Hi @Christian Horn, as a first step, evaluate which authentication method is being used for the tenant. Make sure it is not PTA or ADFS but PHS. Next you would have to convert all synced accounts to cloud-only accounts. For that you will have to disable synchronization using the PowerShell provided in https://learn.microsoft.com/en-us/microsoft-365/enterprise/turn-off-directory-synchronization?view=o365-worldwide. Post this, the users will reflect as cloud-only in Azure AD. Another thing to keep in mind is that the groups should also be synced over to Azure so that the users do not lose their memberships. I don't think there is documentation as such, but I'll see if I can find something.
Disconnect AD from AAD
This is something I'll need for the mid-term future and I'd like to start by asking for useful resources, links, hints, tips, etc. on this topic:
Current setup: local AD + AAD Connect -> all users in AAD -> Exchange Online, M365, etc.
Future setup: eliminate local AD -> keep the users in AAD only -> don't lose data
Surely going to be a nightmare. Anything is welcome, be it whitepapers, experience, whatever you have I can start reading...
Thank you,
Chris
-
Abhijeet-MSFT 546 Reputation points Microsoft Employee
2021-01-22T14:35:23.08+00:00
2 additional answers
Sort by: Most helpful
-
Vasil Michev 109.5K Reputation points MVP
2021-01-22T14:25:01.543+00:00
All you need to do is disable dirsync via PowerShell:
Connect-MsolService   # sign in with a Global Administrator account first (MSOnline module)
Set-MsolDirSyncEnabled -EnableDirSync $false
Doing this will "break" the link with on-premises, but will keep any synchronized and cloud-created objects intact, and will switch their "source of authority" to Azure AD, allowing you to manage them directly via the cloud tools.
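The two answers above (Abhijeet's checklist: PHS rather than PTA/ADFS, groups synced, then disable sync; Vasil's one-liner) together describe a cutover procedure. The following pre-flight check is an added example and is not code from either poster or from Microsoft; it uses the same MSOnline module as the answers. It assumes the module is installed and that `Connect-MsolService` has already been run as a Global Administrator, and the export path is a made-up placeholder. It does not run `Set-MsolDirSyncEnabled` itself; it tells you whether you are ready to.

```powershell
# Added pre-flight check before breaking the Azure AD Connect link.
# Assumption: MSOnline module loaded and Connect-MsolService already done.

function Test-CloudOnlyCutoverReadiness {
    param(
        # Placeholder path for the inventory of synced objects (assumed, not from the thread)
        [string]$ExportPath = ".\synced-objects-before-cutover.csv"
    )

    $company = Get-MsolCompanyInformation
    $domains = Get-MsolDomain
    $problems = @()

    # 1. Federated (ADFS) domains: after dirsync is off there is no on-prem
    #    federation to authenticate against, so these must be converted to
    #    Managed first. Get-MsolDomain exposes this as the Authentication property.
    $federated = $domains | Where-Object { $_.Authentication -eq 'Federated' }
    if ($federated) {
        $problems += "Federated domains still present: $($federated.Name -join ', ')"
    }

    # 2. Password hash sync: without PHS the synced users have no usable cloud
    #    password once the link is broken. PTA cannot be detected reliably from
    #    MSOnline (assumption: verify PTA in the Azure AD Connect configuration).
    if (-not $company.PasswordSynchronizationEnabled) {
        $problems += "Password hash sync is not enabled; users would be locked out"
    }

    # 3. Is sync actually still on, and how stale is it? A very old LastDirSyncTime
    #    means on-prem changes (new group members, disabled accounts) may be missing.
    if (-not $company.DirectorySynchronizationEnabled) {
        $problems += "Directory sync is already disabled in this tenant"
    }

    # 4. Inventory every synced user and group (synced objects carry a
    #    LastDirSyncTime) so memberships can be verified after the cutover.
    $syncedUsers  = Get-MsolUser  -All | Where-Object { $_.LastDirSyncTime }
    $syncedGroups = Get-MsolGroup -All | Where-Object { $_.LastDirSyncTime }

    $inventory = @()
    $inventory += $syncedUsers  | Select-Object @{n='Type';e={'User'}},
                                  @{n='Name';e={$_.UserPrincipalName}},
                                  ImmutableId, LastDirSyncTime
    $inventory += $syncedGroups | Select-Object @{n='Type';e={'Group'}},
                                  @{n='Name';e={$_.DisplayName}},
                                  @{n='ImmutableId';e={$null}}, LastDirSyncTime
    $inventory | Export-Csv -Path $ExportPath -NoTypeInformation

    # 5. Summary object: Ready is $true only when no blocking problem was found.
    [pscustomobject]@{
        Ready            = ($problems.Count -eq 0)
        Problems         = $problems
        SyncedUsers      = $syncedUsers.Count
        SyncedGroups     = $syncedGroups.Count
        LastDirSyncTime  = $company.LastDirSyncTime
        InventoryFile    = $ExportPath
    }
}

# Usage (interactive): review the result, fix every listed problem, then run
# Vasil's Set-MsolDirSyncEnabled -EnableDirSync $false separately.
Test-CloudOnlyCutoverReadiness | Format-List
```

Keep the CSV: after the cutover you can re-run `Get-MsolUser -All` and `Get-MsolGroup -All` and diff the names against it to confirm that no user or group membership was dropped when the objects became cloud-only. The Microsoft page Abhijeet linked describes the disable operation as taking time to complete and not being immediately reversible, so treat the readiness check as a gate rather than a formality.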
-
Christian Horn 31 Reputation points
2021-01-28T14:40:41.14+00:00
Thanks already, didn't know the conversion takes place automatically once the link's broken, that makes life much easier.
Any advice on how to handle PCs? As far as I know, with domain-joined machines they can only Hybrid Join or Azure AD Register but not Azure AD Join, so cloud-only users won't be able to log on. Is there any logic that I can follow, or is this a dead end requiring a manual rollout of freshly imaged PCs?