Can't uninstall Entra AD Sync

Question

Can't uninstall Entra AD Sync

Alan Auld 0

Our on premises AD server is no longer available. Therefore, I can't uninstall ADSync. I've tried to disable it supplied PowerShell scripts but it doesn't work. I now have accounts and groups from the on-prem server living in the cloud that I cannot remove.

Rukmini 36,695 Reputation points Microsoft External Staff Moderator

2026-03-10T19:46:02.2033333+00:00
Hey Alan, it sounds like since your on-prem AD is gone, the Azure AD Connect (Entra AD Sync) agent can’t find its source and won’t uninstall normally—and because directory sync is still “on,” the synced accounts/groups remain locked in the cloud. Here’s a two-part approach:

Turn off directory sync so you can delete the stale objects • Install and import the MSOnline PowerShell module if you haven’t already: Install-Module MSOnline Import-Module MSOnline • Connect to your tenant: Connect-MsolService • Disable DirSync: Set-MsolDirSyncEnabled –EnableDirSync $false • Wait for Azure AD to fully process the change (it can take up to 72 hours in rare cases). • You can now delete the orphaned users and groups directly in the Azure portal or via Remove-MsolUser / Remove-MsolGroup.

Force-uninstall the Azure AD Connect agent from the server Since the original domain is gone, you’ll need to manually remove the service and binaries: a. Stop and disable the services Stop-Service ADSync Stop-Service AADConnectorService Set-Service ADSync –StartupType Disabled Set-Service AADConnectorService –StartupType Disabled b. Uninstall via MSI (run as Admin in an elevated prompt) • Find the product GUID under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
• Then run:
msiexec.exe /x {YOUR-PRODUCT-GUID} /qn REMOVE=ALL
c. Clean up remaining folders and registry keys • Delete “C:\Program Files\Microsoft Azure AD Sync” and “C:\Program Files\Microsoft Azure AD Connect” • Remove registry branches under HKLM\SOFTWARE\Microsoft\ADSync and HKLM\SOFTWARE\Microsoft\AzureADConnect d. Reboot the server

If you’d rather avoid manual clean-up, another option is to stand up a temporary Windows Server, rejoin it to a domain (or even a fresh lab domain), install the same version of Azure AD Connect, point it at your tenant, let it register, then uninstall cleanly from there.

Hope that helps! Let me know if you hit any errors during the PowerShell steps or MSI uninstall.

Note: This content was drafted with the help of an AI system. Please verify the information before relying on it for decision-making.
Rukmini 36,695 Reputation points Microsoft External Staff Moderator

2026-03-11T18:23:56.4066667+00:00

Hello Alan Auld

Following up to see if the above provided information was helpful. If you have any further queries do let us know.

1 answer

Your answer

Rukmini 36,695 Reputation points Microsoft External Staff Moderator

2026-03-11T18:23:56.4066667+00:00

Hello Alan Auld

Following up to see if the above provided information was helpful. If you have any further queries do let us know.

Answer 1

Hello @Alan Auld,

Based on your description, I understand that you want to completely disable synchronization and you would like to remove the synced users and group from Cloud. To do that you should first convert synced users into cloud-only users without any on-premises attributes and post that you can delete the accounts from cloud. Additionally, you mentioned that you no longer have access to on-premises server as you decommissioned and no longer available.

To proceed with converting synced users into cloud-only users, please follow the steps below using Microsoft Graph Explorer to disable directory synchronization:

Open Microsoft Graph Explorer.
Sign in using a Global Administrator account.
Use the following PATCH request (replace {organization-id} with your actual Tenant ID):

YAML

PATCH https://graph.microsoft.com/beta/organization/{organization-id} (Replace org id with Tenant ID)

Navigate to the Modify Permissions tab and grant Organization.ReadWrite.All permission (consent on behalf of the organization).
In the Request Body, enter the following JSON:

JSON

{
  "onPremisesSyncEnabled": false
}

Click Run Query.

Note: It may take 4–5 minutes for the changes to reflect in the Azure portal. The maximum time to disable directory sync is 72 hours, but it may vary based on the object size.

User's image

Once completed, the previously synced users will be converted to cloud-only users. Then if you want to have those users you can keep it like that if not you can delete those users as per your needs.

Alternatively, you can also use PowerShell to disable directory synchronization. Please refer to the official Microsoft documentation below for detailed steps:

Turn off directory synchronization for Microsoft 365

You can use Microsoft Graph PowerShell SDK. This is the modern, unified PowerShell module built on the Microsoft Graph API.

# Install v1.0 and beta Microsoft Graph PowerShell modules 
  Install-Module Microsoft.Graph -Force
  Install-Module Microsoft.Graph.Beta -AllowClobber -Force 
  
  # Connect With Hybrid Identity Administrator Account
  Connect-MgGraph -scopes "Organization.ReadWrite.All,Directory.ReadWrite.All" 
  
  # Verify the current status of the DirSync Type
  Get-MgOrganization | Select OnPremisesSyncEnabled 
  
  # Store the Tenant ID in a variable named organizationId
  $organizationId = (Get-MgOrganization).Id 
  
  # Store the False value for the DirSyncEnabled Attribute
  $params = @{
  	onPremisesSyncEnabled = $false
  }
  
  # Perform the update
  Update-MgOrganization -OrganizationId $organizationId -BodyParameter $params 
  
  # Check that the command worked
  Get-MgOrganization | Select OnPremisesSyncEnabled

Let me know if you need assistance with any of the steps.

Share via

Can't uninstall Entra AD Sync

1 answer

Your answer