How to Stop Azure AD Connect and Safely Convert All Users to Cloud-Only

After converting your domain from Federated to Managed authentication, the next logical step in a cloud-first identity strategy is to disconnect Azure AD Connect and make all users cloud-only.

This sounds simple, but it is one of the most misunderstood steps in Microsoft Entra ID. Many admins assume stopping the sync service is enough; it isn't.

This blog walks through the correct, Microsoft-supported process, explains confusing Graph behavior (like “no output” results), and sets expectations so you can complete this change without user interruption.


Critical Concept (Read This First)

Stopping Azure AD Connect does NOT make users cloud-only.

There are two separate actions that must happen:

  1. Break directory synchronization ownership at the tenant level (the onPremisesSyncEnabled flag on the organization object in Microsoft Graph)
  2. Stop Azure AD Connect on the server

Both are required — and order matters.


Phase 1 – Pre-Checks (Mandatory)

1. Confirm Authentication Is Managed

Before touching sync, make sure AD FS is no longer involved. Check every verified domain, not just the primary one:

Get-MgDomain | Select Id, AuthenticationType

✔ All domains must show Managed
❌ If any domain is still Federated, stop here


2. Ensure Password Hash Sync Was Working

Once sync stops, the password hashes already stored in Entra ID are the only credentials cloud-only users have. If PHS was off, or its last successful sync is stale, users will have no working cloud password after the change.

On the Azure AD Connect server:

Get-ADSyncAADCompanyFeature

Confirm:

PasswordHashSync : True

If this is False, do not proceed.


3. Identify How Many Users Are Still Synced

Note that Get-MgUser does not return onPremisesSyncEnabled by default; without -Property the value is null for every user and the count is always 0.

Get-MgUser -All -Property Id,UserPrincipalName,OnPremisesSyncEnabled | Where-Object {$_.OnPremisesSyncEnabled -eq $true} | Measure-Object

This gives you a baseline of how many objects will transition. Export the list so you can compare against it after the change.
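The three pre-checks above as one script that refuses to continue if any of them fails. This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell SDK is installed and that it runs on the Azure AD Connect server, where the ADSync module is available. The output file name is an assumption.

```powershell
# Added pre-flight script (not from the original post). Assumes the Graph SDK is
# installed and that this runs on the Azure AD Connect server (ADSync module).
Import-Module ADSync -ErrorAction Stop
Connect-MgGraph -Scopes 'Domain.Read.All','User.Read.All'

# 1. Every verified domain must be Managed; a single Federated domain blocks the change.
$federated = Get-MgDomain -All | Where-Object { $_.AuthenticationType -eq 'Federated' }
if ($federated) {
    throw "Stop: still federated: $($federated.Id -join ', ')"
}

# 2. Password hash sync must be on; otherwise cloud-only users have no password to sign in with.
$features = Get-ADSyncAADCompanyFeature
if (-not $features.PasswordHashSync) {
    throw 'Stop: PasswordHashSync is not enabled for this tenant.'
}

# 3. Baseline of synced users. onPremisesSyncEnabled is not returned by default,
#    so it must be requested explicitly with -Property.
$synced = @(Get-MgUser -All -Property Id,UserPrincipalName,OnPremisesSyncEnabled |
    Where-Object { $_.OnPremisesSyncEnabled -eq $true })
"$($synced.Count) synced user(s) will transition to cloud-only"

# Keep the baseline on disk for the post-change comparison (file name is an assumption).
$synced | Select-Object Id, UserPrincipalName |
    Export-Csv -Path .\synced-users-baseline.csv -NoTypeInformation
```

Run it under an account that can be granted the listed delegated scopes; the ADSync cmdlets need local administrator rights on the Connect server.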


Phase 2 – Disable Directory Sync at the Tenant Level (MOST IMPORTANT STEP)

This is the step that actually makes users cloud-only.

1. Connect to Microsoft Graph

Connect-MgGraph -Scopes Organization.ReadWrite.All

Organization.ReadWrite.All is the least-privileged scope for updating the organization object; Directory.ReadWrite.All also works but grants far more than this task needs.

2. Disable Directory Synchronization

$org = Get-MgOrganization
Update-MgOrganization -OrganizationId $org.Id -BodyParameter @{
    onPremisesSyncEnabled = $false
}

What Happens Next (This Is Normal)

  • The change is not immediate
  • Microsoft backend processing takes 30 minutes to 72 hours, depending on the number of objects
  • During this window users may still show as synced; this is expected behavior

Phase 3 – Monitoring the Transition

1. “No Output” When Checking Tenant Sync Status

Many admins run:

(Get-MgOrganization).OnPremisesSyncEnabled

…and see no output.

This Is NOT an Error

In Microsoft Graph:

  • OnPremisesSyncEnabled is a nullable property
  • If the value is null, PowerShell prints nothing
  • null is treated the same as sync disabled; Microsoft's own guidance for this check reads a blank result as "sync off"

Correct way to check:

Get-MgOrganization | Select Id, OnPremisesSyncEnabled

Possible results:

  Output         Meaning
  True           Sync still enabled
  False          Sync explicitly disabled
  Blank / null   Sync already disabled (cloud-only state)

👉 Blank is good.


2. Monitor User Conversion (Best Indicator)

As in the pre-check, -Property is required. Without it the column is blank for every user, synced or not, which would look like success when nothing has changed.

Get-MgUser -Top 20 -Property DisplayName,OnPremisesSyncEnabled | Select DisplayName, OnPremisesSyncEnabled

Final expected state:

  • False or
  • Blank value

Both mean:

  • Users are cloud-only
  • Source of authority is Microsoft Entra ID
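Phases 2 and 3 as one script: flip the tenant flag, then poll until the organization reports sync off and no user still carries onPremisesSyncEnabled = true. This is an added example, not code from the original post. It assumes the Graph SDK, the two scopes shown, and that onPremisesSyncEnabled can be filtered server-side (it supports eq); the 15-minute polling interval and the 72-hour ceiling are assumptions taken from the window stated above.

```powershell
# Added example (not from the original post). Assumes the Graph SDK is installed.
# Polling interval and maximum wait are assumptions.
Connect-MgGraph -Scopes 'Organization.ReadWrite.All','User.Read.All'

$orgId = (Get-MgOrganization).Id
Update-MgOrganization -OrganizationId $orgId -BodyParameter @{ onPremisesSyncEnabled = $false }

function Get-SyncedUserCount {
    # Server-side filter plus $count, so large tenants are not enumerated on every poll.
    # -CountVariable needs -ConsistencyLevel eventual.
    Get-MgUser -Filter "onPremisesSyncEnabled eq true" -ConsistencyLevel eventual `
        -CountVariable total -Top 1 -Property Id | Out-Null
    return [int]$total
}

$deadline = (Get-Date).AddHours(72)
$interval = [TimeSpan]::FromMinutes(15)
do {
    $tenantFlag = (Get-MgOrganization -OrganizationId $orgId).OnPremisesSyncEnabled
    $remaining  = Get-SyncedUserCount
    # $null and $false both mean "sync off" at the tenant level.
    $tenantOff  = ($null -eq $tenantFlag) -or ($tenantFlag -eq $false)
    '{0:u}  tenantSyncEnabled={1}  usersStillSynced={2}' -f (Get-Date), $tenantFlag, $remaining
    if ($tenantOff -and $remaining -eq 0) { break }
    Start-Sleep -Seconds $interval.TotalSeconds
} while ((Get-Date) -lt $deadline)

if ($tenantOff -and $remaining -eq 0) {
    'Tenant is cloud-only: safe to stop the ADSync service.'
} else {
    Write-Warning 'Backend processing still in progress after the wait window; keep monitoring before stopping ADSync.'
}
```

The script only reports; it does not touch the Connect server. Stopping the service remains a separate, later step, which is the point of the ordering this post insists on.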

Phase 4 – Validation (Do Not Skip)

1. Identity Management Validation

In Entra Admin Center, confirm you can now edit:

  • Display Name
  • Job Title
  • Department
  • ProxyAddresses

If editable → users are cloud-only.


2. Password and MFA Validation

  • Password sign-in works
  • MFA prompts correctly
  • SSPR works
  • No dependency on on-prem AD

3. App and Client Testing

Test:

  • Browser sign-in
  • Outlook
  • Teams
  • Mobile devices

Phase 5 – Stop Azure AD Connect (Server-Side)

Only do this after tenant sync is disabled.

On the Azure AD Connect server:

Stop-Service ADSync
Set-Service ADSync -StartupType Disabled

At this point:

  • No changes flow from on-prem
  • Users remain functional
  • No passwords change

Phase 6 – Decommission Azure AD Connect (Safely)

Recommended Approach

  1. Power off the server
  2. Wait 7–14 days
  3. Monitor sign-in logs and helpdesk tickets
  4. If stable:
    • Uninstall Azure AD Connect
    • Decommission the VM
  5. Disable, then remove, the sync service accounts once rollback is off the table: the AD DS connector account (MSOL_* by default) holds directory replication rights on the domain, and the tenant-side Sync_* account holds the Directory Synchronization Accounts role. Neither is needed after decommissioning, and both are attractive targets if left enabled.

⚠️ Do not delete immediately — rollback insurance matters.
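A decommission script covering Phase 5 and the account cleanup in Phase 6. This is an added example, not code from the original post. Part 1 runs on the Azure AD Connect server and also disables the sync scheduler, so a VM that is powered back on during the hold period cannot resume exports. Part 2 inventories the privileged accounts the deployment leaves behind; it assumes the default account naming (MSOL_<id> in AD DS, a member of the Directory Synchronization Accounts role in the tenant) and the output file names are assumptions.

```powershell
# Added decommission script (not from the original post).
# Part 1: on the Azure AD Connect server. Part 2: anywhere with the Graph SDK and RSAT.

# --- Part 1: stop sync at the source and keep a record of the configuration -----------
Import-Module ADSync -ErrorAction Stop
# Disabling the scheduler as well as the service means a service restart cannot export.
Set-ADSyncScheduler -SyncCycleEnabled $false
Stop-Service ADSync
Set-Service ADSync -StartupType Disabled
# Record scheduler state and connectors before the server is uninstalled (file names assumed).
Get-ADSyncScheduler | Out-File .\adsync-scheduler-before-decom.txt
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName | Out-File .\adsync-connectors.txt

# --- Part 2: inventory the privileged accounts left behind ----------------------------
# The AD DS connector account (MSOL_* by default) holds Replicating Directory Changes
# rights, i.e. it can pull password hashes for the whole domain. Leave it enabled only
# while rollback is still a real option.
Import-Module ActiveDirectory
Get-ADUser -Filter 'Name -like "MSOL_*"' -Properties Enabled, LastLogonDate |
    Select-Object SamAccountName, Enabled, LastLogonDate

# The tenant-side sync account is whatever holds the Directory Synchronization Accounts role.
Connect-MgGraph -Scopes 'RoleManagement.Read.Directory','User.Read.All'
$role = Get-MgDirectoryRole -Filter "displayName eq 'Directory Synchronization Accounts'"
if ($role) {
    Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id |
        ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }
} else {
    'Directory Synchronization Accounts role is not activated in this tenant.'
}

# After the hold period, disable rather than delete first:
#   Disable-ADAccount -Identity <MSOL_ account>
#   Update-MgUser -UserId <tenant sync account id> -AccountEnabled:$false
```

Part 2 only lists accounts; the two disable commands at the end are left as comments so the script cannot remove rollback capability by accident during the 7–14 day hold.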


Rollback (If Ever Needed)

You can re-enable directory sync:

Update-MgOrganization -OrganizationId (Get-MgOrganization).Id -BodyParameter @{
    onPremisesSyncEnabled = $true
}

Then reinstall Azure AD Connect, or re-enable the ADSync service and sync scheduler on the existing server. Rollback is not instantaneous: Microsoft documents a waiting period (up to 72 hours) before a tenant that has just had sync disabled can be switched back on, which is another reason to keep the server intact during the hold period.


Common Mistakes to Avoid

❌ Only stopping the ADSync service
❌ Expecting instant cloud-only conversion
❌ Deleting Azure AD Connect too early
❌ Forgetting service or break-glass accounts (confirm they are cloud-only, have working credentials, and are excluded from any policy that assumes on-prem attributes)


Will Users Be Impacted?

Short Answer: No major disruption

What Most Users Experience

  • Same password
  • Same MFA
  • Same apps
  • No visible change

What a Small Subset Might See

  • One-time MFA prompt
  • Token refresh
  • “Stay signed in?” prompt

These are normal and temporary.


Final Takeaway

Authentication (Federated → Managed)
Identity ownership (Synced → Cloud-only)

These are two different operations and must be done in sequence.

If you:

  • Disable tenant sync first
  • Wait for backend processing
  • Then stop Azure AD Connect

You get:

  • Zero downtime
  • No password resets
  • No user interruption
  • Fully cloud-managed identities

Closing Thought

If things have “stopped” and users are signing in normally, you did it right.

At this stage:

  • Do nothing
  • Monitor for 24–48 hours
  • Then close the change confidently

!!! THANKS FOR READING !!!

Regards,
HARISH KUMAR

Knowledge is not a finite resource to hoard; it’s a boundless treasure that grows when shared
