Active Directory to Entra ID Migration
Author: Ofir Gavish
This article is about migration of user and group objects that are already synced from on-premises AD to Microsoft Entra ID, we are going to “convert” them to “Cloud-only” objects, that is – not synced.
This is intended for organizations that are moving their workloads to the cloud or removing the on-premises services and have no need for on-premises Active Directory Domain Services
This method allows you to migrate users and groups to Entra ID without deleteting and recreating group objects, and no downtime
Please ensure that your computers are Entra Joined and not Hybrid Joined.
Check that your Entra Connect Server is running the latest version and updates before you begin.
Check that you have an OU that is not synchronized or create a new one.
Look for any special attributes you use which are not synced, and sync them, or use a script to move them to new attributes in the cloud objects (more on that in a different post).
A few things to pay attention to:
- Both hybrid and cloud-only users can be members of cloud-only groups
- Both hybrid and cloud-only groups can be members of cloud-only groups
- Cloud-only users and groups cannot be members of hybrid groups.
Now that you’re ready, let’s describe the process:
- Disable synchronization on Entra ID
- Move your objects to an unsynced OU
- Enable synchronization on Entra ID
- Remove the errors in Entra Connect synchronization service – Delete Connector Space Only
To disable the synchronization on Entra ID we’ll use these commands:
# Install v1.0 and beta Microsoft Graph PowerShell modules
Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force
# Connect With Hybrid Identity Administrator Account
Connect-MgGraph -scopes "Organization.ReadWrite.All,Directory.ReadWrite.All"
# Verify the current status of the DirSync Type
Get-MgBetaOrganization | Select OnPremisesSyncEnabled
# Store the Tenant ID in a variable named organizationId
$organizationId = (Get-MgBetaOrganization).Id
# Store the False value for the DirSyncEnabled Attribute
$params = @{
onPremisesSyncEnabled = $false
}
# Perform the update
Update-MgBetaOrganization -OrganizationId $organizationId -BodyParameter $params
# Check that the command worked
Get-MgBetaOrganization | Select OnPremisesSyncEnabled
Once the sync is disabled, the first thing to check is that all users and groups appear as “Cloud-Only” objects. When all the objects appear as “Cloud-Only,” it means that the synchronization is disabled successfully.
Now we can move users and groups to an unsynced OU. When you’ve moved all the objects you want to migrate, we can enable the synchronization back on:
# Store the False value for the DirSyncEnabled Attribute
$params = @{
onPremisesSyncEnabled = $true
}
# Perform the update
Update-MgBetaOrganization -OrganizationId $organizationId -BodyParameter $params
# Check that the command worked
Get-MgBetaOrganization | Select OnPremisesSyncEnabled
After running the commands, you should run a full sync:
Start-ADSyncSyncCycle -PolicyType Initial
We should see the objects that were not moved to an unsynced OU change their status to “synced” again, while the objects that were moved to an unsynced keep their “Cloud-Only” status.
Finishing Touches
You will see errors in the Synchronization service. If you migrated user objects only, then you can “Nullify” their Immutable ID attribute. But if you migrated Groups as well, we need to “clear the cache” so to speak of the Connector space:
You can repeat this process multiple times to migrate your objects gradually (you should not do this process multiple times in a timespan of less than 8 hours).
That’s all for now. If you need any assistance, I’m happy to help.