Convert Security Group that is synced from on-premises, to an online only group and break the syncing

Question

Convert Security Group that is synced from on-premises, to an online only group and break the syncing

77293397 41

Hi there,
I have synced our on-premises active directory to Azure AD with Azure AD Connect.

So, all our on-premises security groups are synced to Azure AD, and I cannot modify members in Azure AD(of course). However, since they are already in Azure AD(and linked to all the Sharepoint data we have also migrated... I would like to convert these synced groups in Azure AD to a cloud-only security groups.

Or, put another way, I want to keep them in azure AD, and disjoin them from syncing, so that they don't sync to on-prem AD anymore, and so that I can modify their membership in Azure AD going forward.

Or, in even another way... change the source of the group from "Windows Server AD" to "Cloud"

How can this be done?

Devaraj G 2,096 Reputation points Volunteer Moderator

2022-03-10T00:40:33.913+00:00

Hi, Just checking the progress. did you end up converting the group ?
77293397 41 Reputation points

2022-03-10T18:33:54.357+00:00

Not Yet, but soon. I'll update when I confirm it all works.
77293397 41 Reputation points

2024-02-27T20:19:41.8633333+00:00

This is not the solution. In exchange admin center, there is a button to convert a mailbox from user to shared. We need a button like that to convert a group from synced to cloud.

6 answers

Your answer

Devaraj G 2,096 Reputation points Volunteer Moderator

2022-03-10T00:40:33.913+00:00

Hi, Just checking the progress. did you end up converting the group ?
77293397 41 Reputation points

2022-03-10T18:33:54.357+00:00

Not Yet, but soon. I'll update when I confirm it all works.
77293397 41 Reputation points

2024-02-27T20:19:41.8633333+00:00

This is not the solution. In exchange admin center, there is a button to convert a mailbox from user to shared. We need a button like that to convert a group from synced to cloud.

Answer 1

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

9 deleted comments

Comments have been turned off. Learn more

Answer 2

Rahul Shah 5

Hi Steve - Where you able to convert on-prem security group to cloud only ? I am in the same boat and would like to convert specific security groups to cloud only. But when I move these groups out of sync, they are just removed from Azure. I do not see them in Azure as deleted groups to restore them in Azure. I have followed this process for user accounts and it does work. I am able to restore the user accounts in Azure and then nullify the immutable id. But I guess groups do not work the same way. Any suggestions, workarounds for the groups ? Please advise.

Thanks,

Rahul

A, Harvin (Cognizant) 5 Reputation points

2023-04-15T16:30:07.85+00:00

hi Rahul Shah - Yes you can move the user to non-syncing OU and it will be available in the deleted users feature in Azure AD where you can restore it with ease but the same scenario doesn't work with synced security groups as per the current flow. There is no deleted groups feature as well, i checked this. Only option available is to stop the sync completely for the domain which will convert all the user accounts and groups to CLOUD ONLY. This option will help only for scenarios where you want to remove the on-premise setup after stopping the sync and use only Azure AD in the future.

Answer 3

Matthew Browne 21 MVP

Your best option is to do the following

Open Up Azure AD Connect

Create an Ou for all the security groups you dont want synced , put the security groups into this

Once this is done , then go back into your ad connect and ensure the out is not synced the security groups should disappear out of azure after 30 minutes.

Best Regards
Matthew Browne MCT
@AzureGuruMatt

77293397 41 Reputation points

2022-03-03T21:33:30.357+00:00

This is not what I was looking to achieve. I want to keep it in AzureAD. Dev073 got me an answer that I'm testing out.

Answer 4

77293397 41

Not yet, no... I have not been able to do that successfully.

Answer 5

Md. Abdul Razzak 10

Create a new OU. Move all existing security groups to new OU that is non-sync to AAD.

Run AD Connect tool and confirm that new OU is out of sync. After completing the sync process all the security group will be cloud only.

Charles Reid 15 Reputation points

2024-02-27T19:26:18.4866667+00:00

Doing this simply removes the groups from Azure Ad not convert them to cloud only
Ahmad Shahidan 0 Reputation points

2024-05-31T09:32:38.33+00:00

you can restore in the deleted group and it will become cloud only group.
Sebastian Stauber 15 Reputation points

2024-05-31T12:43:17.0133333+00:00

@Ahmad Shahidan did this work for you? I just tried moving these groups to a non-syncing OU, but they were just deleted in Entra and they do not appear in the trashbin.
Markus Schädlich 70 Reputation points

2024-12-18T07:26:26.3033333+00:00

Here, too, the groups were deleted after they were moved to a non-synchronized OUde.

Share via

Convert Security Group that is synced from on-premises, to an online only group and break the syncing

6 answers

Your answer