Convert local accounts to AAD accounts?

  • Question

  • I'm hoping someone has some idea on this more than a Microsoft "oops, we didn't think of that" ... There seems to be essentially zero documentation, as far as I can tell.

    I've got quite a few users on Windows 8.1 Enterprise. All of them currently log in with a Microsoft account that matches their corporate e-mail address. Useless from a management standpoint, but at least it gives them a way to reset their local passwords without heroic efforts (most of my users are remote, and not technical). We manage the systems with Intune.

    The ability to log into AAD directly from a Win10 system is -- by far -- our biggest motivator to upgrading to 10. Other than some QA systems, we'd absolutely not even consider it otherwise. (I shudder to think supporting a slew of non-technical users who need to learn an entirely new OS, with entirely new behaviors, after the fiasco of 7->8...)

    I had sort of assumed that one could convert a Microsoft account back to a local account, and then convert it to an AAD account after joining AAD, the way you can convert a local account to a Microsoft account. It doesn't seem to do that, though. On the test systems I can associate the local user with an AAD account (although I have no idea what benefits that brings, again -- we need some documentation, Microsoft), but there's no ability to convert the account types. I had thought, maybe, once you associated the local account, if you then logged in as the AAD account it'd somehow do the conversion at that point, but that also doesn't happen. It creates a new local profile for the AAD user separate from the local account bound to that AAD account.

    I know, in theory, I can manually convert users to a local account, have them log in as the AAD account and move their files across, but anything using any profile-based crypto will be lost (saved passwords, EFS-protected files, application settings, etc). And, that's both a huge time sink, something I can't talk an inexperienced user through, and nearly impossible for me to do from remote.

    So does anyone know if there's a way to do it? Maybe it's just not in the UI yet? It seems strange the Microsoft account CAP can do it but the AAD CAP can't.

    Tuesday, August 4, 2015 12:03 PM

Answers

  • Hi,

    I don't have experience with Azure Active Directory but it should be the same as a standard Active Directory.

    If yes, you can't convert a Local account to a Domain account.
    Each account has a unique identifier.

    What you can try is to install the Windows 10 ADK on the computer and use the User State Migration Tool to transfer the settings from the Local account profile to the Domain Account profile.

    Gerald

    Tuesday, August 4, 2015 12:26 PM
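
An added example, not part of the original thread: the USMT capture and restore suggested in the answer above, for the local-to-domain case it describes, with the migration store encrypted at rest. The account names (`jdoe`, `CONTOSO\jdoe`), the store path and the key file are placeholders; run it from an elevated prompt on a machine where the target account can already be resolved.

```powershell
# Added example, not from the thread. Placeholder values are marked below.
$usmt    = 'C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\User State Migration Tool\amd64'
$store   = 'D:\MigStore'                 # placeholder: migration store location
$keyFile = 'D:\usmt-key.txt'             # placeholder: file holding the store encryption key
$oldUser = "$env:COMPUTERNAME\jdoe"      # placeholder: existing local account
$newUser = 'CONTOSO\jdoe'                # placeholder: target domain account

function Invoke-Usmt {
    param([string]$Exe, [string[]]$Arguments)
    # Run from the USMT folder so MigDocs.xml and MigApp.xml resolve.
    Push-Location $usmt
    try {
        & (Join-Path $usmt $Exe) @Arguments
        if ($LASTEXITCODE -ne 0) {
            throw "$Exe failed with exit code $LASTEXITCODE; see its log file"
        }
    } finally {
        Pop-Location
    }
}

# Capture only the one local profile: exclude every user, then include $oldUser.
Invoke-Usmt 'scanstate.exe' @(
    $store, '/i:MigDocs.xml', '/i:MigApp.xml',
    '/ue:*\*', "/ui:$oldUser",
    '/efs:copyraw',                      # default is /efs:abort, which stops on EFS files
    '/encrypt', "/keyfile:$keyFile",     # keep the store encrypted on disk
    '/o', "/l:$env:TEMP\scanstate.log"
)

# Restore into the new account's profile, remapping old user to new user.
Invoke-Usmt 'loadstate.exe' @(
    $store, '/i:MigDocs.xml', '/i:MigApp.xml',
    "/mu:${oldUser}:$newUser",
    '/decrypt', "/keyfile:$keyFile",
    "/l:$env:TEMP\loadstate.log"
)
```

Delete the store and the key file once the restored profile has been checked, since together they hold a full copy of the user's data.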
  • Hi,

    We cannot convert a local account to AAD account.

    In System - About, we can click Join Azure AD to start the wizard.

    After finishing the process, we need to log off and log on with the company account, so it will be another account other than the local account.

    For detailed steps and pictures, please see:

    Azure AD join on Windows 10 devices

    http://blogs.technet.com/b/ad/archive/2015/05/28/azure-ad-join-on-windows-10-devices.aspx


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Thursday, August 6, 2015 2:41 AM

All replies

  • You are correct that there is no way to convert a local account to an AAD account.  And a native AAD account does not act like an MSA in the ability to "disconnect".

    An AAD account and an AAD joined device is much more like a domain account (AD) and a domain joined device, than it is like an MSA. 

    The concept of joining your device to AAD means that the trust authority is AAD (or federated to AD if that is what you do) and that your work or school would be the "owner" of that identity.  Disconnecting from AAD and retaining all the information related to that identity as an unmanaged local user is not a scenario that corporations would support. 

    Yes, I believe there is a need to more easily migrate files to the new AAD user account for those users that have a local/MSA account.  However, Windows 10 does not include a tool to do this work. 

    Vicki Milton (MSFT)


    Thursday, September 10, 2015 3:46 PM
  • Any update on this functionality? We have a dozen Win 10 laptops - I want to Azure AD join them, but migrate the existing user profiles to Azure AD account on the local machine.

    Otherwise users will have to recreate their local profiles. Bad.

    Tuesday, April 18, 2017 3:37 PM
  • I really need this functionality as well - have about 50 Win 10 laptops I would like to join to Azure AD but having to set up all the profiles again is stopping me doing so.
    Thursday, April 27, 2017 1:45 PM
  • You now can, with USMTGUI from EhlerTech

    This weekend we successfully migrated a bunch of local Workgroup users from 22 old PCs over to 22 new AzureAD joined PCs.

    This is such a timesaver!

    Monday, August 19, 2019 1:42 PM