Remove Azure AD Connect and make all AD objects cloud managed
In a hybrid environment, many administrators find it difficult to manage users and e-mail objects on-premises. Permissions in the Cloud. Members of groups in both places....
Want to solve this and manage full management of all user objects, distribution groups, mailboxes contacts in the cloud?
What are the benefits of Azure AD managed objects?
- Easy management in Microsoft 365.
- Groups have managers and can be easily managed by third parties.
- The Cloud Shift to the cloud is clear. No more confusion.
- Self-Service and MFA is easier to implement.
- No dependencies in the local infrastructure.
- Modern infrastructure armed for cybersecurity risks.
- Agile and dynamic environment not tied to the systems within the corporate environment.
Disadvantages of a hybrid cut-through?
- Users exist "twice. You have a use on-premises and online with identically the same username.
- On-premise AD gets new users.
- Passwords are no longer synced from your on-premises AD.
- Self-Service with password write-back and other features you use from the cloud to On-Premise disappear instantaneously.
If you opt for full-cloud, it is recommended to migrate more services to Microsoft 365 & Azure so that the dependency on your own systems will decrease. Therefore, it is best to implement this scenario only when you have decided to phase out your Active Directory and other applications and continue in the Cloud.
How do you make all AD objects cloud-only?
This user is syncted for now. (see on the right side)
Enter your username & password.
You are now connected to the MsolService
Set-MsolDirSyncEnabled -EnableDirsync $False
It may take up to 72 hours before you will see the status on your users. This depends on the number of users. Learn more: Microsoft Docs
You can now azure Ad remove connect.
If you do not continue with Azure AD Connect then uninstall this software as well.
If you do want to go far and back with sync run through the Azure AD Connect Wizard.
Install Windows 10 + bring device into modern management with Intune
Add devices in Endpoint Manager - Azure AD or Hybrid Join
How to install Azure AD preview module with PowerShell?
Making your organization more secure in one click with Azure AD Security Defaults
In a case where there are multiple forests synced to the same tenant how do you go about removing one forest and keep the cloud objects?
Hi! You can remove the sync and make all objects cloud when you disable it from the tenant level. Multiple forest is a supported scenario. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/plan-connect-topologies I would ask Microsoft Support for assistance. Or work with an Advanced or premier support partner which could help you find this out. Regards, Jasper
Great article Jasper. Thanks a lot for a valuable piece in the AD world. I am struggling to understand what will happen post SYNC STOP from onprem AD to AAD. Basically, when all the on prem Security groups are Synced thru ADConnect to AAD be it mail enabled or just security groups, and then when one decides to stop the sync for these groups, what happens? How do i remediates User access and make sure that the users are not getting affected due to the stopping of the SYNC ?
I would really appreciate if you can enlighten on this question.
Great article, thank you a bunch!
What happens with all the local AD joined computers? I have for example a domain user with a domain joined PC (and the user is local admin on the PC), that I migrate to cloud only.
As I understand, after the migration, the user will be cloud only and the domain<->cloud sync will be gone, but the computer (and the local domain user) is still connected to the local AD.
Will I need to reinstall the PCs?
Thanks Christian for the reply! I believe it's best to reinstall pc's or reconnect from the domain and login to Microsoft 365. (same as step 9 -> https://365tips.be/windows-10-install-device-in-modern-manage/)
There are some tools which you can find on Google that are helping this change on scale. But I'm more fan of resetting and have a nice clean workstation.
Identities can stay on-premise AD, with sync to Azure AD.
Devices can be deleted from AD only AAD joined. (with the same identity)
Looking forward to seeing how it goes!
Thanks for the swift reply.
I think I'll have to do some tests to see how everything turns out, before I start the actual migration. The organization I'm going to migrate isn't that large, so to keep things simple, I think I'll end up going with the user migration only and then reinstall the PC's one at a time.
I'll keep you posted 🙂