There are several different ways Windows Active Directory (AD) can be used in an organization. Active Directory is used primarily to manage user accounts, their passwords, group access, home folders and permissions. Some networks have AD running only on local onsite servers. Other organizations use Azure Active Directory to manage their users from the cloud as they do not utilize onsite servers. Still others use a combination of both, having on-premise servers running AD that also sync with cloud-based Azure AD services.
If you have a local installation of Active Directory syncing with Azure, and decide to move to an all cloud-based server solution, you will first need to disable AD syncing. This post demonstrates the process for disabling local Active Directory syncing with Azure in preparation for moving to an all-cloud solution.
How to Disable Active Directory Syncing with Azure
Syncing the local Active Directory with Azure AD services is very common. It is often implemented on networks that have local Active Directory services, but also want additional options. Enabling Azure AD syncing enables single sign-on for Microsoft services for all AD accounts.
By syncing the local and cloud-based AD services, users can use their account not only to log into devices on the network, but also to log into Outlook online, Office.com, install Microsoft software associated with their account, Teams, OneDrive, and other applications assigned to them.
Disabling local Active Directory syncing with Azure AD services is a two-step process that requires the installation of a PowerShell module and running commands to disable the syncing service.
Install MSOnline PowerShell
Use the following steps to install the Microsoft Azure AD module for Windows PowerShell, referred to as the MSOnline module in the commands below:
- Open Windows PowerShell and run it as an administrator by right-clicking on PowerShell and selecting "Run as Administrator".
- Type "Install-Module MSOnline" and press enter to run the command.
- If prompted to install either of the following additional modules, type "Y" for yes and press enter to continue:
Next you will need to run the commands to disable the AD sync service.
Run PowerShell commands
In the PowerShell window, run the following commands:
- Type "Connect-MsolService" and press enter to connect to O365.
- Type "(Get-MsolCompanyInformation).DirectorySynchronizationEnabled" and press enter to check the current status of on-premises syncing and verify it is enabled. If it is enabled, the result will be "True".
- Type "Set-MsolDirSyncEnabled -EnableDirSync $false" and press enter to disable the on-premises syncing.
- Type the status check command "(Get-MsolCompanyInformation).DirectorySynchronizationEnabled" again and press enter to verify the on-premises syncing has been disabled. If syncing has been disabled correctly, the result will be "False".
NOTE: If the syncing service is being disabled on a large tenant with many users, you may need to run these commands additional times before the change applies to all users. This happens because the change has to propagate to every user, and the time it takes depends on the number of users it is being applied to.
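The four commands above as a single script, added here as an example and not part of the original post: it records the tenant's state before the change, disables the sync, and then polls the status instead of trusting a single read, since the NOTE above explains the change propagates over time. The 30-minute deadline and 60-second poll interval are assumptions, and the script assumes the MSOnline module is already installed.

```powershell
# Example added for this post (not the author's script). Assumes MSOnline is installed
# and the signed-in account has rights to change directory sync settings.

Connect-MsolService   # interactive sign-in to the O365 tenant

$before = (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
Write-Host "DirectorySynchronizationEnabled before: $before"

if (-not $before) {
    Write-Host "Directory sync is already disabled; nothing to do."
    return
}

# Record how many accounts currently carry an on-premises sync timestamp, so you
# know the size of the population the change has to propagate across.
$syncedUsers = Get-MsolUser -All | Where-Object { $_.LastDirSyncTime }
Write-Host "Accounts with LastDirSyncTime set before disabling: $($syncedUsers.Count)"

# Disable on-premises syncing. -Force skips the confirmation prompt; omit it to be asked.
Set-MsolDirSyncEnabled -EnableDirSync $false -Force

# Poll until the tenant reports False, or give up at the deadline (assumed value).
$deadline = (Get-Date).AddMinutes(30)
do {
    Start-Sleep -Seconds 60
    $state = (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
    Write-Host "$(Get-Date -Format 'HH:mm:ss') DirectorySynchronizationEnabled: $state"
} while ($state -and (Get-Date) -lt $deadline)

if ($state) {
    Write-Warning "Tenant still reports sync enabled after the deadline; re-run the status check later."
} else {
    Write-Host "Directory sync is disabled for this tenant."
}
```

Microsoft has since deprecated the MSOnline module, so on a current tenant confirm it still installs and connects before relying on this script.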
For more information about this process, refer to this Microsoft document discussing the topic.
Syncing local Active Directory services with Azure AD is very common and makes it easier for users to access Microsoft applications. However, if an organization decides it no longer needs local servers or wants to shift to an all cloud-based solution, there are some things to consider about AD syncing, along with many other things not covered in this post, of course! That said, disabling AD syncing is an easy two-step process, and it can just as easily be re-enabled should the need arise.
As always, knowing what is entailed before making big changes is key in uptime and data availability!