Correct way to convert 365 tenant from AAD Connect Sync to cloud-only

Caspar - ABO 196 Reputation points
2024-04-30T15:08:44.93+00:00

Hi, about a year ago, one of my customers enabled AAD Connect Sync to synchronize all users and security groups from their existing on-premises Active Directory to a freshly set up Microsoft 365 tenant. This past year all applications and services have been fully migrated to 365 (Teams, Exchange, SharePoint).

The old Active Directory is no longer needed and we want to completely shut down all remaining on-premises servers and get rid of all the old server hardware.

The customer wants me to completely remove the old synchronization so that all objects become "cloud-only", in such a way that we can fully edit everything from the 365 portal and also create users in the tenant without having to first create them on-premises and wait for the sync to happen. There are no services or applications left that depend on the old AD, so this should be simple.

What are the exact steps to make this happen? Does the command "Set-MsolDirSyncEnabled -EnableDirSync $false" still work? I'm having a little trouble finding what to do exactly and in what order: turn off the sync tool and then run this command (if it is still available)? Hopefully someone has the exact steps, as multiple websites tell me a different story every time.


Accepted answer
  1. Vasil Michev 96,356 Reputation points MVP
    2024-04-30T15:17:59.2366667+00:00

    The only thing you need to do is to disable the synchronization process, which indeed can be achieved by the above cmdlet. The Graph API/SDK does not currently offer a method to disable synchronization, so you're stuck with the good old Set-MsolDirSyncEnabled cmdlet.

    After you run the cmdlet, it might take some time to process the changes on the backend, depending on the size of your tenant. Once the process completes, you will be able to manage any previously synchronized object directly within the M365/Entra admin center, or via PowerShell/Graph API. No further steps are needed.

    Just for the sake of completeness, how are your users authenticating? Those additional steps you might have read about apply to scenarios where you have configured federation or leverage the PTA/SSO features that similarly redirect the sign-in process. If that's the case, additional steps such as converting the users or provisioning a password for them might be needed. If you are leveraging "native" cloud authentication or password sync, no further steps are needed.

    1 person found this answer helpful.
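As an added example (not part of the accepted answer and not Microsoft's own documentation), the PowerShell below wraps the cmdlet from the answer with the pre-checks the answer hints at (federated domains, password hash sync) and a post-check that previously synced users have actually become cloud-only. It assumes the MSOnline and Microsoft.Graph modules are installed and already connected (Connect-MsolService and Connect-MgGraph -Scopes 'User.Read.All' have been run).

```powershell
# Added example: cutover from AAD Connect sync to cloud-only, with checks.
# Assumes Connect-MsolService and Connect-MgGraph -Scopes 'User.Read.All'
# were already run in this session.

# 1. Pre-check: the answer's federation/PTA caveat. A domain that still
#    authenticates via federation must be converted to Managed first,
#    otherwise its users cannot sign in once the on-premises side is gone.
$federated = Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' }
if ($federated) {
    Write-Warning "Federated domains still present: $($federated.Name -join ', ')"
    Write-Warning "Convert them to managed authentication before disabling sync."
    return
}

# 2. Pre-check: password hash sync must be on, so synced users keep a
#    usable cloud password after the sync tool is switched off.
$info = Get-MsolCompanyInformation
Write-Host ("Sync enabled: {0}  PHS enabled: {1}  Last sync: {2}" -f `
    $info.DirectorySynchronizationEnabled, $info.PasswordSynchronizationEnabled, $info.LastDirSyncTime)
if (-not $info.PasswordSynchronizationEnabled) {
    Write-Warning "Password hash sync is off; synced users would need cloud passwords provisioned."
    return
}

# 3. Disable directory synchronization (the cmdlet from the accepted answer).
#    Stop the AAD Connect scheduler on-premises first so no late export races this.
Set-MsolDirSyncEnabled -EnableDirSync $false -Force

# 4. Post-check: the backend processes the change asynchronously (the answer
#    notes this can take a while on large tenants), so poll with a bounded wait.
$attempts = 0
do {
    Start-Sleep -Seconds 300
    $info = Get-MsolCompanyInformation
    $attempts++
} while ($info.DirectorySynchronizationEnabled -and $attempts -lt 48)   # up to ~4 hours here
if ($info.DirectorySynchronizationEnabled) {
    Write-Warning "Sync still reported as enabled; re-run the post-check later (it can take longer)."
    return
}

# 5. Verify via Graph that no user is still flagged as directory-synced.
$stillSynced = Get-MgUser -All -Property Id, UserPrincipalName, OnPremisesSyncEnabled |
    Where-Object { $_.OnPremisesSyncEnabled -eq $true }
if ($stillSynced) {
    Write-Warning "$($stillSynced.Count) user(s) still show OnPremisesSyncEnabled = true:"
    $stillSynced | Select-Object UserPrincipalName | Format-Table -AutoSize
} else {
    Write-Host "All users are now cloud-only; safe to decommission the sync server."
}
```

Run the checks in step 5 again the next day: on large tenants the per-object flag can lag behind the tenant-level setting.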

1 additional answer

  1. Andy David - MVP 142.6K Reputation points MVP
    2024-04-30T15:18:55.2666667+00:00