Migrate to AAD and decom on prem AD

Patrick M 20 Reputation points
2023-03-07T01:54:57.5433333+00:00

I have a very simple on-prem AD domain which has a small set of users (less than 10) and I am syncing those users into AAD. The AAD directory is driving O365 services. I want to keep the AAD/O365 setup for the domain; however, I want to decommission the on-prem Active Directory, which is no longer needed.

I have found resources where users discuss breaking the sync, converting the user accounts to cloud only, and then re-establishing sync afterwards whereby the cloud users are under a different domain.

I am not interested in re-enabling syncing afterwards. I want to completely eliminate the on-prem AD domain controller and have all users be cloud only under the user principal name of the current domain (@imichalski.net).


Accepted answer
  1. Dillon Silzer 54,286 Reputation points
    2023-03-07T02:42:16.34+00:00

    Hello Patrick,

    #1 You can turn it off via PowerShell:

    Please see the following documentation:

    Turn off directory synchronization for Microsoft 365

    https://learn.microsoft.com/en-us/microsoft-365/enterprise/turn-off-directory-synchronization?view=o365-worldwide

    #2 Disable Azure AD Connect:

    Office 365: What happens when you disable AD Connect?

    https://www.slashadmin.co.uk/office-365-what-happens-when-you-disable-ad-connect/


    If this is helpful please accept answer.

    2 people found this answer helpful.

3 additional answers

  1. Sandeep G-MSFT 14,156 Reputation points Microsoft Employee
    2023-03-10T04:03:04.4+00:00

    @Patrick M

    If you are looking to completely decommission on-premises AD, then you will have to break the link between on-premises and Azure AD. AD Connect will not be functional to sync objects from Azure AD to cloud.

    To stop the sync you can either stop the AD Connect service on the on-premises server or you can uninstall AD Connect from the server.

    Post this, you will still not be able to manage previously synced user objects in Azure AD. To manage these users you will have to follow the steps below:

    • Open Windows PowerShell as administrator.
    • Run the command `Install-Module MSOnline`.
    • Run `Connect-MsolService`.
    • The above command will prompt for credentials. You can enter global admin credentials in the prompt.
    • Post this, you can run the command `Set-MsolDirSyncEnabled -EnableDirSync $False`.
    • The above command will change all users to "cloud only" users. This will let you manage user objects in Azure AD itself.

    Post this you can decommission your on-premises environment.

    You can also refer to the article below:

    https://learn.microsoft.com/en-us/microsoft-365/enterprise/turn-off-directory-synchronization?view=o365-worldwide

    Let me know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    2 people found this answer helpful.
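The procedure in the answer above, as an added example that is not part of any answer on this page: it records the tenant's sync state, disables directory synchronization with the MSOnline cmdlets the answer names, and then polls until Azure AD no longer reports any user as synced. It assumes the MSOnline module is installed and that a Global Administrator signs in when prompted; the polling interval and deadline are chosen values, not Microsoft-prescribed ones.

```powershell
# Added example (not from this page's answers). Assumes: MSOnline module installed,
# Global Admin credentials entered at the Connect-MsolService prompt, and that the
# AD Connect sync scheduler on the on-prem server has already been stopped.
# MSOnline is a legacy module; Microsoft now recommends the Microsoft Graph
# PowerShell SDK for new automation, but MSOnline is what the answer above uses.

Import-Module MSOnline
Connect-MsolService   # interactive prompt for Global Admin credentials

# 1. Record the state before the change so there is a record of what was done.
$before = Get-MsolCompanyInformation
"DirectorySynchronizationEnabled before: $($before.DirectorySynchronizationEnabled)"
"LastDirSyncTime (tenant): $($before.LastDirSyncTime)"

# Users Azure AD still treats as synced (read-only in the cloud) carry a
# LastDirSyncTime; cloud-only users have none.
$synced = @(Get-MsolUser -All | Where-Object { $null -ne $_.LastDirSyncTime })
"Synced users before: $($synced.Count)"
$synced | Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime |
    Format-Table -AutoSize

# 2. Disable directory synchronization. This is the step that converts every
#    synced object to cloud-only. -Force suppresses the confirmation prompt;
#    drop it if you want to confirm interactively.
Set-MsolDirSyncEnabled -EnableDirSync $false -Force

# 3. The tenant flag flips quickly, but the per-object conversion can take a
#    long time (Microsoft's documentation mentions up to 72 hours), so poll
#    rather than assume. Interval and deadline below are chosen values.
$deadline = (Get-Date).AddHours(72)
do {
    Start-Sleep -Seconds 600
    $remaining = @(Get-MsolUser -All | Where-Object { $null -ne $_.LastDirSyncTime })
    "$(Get-Date -Format s): $($remaining.Count) user(s) still marked as synced"
} while ($remaining.Count -gt 0 -and (Get-Date) -lt $deadline)

# 4. Confirm the tenant-level flag is off before demoting the domain controller.
$after = Get-MsolCompanyInformation
"DirectorySynchronizationEnabled after: $($after.DirectorySynchronizationEnabled)"
if ($remaining.Count -gt 0) {
    Write-Warning "Some users are still marked as synced; do not demote the DC yet."
}
```

Only decommission the on-prem domain controller once step 4 reports the flag as False and no users remain marked as synced; until then the cloud objects are still read-only.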

  2. Thameur-BOURBITA 32,496 Reputation points
    2023-03-07T11:35:56.2+00:00

    Hi, @Patrick M

    You can convert synced users to cloud-only users by disabling directory synchronization:

    Set-MsolDirSyncEnabled -EnableDirSync $false

    Once the directory synchronization is disabled, you will be able to manage user accounts only from the Azure portal.

    Before demoting the last domain controller, check whether you still have any GPO settings that can impact desktop or server configuration.

    Please don't forget to mark the helpful answer as accepted.

    1 person found this answer helpful.

  3. Korbyn Forsman 5 Reputation points
    2024-02-29T21:55:08.7033333+00:00

    All these years and there still isn't a simple switch in Azure/Entra to set ownership from on-premises to Cloud-Only for users/groups/exchange objects... I have a Tenant, running Connect to one AD Forest and a Cloud Sync to another AD Forest. We're ready to shut down the Cloud Sync/AD. Does disabling the Cloud Sync configuration, make all the users Cloud Only?

    Also, in the Connect, I would love to shift ownership of all Exchange objects to Online?