Migration Guide

Active Directory to Entra ID Migration

Complete guide for migrating from on-premises Active Directory to Microsoft Entra ID with best practices and step-by-step instructions.

By Ofir Gavish
Migration Expert
Step-by-step Guide

Overview

This article is about migration of user and group objects that are already synced from on-premises AD to Microsoft Entra ID, we are going to "convert" them to "Cloud-only" objects, that is – not synced.

This is intended for organizations that are moving their workloads to the cloud or removing the on-premises services and have no need for on-premises Active Directory Domain Services.

This method allows you to migrate users and groups to Entra ID without deleting and recreating group objects, and no downtime.

Prerequisites

Ensure that your computers are Entra Joined and not Hybrid Joined.

Check that your Entra Connect Server is running the latest version and updates before you begin.

Check that you have an OU that is not synchronized or create a new one.

Look for any special attributes you use which are not synced, and sync them, or use a script to move them to new attributes in the cloud objects.

Important Notes

  1. Both hybrid and cloud-only users can be members of cloud-only groups
  2. Both hybrid and cloud-only groups can be members of cloud-only groups
  3. Cloud-only users and groups cannot be members of hybrid groups

Migration Process

1

Disable synchronization on Entra ID

Stop the sync process to prevent conflicts during migration

2

Move your objects to an unsynced OU

Transfer objects to an organizational unit that isn't synchronized

3

Enable synchronization on Entra ID

Resume the synchronization process

4

Remove the errors in Entra Connect

Clean up synchronization service errors by deleting connector space only

PowerShell Commands

To disable the synchronization on Entra ID we'll use these commands:

# Install v1.0 and beta Microsoft Graph PowerShell modules 
Install-Module Microsoft.Graph -Force
Install-Module Microsoft.Graph.Beta -Force

# Connect to Microsoft Graph with necessary permissions
Connect-MgGraph -Scopes "Organization.ReadWrite.All"

# Get current directory synchronization status
Get-MgOrganization | Select-Object Id, OnPremisesSyncEnabled

# Disable directory synchronization
$params = @{
    OnPremisesSyncEnabled = $false
}
Update-MgOrganization -OrganizationId (Get-MgContext).Organization -BodyParameter $params

# Verify synchronization is disabled
Get-MgOrganization | Select-Object Id, OnPremisesSyncEnabled

Note: Wait for the synchronization to be fully disabled before proceeding to the next step. This may take a few minutes.

Re-enable Synchronization

After moving objects to unsynced OU, re-enable synchronization:

# Re-enable directory synchronization
$params = @{
    OnPremisesSyncEnabled = $true
}
Update-MgOrganization -OrganizationId (Get-MgContext).Organization -BodyParameter $params

# Verify synchronization is enabled
Get-MgOrganization | Select-Object Id, OnPremisesSyncEnabled

# Force a delta synchronization on Entra Connect server
Start-ADSyncSyncCycle -PolicyType Delta

Troubleshooting

Common Issues

  • Synchronization errors in Entra Connect
  • Objects not appearing as cloud-only
  • Group membership issues

Solutions

  • Delete connector space entries for migrated objects
  • Force full synchronization cycle
  • Verify OU exclusions in Entra Connect