DeviceManagementManagedDevices.ReadWrite.All | Set primary user, delete Intune object from source tenant |
| Application | DeviceManagementServicesConfig.ReadWrite.All | Autopilot registration, Autopilot device delete |
| Application | User.Read.All | Get user attributes from Entra ID |
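
To confirm that the application registration holds exactly the permissions in the table and nothing broader, the `roles` claim of an app-only access token can be compared against the list. This is an added example, not part of the migration solution; `Compare-GraphAppRole` and `ConvertFrom-Base64Url` are hypothetical names and the sample token is constructed.

```powershell
# Added example. Function names are hypothetical; the sample token is constructed.
# Inspects claims only. It does not validate the token signature.
$RequiredRoles = @(
    'Device.ReadWrite.All'
    'DeviceManagementManagedDevices.ReadWrite.All'
    'DeviceManagementServicesConfig.ReadWrite.All'
    'User.Read.All'
)

function ConvertFrom-Base64Url([string]$Text) {
    # JWT segments are base64url without padding; restore standard base64 first.
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Compare-GraphAppRole {
    param([Parameter(Mandatory)][string]$AccessToken,
          [string[]]$Required = $RequiredRoles)
    $parts = $AccessToken.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a JWT: expected header.payload.signature' }
    $claims = (ConvertFrom-Base64Url -Text $parts[1]) | ConvertFrom-Json
    # App-only tokens list application permissions in "roles"; delegated tokens have none.
    $granted = @($claims.roles | Where-Object { $_ })
    [pscustomobject]@{
        Missing = @($Required | Where-Object { $_ -notin $granted })
        Excess  = @($granted  | Where-Object { $_ -notin $Required })
    }
}

# Constructed sample: unsigned token with one permission missing and one extra.
$payload = @{ aud   = 'https://graph.microsoft.com'
              roles = @('Device.ReadWrite.All', 'User.Read.All',
                        'DeviceManagementManagedDevices.ReadWrite.All',
                        'Directory.ReadWrite.All') } | ConvertTo-Json -Compress
$enc = { param($s) [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($s)).
             TrimEnd('=').Replace('+', '-').Replace('/', '_') }
$token = '{0}.{1}.{2}' -f (& $enc '{"alg":"none","typ":"JWT"}'), (& $enc $payload), 'sig'

Compare-GraphAppRole -AccessToken $token | Format-List
```

Any entry under `Excess` is a permission the application registration holds beyond what the migration needs; run the check in both tenants when migrating between them.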

Additional Components

Windows Configuration Designer

The Windows Configuration Designer App allows you to simplify deployment of Windows devices.

Download Windows Configuration Designer from the Microsoft Store

Microsoft Win32 Content Prep Tool

Use the Microsoft Win32 Content Prep Tool to pre-process Windows applications for Intune. The packaging tool converts application installation files into the .intunewin format.

Download from GitHub

Visual Studio Code

Visual Studio Code is a code editor redefined and optimized for building and debugging modern web and cloud applications. With support for PowerShell and JSON, it is the best choice to configure the migration solution.

Download from the official site

Intune Network Requirements tool

An open source application by Martin Himken that allows you to check the network configuration of your environment to see if there are any issues with Intune connectivity.

Download from GitHub

Sysinternals

Advanced system utilities for Windows. Use the included psexec.exe to test the migration tool locally as SYSTEM.

Download from Microsoft