Overview

This article covers the migration of user and group objects that are already synced from on-premises Active Directory to Microsoft Entra ID. We're going to "convert" them to "Cloud-only" objects—that is, not synced from on-premises.

This is intended for organizations that are moving their workloads to the cloud or removing on-premises services and have no need for on-premises Active Directory Domain Services.

Key Benefits

  • • Migrate users and groups to Entra ID without deleting and recreating objects
  • • Zero downtime migration process
  • • Maintain existing group memberships and permissions

Prerequisites

Before You Begin

  • Ensure that your computers are Entra Joined and not Hybrid Joined
  • Check that your Entra Connect Server is running the latest version and updates
  • Check that you have an OU that is not synchronized or create a new one
  • Look for any special attributes you use which are not synced, and sync them or use a script to move them to new attributes in the cloud objects

Important Considerations

✅ Allowed

  • • Hybrid and cloud-only users can be members of cloud-only groups
  • • Hybrid and cloud-only groups can be members of cloud-only groups

❌ Not Allowed

  • • Cloud-only users and groups cannot be members of hybrid groups

⚠️ Note

Plan your group strategy accordingly to avoid membership conflicts

Migration Process

Now that you're ready, here's the step-by-step migration process:

1

Disable synchronization on Entra ID

Stop the sync process to convert objects to cloud-only

2

Move your objects to an unsynced OU

Move users and groups that should remain cloud-only

3

Enable synchronization on Entra ID

Re-enable sync for remaining on-premises objects

4

Remove the errors in Entra Connect synchronization service

Delete Connector Space Only to clean up sync errors

Step 1: Disable Synchronization

To disable the synchronization on Entra ID, use these PowerShell commands: 

# Install v1.0 and beta Microsoft Graph PowerShell modules 
Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -AllowClobber -Force 

# Connect With Hybrid Identity Administrator Account
Connect-MgGraph -scopes "Organization.ReadWrite.All,Directory.ReadWrite.All" 

# Verify the current status of the DirSync Type
Get-MgBetaOrganization | Select OnPremisesSyncEnabled 

# Store the Tenant ID in a variable named organizationId
$organizationId = (Get-MgBetaOrganization).Id 

# Store the False value for the DirSyncEnabled Attribute
$params = @{
    onPremisesSyncEnabled = $false
}

# Perform the update
Update-MgBetaOrganization -OrganizationId $organizationId -BodyParameter $params 

# Check that the command worked
Get-MgBetaOrganization | Select OnPremisesSyncEnabled

Verification: Once the sync is disabled, check that all users and groups appear as "Cloud-Only" objects. When all objects appear as "Cloud-Only," it means that the synchronization is disabled successfully.

Step 2: Move Objects to Unsynced OU

Now move users and groups to an unsynced OU. When you've moved all the objects you want to migrate, re-enable synchronization: 

# Store the True value for the DirSyncEnabled Attribute
$params = @{
    onPremisesSyncEnabled = $true
}

# Perform the update
Update-MgBetaOrganization -OrganizationId $organizationId -BodyParameter $params 

# Check that the command worked
Get-MgBetaOrganization | Select OnPremisesSyncEnabled

Step 3: Run Full Synchronization

After running the commands, you should run a full sync: 

Start-ADSyncSyncCycle -PolicyType Initial

We should see the objects that were not moved to an unsynced OU change their status to "synced" again, while the objects that were moved to an unsynced OU keep their "Cloud-Only" status.

Finishing Touches

You will see errors in the Synchronization service. If you migrated user objects only, then you can "Nullify" their Immutable ID attribute. But if you migrated Groups as well, we need to "clear the cache" so to speak of the Connector space:

Delete connector space in AD Connect

Delete Connector Space to clean up synchronization errors

Important Timing Note

You can repeat this process multiple times to migrate your objects gradually. However, you should not perform this process multiple times within a timespan of less than 8 hours.

Migration Complete!

That's all for now! Your Active Directory objects have been successfully migrated to cloud-only Entra ID objects without downtime or data loss. If you need any assistance with this process, feel free to reach out for help.

Ofir Gavish

Ofir Gavish

Microsoft MVP in Security | Cloud Infrastructure Team Lead

Ofir is a Microsoft MVP specializing in Enterprise Mobility and Security solutions, with extensive experience in Active Directory migrations and Microsoft cloud technologies.

Share this article

Related Articles

BitLocker with Intune and Azure Key Vault

Configure BitLocker encryption using Microsoft Intune and back up recovery keys to Azure Key Vault

Latest Articles

Explore all the latest Microsoft cloud insights and migration guides