How to migrate from Hybrid Identity to cloud-only identity ?

Rahul 226 Reputation points

Hi Team, Currently we are using hybrid identity i.e. users getting synced from on-prem AD to Azure AD with password hash sync authentication , now we are planning to go to have cloud only identity i.e. existing users remain in Azure AD only. Is there any migration steps that we need to follow ? please share links to any microsoft article. Is this a supported scenario because if we turn-off AAD Connect server it will cause errors correct ? (Please share your thoughts if worked on this scenario)

Azure Active Directory
Azure Active Directory
An Azure enterprise identity service that provides single sign-on and multi-factor authentication.
14,743 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Akshay-MSFT 5,916 Reputation points Microsoft Employee


    Thank you for posting your query on Microsoft Q&A. In order to move your environment to cloud kindly follow Transition to the cloud.

    When you plan your migration to Azure AD, consider migrating the apps that use modern authentication protocols (such as SAML and OpenID Connect) first. You can reconfigure these apps to authenticate with Azure AD either via a built-in connector from the Azure App Gallery or via registration in Azure AD.

    After you move SaaS applications that were federated to Azure AD, there are a few steps to decommission the on-premises federation system:

    Move application authentication to Azure Active Directory

    Migrate from Azure AD Multi-Factor Authentication Server to Azure AD Multi-Factor Authentication

    Migrate from federation to cloud authentication

    Move remote access to internal applications, if you're using Azure AD Application Proxy

    If you're using other features, verify that those services are relocated before you decommission Active Directory Federation Services.

    Once done, Only option is to disable dirsync for entire tenant by using the same command as mentioned as below.

    Set-MsolDirSyncEnabled -EnableDirsync $False

    If you go into Azure AD Connect, and under Domain and OU filtering, uncheck a group, this will delete the group from Azure AD as well. This approach will not suit for your requirement.

    Please do let me know if you have any further queries.


    Akshay kaushik

    Please "Accept the answer" (Yes), and share your feedback if the suggestion answers you’re your query. This will help us and others in the community as well.

    1 person found this answer helpful.
    0 comments No comments