Disable synchronization between Active Directory and Entra using Graph Explorer
Disable synchronization between Entra ID and ADDS: a practical step-by-step guide using Graph Explorer and PowerShell.
An era ends in my Lab. I’ve decided to decommission all on-premises components: domain controller, certification authority, and the Entra Connect server. Here are two methods to do it, one using Microsoft Graph Explorer and the other with PowerShell.
🧭 Objective
Disable synchronization with Active Directory and remove on-premises attributes from synchronized users, making everything cloud-only.
⚠️ Disclaimer
You should not use this method for any kind of troubleshooting. Disabling synchronization between AD and Entra is an action to be taken only if you intend to permanently convert your users to cloud-only.
If you’re doing this in a production environment, make sure you’ve completed all the necessary preparatory steps to do it safely.
The information and procedures described in this document are provided for informational purposes only and must be executed with the utmost caution. I take no responsibility for any damage, service interruptions, or data loss resulting from the application of the instructions provided, especially if implemented in production environments.
It is strongly recommended to always test these procedures in a development or staging environment before applying them in production, and to perform full backups of all involved systems.
Furthermore:
📎 Source: Turn off directory synchronization for Microsoft 365 - Microsoft 365 Enterprise | Microsoft Learn
🛠️ Method 1: Microsoft Graph Explorer
Sign in to Microsoft Graph Explorer
Go to Microsoft Graph Explorer and sign in with a Global Administrator account.
Modify permissions
In the Modify Permissions section, grant the Organization.ReadWrite.All permission.
Run the PATCH request
Enter the following request, replacing {organization-id} with your Tenant ID:
PATCH https://graph.microsoft.com/beta/organization/{organization-id}
Request body (JSON)
{
"onPremisesSyncEnabled": false
}
Execute the query
Click Run Query. Changes may take anywhere from 4–5 minutes up to 72 hours to be reflected in the Azure portal, depending on the number of synchronized objects in the tenant.
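Whichever method is used, the PATCH above is a tenant-wide change and lands in the Entra audit log, which is where a defender would look to confirm who flipped the flag and when. The following is an added example, not part of the original post or of the Microsoft documentation it cites: it uses the Microsoft Graph PowerShell SDK to pull the relevant audit entries. It assumes the caller holds AuditLog.Read.All and that the activity is recorded under the name "Set DirSyncEnabled flag" (the name as observed in Entra audit logs; confirm it in your own tenant if the query returns nothing).

```powershell
# Added example (not from the original post): list changes to the DirSyncEnabled flag.
# Assumptions: Microsoft.Graph PowerShell SDK installed; the signed-in account holds
# AuditLog.Read.All; the audit activity is named "Set DirSyncEnabled flag".
Connect-MgGraph -Scopes "AuditLog.Read.All" -NoWelcome

function Get-DirSyncFlagChanges {
    param([int]$Days = 7)

    # Graph expects an ISO 8601 UTC timestamp in the $filter expression
    $since  = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString("yyyy-MM-ddTHH:mm:ssZ")
    $filter = "activityDisplayName eq 'Set DirSyncEnabled flag' and activityDateTime ge $since"

    Get-MgAuditLogDirectoryAudit -Filter $filter -All | ForEach-Object {
        # The actor is either an interactive user or an application (e.g. Entra Connect itself)
        $actor = if ($_.InitiatedBy.User.UserPrincipalName) {
            $_.InitiatedBy.User.UserPrincipalName
        } else {
            $_.InitiatedBy.App.DisplayName
        }

        # ModifiedProperties carries the old and new value of the flag
        $change = ($_.TargetResources |
            ForEach-Object { $_.ModifiedProperties } |
            ForEach-Object { "$($_.DisplayName): $($_.OldValue) -> $($_.NewValue)" }) -join '; '

        [pscustomobject]@{
            When   = $_.ActivityDateTime
            Result = $_.Result
            Actor  = $actor
            Change = $change
        }
    }
}

# Look back 30 days: enough to cover both the change and the 72-hour propagation window
Get-DirSyncFlagChanges -Days 30 | Format-Table -AutoSize
```

An entry whose actor is an application rather than the administrator who ran the procedure is worth a second look, because Entra Connect sets the same flag when it is (re)installed.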
🛠️ Method 2: Microsoft Graph PowerShell
Install the PowerShell modules
Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force
Connect with the administrator account
Connect-MgGraph -Scopes "Organization.ReadWrite.All,Directory.ReadWrite.All"
Check the current synchronization status
Get-MgOrganization | Select OnPremisesSyncEnabled
Store the Tenant ID and parameters
$organizationId = (Get-MgOrganization).Id
$params = @{ onPremisesSyncEnabled = $false }
Update the configuration
Update-MgOrganization -OrganizationId $organizationId -BodyParameter $params
Verify the change
Get-MgOrganization | Select OnPremisesSyncEnabled
Below is the full script:
# Install v1.0 and beta Microsoft Graph PowerShell modules
Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force
# Connect With Hybrid Identity Administrator Account
Connect-MgGraph -Scopes "Organization.ReadWrite.All,Directory.ReadWrite.All"
# Verify the current status of the DirSync Type
Get-MgOrganization | Select OnPremisesSyncEnabled
# Store the Tenant ID in a variable named organizationId
$organizationId = (Get-MgOrganization).Id
# Store the False value for the DirSyncEnabled Attribute
$params = @{
onPremisesSyncEnabled = $false
}
# Perform the update
Update-MgOrganization -OrganizationId $organizationId -BodyParameter $params
# Check that the command worked
Get-MgOrganization | Select OnPremisesSyncEnabled
📎 Source: Turn off directory synchronization for Microsoft 365 - Microsoft 365 Enterprise | Microsoft Learn
✅ Final Result and Conclusions
Once the procedure is completed, previously synchronized users will be converted into cloud-only users.
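Because the conversion can take up to 72 hours, "completed" is worth checking rather than assuming before the Entra Connect server is switched off. The script below is an added example, not code from the original post: it polls the tenant flag with a bounded wait and then reports any users, groups or devices that still carry the synced-from-AD marker. It uses only read scopes, since verification does not need the write permissions the procedure itself required, and assumes the Microsoft Graph PowerShell SDK is installed; the timeout and interval values are arbitrary defaults.

```powershell
# Added example (not from the original post): confirm the tenant is really cloud-only.
# Assumptions: Microsoft.Graph PowerShell SDK installed; read-only scopes are sufficient.
Connect-MgGraph -Scopes "Organization.Read.All","User.Read.All","Group.Read.All","Device.Read.All" -NoWelcome

function Wait-DirSyncDisabled {
    # Poll the tenant flag; the change can take minutes to days to settle, so bound the wait.
    param([int]$TimeoutMinutes = 30, [int]$IntervalSeconds = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $enabled = (Get-MgOrganization -Property OnPremisesSyncEnabled).OnPremisesSyncEnabled
        if (-not $enabled) { return $true }   # $false and $null both mean sync is off
        Write-Host "onPremisesSyncEnabled is still true, retrying in $IntervalSeconds s..."
        Start-Sleep -Seconds $IntervalSeconds
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Get-RemainingSyncedObjects {
    # onPremisesSyncEnabled supports $filter on users, groups and devices, so filter server-side
    $props   = 'Id','DisplayName','OnPremisesSyncEnabled','OnPremisesLastSyncDateTime'
    $users   = Get-MgUser   -Filter "onPremisesSyncEnabled eq true" -All -Property ($props + 'UserPrincipalName','OnPremisesImmutableId')
    $groups  = Get-MgGroup  -Filter "onPremisesSyncEnabled eq true" -All -Property $props
    $devices = Get-MgDevice -Filter "onPremisesSyncEnabled eq true" -All -Property $props
    [pscustomobject]@{
        Users   = @($users)
        Groups  = @($groups)
        Devices = @($devices)
    }
}

if (Wait-DirSyncDisabled -TimeoutMinutes 30) {
    $left = Get-RemainingSyncedObjects
    "Users still marked as synced:   $($left.Users.Count)"
    "Groups still marked as synced:  $($left.Groups.Count)"
    "Devices still marked as synced: $($left.Devices.Count)"
    # The ImmutableId column shows which accounts still carry their AD anchor
    $left.Users |
        Select-Object UserPrincipalName, OnPremisesImmutableId, OnPremisesLastSyncDateTime |
        Format-Table -AutoSize
} else {
    Write-Warning "Tenant still reports onPremisesSyncEnabled = true; check again later before decommissioning Entra Connect."
}
```

All three counts at zero, together with the tenant flag reading false, is the state to reach before the domain controller and the Entra Connect server are retired.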
Enjoy!
Riccardo