How to disable Entra ID Connect Sync using MSGraph PowerShell
Apart from companies who are “Born in the cloud” and only have cloud identities such as Microsoft Entra ID, most organizations are running hybrid identity and are syncing identity objects such as users, groups and devices from on-premises Active Directory to Entra ID. There are however, more and more companies that wish to migrate to a cloud only identity strategy and I’ve had the privilege of working with one such company recently. There’s a lot to plan and do before an organization can switch off their Active Directory Domain Controllers. There’s a high-level process documented in Microsoft’s “Road to the cloud” set of documentation, but in this post, I’m going to cover the seemingly undocumented step of disabling sync (using MSGraph).
Before you get to this point, there are a few things you should have completed:
- Stop creating users and groups in AD and syncing them to Entra ID. Create them directly in Entra ID
- Clean up unnecessary objects that are currently being synced (Groups, Admin accounts for On-prem only etc)
- Documenting synced groups and users for record purposes. You can do this by exporting from Entra ID admin portal. (Filter by “directorySynced”)
- Convert a test user to cloud by removing them from sync scope and restoring the object in Entra ID using PowerShell (if you restore the user via the Admin portal you are forced to reset their password, and this could disrupt the user)
- Make sure that the test user can go about their daily functions (if you have done all the hard work in the “Road to the cloud” documentation, you should be good)
Ready to disable sync
Disabling sync needs to be done in two places. On your Entra ID Connect Sync (AAD Connect) server and in Entra ID itself.
Disable sync on server
Disabling sync on the Connect Sync server is a single PowerShell command:
Set-ADSyncScheduler -SyncCycleEnabled $false
Disable sync in Entra ID
Disabling sync in Entra ID itself is also simple if you are able to use the MSOnline PowerShell module (see the official documentation here), but the MSOnline module was supposed to have been deprecated on 30th June 2023, and Microsoft have updated the retirement to 30th March 2024 to give people more time to “migrate” to using MSGraph instead. Details of the new dates are here. So, I am determined to do things the new way.
On my test environment I couldn’t even install the MSOnline PowerShell module (something about unable to find package provider ‘NuGet’ which I wasn’t going to waste time on trying to fix)
So I used the Microsoft.Graph.Identity.DirectoryManagement MS Graph PowerShell module which is part of the entire Microsoft.Graph module (38 sub modules) or you can install just the Identity.DirectoryManagement sub module to make this quick change because it takes about 15 minutes to install the full module.
Once you have the MS Graph PowerShell module installed, you need to connect to the graph with ReadWrite permission on the Organization scope. This is done by running the command:
Connect-MgGraph -scopes Organization.ReadWrite.All
Then you can view the current settings for the organization by running:
Get-MgOrganization | Fl
or
Get-MgOrganization | Select OnPremisesSyncEnabled
The output of the above should show that OnPremisesSyncEnabled is True
The production version (v1.0) of Update-MgOrganization is used to update properties of the currently authenticated organization, but the parameter “OnPremisesSyncEnabled” is read only. In fact, I think all paroperties of MgOrganization are read only on the v1.0 endpoint.
Enter: Invoke-MgGraphRequest
I thought I was being smart and didn’t want to download the Beta Graph modules. I read that one can use the Invoke-MgGraphRequest which is useful for making almost any call to the Microsoft Graph API without additional cmdlets or modules.
The API accepts GET, POST, PUT, PATCH and DELETE as methods.
The PATCH method updates certain properties of an object. In my case, I wanted to update the “onPremisesSyncEnabled” property of Organization to False. So I tried the following:
$OrgID = (Get-MgOrganization).id
$uri = "https://graph.microsoft.com/v1.0/organization/$orgid"
$body = @'
{
"onPremisesSyncEnabled": 'false'
}
'@
invoke-MgGraphRequest -uri $uri -Body $body -Method PATCH
However, that failed because I was using the v1.0 endpoint.
Beta Endpoint
What if we use the same Invoke-MgGraphRequest to update the Organization, but point it to the beta endpoint (“https://graph.microsoft.com/beta/organization/$orgid”)?
Just by changing the $uri variable and then running the same command:
invoke-MgGraphRequest -uri $uri -Body $body -Method PATCH
No confirmation or error is returned so I confirm the status by running the following command:
Get-MgOrganization | Fl OnPremisesSyncEnabled
It had worked! The full command looked like this:
$OrgID = (Get-MgOrganization).id
$uri = "https://graph.microsoft.com/beta/organization/$orgid"
$body = @'
{
"onPremisesSyncEnabled": 'false'
}
'@
Invoke-MgGraphRequest -uri $uri -Body $body -Method PATCH
I had read that you should set the value of “onPremisesSyncEnabled” to ‘null’ but in reading the documentation on https://learn.microsoft.com/en-us/powershell/module/microsoft.graph.identity.directorymanagement/update-mgorganization it says:
Learn.microsoft.com
“true if this object is synced from an on-premises directory; false if this object was originally synced from an on-premises directory but is no longer synced. Nullable. null if this object has never been synced from an on-premises directory (default).”
I understood that to mean if it was True, it must be set to False. Regardless, when you get the value of the property after making the change, it appears to be Null (and not empty).
Confirming sync is disabled
What happens to Entra ID connect sync
As I mentioned in the begining of this article, you should have disabled sync on your Entra ID Connect Sync server(s) already.
I purposely did not disable the sync scheduler on my test environment’s Entra ID Connect, because I wanted to see what would happen if the sync tried to run. As you can see the Entra ID connector (M365x83006617.onm…) shows “stopped-server-down” in the status.
Microsoft Entra Portal
To confirm sync is not enabled, I also navigated to Entra ID > Hybrid management > Connect Sync and noticed the sync status there was “Sync has never run”
What about Entra ID Cloud Sync?
Just by the way, diabling sync on the tenant also affects Entra ID Cloud sync provisioning so make sure you are not also syncing from any Microsoft Entra Provisioning Agents
I couldn’t find the “Activate” button mentioned in the error message above but this Q&A thread about the same error is hilarious all things considered!
Confirm users are converted
Users that used to be synced from on-premises are now “Cloud” in the Microsoft Admin Center
In Entra ID the object properties on a user confirm the user is not synced from on-premises, but the presence of an immutable ID value indicates that it once was (this is good for rolling back if required)
Something else I learned about Graph PowerShell
Another learning: If you run Get-MgUser and return all the properties of the object like this:
Get-MgUser -UserId brian.may@myignite.biz | fl
You won’t see the value for OnPremisesImmutableID
You have to specify the property to collect in the command and then format-list. So, I specified the three properties I was interested in (DisplayName, UserPrincipalName and OnPremisesImmutableID)
Get-MgUser -UserId brian.may@myignite.biz -Property OnPremisesImmutableId,UserPrincipalName,DisplayName | Fl DisplayName,UserPrincipalName,OnPremisesImmutableId
Conclusion
I recently ran through the process on a customer’s production tenant (after doing the testing on my demo tenant) and it only took about 5 minutes to complete converting 120 users and groups to cloud. In larger organizations, this will likely take a bit longer. Microsoft say up to 72 hours. During that time, you can’t change it back to enabled, but once it is complete, if you need to rollback, you can.
The Update-MgBetaOrganization is the beta version of the cmdlet which does work in updating the OnpremisesSyncEnabled property. The production (v1.0) version of the cmdlet does not allow changes yet. Hopefully Microsoft will make changes and allow the updates through the production cmdlet Update-MgOrganization
The next step is to then uninstall the Entra ID Connect Sync software, but that process is well documented so I won’t go into it.
Soon I will be decommissioning all the AD DS servers at my customer. I hope to be able to blog about that soon too.
Happy migrating!