My company is using an on-premises Active Directory domain controller. Years ago we also had an Exchange server running. The mailboxes were already migrated to Exchange Online, and the on-premises domain controller was only needed for managing the Exchange attributes of the hybrid accounts (yes, I was using dsa.msc and not some fancy Exchange management suite/tool). I decided to go full cloud-only with the accounts, so these need to be converted to cloud-only accounts. This blog post will show you how to convert all accounts at the same time by disabling the sync. Here is my big list 😉 of user accounts and their type:
The on-premises column is important. The accounts with a “Yes” are hybrid accounts, and that “Yes” must turn to “No” so I can fully manage them via Entra ID (or whatever it is named by the time you are reading this).
First, let's have a look at the current sync status in Entra ID:
Now open a PowerShell session and connect to Microsoft Online:
- First (if not done already) install the required modules:
- Install-Module MSOnline
- Install-Module AzureAD
- Then import the module: Import-Module AzureAD
- Connect to your tenant: Connect-MSOLService (login with an admin account)
- Now get the current synchronisation status: (Get-MSOLCompanyInformation).DirectorySynchronizationStatus
As already mentioned, the sync is still Enabled.
Before you continue: Ensure that all user data and account details are backed up. Documentation of the current state of user accounts, including permissions and group memberships, is essential for a smooth transition.
Now we are going to disable the sync on the on-premises domain controller (or the machine where it is running):
I just shut down the domain controller as it is not needed for me anymore 😉
Now in the PowerShell session stop the sync as well: Set-MsolDirSyncEnabled -EnableDirSync $false
Confirm that the status has changed: (Get-MSOLCompanyInformation).DirectorySynchronizationStatus
The “PendingDisabled” state can take up to 72 hours before it changes to Disabled.
When the sync is disabled check on the user accounts:
Cool, all accounts smoothly transitioned to cloud-only accounts, and the on-premises domain controller isn't needed anymore. There is just one small thing to check: if the “On-Premises Directory Synchronization Service Account” user account still exists, you can delete it.
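The whole cutover as one script, added here as an example and not part of the original post: it snapshots the hybrid accounts (the backup step above), disables sync with the same MSOnline cmdlets the post uses, polls until the tenant reports Disabled, and then lists any leftover sync service account. It assumes Connect-MsolService has already been run, and that the service account's UPN starts with Sync_ (the usual Azure AD Connect naming, which is an assumption here).

```powershell
# Added example: snapshot hybrid accounts, disable directory sync, wait for Disabled.
# Assumes an existing Connect-MsolService session with admin rights.
param(
    [string]$BackupPath = (Join-Path $PWD 'synced-users-before-cutover.csv')
)

# 1. Snapshot of every synced (hybrid) account before anything changes.
#    ImmutableId is the link to the on-prem object; keep it in case an account
#    ever needs to be matched to a directory again.
$syncedUsers = @(Get-MsolUser -All -Synchronized |
    Select-Object DisplayName, UserPrincipalName, ImmutableId, LastDirSyncTime, IsLicensed)
$syncedUsers | Export-Csv -Path $BackupPath -NoTypeInformation
Write-Host "Backed up $($syncedUsers.Count) synced accounts to $BackupPath"

# 2. Current tenant sync state (Enabled / PendingDisabled / Disabled).
$status = (Get-MsolCompanyInformation).DirectorySynchronizationStatus
Write-Host "Directory sync status before: $status"

if ($status -eq 'Enabled') {
    # -Force skips the interactive confirmation prompt.
    Set-MsolDirSyncEnabled -EnableDirSync $false -Force
}

# 3. Poll until the tenant reports Disabled. The post notes this can take up to
#    72 hours, so the loop is bounded; rerun the script later if it times out.
$maxChecks = 12   # 12 checks x 5 minutes = 1 hour per run
for ($i = 1; $i -le $maxChecks; $i++) {
    $status = (Get-MsolCompanyInformation).DirectorySynchronizationStatus
    Write-Host ("[{0:HH:mm}] status = {1}" -f (Get-Date), $status)
    if ($status -eq 'Disabled') { break }
    Start-Sleep -Seconds 300
}

if ($status -eq 'Disabled') {
    # 4. Confirm no account is still flagged as directory-synced.
    $stillSynced = @(Get-MsolUser -All -Synchronized)
    Write-Host "Accounts still flagged as synced: $($stillSynced.Count)"

    # 5. Leftover sync service account(s), assumed to be named Sync_<server>_<id>,
    #    are listed here for manual review and deletion.
    Get-MsolUser -SearchString 'Sync_' | Select-Object DisplayName, UserPrincipalName
} else {
    Write-Host "Sync is still '$status'; check again later before cleaning up."
}
```

Microsoft has retired the MSOnline module in favour of Microsoft Graph PowerShell, so this script only works where the post's own cmdlets still do; the same sequence can be done with the Graph organization cmdlets, which are not shown here.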