How to Convert Synced Users to Cloud-Only Using PowerShell
To convert synced user to cloud only using PowerShell, organizations must disable Microsoft Entra ID (Azure AD) directory synchronization. Once synchronization is turned off, Microsoft automatically converts all synced identities into cloud-only users while preserving their existing Microsoft 365 data and permissions.
This method is the recommended and supported approach when planning to convert on-prem user to cloud-only after fully retiring on-premises Active Directory.
Introduction
In scenarios where an on-premises AD no longer has any dependencies, organizations may choose to fully embrace the cloud by converting their synchronized users in Microsoft Entra ID (formerly Azure AD) to cloud-only users.
This migration can be seamlessly achieved using the Entra ID Connect synchronization service, ensuring that users retain uninterrupted access to all Microsoft 365 workloads and cloud-based applications.
Step-by-Step Guide to Disabling Microsoft Entra ID Synchronization
The following steps will walk you through the process of disabling Entra ID synchronization using PowerShell to connect to your Microsoft 365 tenant:
Prepare the Environment:
- Ensure that your on-premises AD no longer has dependencies that require synchronization with Microsoft 365.
- Verify that all workloads have been successfully migrated to the cloud and that all users can access their necessary applications and services.
Install the Required PowerShell Modules:
- Open PowerShell as an administrator.
- Install the Azure AD module using the following command
Install-Module AzureAD
Install the MSOnline module (optional but recommended) using the following command
Install-Module MSOnlineConnect to Your Microsoft 365 Tenant:
- Use the following command to connect to your Microsoft 365 tenant
Connect-MsolService
- Use the following command to connect to your Microsoft 365 tenant
You will be prompted to enter your Global Administrator credentials.
Disable Directory Synchronization:
- To disable directory synchronization, run the following command
Set-MsolDirSyncEnabled -EnableDirSync $false
- To disable directory synchronization, run the following command
This command stops the synchronization between your on-premises AD and Microsoft Entra ID.
Verify Synchronization Status:
- Check the synchronization status to confirm that directory synchronization has been disabled
(Get-MsolCompanyInformation).DirectorySynchronizationEnabled - The output should return
False, indicating that synchronization is disabled.
- Check the synchronization status to confirm that directory synchronization has been disabled
Convert Synchronized Users to Cloud-Only Users:
- After disabling synchronization, Microsoft Entra ID will automatically convert the synchronized users to cloud-only users.
- These users will retain their access to all Microsoft 365 services, including their mailboxes, SharePoint, OneDrive, Teams, applications, and groups.
Conclusion
Converting identities after retiring on-prem AD does not require recreating users or migrating data. By disabling directory synchronization, administrators can convert synced users to cloud-only using PowerShell while ensuring uninterrupted access to Microsoft 365 workloads.
This approach is ideal for organizations looking to convert on-prem users to cloud-only and simplify identity management using Microsoft Entra ID.
If you need any help with your migration or have questions about the process, feel free to reach out. I’m here to assist you with all your Microsoft 365 security and compliance needs.
support@old.ngcloudsecurity.com
