
We sync the Active Directory on-premises AD objects to Microsoft Entra ID with Microsoft Entra Connect Sync. When a company wants to move entirely to the cloud, we disable on-premises synchronization in AD on-premises and Microsoft Entra ID. This time, the on-premises server was already taken offline without considering this. In this article, you will learn how to disable Active Directory synchronization in Microsoft Entra ID.

How to uninstall Microsoft Entra Connect Sync

The correct way to disable Active Directory synchronization with Microsoft Entra ID is to follow the steps in the article Uninstall Azure AD Connect, which will:

  1. Turn off directory synchronization in on-premises AD
  2. Turn off directory synchronization in Microsoft Entra ID
  3. Uninstall Microsoft Entra Connect Sync from server

If the on-premises AD environment has already been taken offline without turning off directory synchronization on-premises, you can still turn off directory synchronization on the Microsoft Entra ID side alone.

How to disable Active Directory synchronization in Microsoft Entra ID

To disable Active Directory Synchronization in Microsoft Entra ID, follow the below steps:

Step 1. Install Microsoft Graph PowerShell module

Start Windows PowerShell as administrator and install the Microsoft Graph PowerShell modules.

Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force

Important: Always install the Microsoft Graph PowerShell and Microsoft Graph Beta PowerShell modules. That’s because some cmdlets are not yet available in the final version, and they will not work. Update both modules to the latest version before you run a cmdlet or script to prevent errors and incorrect results.

Step 2. Connect to Microsoft Graph PowerShell

It’s essential to Connect to Microsoft Graph PowerShell with the correct permissions.

Connect-MgGraph -Scopes "Organization.ReadWrite.All"

Step 3. Check current on-premises sync status

Check the on-premises synchronization status.

Get-MgOrganization | Select-Object DisplayName, OnPremisesSyncEnabled

The value appears as True (directory synchronization is enabled) or as null/empty (directory synchronization is disabled).

DisplayName OnPremisesSyncEnabled
----------- ---------------------
EXOIP                        True

Step 4. Disable on-premises directory synchronization

Turn off directory synchronization and convert your on-premises synchronized users to cloud-only. Run the Update-MgBetaOrganization cmdlet to stop the synchronization.

$OrgID = (Get-MgOrganization).Id

$params = @{
    onPremisesSyncEnabled = $false
}

Update-MgBetaOrganization -OrganizationId $OrgID -BodyParameter $params

Note: It may take up to 72 hours to complete deactivation once you have disabled on-premises directory synchronization through this cmdlet. The time depends on the number of objects that are in your cloud service subscription account. You cannot cancel the disable action. It needs to be completed before you can take any other action, including re-enabling on-premises directory synchronization. If you choose to re-enable on-premises directory synchronization, a full synchronization of your synced objects will happen. This may take a considerable time, depending on the number of objects in your Active Directory.

Step 5. Verify on-premises synchronization status

Check that on-premises directory synchronization is disabled in Microsoft Entra ID.

Get-MgOrganization | Select-Object DisplayName, OnPremisesSyncEnabled

The OnPremisesSyncEnabled property should appear as a null (empty) value.

DisplayName OnPremisesSyncEnabled
----------- ---------------------
EXOIP
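Steps 2 to 5 above can be run as one script that checks the current state first, refuses to run twice, and re-reads the status afterwards. This is an added example and not code from the original post; it assumes the modules from step 1 are installed and adds the User.Read.All scope so it can also count the synced users that will become cloud-only.

```powershell
# Added example: idempotent version of steps 2-5 (not from the original post).
# Assumes Microsoft.Graph and Microsoft.Graph.Beta are installed (step 1).
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Beta.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users

# Organization.ReadWrite.All for the flag, User.Read.All for the pre-check count.
Connect-MgGraph -Scopes "Organization.ReadWrite.All", "User.Read.All"

function Get-OnPremSyncState {
    # OnPremisesSyncEnabled is $true while sync is enabled and null/empty when disabled.
    $org = Get-MgOrganization
    [pscustomobject]@{
        Id          = $org.Id
        DisplayName = $org.DisplayName
        SyncEnabled = [bool]$org.OnPremisesSyncEnabled
    }
}

$before = Get-OnPremSyncState
Write-Host ("Tenant '{0}': OnPremisesSyncEnabled = {1}" -f $before.DisplayName, $before.SyncEnabled)

if (-not $before.SyncEnabled) {
    Write-Host "Directory synchronization is already disabled; nothing to do."
    return
}

# Pre-check: how many synced users will be converted to cloud-only by this change.
$syncedCount = 0
Get-MgUser -Filter "onPremisesSyncEnabled eq true" -ConsistencyLevel eventual -All `
    -CountVariable syncedCount | Out-Null
Write-Host "Synced users that will become cloud-only: $syncedCount"

# The change cannot be cancelled once started, so require an explicit confirmation.
$answer = Read-Host "Disable on-premises directory synchronization now? (y/N)"
if ($answer -ne 'y') { return }

Update-MgBetaOrganization -OrganizationId $before.Id -BodyParameter @{ onPremisesSyncEnabled = $false }

# Step 5: re-read the flag a few times; deactivation can take up to 72 hours,
# so if it is still True after these attempts, re-run the check later.
for ($i = 1; $i -le 6; $i++) {
    Start-Sleep -Seconds 30
    $after = Get-OnPremSyncState
    if (-not $after.SyncEnabled) {
        Write-Host "OnPremisesSyncEnabled is now null/empty: synchronization disabled."
        break
    }
    Write-Host "Attempt ${i}: still reported as enabled, waiting..."
}
```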

This is what the sync status looks like in the Microsoft 365 admin center before turning off directory synchronization.

Disable Active Directory synchronization in Microsoft Entra ID before

This is what the sync status looks like in the Microsoft 365 admin center after turning off directory synchronization.

Disable Active Directory synchronization in Microsoft Entra ID after

That’s it!
