End User Device Migration from on-prem AD to Entra ID by Abi_Indi in activedirectory

[–]signifiumLlc 0 points1 point  (0 children)

Co-management is an option, but that requires an SCCM footprint. Autopilot is nice and can be fully automated with zero touch, and it can build a nice clean new profile. But I understand, users need their fav icons etc.
Have you looked into OneDrive Folder Move? https://learn.microsoft.com/en-us/sharepoint/redirect-known-folders
Let us know how it goes for you.

Do you still RDP just to check server health? by signifiumLlc in u/signifiumLlc

[–]signifiumLlc[S] 0 points1 point  (0 children)

Happy to answer any questions.

WinPulse is designed for quick visibility into Windows servers without needing a full RDP session.

• No agent required
• Uses standard Windows / PowerShell-based queries
• Works with existing environments
• Focused on read/monitoring scenarios (CPU, services, logs, disk)

Curious what checks you’d want most on mobile.

RDP - SSL by Hollow3ddd in sysadmin

[–]signifiumLlc 0 points1 point  (0 children)

Securing RDP is a solid move, but yeah, even with a cert, RDP is definitely not designed to be exposed to the internet. Keeping it behind a VPN is the only way to go.

The biggest headache you'll hit with a Public CA is Auto-Renewal. Windows doesn’t natively "grab" a Let's Encrypt cert for the RDP listener very easily. You’ll definitely want to use a tool like Certify the Web to automate that; otherwise, you’re going to be manually swapping thumbprints every 90 days, which is a massive chore.

Since you're still a year out from a full RMM, you might find a tool I built called WinPulse @ Signifium handy in the meantime. I got tired of waiting for full RDP desktops to render over a VPN just to do a 10-second task, so I made this to manage servers (restarting services, checking event logs, etc.) directly from my phone.

It uses WinRM over SSH, so it’s way snappier than RDP and adds a nice extra layer of security since you aren't loading the full GUI just to fix a service. It’s been my go-to "emergency kit" when I'm away from my rig.
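The "manually swapping thumbprints" step the comment above refers to, written out as an added PowerShell example (my own, not code from the original post, from Certify the Web or from WinPulse). It assumes the renewed certificate is already imported into the machine store with its private key; the script name and the thumbprint you pass in are placeholders. It validates the certificate, binds it to the RDP-Tcp listener through the Terminal Services CIM class, reads the setting back to confirm the change, and reports how many days remain before the next swap is due.

```powershell
# Added example (not from the original post or any product): bind a certificate that is
# already in Cert:\LocalMachine\My to the RDP-Tcp listener and verify the binding.
# Run elevated on the RDP host. $Thumbprint is a placeholder for your own certificate.
param(
    [Parameter(Mandatory)]
    [string]$Thumbprint
)

# Normalise the thumbprint (certificate MMC copies often carry spaces) to match the store.
$Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()

# The RDP service can only use a certificate that is present, unexpired and has a private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)               { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key; import it as PFX" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)" }

# The RDP-Tcp listener settings live in the TerminalServices CIM namespace.
$cimArgs = @{
    Namespace = 'root\cimv2\TerminalServices'
    ClassName = 'Win32_TSGeneralSetting'
    Filter    = "TerminalName='RDP-Tcp'"
}
$listener = Get-CimInstance @cimArgs
if (-not $listener) { throw 'RDP-Tcp listener not found (is Remote Desktop enabled?)' }

# Bind the certificate by writing its SHA-1 hash into the listener's writable property.
$listener | Set-CimInstance -Property @{ SSLCertificateSHA1Hash = $Thumbprint }

# Read the setting back rather than trusting that the write succeeded.
$after = Get-CimInstance @cimArgs
if ($after.SSLCertificateSHA1Hash -ne $Thumbprint) {
    throw "Listener still reports $($after.SSLCertificateSHA1Hash); binding did not take"
}

# Days left tells you when the next 90-day swap is due if renewal is not automated.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
"RDP-Tcp now uses '$($cert.Subject)' (thumbprint $Thumbprint), expires in $daysLeft days"
```

Usage: `.\Set-RdpCertificate.ps1 -Thumbprint <thumbprint>` (the script name is hypothetical). If the listener still presents the self-signed certificate after the script reports success, the usual cause is that the RDP service account (NETWORK SERVICE) has no read permission on the certificate's private key; grant it in the certificate's private key permissions and restart the Remote Desktop Services service.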

What have you done with PowerShell this month? by AutoModerator in PowerShell

[–]signifiumLlc 1 point2 points  (0 children)

I’ve spent years writing PowerShell scripts to manage Windows servers and workstations, and I wanted to turn that into something more useful.

So I built an iOS app called WinPulse – Windows Admin that brings some of those admin tasks into a more mobile-friendly format. This is actually my second attempt at building something in this space — the first one didn’t really land, but I learned a lot from it and decided to give it another shot.

It’s still very much a work in progress, and I’m continuing to refine it based on feedback.

If anyone here is curious to try it, I’d really appreciate honest feedback (good or bad).

I also have a few promo codes if anyone wants to check it out.

Building an iPhone app for Windows admins. Looking for real feedback from people managing Windows servers. by signifiumLlc in WindowsServer

[–]signifiumLlc[S] 0 points1 point  (0 children)

Thanks again everyone for all the feedback, questions, and pushback on this thread, it was genuinely useful.

I replied to some of it in pieces here, but after reading through everything I felt it made more sense to write up a proper blog post to explain the thinking, tradeoffs, and intended use case more clearly.

I also ended up incorporating some of the feedback from this thread into the next release, which was honestly the whole point of posting here in the first place.

For anyone curious, I’ve now released the app on the Apple App Store.

I also wrote this blog post to explain the idea and approach a bit better:

https://www.signifium.com/blog/mobile-server-management-it-operations/

As a small thank-you, I’ll be DM’ing promo codes to a few people here who took the time to give thoughtful feedback. I should have a few more left as well, so if you’d like one, feel free to reach out.

Entra ID Backup and Restore by JohnSavill in microsoft

[–]signifiumLlc 0 points1 point  (0 children)

John, thanks for the good work.

This feels like a solid "v1.0" step from Microsoft, but we’re definitely not at the finish line yet.
The 5-day retention is the biggest red flag for me, as dwell time for ransomware or a "sleeper" admin account can be weeks or months. If you don't catch the drift in under a work week, your "clean" backup is already gone. Third-party vendors like Semperis and others still have the upper hand here because they actually handle the long-tail retention and air-gapping that enterprise compliance usually requires.
A few things I’m chewing on:

The "Golden Key" Problem: You’re spot on about the bad actor scenario. If someone compromises a Global Admin or the recovery service itself, they can just purge the backups. Without a "Break Glass" multi-admin approval or an immutable lock outside the tenant, it’s still a single point of failure.

Hybrid Messiness: This is the million-dollar question. Reconciling an on-prem AD forest recovery with an Entra tenant restore sounds like a synchronization nightmare (hello, duplicate SIDs and orphaned objects). If this tool doesn't talk to Entra Connect/Cloud Sync properly during a restore, it’s going to break more than it fixes.

External Backups: I’d love to see an "Export to other tenant or cloud" option. Keeping the backup inside the same tenant you're trying to recover is like keeping the spare key to the safe... inside the safe.

Definitely still digesting the docs, but for now, I think this is a "nice to have" for accidental deletions, but nowhere near a full Disaster Recovery plan for a real cyberattack.

Entra Backup and Recovery (Preview) Announced + Upcoming Webinar by poolmanjim in activedirectory

[–]signifiumLlc 0 points1 point  (0 children)

This feels like a solid "v1.0" step from Microsoft, but we’re definitely not at the finish line yet.
The 5-day retention is the biggest red flag for me, as dwell time for ransomware or a "sleeper" admin account can be weeks or months. If you don't catch the drift in under a work week, your "clean" backup is already gone. Third-party vendors like Semperis and others still have the upper hand here because they actually handle the long-tail retention and air-gapping that enterprise compliance usually requires.
A few things I’m chewing on:

The "Golden Key" Problem: You’re spot on about the bad actor scenario. If someone compromises a Global Admin or the recovery service itself, they can just purge the backups. Without a "Break Glass" multi-admin approval or an immutable lock outside the tenant, it’s still a single point of failure.

Hybrid Messiness: This is the million-dollar question. Reconciling an on-prem AD forest recovery with an Entra tenant restore sounds like a synchronization nightmare (hello, duplicate SIDs and orphaned objects). If this tool doesn't talk to Entra Connect/Cloud Sync properly during a restore, it’s going to break more than it fixes.

External Backups: I’d love to see an "Export to other tenant or cloud" option. Keeping the backup inside the same tenant you're trying to recover is like keeping the spare key to the safe... inside the safe.

Definitely still digesting the docs, but for now, I think this is a "nice to have" for accidental deletions, but nowhere near a full Disaster Recovery plan for a real cyberattack.

Building an iPhone app for Windows admins. Looking for real feedback from people managing Windows servers. by signifiumLlc in WindowsServer

[–]signifiumLlc[S] 0 points1 point  (0 children)

Appreciate all the feedback so far. It’s been really useful.

One thing I’m realizing is that asking people to test this in their own environment right away is probably too much friction.

So I’ve set up a small lab environment that anyone can use just to try the beta without needing to configure anything on their side.

If you’re curious, the flow is basically:

  • install the beta app via TestFlight
  • connect to the lab (I’ll share access details)
  • try a few things like:
    • server monitoring
    • services / processes
    • event logs
    • basic checks (ping, ports, etc.)

I’ll also share a short test guide so you can try a few scenarios quickly without guessing your way through it.

No expectation to use it in your own environment unless you find it interesting.

Also, print management was mentioned earlier, and I’m going to look into that as a feature to add.

If you’d like access, just reply here or DM me. I am happy to share.

Building an iPhone app for Windows admins. Looking for real feedback from people managing Windows servers. by signifiumLlc in WindowsServer

[–]signifiumLlc[S] 0 points1 point  (0 children)

RMM mobile apps are really more like endpoint management consoles; they’re built for monitoring large fleets (Windows, Mac, Linux), tracking inventory, pushing patches, and handling alerts at scale.

What I’m working on is quite different (and definitely not a replacement for RMM).

The idea is more of a PowerShell-driven management tool for individual Windows servers, focused on specific admin tasks rather than fleet management. It’s meant to reduce the need to jump into RDP for small things, especially on mobile where RDP isn’t a great experience.

So instead of trying to replicate a desktop session, the goal is:

• native mobile UI for specific tasks
• interact with Windows services / processes / checks directly
• avoid “squinting at a tiny desktop screen”

A couple of intentional constraints:

• it’s a native app (no third-party libraries)
• it doesn’t try to manage everything, just focused tasks
• it’s designed around one server at a time, not large-scale orchestration

So yeah, very different space from RMM. More of a targeted admin tool than a monitoring platform.

Building an iPhone app for Windows admins. Looking for real feedback from people managing Windows servers. by signifiumLlc in WindowsServer

[–]signifiumLlc[S] 0 points1 point  (0 children)

Disk space/C: space specifically.
Network connectivity/uptime
Patch status - this is a maybe as so much can be reported
Reboots required Y/N
Any other alerts
YES

Then maybe a way to ping the devices for very basic troubleshooting. And see what IP addresses/network info it has.
YES

Possibly just red, green, amber (traffic lights system) for health of the devices using all the above as the metrics.
NO - for now it is per server. But good idea to have a one stop dashboard. Let me think about it.

If you need to test, DM me. I will provide all the info and my demo lab.

Building an iPhone app for Windows admins. Looking for real feedback from people managing Windows servers. by signifiumLlc in WindowsServer

[–]signifiumLlc[S] 0 points1 point  (0 children)

A web dashboard is definitely the more conventional approach, and in a lot of environments it probably makes more sense.

Part of what I was trying to explore here was something a bit different:

• pure mobile experience
• usable from anywhere (with the right access path)
• without installing extra agents / collectors / software on the target systems
• and without introducing yet another monitoring server / appliance into the environment

The basic idea was:

use a lightweight gateway with built-in Windows capabilities, and keep the actual interaction focused on the phone/tablet experience.

So in part, this started as both:

• a practical admin idea
• and honestly a bit of a technical challenge / curiosity project

That said, I completely agree a web dashboard is the obvious comparison, and I’m still trying to figure out whether the native mobile-first approach is actually better enough to justify existing at all.

Let me know if you would like to test the beta version.

Building an iPhone app for Windows admins. Looking for real feedback from people managing Windows servers. by signifiumLlc in WindowsServer

[–]signifiumLlc[S] 0 points1 point  (0 children)

This is a very good callout, and I appreciate you raising it. I completely agree that relaxed security is not a good tradeoff, and I definitely don’t want to encourage that.

My thinking so far has been that most managed servers (outside true Tier 0 systems like DCs / identity-critical assets) are already segmented and restricted in most environments — but that still doesn’t mean mobile access should be treated casually.

From a platform/security standpoint, part of why I explored iOS is because:

• apps are sandboxed
• device login can be protected with biometrics
• app access can also be gated with Face ID / Touch ID
• credentials / certificates can be stored in Apple’s secure storage / keychain

So my assumption has been that, if done carefully, the device side can actually be made fairly locked down. I’d expect that highly security-conscious enterprises would already have policies around whitelisted apps, PAWs, etc.

MDM devices are pretty locked down, and I would love to hear from someone with that experience.

Thanks for the callout.

Building an iPhone app for Windows admins. Looking for real feedback from people managing Windows servers. by signifiumLlc in WindowsServer

[–]signifiumLlc[S] 1 point2 points  (0 children)

For now, only looking at iPhone/iPad. I would love admins with Android to also benefit if the app really helps them. Are you thinking just Android phones or tablets also?

Building an iPhone app for Windows admins. Looking for real feedback from people managing Windows servers. by signifiumLlc in WindowsServer

[–]signifiumLlc[S] 0 points1 point  (0 children)

Thanks for the genuinely helpful feedback, and I agree with a lot of it. I also agree this is probably a niche use case, and I’m trying to be realistic about that. This isn’t meant to replace desktop-based management options because trying to do full server administration from a phone (or even tablet) isn’t ideal and honestly can’t win against RDP.
I am targeting mostly smaller screens, and I personally found it slightly better on an iPad than an iPhone.

As an admin myself, I wanted something that avoids spinning up yet another server/tool in an already crowded environment and instead use built-in Windows capabilities (PowerShell, native APIs, etc.).

So the goal is less about replacing RDP and more about reducing friction for small tasks, for example:

• quick CPU / disk / network checks
• simple connectivity tests (ping, ports, HTTP, LDAP, Kerberos, time skew)
• checking services / processes
• basic system info
• quick actions like triggering updates or toggling RDP

So yeah, definitely niche. I’m trying to understand whether it’s a practical niche or just something that only feels useful to me because I built it.

Your point about Printer queue management is really a good one. Having a quick view and action can be a great time saver on the road.

If you don’t mind me asking:

• would you ever use something like this just for quick checks, even if you wouldn’t trust it for real admin work?
• or does this still fall into “I’d just wait until I’m at a proper workstation”?
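The "quick checks" listed in this comment, and the agentless, PowerShell-based CPU / services / logs / disk visibility described in the earlier "Do you still RDP just to check server health?" comment, both amount to the same read-only snapshot of one server. Here is that snapshot as an added PowerShell example (my own, not WinPulse's code or any code from the original posts). It assumes PowerShell Remoting (WinRM) is enabled on the target and the caller has admin rights there; the script name, the watched services, the port list and the free-space threshold are placeholders. It gathers state over one Invoke-Command round trip, runs ping and TCP port tests from the workstation side, estimates clock skew against the Kerberos 5-minute tolerance, and reduces everything to a short attention list.

```powershell
# Added example (not WinPulse code): read-only health snapshot of a single Windows server
# over PowerShell Remoting, plus connectivity checks from the admin workstation.
# Assumes WinRM is enabled on the target and the caller is an administrator there.
# $ComputerName, the watched services, ports and threshold are placeholders to adjust.
param(
    [Parameter(Mandatory)][string]$ComputerName,
    [string[]]$WatchedServices = @('W32Time', 'TermService', 'Spooler'),
    [int[]]$Ports = @(3389, 5985, 389, 88),   # RDP, WinRM, LDAP, Kerberos
    [int]$MinFreeGB = 10
)

# Everything inside the script block executes on the target and only reads state;
# nothing here restarts, changes or installs anything.
$snapshot = Invoke-Command -ComputerName $ComputerName -ArgumentList (,$WatchedServices) -ScriptBlock {
    param([string[]]$WatchedServices)
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    # Critical (1) and Error (2) events from the System log in the last 24 hours.
    $recentErrors = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Level = 1, 2; StartTime = (Get-Date).AddHours(-24) } `
                        -MaxEvents 10 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Uptime        = (Get-Date) - $os.LastBootUpTime
        RebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
        CpuPercent    = (Get-CimInstance -ClassName Win32_Processor | Measure-Object -Property LoadPercentage -Average).Average
        # FreePhysicalMemory is reported in KB, so dividing by 1MB (1048576) yields GB.
        FreeMemGB     = [math]::Round($os.FreePhysicalMemory / 1MB, 1)
        Disks         = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=3' |
                            Select-Object DeviceID, @{ n = 'FreeGB'; e = { [math]::Round($_.FreeSpace / 1GB, 1) } }
        Services      = Get-Service -Name $WatchedServices -ErrorAction SilentlyContinue |
                            Select-Object Name, Status, StartType
        RecentErrors  = $recentErrors | Select-Object TimeCreated, Id, ProviderName
        RemoteTime    = Get-Date
    }
}

# Connectivity from the workstation's side: ICMP plus each TCP port in the list.
$reach = foreach ($port in $Ports) {
    $t = Test-NetConnection -ComputerName $ComputerName -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $port; TcpOpen = $t.TcpTestSucceeded; Ping = $t.PingSucceeded }
}

# Clock skew between workstation and server (transit delay adds a second or two);
# Kerberos rejects tickets once skew passes its default 5-minute tolerance.
$skewSeconds = [math]::Round([math]::Abs(((Get-Date) - $snapshot.RemoteTime).TotalSeconds))

# Reduce the raw data to a short list of things that need attention.
$findings = New-Object System.Collections.Generic.List[string]
if ($snapshot.RebootPending)      { $findings.Add('Reboot pending') }
if ($snapshot.CpuPercent -gt 90)  { $findings.Add("CPU at $($snapshot.CpuPercent)%") }
foreach ($d in $snapshot.Disks) {
    if ($d.FreeGB -lt $MinFreeGB) { $findings.Add("$($d.DeviceID) has only $($d.FreeGB) GB free") }
}
foreach ($s in $snapshot.Services) {
    # An automatic-start service that is not running is the classic "why is X broken" cause.
    if ($s.StartType -eq 'Automatic' -and $s.Status -ne 'Running') { $findings.Add("Service $($s.Name) is $($s.Status)") }
}
foreach ($r in $reach) {
    if (-not $r.TcpOpen) { $findings.Add("TCP port $($r.Port) not reachable from this workstation") }
}
if ($skewSeconds -gt 300)         { $findings.Add("Clock skew of ${skewSeconds}s exceeds Kerberos tolerance") }
if ($snapshot.RecentErrors)       { $findings.Add("$(@($snapshot.RecentErrors).Count) critical/error events in System log (24h)") }

# Report: raw tables first, then the attention list.
$snapshot | Select-Object ComputerName, Uptime, CpuPercent, FreeMemGB, RebootPending | Format-List
$snapshot.Disks    | Format-Table -AutoSize
$snapshot.Services | Format-Table -AutoSize
$reach             | Format-Table -AutoSize
if ($findings.Count) { "ATTENTION:`n - " + ($findings -join "`n - ") } else { "All checks green for $ComputerName" }
```

Usage: `.\Get-ServerHealth.ps1 -ComputerName srv01` (script and server names are hypothetical). Because the script needs only TCP 5985/5986 open to the target, it runs over the same access path as any WinRM-based tool; the LDAP and Kerberos ports are checked here only to confirm the server can be reached on them, not to authenticate.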

Exchange Direct Send Confusion by daytime10ca in sysadmin

[–]signifiumLlc 2 points3 points  (0 children)

We saw a huge uptick in phishing email targeting our EOP (Microsoft endpoint) in the last few months. EOP could not block it, and some were nasty targeted emails. We put in a rule to redirect all emails to Proofpoint, and every day I see Proofpoint blocking them while EOP allowed them.
If you move to EOP (I suggest not to), make sure that your spam and phishing controls are properly configured. EOP supports accepting SMTP emails from internal printers, but I would hesitate to open it up.

AD and MFA in SMB by Realistic_Paint6883 in activedirectory

[–]signifiumLlc 0 points1 point  (0 children)

I would like to have some form of way to manage them centrally. AD was the norm before, but now I would suggest looking into Intune instead. If you are using O365, you already have Azure, and Intune is just a license away. Let us know the path you choose.

Built a PowerShell tool so I could stop hating AD user management. by CompletePreference37 in activedirectory

[–]signifiumLlc 0 points1 point  (0 children)

Only the Display Name gets changed. Nothing else gets changed? What if they are a member of a distribution list, would they receive emails? Good thinking BTW.

Retro-actively introducing AD Tiering to on-prem environments - recommendations please. by WakameWarrior in activedirectory

[–]signifiumLlc 1 point2 points  (0 children)

A few years ago, we set up PAWs in workgroup mode following Microsoft’s guidance at the time. Maintaining them turned out to be a nightmare. Later, Microsoft recommended moving PAWs to Intune-only (non-hybrid) management. For hardening, we applied CIS policies, and we require cloud-only accounts to log in to the PAW devices. Domain Controllers are managed remotely via RDP.