Turning off directory synchronisation between your on-premises directory and Azure Active Directory is a crucial step in work such as Microsoft 365 tenant-to-tenant migrations, acquisitions and mergers, and infrastructure modernisations.
Doing so stops all identity synchronisation between your on-premises infrastructure and the cloud. That synchronisation is most commonly used to replicate passwords and password policies, groups, resource accounts and related objects from your traditional Active Directory to Azure Active Directory.
The original goal was to create a seamless authentication experience across services for the end user and to provide a simple management approach for the admin. However, a modern, cloud-based approach to identity management doesn't, and shouldn't, involve on-premises directories.
In this tutorial, I am going to show you how you can turn off directory sync (Azure AD Connect) using Microsoft Graph PowerShell.
View current directory sync settings with Get-MgOrganization
Get-MgOrganization is used to view information about your organisation, or more specifically the configuration of your Microsoft 365 tenant. In our case, we can use this information to view the OnPremisesSyncEnabled value.
For this step, connect to Microsoft Graph PowerShell with the Organization.Read.All permission scope.
Connect-MgGraph -scopes Organization.Read.All
To view all of your organisational settings, pipe the output to the Format-List cmdlet (alias fl):
Get-MgOrganization | fl
For reference, your output should look like the following; the OnPremisesSyncEnabled setting is the one I have highlighted.
If you only need to view the value of the OnPremisesSyncEnabled property, you can use a Select statement as follows:
Get-MgOrganization | Select OnPremisesSyncEnabled
Disable directory synchronisation with Update-MgBetaOrganization
The Update-MgBetaOrganization cmdlet is found in the 'Microsoft.Graph.Beta' module, so you will need to install the beta modules of Microsoft Graph PowerShell. You can either install all of the beta modules or install just the one needed for this purpose.
To install all of the Microsoft Graph PowerShell beta modules:
Install-Module Microsoft.Graph.Beta -scope currentuser -force
To install the Directory Management beta module:
Install-Module Microsoft.Graph.Beta.Identity.DirectoryManagement -scope currentuser -force
The correct permission to disable directory sync in your organisation is the Organization.ReadWrite.All Graph API permission. Start by connecting to Microsoft Graph and defining this permission scope.
Connect-MgGraph -scopes Organization.ReadWrite.All
Once your session is active use the below code to disable directory synchronisation for your organisation.
The script starts by storing the organisation ID in the $OrgID variable. This variable is then used to build the request's body before all the information is passed to the Update-MgBetaOrganization command.
$OrgID = (Get-MgOrganization).id
$params = @{
onPremisesSyncEnabled = $null
}
Update-MgBetaOrganization -OrganizationId $OrgID -BodyParameter $params
Once you have run the script, re-run Get-MgOrganization to verify the status of directory synchronisation in your tenant.
Disable directory synchronisation with Invoke-MgGraphRequest
You can also achieve the same result using Invoke-MgGraphRequest if you do not want to rely on the ever-changing cmdlets and their parameters.
The below script will again store the organisation's ID in the $OrgID variable, then use that information to generate the unique URI for the resource we are updating. The body of the request is then defined and Invoke-MgGraphRequest is used with the PATCH (update) method.
$OrgID = (Get-MgOrganization).Id
$uri = "https://graph.microsoft.com/v1.0/organization/$OrgID"
# JSON body: the value must be a bare null, not the quoted string 'null'
$body = @'
{
"onPremisesSyncEnabled": null
}
'@
Invoke-MgGraphRequest -Uri $uri -Body $body -Method PATCH -ContentType "application/json"
Once you have run the script, re-run Get-MgOrganization to verify the status of directory synchronisation in your tenant.
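Because this change is tenant-wide and takes up to 72 hours to fully settle, it is worth wrapping either of the above methods in a few guard rails. The following is an added example, not code from the original article: it checks that the session is connected to the tenant you expect with the right scope, skips the change if sync is already off, applies the same null body as above, and re-reads the organisation object to confirm. $ExpectedTenantId is a placeholder you must replace with your own tenant ID; the Microsoft.Graph and Microsoft.Graph.Beta.Identity.DirectoryManagement modules are assumed to be installed.

```powershell
# Added example: guarded disable of directory sync with verification.
# Placeholder: replace with the tenant ID you intend to change.
$ExpectedTenantId = '00000000-0000-0000-0000-000000000000'

# Confirm we are connected, to the right tenant, with the required scope.
$ctx = Get-MgContext
if (-not $ctx) {
    throw 'Not connected. Run Connect-MgGraph -Scopes Organization.ReadWrite.All first.'
}
if ($ctx.TenantId -ne $ExpectedTenantId) {
    throw "Connected to tenant $($ctx.TenantId), expected $ExpectedTenantId. Aborting."
}
if ($ctx.Scopes -notcontains 'Organization.ReadWrite.All') {
    throw 'Session lacks Organization.ReadWrite.All; reconnect with that scope.'
}

# Read the current state before changing anything.
$org = Get-MgOrganization
if ($org.OnPremisesSyncEnabled -ne $true) {
    Write-Host "Directory sync is already off for '$($org.DisplayName)'; nothing to do."
    return
}
Write-Host "Last sync: $($org.OnPremisesLastSyncDateTime). Disabling sync for '$($org.DisplayName)'."

# Same request body as the article: onPremisesSyncEnabled set to null.
Update-MgBetaOrganization -OrganizationId $org.Id -BodyParameter @{ onPremisesSyncEnabled = $null }

# Re-read the organisation object until it reflects the change (normally immediate).
for ($i = 0; $i -lt 6; $i++) {
    Start-Sleep -Seconds 10
    $state = (Get-MgOrganization).OnPremisesSyncEnabled
    if ($state -ne $true) {
        Write-Host 'Directory sync is now disabled at the organisation level.'
        return
    }
}
Write-Warning 'OnPremisesSyncEnabled still reports true after 60 seconds; check the request and retry.'
```

The per-user "in cloud" status in the admin portals lags this flag, so only the organisation-level value is verified here.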
How long until users change to in cloud?
When you turn off AD sync using Microsoft Graph PowerShell, the status returned by the Get-MgOrganization cmdlet is updated instantly. However, for the synchronisation status of your users in the Microsoft 365 admin portal and Microsoft Entra Admin Center, you must wait up to 72 hours for this change to complete.
In reality, I have disabled directory sync many times and it usually completes within 12 hours, however, you should plan for 72.
What happens to users when you disable directory synchronisation?
Once directory sync is successfully disabled in your tenant, your end users will notice no immediate changes. You, as the administrator, will first notice that the Sync status of your users in the Microsoft 365 admin center shows as in-cloud.
Some other factors to consider are:
- Users will keep the same password for their Microsoft 365 accounts as they previously had.
- If users’ passwords previously conformed to their on-premises directory password policy, they will now adhere to the password policy in Microsoft Entra.
- You should ensure the Active Directory Connect tool on-premises (or cloud sync) is disabled and uninstalled.
- If user workstations are joined to Azure Active Directory only, once Azure AD Connect is disabled, they will no longer be able to use Windows-Integrated authentication to applications utilising Active Directory.