Disable Active Directory synchronization in Microsoft Entra ID (company-wide)
The process described
The correct way to disable Active Directory synchronization with Microsoft Entra ID is to follow the steps in the Microsoft article on how to uninstall Microsoft Entra Connect Sync. We will disable synchronization on the Microsoft Entra ID side first, which prevents any synced users from being moved to the recycle bin. After the steps described below, the Entra Connect Sync software can be removed from your server.
If your on-premises AD environment is offline or unreachable, you cannot run the uninstallation on the server. In that case, you can only disable the sync setting in Microsoft Entra ID, forcing this process. We are assuming in this case that the server won’t come online again.
Step 1. Install and Connect with Microsoft Graph
We first need to install the Microsoft Graph PowerShell module, if you don’t already have it installed. Open PowerShell on your computer and run the command below:
Install-Module Microsoft.Graph -Force
If you already have this module installed, you can skip this step. Next, connect to Microsoft Graph PowerShell using the required scopes, which are the permissions you request:
Connect-MgGraph -Scopes "Organization.ReadWrite.All"
If you are asked to grant consent to the Microsoft Graph Command Line Tools, grant it, as we need those permissions to execute the actions that follow.
After this has been completed, check that you are logged in correctly by using this command:
Get-MgContext
This should return a list of details about your account and sign-in, including the granted scopes.
We are now ready to perform the further steps. If this doesn’t show such a list, then you are not logged in or the PowerShell module is not installed correctly.
Step 2. Check current on-premises sync status
Now that we are logged in to Microsoft Graph, let’s check the current status of the sync in Microsoft Entra ID:
Get-MgOrganization | Select-Object DisplayName, OnPremisesSyncEnabled
This results in a list of your tenants with the actual sync status.
If this list shows a “Yes” or “Enabled” in the OnPremisesSyncEnabled column, then synchronization is enabled. In my case, Entra Connect Sync is already disabled.
Step 3. Disable on-premises directory synchronization
Now we can disable the on-premises AD sync with the simple script below. Copy and run these commands to disable the synchronization.
$OrganizationID = (Get-MgOrganization).Id
$param = @{onPremisesSyncEnabled = $false}
Update-MgOrganization -OrganizationId $OrganizationID -BodyParameter $param
This gives no output when the execution was successful. You can now check the status again, just like in the previous step:
Get-MgOrganization | Select-Object DisplayName, OnPremisesSyncEnabled
- Disabling the synchronization can take up to 72 hours to complete
- Wait for the process to fully complete before performing any other organization-wide action
- Once the disable process has started, it cannot be canceled, so use it with care
After that, we can also check the status in the Microsoft 365 Admin Center and the Entra ID Admin Center. Make sure to check it on a subset of users which had synchronization enabled before:
Microsoft 365 Admin Center:
Make sure to enable the Sync status column:
Entra ID Admin Center:
This shows the user is now a full cloud-only user, which means the disable action was a success. You can now remove the Entra Connect Sync application from your servers, as no further action is needed there. Re-enabling the synchronization requires consent from a Global Administrator account.
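The three steps above combined into one guarded script, as an added example that is not part of the original post. It assumes the Microsoft.Graph module is installed, adds the User.Read.All scope (not used in the post) so it can record which users are still synced before the change, and refuses to run the irreversible update without an explicit confirmation.

```powershell
# Added example: pre-flight check, guarded disable, and follow-up verification.
# Assumes Microsoft.Graph is installed and the signed-in account can consent to both scopes.
Connect-MgGraph -Scopes "Organization.ReadWrite.All", "User.Read.All"

$ctx = Get-MgContext
if (-not $ctx) { throw "Not connected to Microsoft Graph. Run Connect-MgGraph first." }
if ($ctx.Scopes -notcontains "Organization.ReadWrite.All") {
    throw "Organization.ReadWrite.All was not granted; consent is required to update the tenant."
}

# A single tenant object is expected; abort rather than update the wrong thing.
$org = @(Get-MgOrganization)
if ($org.Count -ne 1) { throw "Expected exactly one organization object, got $($org.Count)." }
$org = $org[0]

if (-not $org.OnPremisesSyncEnabled) {
    Write-Host "On-premises sync is already disabled for '$($org.DisplayName)'. Nothing to do."
    return
}

# Snapshot the users that are still synced; this is the subset to re-check after the change.
$synced = Get-MgUser -Filter "onPremisesSyncEnabled eq true" -All `
    -Property DisplayName, UserPrincipalName, OnPremisesSyncEnabled
$report = "synced-users-before-$(Get-Date -Format 'yyyyMMdd-HHmm').csv"
$synced | Select-Object DisplayName, UserPrincipalName | Export-Csv -Path $report -NoTypeInformation
Write-Host "Recorded $($synced.Count) synced user(s) to $report"

# The disable cannot be canceled once started and re-enabling needs a Global Administrator,
# so require the operator to type the word out rather than accept a bare Enter.
$answer = Read-Host "Disable on-premises sync for '$($org.DisplayName)'? Type DISABLE to continue"
if ($answer -cne 'DISABLE') { Write-Warning "Aborted, tenant left unchanged."; return }

Update-MgOrganization -OrganizationId $org.Id -BodyParameter @{ onPremisesSyncEnabled = $false }

# The tenant flag flips immediately; per-user flags can take up to 72 hours to change.
$after = (Get-MgOrganization).OnPremisesSyncEnabled
Write-Host "Tenant OnPremisesSyncEnabled is now: $after"
Write-Host "Re-run the user check against $report once the 72-hour window has passed:"
Write-Host '  Import-Csv <report> | ForEach-Object { Get-MgUser -UserId $_.UserPrincipalName -Property UserPrincipalName,OnPremisesSyncEnabled }'
```

Any user whose OnPremisesSyncEnabled still reads True after the window has not completed the conversion to cloud-only and should be investigated before the Entra Connect server is decommissioned.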
Summary
In this post, I showed how to disable Active Directory synchronization in Microsoft Entra ID, which can be used to phase this synchronization out and fully leverage all features of Entra ID. This action also prevents any users from getting moved to the recycle bin. If we were to disable the synchronization of the users in AD first, all users would be moved to the recycle bin in the cloud and would need manual action to recover them.
Thank you for reading this post and I hope it was helpful!
Sources
These sources helped me with writing and researching this post:
- https://learn.microsoft.com/entra/identity/hybrid/connect/how-to-uninstall-entra-connect
- https://learn.microsoft.com/powershell/module/microsoft.graph.identity.directorymanagement/update-mgorganization