Safely converting Azure AD synced users to cloud-only without mailbox data loss (Exchange Online)

Muhammet Dilber 45 Reputation points
2026-02-11T10:35:04.6033333+00:00

Hello,

We are planning to decommission our on-premises Active Directory and Azure AD Connect, and convert all currently synced users to cloud-only in Microsoft 365.

Our environment details:

Users were originally synchronized from on-prem AD using Azure AD Connect.

Mailboxes are hosted in Exchange Online (no hybrid mailbox migration in progress).

All users currently have active licenses and working mailboxes.

We previously had a scenario where a synced user was soft-deleted and restored due to OU changes in on-prem AD.

In the past, we also removed the msExchMailboxGuid matching during initial synchronization.

Currently, mailboxes are healthy and accessible (OWA/Outlook working).

Our goal: We want to disable directory synchronization tenant-wide using Microsoft Graph:

Update-MgOrganization -OrganizationId <TenantId> -BodyParameter @{ onPremisesSyncEnabled = $false }

Then fully remove Azure AD Connect and keep all users as cloud-only.

Critical requirement: We MUST ensure:

No user object deletion

No mailbox soft-delete

No ExchangeGuid changes

Zero mailbox data loss

Questions:

When disabling directory synchronization using onPremisesSyncEnabled = false, are existing synced users converted in-place to cloud-only without re-provisioning?

Is there any scenario where Exchange Online mailboxes get soft-deleted during this process?

Does previous manipulation of msExchMailboxGuid in on-prem AD create any risk during this conversion?

Are there any additional recommended validation steps before disabling sync to guarantee no mailbox lifecycle event is triggered?

We are not removing licenses, not deleting users, and not modifying ImmutableID.

We would appreciate confirmation of the expected mailbox behavior during this transition.

Thank you.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Answer accepted by question author
  1. Vasil Michev 125.2K Reputation points MVP Volunteer Moderator
    2026-02-11T11:12:24.1866667+00:00

    ExO mailboxes are tied in to the corresponding Entra user objects, so as long as you don't make any breaking changes on that front, everything will be fine. Stopping dirsync will indeed convert the users to cloud-only, and allow you to "fully" manage them via the Entra/M365 tools. The associated mailbox will not be affected in any way during this process, and as long as a license remains assigned to it.

    As a hint, if you put the mailboxes on hold, be it "classic" litigation hold or as part of Purview retention policies, even in the event of deleting the user object, the mailbox will be preserved as the so-called "inactive" mailbox. Generally speaking, there should be no need to go that route just for the sake of the "disable dirsync" scenario, I only mention it as a method to doubly ensure your peace of mind.


1 additional answer

  1. Q&A Assist
    2026-02-11T10:35:30.43+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    When you disable directory synchronization using onPremisesSyncEnabled = false, existing synced users are converted in-place to cloud-only without requiring re-provisioning. This means that their user objects will remain intact, and they will not be deleted or soft-deleted during this process, provided that you follow the correct steps and do not remove licenses or modify the ImmutableID.

    Regarding the risk of soft-deletion of Exchange Online mailboxes, as long as you ensure that no changes are made to the user objects in Azure AD (such as deletions or modifications that would trigger a soft-delete), there should be no scenario where mailboxes get soft-deleted. The previous manipulation of msExchMailboxGuid in on-prem AD should not create any additional risk during this conversion, as long as the mailbox is healthy and accessible prior to disabling sync.

    Before disabling sync, it is recommended to validate the following:

    1. Ensure that all mailboxes are healthy and accessible.
    2. Confirm that there are no pending changes in the on-premises AD that could affect the users.
    3. Verify that the PublicFoldersEnabled value is not set to 'Remote' if you are using public folders, as this could require migration to Exchange Online.
    4. Check that all users have active licenses and that no user object deletions are pending.

    By taking these steps, you can help guarantee that no mailbox lifecycle events are triggered during the transition to cloud-only users.

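A read-only way to check the question's three requirements (no user deletion, no mailbox soft-delete, no ExchangeGuid change) before and after the change, added here as an example and not part of either answer. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules with sessions already connected; the script parameters, function names and CSV path are hypothetical.

```powershell
# Added example: read-only baseline and verification around the dirsync change.
# Assumes Connect-ExchangeOnline and Connect-MgGraph -Scopes 'User.Read.All' were run.
# Script parameters, function names and the CSV path are hypothetical.
param([ValidateSet('Baseline','Verify')][string]$Mode = 'Baseline',
      [string]$Path = '.\mailbox-baseline.csv')

function Get-MailboxSnapshot {
    # Index Entra users by object ID, then emit one row per mailbox.
    $users = @{}
    Get-MgUser -All -Property Id,OnPremisesSyncEnabled |
        ForEach-Object { $users[$_.Id] = $_ }
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $id = [string]$_.ExternalDirectoryObjectId
        [pscustomobject]@{
            ObjectId     = $id
            UPN          = $_.UserPrincipalName
            ExchangeGuid = [string]$_.ExchangeGuid
            Synced       = [bool]$users[$id].OnPremisesSyncEnabled
        }
    }
}

function Compare-MailboxSnapshot {
    param([object[]]$Before, [object[]]$After)
    $now = @{}
    foreach ($m in $After) { $now[$m.ObjectId] = $m }
    foreach ($b in $Before) {
        $a = $now[$b.ObjectId]
        if (-not $a) {
            [pscustomobject]@{ UPN = $b.UPN; Finding = 'MailboxMissing' }
        } elseif ($a.ExchangeGuid -ne $b.ExchangeGuid) {
            [pscustomobject]@{ UPN = $b.UPN; Finding = 'ExchangeGuidChanged' }
        }
    }
}

if ($Mode -eq 'Baseline') {
    # Run before Update-MgOrganization; keep the CSV as the reference state.
    Get-MailboxSnapshot | Export-Csv -Path $Path -NoTypeInformation
} else {
    # Run after the change; any row returned needs a look.
    $before = @(Import-Csv -Path $Path)
    $after  = @(Get-MailboxSnapshot)
    Compare-MailboxSnapshot -Before $before -After $after
    $after | Where-Object Synced |
        Select-Object UPN, @{ n = 'Finding'; e = { 'StillSynced' } }
    Get-Mailbox -SoftDeletedMailbox -ResultSize Unlimited |
        Where-Object { $before.ExchangeGuid -contains [string]$_.ExchangeGuid } |
        Select-Object @{ n = 'UPN'; e = { $_.UserPrincipalName } }, @{ n = 'Finding'; e = { 'SoftDeleted' } }
}
```

The soft-deleted check only reports mailboxes whose ExchangeGuid appears in the baseline, so soft-deleted mailboxes that existed before the change are not flagged.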
