Leaving AzureAD Domains
NOTE: As of release v2.2.0, the JumpCloud ADMU invokes dsregcmd.exe /leave as the NT AUTHORITY\SYSTEM account. When "Leave Domain" is selected, the ADMU GUI can therefore unbind the system from an AzureAD domain. Earlier releases of the ADMU do not elevate to NT AUTHORITY\SYSTEM, and those versions are subject to the limitation described below:
If a system is bound to an AzureAD domain, the ADMU can forcefully remove the system from the domain as long as the ADMU itself is running as NT AUTHORITY\SYSTEM. In most cases the ADMU GUI is not run as NT AUTHORITY\SYSTEM. Membership in the local Administrators group is not equivalent to running as NT AUTHORITY\SYSTEM: even with "Leave Domain" selected in the ADMU GUI, the ADMU may fail to leave the AzureAD domain if it is running only with Administrator credentials.
If a system is Azure AD bound, the domain may be displayed under "Access work or school" in the Settings app.
To manually remove a system from an AzureAD domain, open the Settings app on the local system, click "Accounts" and, in the left-hand column, select "Access work or school". Select the AzureAD instance to which the system is connected and follow the on-screen prompts to "Disconnect" from the AzureAD domain.
By default, Windows commands run from the JumpCloud console execute as NT AUTHORITY\SYSTEM. This context has the authority required to leave an AzureAD domain remotely. To leave an AzureAD domain through a JumpCloud command, create a command with the following payload:
Name: Leave AzureAD Domain
Type: Windows
Windows PowerShell: True (checked)
Command: dsregcmd.exe /leave
Assign the command to the computer currently bound to the AzureAD domain and run it. The system should leave the domain after the next reboot.
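The following script is an added example, not code from the ADMU project or the JumpCloud documentation. It can be used as the payload of the JumpCloud command above in place of the bare dsregcmd.exe /leave: it refuses to run unless the process is NT AUTHORITY\SYSTEM (well-known SID S-1-5-18), checks the AzureAdJoined field of dsregcmd /status before and after the leave, and reports the result so the command's output in the console shows whether the unbind took effect. The field names it parses (AzureAdJoined, DomainJoined, WorkplaceJoined, EnterpriseJoined) are those printed by dsregcmd /status; the function names are the example's own.

```powershell
# Added example (not the ADMU's own code): leave an AzureAD domain from a
# JumpCloud command, which runs as NT AUTHORITY\SYSTEM by default.

function Get-DsregJoinState {
    # Parse the "Name : YES/NO" lines of dsregcmd /status into a hashtable of booleans.
    $state = @{}
    $output = & "$env:SystemRoot\System32\dsregcmd.exe" /status
    foreach ($line in $output) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|EnterpriseJoined)\s*:\s*(YES|NO)\s*$') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    return $state
}

function Test-RunningAsSystem {
    # S-1-5-18 is the well-known SID of NT AUTHORITY\SYSTEM. Being a member of the
    # local Administrators group is not sufficient for dsregcmd /leave.
    $sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    return ($sid -eq 'S-1-5-18')
}

if (-not (Test-RunningAsSystem)) {
    $who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Write-Error "dsregcmd.exe /leave must run as NT AUTHORITY\SYSTEM; current identity is $who."
    exit 1
}

$before = Get-DsregJoinState
if (-not $before['AzureAdJoined']) {
    Write-Output "Device reports AzureAdJoined : NO; nothing to leave."
    exit 0
}

# Perform the leave and capture the exit code of dsregcmd.exe itself.
& "$env:SystemRoot\System32\dsregcmd.exe" /leave
$leaveExit = $LASTEXITCODE
Write-Output "dsregcmd.exe /leave exit code: $leaveExit"

# Re-read the join state so the command result shows whether the change applied.
$after = Get-DsregJoinState
Write-Output ("AzureAdJoined before: {0}, after: {1}" -f $before['AzureAdJoined'], $after['AzureAdJoined'])
if ($after['AzureAdJoined']) {
    Write-Warning "Device still reports AzureAdJoined : YES; re-check dsregcmd /status after the next reboot."
    exit 1
}
```

Because the script exits non-zero when it is not running as SYSTEM or when the device still reports AzureAdJoined : YES, the JumpCloud command result flags the failure rather than silently reporting success. Note that dsregcmd.exe /leave only changes the Azure AD join state; the DomainJoined value, i.e. membership in an on-premises Active Directory domain, is not affected by it.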