Troubleshooting Device Migrations
Resolve common issues when migrating devices between tenants.
Overview
A device can fail to join the new tenant through the Cloudiway agent. Because it has already left the source tenant but has not yet joined the target tenant, the user can lose access to the device.
Safety Measure
Cloudiway automatically creates a temporary local admin account to prevent complete lockout. This account is deleted after migration completes.
Device Migration Flow
How Tenant Joining Works
Provisioning Package Role
The provisioning package, created with Microsoft Windows Configuration Designer, performs the join. The Cloudiway agent only installs the provisioning package programmatically; it does nothing else.
Common Failure Points
Authentication Token Issues
Changing the password of the account that created the provisioning package invalidates the authentication token stored in the package, and the package will then fail to authenticate.
MFA Conflicts
Multi-factor authentication must be disabled for the service account through exclusion rules; otherwise devices will join and then immediately unjoin due to non-compliance.
Compliance Policies
Policies preventing non-compliant devices from joining may block enrollment. Review Conditional Access policies for device compliance requirements.
Diagnostic Steps
1. Run MDM Diagnostics
mdmdiagnosticstool.exe -area "DeviceEnrollment;DeviceProvisioning" -cab "C:\Users\Public\Documents\MDMDiagReport.cab"
2. Check Azure AD Sign-in Logs
Review failed enrollment attempts in Azure AD.
3. Review Intune Device Status
Check device compliance status in the Intune admin center.
4. Manual Package Test
Install the provisioning package manually via PowerShell to isolate the issue to Microsoft components before opening a support ticket.
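One way to run the manual package test from step 4 and tell the failure points above apart. This is an added example, not code from Cloudiway or Microsoft. The package path, log directory and the 10 x 30 second watch window are assumptions, as is the expectation that the join shows up in `dsregcmd /status` within that window.

```powershell
#Requires -RunAsAdministrator
# Added example. $PackagePath and $LogDir are placeholders chosen for illustration.
param(
    [Parameter(Mandatory)][string]$PackagePath,   # .ppkg built in Windows Configuration Designer
    [string]$LogDir = "$env:TEMP\ppkg-test",
    [int]$Samples = 10,                           # assumed watch window: 10 x 30 s
    [int]$IntervalSeconds = 30
)

function Get-JoinState {
    # Turn the "Key : Value" lines of `dsregcmd /status` into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

# Step 1: apply the package directly, with no Cloudiway agent involved.
try {
    Install-ProvisioningPackage -PackagePath $PackagePath -QuietInstall -ForceInstall `
        -LogsDirectoryPath $LogDir -ErrorAction Stop | Out-Null
} catch {
    Write-Error "Package failed to install on its own: $($_.Exception.Message)"
    exit 1
}

# Step 2: sample the join state over time. A device that reports YES and later NO
# matches the join-then-unjoin pattern described under "MFA Conflicts".
$history = @(for ($i = 1; $i -le $Samples; $i++) {
    Start-Sleep -Seconds $IntervalSeconds
    $s = Get-JoinState
    [pscustomobject]@{ Time = Get-Date; Joined = $s['AzureAdJoined']; TenantId = $s['TenantId'] }
})
$history | Format-Table -AutoSize

$everJoined  = $history.Joined -contains 'YES'
$finalJoined = $history[-1].Joined -eq 'YES'
if     (-not $everJoined)  { Write-Warning 'Never joined: check the package token and Conditional Access.' }
elseif (-not $finalJoined) { Write-Warning 'Joined, then unjoined: check the MFA exclusion for the service account.' }
else                       { Write-Output "Joined to tenant $($history[-1].TenantId)." }

# Step 3: collect enrollment and provisioning logs for the support ticket.
mdmdiagnosticstool.exe -area "DeviceEnrollment;DeviceProvisioning" -cab "$LogDir\MDMDiag.cab"
```

If the package fails or the device unjoins when run this way, the problem lies in the package or tenant policy rather than in the agent.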