Remove Azure AD Connect and make all AD objects cloud managed

In a hybrid environment, many administrators find it hard to keep track of where an object is managed: users and e-mail objects on-premises, rights in the cloud, and group membership in both places.
Do you want to solve this and fully manage all user objects, distribution groups, mailboxes and contacts in the cloud?
What are the advantages of Azure AD managed objects?
- Easy management in Microsoft 365.
- Groups have owners, so their membership can be delegated to people who are not administrators.
- A clear cut-over to the cloud, with one place to manage each object. No more confusion about where a change has to be made.
- Self-Service and MFA is easier to implement.
- No dependencies in the local infrastructure.
- A modern infrastructure that is better positioned against current cyber-security risks.
- A dynamic environment that is not tied to the systems within the business environment.
Disadvantages of cutting the hybrid link?
- Users exist 'twice': the same user name exists in on-premises AD and in the cloud, but the two objects are no longer linked.
- Users created in on-premises AD are no longer synchronised to the cloud; they have to be created there separately.
- Passwords are no longer synced from your on-premises AD, so the cloud password is whatever was last synchronised until the user changes it.
- Self-service password reset with password write-back, and any other feature that flows from the cloud back to on-premises, stops working immediately.
Advice
If you opt for full cloud, it is advisable to migrate more services to Microsoft 365 and Azure so that the dependency on your own systems decreases. This scenario works best when you have already decided to phase out your Active Directory and the applications that depend on it and continue in the cloud.
How do you make all AD objects cloud-only?
Install-Module MSOnline

Before the change, a user still shows as synchronised with on-premises Active Directory.

Connect-Msolservice
Enter your username & password.

You are now connected to the MsolService
Set-MsolDirSyncEnabled -EnableDirsync $False
It can take up to 72 hours before the status of your users changes; the time depends on the number of objects in the tenant. Learn more: Microsoft Docs


Sync is stopped
You can now remove Azure AD Connect.


If you are not going to use Azure AD Connect again, also uninstall the software on the server. Uninstalling does not clean up the accounts it created, so delete them as well: the on-premises AD DS connector account (named MSOL_<id> in an express installation, and granted directory replication rights when password hash sync was in use), the On-Premises Directory Synchronization Service Account in Azure AD, and, if Seamless SSO was enabled, the AZUREADSSOACC computer object in AD.
If you later want to synchronise again, run through the Azure AD Connect wizard once more; wait until the tenant reports the disable operation as finished before re-enabling.
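The steps above as one script, added here as an example and not taken from the original article: it records the tenant state, disables synchronisation with the MSOnline module the article uses, waits for the operation to finish instead of guessing, and then checks that no user still reports as synchronised. The 10-minute polling interval and the closing Microsoft Graph section (MSOnline is deprecated) are the editor's additions; run it from an admin workstation with a Global Administrator account.

```powershell
# Added example (editor's code, not from the original article).
# Assumptions: Global Administrator in the tenant; MSOnline module still available.

Install-Module MSOnline -Scope CurrentUser      # once per admin workstation
Connect-MsolService                              # interactive sign-in, MFA-capable

# 1. Record the state before the change so the result can be compared later.
$before = Get-MsolCompanyInformation
$before | Select-Object DirectorySynchronizationEnabled, DirectorySynchronizationStatus, LastDirSyncTime

$syncedBefore = @(Get-MsolUser -All -Synchronized)
"Synchronised users before: $($syncedBefore.Count)"

# 2. Disable directory synchronisation at tenant level. -Force skips the confirmation prompt.
Set-MsolDirSyncEnabled -EnableDirSync $false -Force

# 3. Wait for the tenant to finish. Microsoft states this can take up to 72 hours;
#    the status stays at PendingDisabled meanwhile. Interval is an assumption, adjust to taste.
do {
    Start-Sleep -Seconds 600
    $status = (Get-MsolCompanyInformation).DirectorySynchronizationStatus
    '{0:u}  status = {1}' -f (Get-Date), $status
} while ($status -like 'Pending*')

# 4. Verify: no user may still report as synchronised once the operation is done.
$stillSynced = @(Get-MsolUser -All -Synchronized)
if ($stillSynced.Count -gt 0) {
    Write-Warning "$($stillSynced.Count) users still report as synchronised"
    $stillSynced | Select-Object UserPrincipalName, LastDirSyncTime
} else {
    'All users are now cloud-only'
}

# 5. Alternative path with Microsoft Graph PowerShell, for tenants where MSOnline is no
#    longer available (use instead of steps 2-4). Boolean properties are switch
#    parameters in the Graph SDK, hence the -OnPremisesSyncEnabled:$false form.
Connect-MgGraph -Scopes 'Organization.ReadWrite.All'
$orgId = (Get-MgOrganization).Id
Update-MgOrganization -OrganizationId $orgId -OnPremisesSyncEnabled:$false
(Get-MgOrganization).OnPremisesSyncEnabled       # False once the operation has completed
Get-MgUser -All -Filter 'onPremisesSyncEnabled eq true' -Property UserPrincipalName,OnPremisesSyncEnabled |
    Select-Object UserPrincipalName               # empty list means every user is cloud-only
```

Keep the "before" output: if the user count still reporting as synchronised is not zero after the status leaves PendingDisabled, that is the list to hand to Microsoft Support rather than something to fix object by object.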

Also read
Installing Windows 10 + bringing devices into modern management with Intune
Add devices in Endpoint Manager - Azure AD or Hybrid Join
How to install Azure AD preview module with PowerShell?
Make your organization safer with one click thanks to Azure AD Security Defaults
Hello,
In a case where there are multiple forests synced to the same tenant, how do you go about removing one forest and keeping the cloud objects?
Hi! You can remove the sync and make all objects cloud-only when you disable it at the tenant level. Multiple forests are a supported scenario. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies I would ask Microsoft Support for assistance. Or work with an Advanced or Premier support partner who could help you find this out. Regards, Jasper
Great article, Jasper. Thanks a lot for a valuable piece in the AD world. I am struggling to understand what will happen after the SYNC STOP from on-prem AD to AAD. Basically, when all the on-prem security groups are synced through AD Connect to AAD, be they mail-enabled or just security groups, and then one decides to stop the sync for these groups, what happens? How do I remediate user access and make sure that the users are not affected by stopping the SYNC?
I would really appreciate if you can enlighten on this question.
Great article, thank you a bunch!
What happens with all the local AD-joined computers? I have, for example, a domain user with a domain-joined PC (and the user is local admin on the PC) that I migrate to cloud-only.
As I understand it, after the migration the user will be cloud-only and the domain<->cloud sync will be gone, but the computer (and the local domain user) is still connected to the local AD.
Will I need to reinstall the PCs?
Thanks, Christian, for the reply! I believe it's best to reinstall PCs or disconnect them from the domain and log in to Microsoft 365. (same as step 9 -> https://365tips.be/windows-10-installeren-toestel-in-modern-beheer-brengen/)
There are some tools, which you can find on Google, that help with this change at scale. But I'm more of a fan of resetting and having a nice clean workstation.
Identities can stay in on-premises AD, with sync to Azure AD.
Devices can be deleted from AD and be AAD-joined only (with the same identity).
Looking forward to see how it goes!
Jasper
Thanks for the swift reply.
I think I'll have to do some tests to see how everything turns out before I start the actual migration. The organization I'm going to migrate isn't that large, so to keep things simple, I think I'll end up going with the user migration only and then reinstall the PCs one at a time.
I'll keep you posted 🙂
/Christian