Disable Active Directory synchronization in Microsoft Entra ID (2024)

  • Updated on February 8, 2024
  • Microsoft 365, Microsoft Entra, Powershell
  • 11 Comments

We sync on-premises Active Directory objects to Microsoft Entra ID with Microsoft Entra Connect Sync. When a company moves entirely to the cloud, we disable directory synchronization both in on-premises AD and in Microsoft Entra ID. This time, the on-premises server had already been taken offline without that step being done first. In this article, you will learn how to disable Active Directory synchronization in Microsoft Entra ID alone.

Table of contents

  • How to uninstall Microsoft Entra Connect Sync
  • How to disable Active Directory synchronization in Microsoft Entra ID
    • Step 1. Install Microsoft Graph PowerShell module
    • Step 2. Connect to Microsoft Graph PowerShell
    • Step 3. Check current on-premises sync status
    • Step 4. Disable on-premises directory synchronization
    • Step 5. Verify on-premises synchronization status
  • Conclusion

How to uninstall Microsoft Entra Connect Sync

The correct way to disable Active Directory synchronization with Microsoft Entra ID is to follow the steps in the article Uninstall Azure AD Connect, which will:

  1. Turn off directory synchronization in on-premises AD
  2. Turn off directory synchronization in Microsoft Entra ID
  3. Uninstall Microsoft Entra Connect Sync from the server

If the on-premises AD environment was taken offline without directory synchronization being turned off on-premises, you can still turn it off in Microsoft Entra ID only.

How to disable Active Directory synchronization in Microsoft Entra ID

To disable Active Directory Synchronization in Microsoft Entra ID, follow the below steps:

Step 1. Install Microsoft Graph PowerShell module

Start Windows PowerShell as administrator and install the Microsoft Graph PowerShell module.

Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force

Important: Always install both the Microsoft Graph PowerShell and Microsoft Graph Beta PowerShell modules. Some cmdlets, such as Update-MgBetaOrganization used in Step 4, are not yet available in the v1.0 module and will not work without the beta module. Update both modules to the latest version before you run a cmdlet or script to prevent errors and incorrect results.

Step 2. Connect to Microsoft Graph PowerShell

Connect to Microsoft Graph PowerShell with the Organization.ReadWrite.All scope, which is the permission required to change the organization setting in Step 4.

Connect-MgGraph -Scopes "Organization.ReadWrite.All"

Step 3. Check current on-premises sync status

Check the on-premises synchronization status.

Get-MgOrganization | Select-Object DisplayName, OnPremisesSyncEnabled

The value is either True or null (empty): True means on-premises synchronization is enabled, and an empty value means it is disabled.

DisplayName OnPremisesSyncEnabled
----------- ---------------------
EXOIP       True

Step 4. Disable on-premises directory synchronization

Turn off directory synchronization and convert your on-premises synchronized users to cloud-only. Run the Update-MgBetaOrganization cmdlet to stop the synchronization.

$OrgID = (Get-MgOrganization).Id
$params = @{ onPremisesSyncEnabled = $false }
Update-MgBetaOrganization -OrganizationId $OrgID -BodyParameter $params

Note: It may take up to 72 hours to complete deactivation once you have disabled on-premises directory synchronization through this cmdlet. The time depends on the number of objects that are in your cloud service subscription account. You cannot cancel the disable action. It needs to be completed before you can take any other action, including re-enabling on-premises directory synchronization. If you choose to re-enable on-premises directory synchronization, a full synchronization of your synced objects will happen. This may take a considerable time, depending on the number of objects in your Active Directory.

Step 5. Verify on-premises synchronization status

Check that on-premises directory synchronization is disabled in Microsoft Entra ID.

Get-MgOrganization | Select-Object DisplayName, OnPremisesSyncEnabled

The OnPremisesSyncEnabled property should now appear as a null (empty) value.

DisplayName OnPremisesSyncEnabled
----------- ---------------------
EXOIP
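The five steps above as one script is an added example; it is not code from the original article or from Microsoft. It assumes the Microsoft.Graph and Microsoft.Graph.Beta modules are already installed (Step 1) and that the signed-in account may change organization settings. The Get-OnPremSyncState helper name is the author's own choice for this example. Because the deactivation cannot be cancelled once started, the script records the state before the change, refuses to run when sync is already off, and asks for an explicit confirmation before calling Update-MgBetaOrganization.

```powershell
# Added example (not from the original article): Steps 2 to 5 in one script.
# Assumes Microsoft.Graph and Microsoft.Graph.Beta are installed (Step 1).

function Get-OnPremSyncState {
    # Reads the tenant's directory-sync state. Microsoft Entra reports
    # OnPremisesSyncEnabled as True when sync is on and as null (empty) when
    # it is off, so anything other than True is treated as disabled.
    $org = Get-MgOrganization
    [PSCustomObject]@{
        OrganizationId = $org.Id
        DisplayName    = $org.DisplayName
        SyncEnabled    = ($org.OnPremisesSyncEnabled -eq $true)
        LastSync       = $org.OnPremisesLastSyncDateTime
    }
}

# Step 2: connect with the single scope this change needs.
Connect-MgGraph -Scopes "Organization.ReadWrite.All" -NoWelcome

# Step 3: record the current state before touching anything.
$before = Get-OnPremSyncState
$before | Format-List

if (-not $before.SyncEnabled) {
    Write-Host "Directory synchronization is already disabled for $($before.DisplayName). Nothing to do."
    return
}

# Step 4: disable sync. Ask first: the deactivation cannot be cancelled and
# may run for up to 72 hours before any further change is accepted.
$answer = Read-Host "Disable on-premises directory synchronization for '$($before.DisplayName)'? Type YES to continue"
if ($answer -cne "YES") {
    Write-Host "Aborted; no change was made."
    return
}

$params = @{ onPremisesSyncEnabled = $false }
Update-MgBetaOrganization -OrganizationId $before.OrganizationId -BodyParameter $params

# Step 5: read the property back. An empty value means the change was accepted;
# conversion of the synced objects to cloud-only continues in the background.
$after = Get-OnPremSyncState
$after | Format-List
if ($after.SyncEnabled) {
    Write-Warning "OnPremisesSyncEnabled still reads True. Check again later; deactivation is not instant."
} else {
    Write-Host "OnPremisesSyncEnabled is now empty (disabled) for $($after.DisplayName)."
}
```

Run it from an elevated Windows PowerShell session after Step 1. The before/after objects are kept in $before and $after so you can compare them, or pipe them to Export-Csv, when documenting the change.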

This is what the sync status looks like in the Microsoft 365 admin center before turning off directory synchronization.

[Screenshot 1: Microsoft 365 admin center sync status before directory synchronization is turned off]

This is what the sync status looks like in the Microsoft 365 admin center after turning off directory synchronization.

[Screenshot 2: Microsoft 365 admin center sync status after directory synchronization is turned off]

That’s it!

Read more: Move Azure AD Connect to new tenant »

Conclusion

You learned how to disable Active Directory synchronization with Microsoft Entra ID. The correct way is to disable directory synchronization in both on-premises AD and Microsoft Entra ID, and then uninstall the Azure AD Connect software. If this can’t be done because the on-premises environment has already been taken down, you can turn off directory synchronization in Microsoft Entra ID only.

Did you enjoy this article? You may also like Export Azure AD users to CSV with PowerShell. Don’t forget to follow us and share this article.


ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others. Read more »


This Post Has 11 Comments

  1. My fun question: In the same Tenant, I’ve got Entra Cloud Connector going to one AD forest, and also have Entra Cloud Sync running with another AD Forest. We are ready to shutdown and remove the 2nd AD Forest and remove the Cloud Sync.

    How do we switch just the users from the 2nd AD Forest to be Cloud only? We can’t run the disable OnPremisesSyncEnable command, because won’t that break both?

    Translation, I just want to set one custom domain in our Tenant to Cloud Only. What’s the magic trick? or did I miss something in the above article
    Thanks, K.

    Reply

    1. We are facing the exact same issue with the added problem that we need to remove the proxyaddresses for all users that are cloud-synced.
      Unfortunately it is not clearly described what happens if you disable/delete the cloud-sync configuration – Microsoft just states that the user objects in the cloud will remain but not if they are converted to cloud users in the same step.

      Reply

  2. Why not use Set-MsolDirSyncEnabled, or will this command not work? And will all messages in mailboxes/OneDrive files remain after converting (no new users are created)?

    I’m just trying to prepare for a scenario where the on-premises AD server and AD Connect server are completely down without the ability to restore, and what to do then. So converting users to cloud only from the cloud would be the only option, but I’m not sure if everything will be OK.

    Reply

    1. The Set-MsolDirSyncEnabled cmdlet is going to be deprecated on March 30, 2024.

      All the accounts will stay the same in Microsoft 365.

      It would work, but that’s not what you want to do.

      The correct approach is to have a backup running for all the on-premises servers. When something happens to the server(s), you restore them.

      Reply

  3. Hi, great, it worked great for my test environment, I wanted to ask you, but does this command only affect users? In the sense, I have groups (memberships) in Microsoft Entra ID but they are like Target on Windows Server, and other Clouds, what will happen to them? Thank you 🙂

    Reply

    1. I’m curious about this as well. Are you able to confirm what happens to the synced distribution and security groups?

      Reply

  4. Hi.
    Thanks for your content, very helpful!

    We have one big AD sync with O365 – COMP1
    We needed to join another company on this tenant, joining the group; We have done that with ADConnect and Exchange Hybrid: COMP2. This worked perfectly.
    Now we want to stop AD Connect and remove Exchange Hybrid for COMP2 but keep it for COMP1. We have followed MS advice and everything seems OK. But it’s now a week’s delay, and users from COMP2 are still “connected” to on-premises, even though AD Connect on AD-COMP2 has been removed after running the PowerShell commands from the article and cleaning up all hybrid stuff.
    Any idea? Do we have to temporarily disable AD Connect for COMP1?

    JC

    Reply

  5. Hello Ali
    Please what is the “modern” way to convert only specific objects to cloud-only, e.g. when using Microsoft Entra Cloud Sync?
    In the past there were hacky options to $null the ImmutableId, remove objects from syncing and restore them back with resetting the password, changing the sourceAnchor, etc.
    MS blocked such options and then, after user feedback reverted it back but then I lost the focus.
    Today, is there some supported/unsupported way how to convert object to cloud-only without disabling sync globally?
    Thank you very much!

    Reply

    1. I have this exact question. I have to migrate and move a vanity domain from the source tenant, so I guess I need to stop sync, but I would love to be able to just delete and restore the user to get it back to cloud instead.

      Reply

  6. I have a question about “Turn off directory synchronization and convert your synchronized users to cloud-only”. I have Microsoft Entra Cloud sync and do not wish to make the accounts cloud-only, only to remove AD Connect. Will the command in the article also disable the running Cloud Sync tool and still convert the accounts to cloud only?
    Thank you for your content.
    C.C.

    Reply

    1. If you want to uninstall Azure AD Connect, you should skip the steps to turn off directory synchronization because you need that.

      Follow the steps at the end of this article to uninstall Azure AD Connect.

      Reply
