How to change AD DS Connector account in Azure AD Connect? After creating an AD…
Disable Active Directory synchronization in Microsoft Entra ID
We sync the Active Directory on-premises AD objects to Microsoft Entra ID with Microsoft Entra Connect Sync. When a company wants to move entirely to the cloud, we disable on-premises synchronization in AD on-premises and Microsoft Entra ID. This time, the on-premises server was already taken offline without considering this. In this article, you will learn how to disable Active Directory synchronization in Microsoft Entra ID.
Table of contents
How to uninstall Microsoft Entra Connect Sync
The correct way to disable Active Directory synchronization with Microsoft Entra ID is to follow the steps in the article Uninstall Azure AD Connect, which will:
- Turn off directory synchronization in on-premises AD
- Turn off directory synchronization in Microsoft Entra ID
- Uninstall Microsoft Entra Connect Sync from server
Suppose the AD on-premises environment is taken offline without turning off directory synchronization on-premises, you can turn off directory synchronization only in Microsoft Entra ID.
How to disable Active Directory synchronization in Microsoft Entra ID
To disable Active Directory Synchronization in Microsoft Entra ID, follow the below steps:
Step 1. Install Microsoft Graph PowerShell module
Start Windows PowerShell as administrator and Install Microsoft Graph PowerShell module.
Install-Module Microsoft.Graph -ForceInstall-Module Microsoft.Graph.Beta -AllowClobber -ForceImportant: Always install the Microsoft Graph PowerShell and Microsoft Graph Beta PowerShell modules. That’s because some cmdlets are not yet available in the final version, and they will not work. Update both modules to the latest version before you run a cmdlet or script to prevent errors and incorrect results.
Step 2. Connect to Microsoft Graph PowerShell
It’s essential to Connect to Microsoft Graph PowerShell with the correct permissions.
Connect-MgGraph -Scopes "Organization.ReadWrite.All"Step 3. Check current on-premises sync status
Check the on-premises synchronization status.
Get-MgOrganization | Select-Object DisplayName, OnPremisesSyncEnabledThe value appears as True or null (empty), meaning True is enabled.
DisplayName OnPremisesSyncEnabled
----------- ---------------------
EXOIP TrueStep 4. Disable on-premises directory synchronization
Turn off directory synchronization and convert your on-premises synchronized users to cloud-only. Run the Update-MgBetaOrganization cmdlet to stop the synchronization.
$OrgID = (Get-MgOrganization).Id
$params = @{
onPremisesSyncEnabled = $false
}
Update-MgBetaOrganization -OrganizationId $OrgID -BodyParameter $paramsNote: It may take up to 72 hours to complete deactivation once you have disabled on-premises directory synchronization through this cmdlet. The time depends on the number of objects that are in your cloud service subscription account. You cannot cancel the disable action. It needs to be completed before you can take any other action, including re-enabling on-premises directory synchronization. If you choose to re-enable on-premises directory synchronization, a full synchronization of your synced objects will happen. This may take a considerable time, depending on the number of objects in your Active Directory.
Step 5. Verify on-premises synchronization status
Check that on-premises directory synchronization is disabled in Microsoft Entra ID.
Get-MgOrganization | Select-Object DisplayName, OnPremisesSyncEnabledThe OnPremisesSyncedEnabled property should appear as a null (empty) value.
DisplayName OnPremisesSyncEnabled
----------- ---------------------
EXOIPThis is what the sync status looks like in Microsoft 365 admin center before turning off directory synchrnization.
This is what the sync status looks like in Microsoft 365 admin center after turning off directory synchronization.
That’s it!
Read more: Move Azure AD Connect to new tenant »
Conclusion
You learned how to disable Active Directory synchronization with Microsoft Entra ID. The correct way is to disable directory synchronization in both AD on-premises and Microsoft Entra ID. After that, uninstall Azure AD Connect software. Suppose this can’t be done because the on-premises environment is taken down, you can turn off directory synchronization in Microsoft Entra ID only.
Did you enjoy this article? You may also like Export Azure AD users to CSV with PowerShell. Don’t forget to follow us and share this article.
What Others Are Reading
Why not to use Set-MsolDirSyncEnabled, or this command will not work? And will all messages in mailboxes/onedrive files remain after converting (no new users are created)?
I just trying to prepare to scenario, where on premises AD server and AD Connect server is completely down without ability to restore and what to do then. So converting users to cloud only from cloud would be the only option, but not sure if everything will be ok.
The Set-MsolDirSyncEnabled cmdlet is going to be deprecated on March 30, 2024.
All the accounts will stay the same in Microsoft 365.
It would work, but that’s not what you want to do.
The correct approach is to have a backup running for all the on-premises servers. When something happens to the server(s), you restore them.
Hi, great, it worked great for my test environment, I wanted to ask you, but does this command only affect users? In the sense, I have groups (memberships) in Microsoft Entra ID but they are like Target on Windows Server, and other Clouds, what will happen to them? Thank you 🙂
I’m curious about this as well. Are you able to confirm what happens to the synced distribution and security groups?
Hi.
Thanks for your content, very helpful!
We have one big AD sync with O365 – COMP1
We needed to join another company on this tenant, joining the group; We have done that with ADConnect and Exchange Hybrid: COMP2. This worked perfectly.
Now we want to stop AD Connect and remove Exchange Hybrid for COMP2 but keep it from COMP1. We have followed MS advice and everything seems ok. But it’s now a week delay, and users from COMPA2 are still “connected” to on Premise, even is AD Connect on AD-COMP2 has been removed after running the Powershell commands from the article and cleanup all hybrid stuff.
Any Idea? Do we have to disabled temporarily AD Connect COMP1?
JC
Hello Ali
Please what is the “modern” way to convert only specific objects to cloud-only, e.g. when using Microsoft Entra Cloud Sync?
In past there were hacky options to $null ImmutableId, remove objects from syncing and restoring them back with resetting password, changing sourceAnchor, etc..
MS blocked such options and then, after user feedback reverted it back but then I lost the focus.
Today, is there some supported/unsupported way how to convert object to cloud-only without disabling sync globally?
Thank you very much!
I have this exact questions. I have to migrate and move a vanity domain from source tenant, so I guess I need to stop sync, but would love to be able to just delete and restore user to get it back to cloud instead.
I have a question about “Turn off directory synchronization and convert your synchronized users to cloud-only”. I have Microsoft Entra Cloud sync and do not wish to make the accounts cloud-only, only to remove AD Connect. Will the command in the article also disable the running Cloud Sync tool and still convert the accounts to cloud only?
Thank you for your content.
C.C.
If you want to uninstall Azure AD Connect, you should skip the steps to turn off directory synchronization because you need that.
Follow the steps at the end of this article to uninstall Azure AD Connect.