How to Disable Active Directory Synchronization in Microsoft Entra ID

Learn to properly disable on-premises Active Directory synchronization with Microsoft Entra ID using Microsoft Graph PowerShell, including both standard and offline scenarios.

Emanuel DE ALMEIDA, March 17, 2026. 8 steps, about 15 minutes, difficulty: medium. Tag: entra-id

Why Disable Active Directory Synchronization in Microsoft Entra ID?

Organizations often need to disable Active Directory synchronization when migrating to a cloud-first identity strategy, decommissioning on-premises infrastructure, or resolving synchronization conflicts. This process transforms your hybrid identity environment into a pure cloud-managed setup, where Microsoft Entra ID becomes the single source of truth for user and group management.

What Happens When You Disable Directory Synchronization?

When you disable synchronization, several important changes occur immediately. All previously synced users and groups become cloud-managed objects, meaning you can modify their properties directly in Microsoft Entra ID. However, their original on-premises attributes and relationships are preserved, so users retain their licenses, group memberships, and application access. The process is designed to be non-disruptive to end users, though administrators must adapt their management workflows.

Which Method Should You Choose for Your Environment?

The approach depends on your current infrastructure state. If your on-premises environment is still online and accessible, follow the standard process that includes properly stopping the sync scheduler before disabling tenant-level synchronization. However, if your on-premises infrastructure has already been decommissioned or is offline, you can proceed directly with the cloud-side disable operation using Microsoft Graph PowerShell. Both methods achieve the same result, but the standard approach provides cleaner logging and status reporting.

Implementation Guide

Full Procedure

01

Install Microsoft Graph PowerShell SDK

First, install the Microsoft Graph PowerShell SDK, which replaced the legacy Azure AD modules. This is your primary tool for managing Microsoft Entra ID synchronization settings.

Install-Module Microsoft.Graph -Scope CurrentUser -Force

If you encounter execution policy issues, temporarily allow script execution:

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

Verification: Check the installed version to confirm successful installation:

Get-Module Microsoft.Graph -ListAvailable | Select-Object Name, Version

Pro tip: The Microsoft Graph PowerShell SDK v2.19.0+ is the current stable version as of 2026. Keep it current with Update-Module Microsoft.Graph, which pulls the latest release from the PowerShell Gallery.

02

Connect to Microsoft Graph with Required Permissions

Connect to Microsoft Graph with the necessary permissions to modify organization settings. The Organization.ReadWrite.All scope is required to disable synchronization.

Connect-MgGraph -Scopes "Organization.ReadWrite.All"

This will open a browser window for authentication. Sign in with your Global Administrator or Hybrid Identity Administrator account. After successful authentication, you'll see a confirmation message in PowerShell.

Verification: Confirm your connection and permissions:

Get-MgContext | Select-Object Account, Scopes

Warning: Ensure you're using an account with sufficient privileges. Insufficient permissions will cause the disable operation to fail silently in some cases.

03

Check Current Synchronization Status

Before making changes, document the current synchronization state. This helps you understand what's currently enabled and provides a baseline for verification.

Get-MgOrganization | Select-Object DisplayName, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime, OnPremisesLastPasswordSyncDateTime

The output shows:

  • OnPremisesSyncEnabled: Should be True if sync is active
  • OnPremisesLastSyncDateTime: Timestamp of last successful sync
  • OnPremisesLastPasswordSyncDateTime: Timestamp of the last password hash sync (empty if Password Hash Sync was never used)

Also check which sync features are currently enabled. These are stored on the directory synchronization settings object rather than on the organization object, so reading them needs the OnPremDirectorySynchronization.Read.All scope in addition to the scope requested in Step 2:

Get-MgDirectoryOnPremiseSynchronization | Select-Object -ExpandProperty Features | Select-Object PasswordSyncEnabled, PasswordWritebackEnabled, UserWritebackEnabled, GroupWriteBackEnabled

Pass-through Authentication is agent-based and is not reported by this object; its state is shown in the Microsoft Entra admin center under Microsoft Entra Connect.

Verification: Document these values for comparison after disabling sync. Take a screenshot or save the output to a file for your records.

04

Disable On-Premises Sync Scheduler (If Server is Online)

If your Microsoft Entra Connect server is still online and accessible, stop the synchronization scheduler first. This prevents new sync cycles from starting while you're disabling the feature.

On the Microsoft Entra Connect server, open PowerShell as Administrator and run:

Import-Module ADSync
Set-ADSyncScheduler -SyncCycleEnabled $false

Check that no synchronization is currently running:

Get-ADSyncScheduler

The output should show SyncCycleEnabled: False and SyncCycleInProgress: False.

If your on-premises environment is offline or decommissioned: Skip this step entirely. You can disable synchronization from the cloud side without on-premises access.

Verification: Wait 5 minutes, then check the scheduler status again to ensure no sync cycles are starting.

Pro tip: If you can't access the on-premises server, don't worry. Microsoft Entra ID will automatically detect that sync has stopped after the disable operation.
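As an added example (not code from the original article), the stop-and-verify sequence of this step combined into one script run on the Microsoft Entra Connect server. Instead of a fixed 5-minute pause it waits for any in-flight sync cycle to finish; the 10-minute ceiling and the 30-second polling interval are assumptions.

```powershell
# Added example, not part of the original article. Run on the Microsoft Entra
# Connect server in an elevated PowerShell session.
Import-Module ADSync

# Stop new sync cycles from starting.
Set-ADSyncScheduler -SyncCycleEnabled $false

# A cycle that was already running keeps going; wait for it to finish rather
# than sleeping a fixed 5 minutes. The 10-minute ceiling is an assumption.
$timeoutMinutes = 10
$deadline = (Get-Date).AddMinutes($timeoutMinutes)
while ((Get-ADSyncScheduler).SyncCycleInProgress -and (Get-Date) -lt $deadline) {
    Write-Host "Sync cycle still in progress, waiting 30 seconds..."
    Start-Sleep -Seconds 30
}

# Report the final scheduler state for the change record.
$state = Get-ADSyncScheduler
$state | Select-Object SyncCycleEnabled, SyncCycleInProgress, StagingModeEnabled, NextSyncCycleStartTimeInUTC

if ($state.SyncCycleEnabled) {
    throw "Scheduler is still enabled; Set-ADSyncScheduler did not take effect."
}
if ($state.SyncCycleInProgress) {
    throw "A sync cycle is still running after $timeoutMinutes minutes; do not disable tenant sync yet."
}
Write-Host "Scheduler stopped and no cycle in progress. Safe to continue with the tenant-side disable."
```

The script deliberately throws rather than continuing when a cycle is still running, so that a scripted change fails closed and the tenant-side disable is not attempted while an export is still being written.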

05

Disable Directory Synchronization in Microsoft Entra ID

Now disable synchronization at the tenant level using Microsoft Graph. This is the critical step that tells Microsoft Entra ID to stop expecting synchronization from on-premises.

$org = Get-MgOrganization
Update-MgOrganization -OrganizationId $org.Id -OnPremisesSyncEnabled:$false

Two details matter here. The -OrganizationId parameter is mandatory, so the tenant ID is read from Get-MgOrganization first. OnPremisesSyncEnabled is a switch parameter in the Graph SDK, so it must be written -OnPremisesSyncEnabled:$false; passing $false as a separate argument produces a positional-parameter error instead of disabling sync.

The command should complete without errors. If successful, you won't see any output, which is normal for Graph PowerShell commands.

Verification: Immediately check the status (it may take a few minutes to reflect):

Get-MgOrganization | Select-Object DisplayName, OnPremisesSyncEnabled, OnPremisesLastSyncDateTime

You should see OnPremisesSyncEnabled: False.

Warning: Once disabled, you cannot re-enable synchronization for 72 hours. Plan this change during a maintenance window and ensure all stakeholders are informed.

06

Verify Synchronization Disable Status

The disable process can take up to 72 hours to fully propagate through Microsoft's systems. Monitor the status regularly during this period.

Check the current status:

Get-MgOrganization | Select-Object OnPremisesSyncEnabled, OnPremisesLastSyncDateTime

Also verify in the Microsoft Entra admin center:

  1. Navigate to https://entra.microsoft.com
  2. Go to Identity > Hybrid management > Microsoft Entra Connect
  3. Check that the sync status shows as disabled

Monitor for the next 72 hours. The portal may show conflicting information initially, but PowerShell provides the authoritative status.

Verification: Run this command daily for 3 days to confirm the status remains disabled:

Get-Date; Get-MgOrganization | Select-Object OnPremisesSyncEnabled

Pro tip: Create a scheduled task or reminder to check the status after 72 hours. Some features like Password Hash Sync may appear "enabled" in the portal even when non-functional.
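The "save the output to a file" advice in Step 3 and the daily check in this step can share one small script. The following is an added example, not code from the original article: Save-SyncBaseline records the pre-change state as JSON, Test-SyncDisabled re-reads the tenant and appends a dated line to a log. Both function names and both file paths are assumptions; it requires an existing Connect-MgGraph session with at least Organization.Read.All.

```powershell
# Added example, not part of the original article. Requires an existing
# Connect-MgGraph session (Organization.Read.All is sufficient for reading).
$BaselinePath = "$env:USERPROFILE\entra-sync-baseline.json"   # assumed location
$LogPath      = "$env:USERPROFILE\entra-sync-status.log"      # assumed location

function Get-SyncState {
    # Reads the tenant-level sync properties in one call and stamps them with UTC time.
    $org = Get-MgOrganization -Property Id,DisplayName,OnPremisesSyncEnabled,OnPremisesLastSyncDateTime,OnPremisesLastPasswordSyncDateTime
    [pscustomobject]@{
        CheckedAt                          = (Get-Date).ToUniversalTime().ToString('o')
        TenantId                           = $org.Id
        DisplayName                        = $org.DisplayName
        OnPremisesSyncEnabled              = $org.OnPremisesSyncEnabled
        OnPremisesLastSyncDateTime         = $org.OnPremisesLastSyncDateTime
        OnPremisesLastPasswordSyncDateTime = $org.OnPremisesLastPasswordSyncDateTime
    }
}

function Save-SyncBaseline {
    # Step 3: persist the current state before any change is made.
    Get-SyncState | ConvertTo-Json | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline written to $BaselinePath"
}

function Test-SyncDisabled {
    # Step 6: compare the live state against the baseline and log the result.
    if (-not (Test-Path $BaselinePath)) {
        Write-Warning "No baseline found at $BaselinePath; run Save-SyncBaseline before the change."
    }
    $baseline = if (Test-Path $BaselinePath) { Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json }
    $current  = Get-SyncState
    $line = "{0} OnPremisesSyncEnabled={1} (baseline {2}) LastSync={3}" -f `
        $current.CheckedAt, $current.OnPremisesSyncEnabled, $baseline.OnPremisesSyncEnabled, $current.OnPremisesLastSyncDateTime
    Add-Content -Path $LogPath -Value $line
    Write-Host $line

    if ($current.OnPremisesSyncEnabled) {
        Write-Warning "Tenant still reports sync enabled; re-check during the 72-hour propagation window."
        return $false
    }
    return $true
}

# Usage: Save-SyncBaseline once before Step 5, then Test-SyncDisabled daily afterwards.
```

Writing the result to a log rather than only to the console gives you a dated record across the three days of checks, which is what an auditor or a change board will ask for afterwards.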

07

Uninstall Microsoft Entra Connect (If Applicable)

If you have access to the Microsoft Entra Connect server and no longer need it, uninstall the software to complete the cleanup process.

On the Microsoft Entra Connect server:

  1. Open Programs and Features from Control Panel
  2. Find Microsoft Entra Connect or Azure AD Connect
  3. Right-click and select Uninstall
  4. Follow the uninstall wizard

Alternatively, remove the MSI package from an elevated PowerShell session. This uses the generic Uninstall method of the Win32_Product class rather than a product-specific cmdlet, and the filter matches both the current and the former product name:

Get-CimInstance -ClassName Win32_Product -Filter "Name LIKE 'Microsoft Entra Connect%' OR Name LIKE 'Microsoft Azure AD Connect%'" | Invoke-CimMethod -MethodName Uninstall

After uninstalling, restart the server to ensure all services are properly stopped.

If using Microsoft Entra Cloud Sync: Uninstall the provisioning agent from each server where it's installed.

Verification: Confirm the software is removed:

Get-CimInstance -ClassName Win32_Product | Where-Object { $_.Name -like "*Entra*" -or $_.Name -like "*Azure AD*" }

This should return no results if the uninstall was successful.

Warning: Microsoft recommends uninstalling Entra Connect before disabling tenant sync to avoid portal status mismatches. If you disabled sync first, some features may still appear "enabled" in the portal despite being non-functional.

08

Update User and Group Management Processes

With synchronization disabled, all user and group management must now be done directly in Microsoft Entra ID. Update your administrative processes accordingly.

Check for users that were previously synced and are now cloud-managed:

Connect-MgGraph -Scopes "User.Read.All"
Get-MgUser -All -Filter "userType eq 'Member'" -Property DisplayName,UserPrincipalName,OnPremisesImmutableId |
    Where-Object { $null -ne $_.OnPremisesImmutableId } |
    Select-Object DisplayName,UserPrincipalName

The -All switch pages through the whole directory; without it only the first page of results is returned and formerly synced users further down the list are missed.

Review and update dynamic groups that may have relied on on-premises attributes:

Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'DynamicMembership')" -Property DisplayName,MembershipRule | Select-Object DisplayName,MembershipRule

Update any dynamic group rules that reference on-premises attributes (like extensionAttribute1) to use cloud-based attributes instead.
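Reading every membership rule by eye does not scale past a handful of groups. As an added example (not code from the original article), the following script flags dynamic groups whose rule references attributes that were only populated by on-premises sync and exports them for review. The attribute list, the function name and the output path are assumptions; extend the list with any custom extension attributes your tenant relied on.

```powershell
# Added example, not part of the original article. Requires Group.Read.All.
# Attribute names that only carry a value when an object is synced from
# on-premises AD. The list is an assumption; add your own custom attributes.
$onPremAttributes = @(
    'extensionAttribute',            # prefix matches extensionAttribute1..15
    'onPremisesSecurityIdentifier',
    'onPremisesDistinguishedName',
    'onPremisesSamAccountName',
    'onPremisesDomainName',
    'onPremisesSyncEnabled'
)
# Build one case-insensitive alternation from the escaped attribute names.
$pattern = ($onPremAttributes | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Get-DynamicGroupsUsingOnPremAttributes {
    # -All pages through every group; without it only the first page is returned.
    Get-MgGroup -All -Filter "groupTypes/any(c:c eq 'DynamicMembership')" `
        -Property Id,DisplayName,MembershipRule,MembershipRuleProcessingState |
        Where-Object { $_.MembershipRule -match $pattern } |
        ForEach-Object {
            # Collect the distinct attribute names that triggered the match.
            $hits = [regex]::Matches($_.MembershipRule, $pattern) |
                Select-Object -ExpandProperty Value -Unique
            [pscustomobject]@{
                Id               = $_.Id
                DisplayName      = $_.DisplayName
                ProcessingState  = $_.MembershipRuleProcessingState
                MatchedAttribute = $hits -join ';'
                MembershipRule   = $_.MembershipRule
            }
        }
}

Connect-MgGraph -Scopes "Group.Read.All"
$report = Get-DynamicGroupsUsingOnPremAttributes
$report | Format-Table DisplayName, MatchedAttribute, ProcessingState -AutoSize
# Assumed output path; the CSV is the worklist for rewriting rules to cloud attributes.
$report | Export-Csv -Path "$env:USERPROFILE\dynamic-groups-onprem-attributes.csv" -NoTypeInformation
```

Groups that appear in the report will keep their current members until the rule is rewritten, but new cloud-created users will never match a rule keyed on an attribute that is no longer populated, so treat the CSV as the list of rules to migrate before onboarding starts in the cloud.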

Key changes to implement:

  • Create new users directly in Microsoft Entra ID
  • Manage group memberships through the cloud
  • Update any automation scripts to use Microsoft Graph instead of on-premises AD
  • Reconfigure any applications that relied on on-premises group memberships

Verification: Test creating a new user in Microsoft Entra ID to ensure your new processes work:

$newUser = @{
    DisplayName = "Test User"
    UserPrincipalName = "testuser@yourdomain.com"
    MailNickname = "testuser"
    PasswordProfile = @{
        Password = "TempPassword123!"
        ForceChangePasswordNextSignIn = $true
    }
    AccountEnabled = $true
}
New-MgUser @newUser

Frequently Asked Questions

How long does it take to fully disable Active Directory synchronization in Microsoft Entra ID?

The disable operation completes immediately when you run the PowerShell command, but full propagation through Microsoft's systems can take up to 72 hours. During this time, you may see inconsistent status information in the Azure portal, but PowerShell commands provide the authoritative status. Monitor the OnPremisesSyncEnabled property daily for three days to confirm the change has fully propagated.

Can I re-enable Active Directory synchronization immediately after disabling it?

No, Microsoft enforces a 72-hour waiting period before you can re-enable directory synchronization. This is a safety measure to prevent accidental toggles and ensure system stability. Plan your disable operation carefully and ensure all stakeholders understand this limitation. If you need to re-enable sync, you'll need to wait the full 72 hours and then reconfigure Microsoft Entra Connect.

What happens to user passwords when I disable Active Directory synchronization?

User passwords remain functional, but the authentication method depends on your previous configuration. If you were using Password Hash Sync, users can continue signing in with their existing passwords since the hashes are stored in Microsoft Entra ID. However, password changes must now be made directly in the cloud. If you were using Pass-through Authentication or federation, you'll need to reset passwords for all users and configure cloud-based authentication.

Will disabling synchronization affect my users' access to applications and services?

No, disabling synchronization should not disrupt user access to applications and services. All existing licenses, group memberships, and application assignments are preserved when users transition from synced to cloud-managed status. However, any dynamic groups that rely on on-premises attributes will need to be reconfigured to use cloud-based attributes. Test critical applications after the disable operation to ensure continued functionality.

What should I do if my on-premises Active Directory server is already offline or decommissioned?

You can still disable synchronization even if your on-premises environment is offline. Simply skip the on-premises steps and proceed directly with the Microsoft Graph PowerShell commands to disable sync at the tenant level. Microsoft Entra ID will detect that the on-premises environment is no longer available and complete the disable process. This is a common scenario when organizations have already decommissioned their on-premises infrastructure but forgot to disable the sync configuration.
Written by

Emanuel DE ALMEIDA

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
