Writing
One unintended Yes on Windows' "Sign in to all apps" prompt can put a corporate device into a customer's, partner's, or personal Entra tenant. Here's why I block this on every enterprise endpoint.
Step-by-step process for moving sync'ed users off on-prem AD - plus a PowerShell script, example output, and the caveats that bite.