Transforming fully to Entra ID: A Step-by-Step Guide to Converting Synchronized Users to Cloud Managed Identities

This blog post was originally published on 31 January 2024, where we explored how to manage identities after transitioning all workloads to Azure. We provided an outline of the necessary steps to disable the Entra ID Connect synchronization after migrating from a traditional Active Directory. Fast-forward to today, one year later, and with an increasing number of organizations migrating to the cloud and decommissioning their last Active Directory server, it’s essential to revisit those steps and dive deeper into converting synchronized users to cloud-managed identities.

In this updated guide, we will focus on utilizing the Entra PowerShell and Microsoft Graph PowerShell modules as modern alternatives to the outdated and soon-to-be-deprecated MSOnline PowerShell module, giving you all the tools you need to successfully decommission your last Active Directory server.

Recap of the Previous Blog Post

In our January 2024 version of this blog post, we outlined the phase-out of Active Directory for identity management, when migrating your workloads to Azure. To manage identities solely through Entra ID, it is crucial to migrate your identities and use some PowerShell magic. Here are the essential steps for successfully shifting to cloud-managed identities:

  1. Disabling Entra ID Connect Synchronization On-Premises: The first step in transitioning to cloud-managed identities was disabling the Entra ID Connect synchronization. To do so, you had to disable the synchronization scheduler on your Entra ID Connect server via PowerShell (Set-ADSyncScheduler -SyncCycleEnabled $false) or disable the agent via the corresponding Windows services.

  2. Disabling Entra ID Connect Synchronization In The Cloud: We introduced the necessity of using the MSOnline module and outlined the specific PowerShell command required to disable directory synchronization. The PowerShell command was: Set-MsolDirSyncEnabled -EnableDirSync $false

  3. Verification: After disabling Entra ID Connect synchronization, verify the changes via the Admin Portal. You should see a “cloud” symbol next to all identities, indicating they are now managed solely in the cloud.

Transitioning to Cloud-Managed Identities

Now that we’ve recapped the key points from the previous post, let’s dive deeper into how to transition your synchronized users to cloud-managed identities using the “newer” PowerShell modules and the overhauled best practices from 2025:

Understanding the Need for Migration

The migration from synchronized identities to cloud-managed ones is essential for regaining control of your identity management after removing Active Directory. If you don’t migrate your identities, you are unable to change attributes that were managed by Active Directory, for example proxy addresses, because they remain read-only in Entra ID while the user is marked as synchronized.

Pre-Requisites for the Migration

Ensure you have the following before proceeding with the migration:

  • Administrative Access:
    • On-Premises: Ensure you have at least local administrative rights on the server to stop services and uninstall the Entra ID Connect agent.
    • Microsoft Entra ID:
      • If using the Graph PowerShell or Entra PowerShell module with delegated access, you need permissions for the Graph Enterprise Application, specifically OnPremDirectorySynchronization.ReadWrite.All and Organization.ReadWrite.All.
      • If using delegated authentication with the Entra PowerShell module, you need at least the Hybrid Identity Administrator role in Entra ID to perform this task.
  • Data Backup:
    • It is advisable to back up user data to prevent any potential loss during the transition (better safe than sorry).
  • Current Synchronization Status:
    • Review and understand the current synchronization status of your users.
    • You can view the synchronization status via the Admin Portal. If users are already marked with a “cloud” symbol and can be fully managed via the cloud, no further action is needed.

Disabling Synchronization On-Premises

As mentioned in the recap of our original January 2024 blog post, the first step is to disable synchronization on-premises. Before proceeding, it is essential to back up the Entra ID Connect configuration. Here’s how:

  1. Back Up Entra ID Connect Configuration:
    • Open the Microsoft Entra Connect agent.
    • Select the additional task labeled View or Export Current Configuration.
    • A summary of your settings will be displayed, with an option to export the full configuration.
    • By default, the settings are exported to %ProgramData%\AADConnect.
    • For added security and disaster recovery, you can choose to save the settings to a protected location.
    • Note: All settings are exported in JSON format, and to maintain logical consistency, they should not be manually created or edited. Importing manually created or edited files is not supported and may lead to unexpected results.
  2. Disable Synchronization:
    • On the server with the Entra ID Connect agent installed (where PowerShell modules are also installed), open PowerShell and execute the following command: Set-ADSyncScheduler -SyncCycleEnabled $false

Disabling Synchronization In the Cloud Using Entra PowerShell

To disable synchronization through the Microsoft Entra PowerShell module, execute the following command:

Connect-Entra -Scopes 'OnPremDirectorySynchronization.ReadWrite.All', 'Organization.ReadWrite.All'
Set-EntraDirSyncEnabled -EnableDirSync $false -Force $true

If you haven’t installed the Entra PowerShell module yet, please refer to this manual for detailed instructions.

Disabling Synchronization in the Cloud Using Microsoft Graph

For those preferring Microsoft Graph, follow these steps:

  1. Install the Module: Start by ensuring that the Microsoft Graph PowerShell module is installed: Install-Module Microsoft.Graph -Force

  2. Connect to Microsoft Graph: Connect using the appropriate permissions: Connect-MgGraph -Scopes "Organization.ReadWrite.All"

  3. Update Synchronization Status: Run the following command to disable the synchronization:
    $OrgID = (Get-MgOrganization).Id
    $params = @{ onPremisesSyncEnabled = $false }
    Update-MgOrganization -OrganizationId $OrgID -BodyParameter $params

Verifying Migration Success

Whichever of the two PowerShell modules you use, it is crucial to allow up to 72 hours for these changes to fully propagate, especially in larger environments where the conversion of all users can take more time.

Check Synchronization Status with PowerShell: Run these commands to verify user synchronization status after waiting 24h or up to 72h:

For Entra PowerShell: Get-EntraOrganization | Select-Object DisplayName, OnPremisesSyncEnabled

For Microsoft Graph: Get-MgOrganization | Select-Object DisplayName, OnPremisesSyncEnabled
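The tenant-level flag above only tells you that synchronization is switched off; the per-user conversion to cloud-managed identities happens afterwards. The following script is an added example (not code from the original post) that checks both the organization flag and every user’s OnPremisesSyncEnabled attribute with the Microsoft Graph PowerShell module, so you can use it for the synchronization status review in the pre-requisites as well as for the post-migration check. It assumes the Microsoft.Graph module is installed and that the CSV output path is just a constructed example.

```powershell
# Added example (not from the original post): report how many users still show as
# directory-synchronized after DirSync has been disabled in the tenant.
# Assumes the Microsoft.Graph PowerShell module is installed.
Connect-MgGraph -Scopes 'Organization.Read.All', 'User.Read.All' -NoWelcome

# Tenant-level flag: $false means Entra ID Connect sync is switched off in the cloud.
$org = Get-MgOrganization -Property DisplayName, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime
[pscustomobject]@{
    Tenant                = $org.DisplayName
    OnPremisesSyncEnabled = $org.OnPremisesSyncEnabled
    LastSyncDateTime      = $org.OnPremisesLastSyncDateTime
} | Format-List

# Per-user flag. Cloud-only users return $null here rather than $false, so test for
# $true explicitly; any user still at $true has not been converted to a cloud-managed identity.
$users = Get-MgUser -All -Property Id, UserPrincipalName, DisplayName, AccountEnabled,
    OnPremisesSyncEnabled, OnPremisesLastSyncDateTime

$stillSynced  = @($users | Where-Object { $_.OnPremisesSyncEnabled -eq $true })
$cloudManaged = @($users | Where-Object { $_.OnPremisesSyncEnabled -ne $true })

"Users total: {0}  cloud-managed: {1}  still synchronized: {2}" -f `
    @($users).Count, $cloudManaged.Count, $stillSynced.Count

if ($stillSynced.Count -gt 0) {
    # Conversion can take up to 72 hours. Rerun this report until the list is empty
    # before uninstalling Entra ID Connect on-premises.
    $csvPath = '.\still-synchronized-users.csv'   # constructed example path
    $stillSynced |
        Select-Object UserPrincipalName, DisplayName, AccountEnabled, OnPremisesLastSyncDateTime |
        Sort-Object UserPrincipalName |
        Export-Csv -Path $csvPath -NoTypeInformation
    "Exported users still marked as synchronized to $csvPath"
}
```

Only when the exported list is empty (and the organization flag reads False) have all identities actually become cloud-managed; the tenant flag alone is not sufficient evidence.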

Uninstall Entra ID Connect

After verifying that all identities have been successfully migrated, you can proceed to uninstall the Entra ID Connect service from your on-premises server. Here’s a step-by-step guide to ensure a smooth uninstallation process: Uninstall Microsoft Entra Connect – Microsoft Entra ID | Microsoft Learn

Conclusion

In conclusion, this blog post built upon the foundation established in our January 2024 post, providing an updated and detailed approach to transitioning synchronized users to cloud-managed identities. Furthermore, we delved into the successors of our beloved MSOnline PowerShell module for this task. As organizations continue to navigate the complexities of cloud migration, embracing these identity management practices strengthens your efficiency, security, and flexibility during and after the migration.
