🔄 How to Move from Entra Connect Synced Users to Cloud-Only in Microsoft 365
If you’re done with on-premises Active Directory and ready to manage users entirely in Microsoft 365, you need to convert your synced users to cloud-only. This means disabling directory sync and letting Microsoft Entra ID (formerly Azure AD) take full control of identity management.
No fluff — here’s exactly how to do it.
✅ Why Move to Cloud-Only?
When you’re using Entra Connect, all users synced from AD are read-only in the Microsoft 365 portal. You have to make changes in AD and let them sync up. If you’re decommissioning AD, this becomes a problem.
Going cloud-only lets you:
- Manage users and groups directly in Microsoft 365
- Shut down your on-prem sync server
- Reduce complexity and maintenance
🔧 Step-by-Step: Disable Directory Sync
⚠️ Before you do this: Make sure your Entra Connect server is shut down or removed. If sync is still running, it can re-enable itself and start syncing again.
1. Install Microsoft Graph PowerShell Module
If it’s not installed already:
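# Get-MgOrganization and Update-MgOrganization live in the Identity.DirectoryManagement module
Install-Module Microsoft.Graph.Authentication, Microsoft.Graph.Identity.DirectoryManagement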
2. Connect to Microsoft Graph
Connect-MgGraph -Scopes "Organization.ReadWrite.All"
3. Get Your Tenant ID
$id = Get-MgOrganization | Select-Object -ExpandProperty Id
4. Disable Directory Sync
Update-MgOrganization -OrganizationId $id -OnPremisesSyncEnabled:$false
5. Confirm It’s Off
Get-MgOrganization | Format-List OnPremisesSyncEnabled
⏱️ What Happens Next?
- User and group sync will stop.
- Existing synced users will automatically become cloud-managed.
- You can now manage them fully from the Entra or M365 admin portals.
⏳ It may take up to 72 hours for users to show as fully cloud-only, but most small tenants flip in under an hour.
📌 What to Expect
- You’ll see the cloud icon next to user accounts in Entra/M365 instead of the sync icon.
- Groups will become editable directly in the portal.
- Group owners may be blank post-transition — you’ll need to reassign them manually if needed.
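To track the transition described above without clicking through the portal, the following read-only audit lists users and groups still flagged as synced and groups left without an owner. It is an added example, not part of the original steps; it assumes the Microsoft.Graph.Users and Microsoft.Graph.Groups modules are also installed and connects with read-only scopes rather than Organization.ReadWrite.All.

```powershell
# Added example: read-only post-change audit (not from the original article).
# Assumes Microsoft.Graph.Users and Microsoft.Graph.Groups are installed
# in addition to the modules from step 1.
Connect-MgGraph -Scopes 'Organization.Read.All', 'User.Read.All', 'Group.Read.All'

# 1. Tenant-level state. If OnPremisesLastSyncDateTime keeps advancing after
#    the change, a sync server is still running somewhere.
Get-MgOrganization -Property DisplayName, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime |
    Format-List DisplayName, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime

# 2. Users that have not flipped to cloud-managed yet.
#    The flag is filtered client-side so no advanced query options are needed.
$users = @(Get-MgUser -All -Property Id, UserPrincipalName, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime)
$stillSynced = @($users | Where-Object { $_.OnPremisesSyncEnabled -eq $true })
'{0} of {1} users still flagged as synced' -f $stillSynced.Count, $users.Count
$stillSynced |
    Sort-Object UserPrincipalName |
    Format-Table UserPrincipalName, OnPremisesLastSyncDateTime -AutoSize

# 3. Groups that are still flagged as synced, or that have no owner.
#    An ownerless group has nobody accountable for its membership.
$groups = Get-MgGroup -All -Property Id, DisplayName, OnPremisesSyncEnabled
$groupReport = foreach ($g in $groups) {
    $owners = @(Get-MgGroupOwner -GroupId $g.Id -All)
    if ($g.OnPremisesSyncEnabled -eq $true -or $owners.Count -eq 0) {
        [pscustomobject]@{
            Group       = $g.DisplayName
            GroupId     = $g.Id
            StillSynced = [bool]$g.OnPremisesSyncEnabled
            OwnerCount  = $owners.Count
        }
    }
}
$groupReport | Sort-Object Group | Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
```

Run it again over the following hours; the transition is complete when section 2 reports zero users and no group shows StillSynced as True.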
🔁 Want to Re-Enable Sync Later?
If you ever need to turn sync back on (not recommended unless you go back to using on-prem AD):
Update-MgOrganization -OrganizationId $id -OnPremisesSyncEnabled:$true
🧠 Final Thoughts
If you’re shutting down AD, do it right. Turn off sync, confirm your users are cloud-managed, and move forward with a simpler, more flexible identity model.
No more waiting on sync cycles or dealing with AD schema weirdness. Just fast, direct management from the cloud.