How to revert from hybrid AAD back to on-Prem AD only

Justin Lee 221 Reputation points

I am working with a company that is worried about the all or none feature when hybrid joining devices via AAD connect. They are wondering how to revert devices back to on-Prem only if joining to Azure AD causes an issue.


Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
6,071 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,127 questions
0 comments No comments
{count} votes

Accepted answer
  1. Limitless Technology 44,056 Reputation points


    I'd be happy to help you out with your question. Sorry for the inconvenience caused.

    To revert from hybrid Azure AD back to on-premises AD only, you can follow these steps:

    1. Remove the device from Azure AD by unjoining it. You can do this using the Azure portal or PowerShell.
    2. Remove the device from Intune if it is enrolled. This can be done in the Intune console or PowerShell.
    3. Remove the device from the Hybrid Azure AD join by running the following PowerShell command on the device: dsregcmd /leave.
    4. Remove the device object from Active Directory Users and Computers.
    5. Remove the device object from Active Directory Sites and Services.
    6. If you used Azure AD Connect to synchronize the device object to Azure AD, you need to ensure that the device object is not synchronized again by removing it from the appropriate synchronization group.
    7. Ensure that the device is joined to the on-premises AD domain using traditional methods.

    Note that if the device has been enrolled in Intune, any data or settings that were configured on the device using Intune may still remain after the device is removed from Azure AD. Therefore, it's important to ensure that all Intune policies are removed from the device as well.

    Also, reverting from hybrid Azure AD back to on-premises AD only means that the device is no longer managed by Azure AD. This can affect access to cloud resources and applications that rely on Azure AD authentication, so you may need to adjust your access policies accordingly.

    If you have any other questions or need assistance with anything, please don't hesitate to let me know. I'm here to help.

    If the reply was helpful, please don’t forget to upvote or accept as answer, thank you.

    0 comments No comments

2 additional answers

Sort by: Most helpful
  1. Sandeep G-MSFT 15,336 Reputation points Microsoft Employee

    @Justin Lee

    You can follow below steps to remove/unjoin devices from Azure AD,

    • Open command prompt as administrator.
    • Run the command dsregcmd /status.
    • This command will show you the current state of device, if it is joined to Azure or not.
    • If the device is joined, then you can run command "dsregcmd /leave"
    • This command will remove the device from Azure AD.

    Post this you can move the devices OU to AD connect sync scope.

    Let me know if you have any further questions

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

  2. Daniel Mare 0 Reputation points

    This answer only answers it on a per individual computer basis. What if we're finding issues and want to roll it back globally? Can the change be rolled back in the Microsoft Azure Active Directory Connect utility to prevent further devices from hybrid-joining?

    0 comments No comments