25,148 questions
Hi,
- No, it won't. You can see the sync error "latest data is not available" but there won't be an impact on account source.
- The password from the most recent AAD sync will stick.
I hope this helps
Cheers
Sakaldeep
What will happen when you turn off directory synchronization for MS 365?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 3%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
Noctis0791
121
Reputation points
Hi Experts,
Just a quick confirmation here since I cannot find the answers online thru my searches. What will happen when you turn off directory synchronization for MS 365?
- Will all Synced accounts in MS 365 become Cloud Only accounts?
- How about the passwords, will it be the cloud password prior to AAD Sync implementation? Or the passwords from the most recent AAD Sync will stick?
Please advise.
Thank you so much!
Logbi
Microsoft Security | Microsoft Entra | Microsoft Entra ID
4 answers
Sort by: Most helpful
-
Sakaldeep Yadav 171 Reputation points MVP2020-07-24T19:54:14.437+00:00 -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 0%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVM%3C/text%3E%3C/svg%3E)
VipulSparsh-MSFT 16,311 Reputation points Microsoft Employee2020-07-27T10:33:47.79+00:00 @Noctis0791-8502 If you plan to turn off directory synchronization for MS 365, all users will start showing up as In-Cloud users. And you will be able to delete the synced users just like cloud users.
For example, this user was a synced user :
Once you disable the synchronization, you will see that this user changed to In-cloud user on Office portal.
Azure AD portal might take upto 72 hours to show this change but office portal is quite quick. You can then test it by deleting the previously synced user from office portal to confirm, just like this screenshot :
And for the password, it sticks to the last password which was synchronized from local AD. Hope this helps. Let us know if you have any questions.
If the suggested response helped you resolve your issue, do click on "Mark as Answer" and "Up-Vote" for the answer that helped you for benefit of the community.
-
VipulSparsh-MSFT 16,311 Reputation points Microsoft Employee
2020-07-30T14:58:21.093+00:00 @Noctis0791 I wanted to follow up and know if the above response helped in answering your query. If it did, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 52%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJL%3C/text%3E%3C/svg%3E)
Julian Laibach 0 Reputation points2024-10-19T08:08:57.2833333+00:00 How about Accounts on Computers, if an Account is now only Cloud based is the User still able to Log-In to the Account or is there any additional Configuration required locally?
Sign in to comment -
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(140.8, 33%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDC%3C/text%3E%3C/svg%3E)
Doug Chandler 2 Reputation points2025-02-20T17:08:28.8566667+00:00 The other thing that happens is the account name gets updated. This is used by Windows as the directory name for the user. All the time this is synced, I believe it can be overridden or uses the ImmutableID, but when you switch off the sync it is forced to be the Account Name without any spaces. This causes a problem if you put any non-standard characters into the account name as it might cause problems with software on a Windows PC.
Never understood why they use essentially a free text field for the folder name c:\Users...
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 34%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESP%3C/text%3E%3C/svg%3E)
Stéphane RENAUD 0 Reputation points2025-03-18T10:49:29.9733333+00:00 Hi Thanks for the clarifications. and what about the ImmutableID, is it cleared when all accounts are converted ? and if we reenable the Sync 72h later how it will match all accounts with on-prem ?
Thanks for your answer
-
Doug Chandler 2 Reputation points
2025-03-18T11:06:57.96+00:00 No the ImmutableID is not cleared, the data is preserved, we used the ImmutableID as our key field to match with an on-prem user. But also consider that you cannot update the ImmutableID if the domain is 'federated'. So if you need to update the ImmutableID directly you will need to do a multi-stage process of changing the UPN (and hence domain) of the user to the tenant domain (.onmicrosoft.com) do the change, then change the UPN back.
I've done a lot of work in this area, including disabling the sync from on-prem and updating users directly using Graph API and Exchange PowerShell.
The 72h quoted is an estimate of how long it will take to cycle through all the users and un-sync them. This time period will be dependent on the number of users in the directory. We had 373,000 user accounts and it took just over 37h (average of 167.5 users/min), so well below 72h. During this period of un-syncing, the users are available to be updated directly, but you cannot re-enable the sync until it has finished un-syncing all accounts.
Sign in to comment -