I did some research on how to stop the synchronization between my on-premises Active Directory and Azure Active Directory. I found a lot of resources but not many that made sense to me. So I combined two of the sites I found and was able to successfully remove Azure AD Connect sync from my tenant. The biggest issue I found was having all the old users and groups left over in my AD tenant. So this ended up being a two-step process for myself. After doing it, I realized how easy it actually was. So I hope this helps someone in the future.
Connect To Directory (O365)
First I needed to install the MSOnline PowerShell module. So open PowerShell as an Administrator and install the module, then input the login credentials, then connect to the MSOL service. Once connected I was able to run the PowerShell command to disable the Azure AD Connect sync.
# Install the MSOnline module, sign in with a Global Administrator account, then disable directory sync for the tenant
Install-Module -Name MSOnline
$cred = Get-Credential
Connect-MsolService -Credential $cred
Set-MsolDirSyncEnabled -EnableDirSync $false
Once complete I also needed to log on to the server that I had Azure AD Connect installed on, then uninstall the application and its services from the Control Panel.
I can now verify that the service has been stopped and that I am no longer syncing my identities to the tenant. The easiest way for me was to go to the AAD portal and look at the Azure AD Connect sync status. It now says Status: Not Enabled, Last Sync: Sync has never run.
Now I need to clean up my Azure Active Directory. All the old users and groups still exist.
Remove Users and Groups
I found a comment by Prashant Chirde on the Microsoft Tech Community that really helped me with this one. His comments actually would have helped for the entire process but I had already removed the sync before I ran this step.
Since I was already connected to the online service I shouldn't need to re-connect. If I did, I would just run the following commands again.
# Re-connect to the MSOL service if the earlier session has expired
Install-Module -Name MSOnline
$cred = Get-Credential
Connect-MsolService -Credential $cred
The first step I did was to export all my users and all my groups to two separate CSV files. One I called users.csv and the other groups.csv.
# Export every user and every group in the tenant so the lists can be reviewed before anything is deleted
Get-MsolUser -All | Export-Csv users.csv
Get-MsolGroup -All | Export-Csv groups.csv
I searched the two lists for any users and groups that I needed to keep, removed those from the exported lists, then saved the files again. Remember, any user or group I leave in these CSVs will be removed from AAD. For myself I pretty much left all the users in my list except for two admin users. Since this is a "Dev/Lab" environment I wasn't worried about accounts possibly being used for various workloads.
Now that I have my CSVs updated, I am ready for the next step. I need to import those CSVs into PowerShell and then run the correct command to remove those users and groups.
# Everything still listed in the reviewed CSVs is removed; the exported UserPrincipalName/ObjectId columns bind to the cmdlet parameters
Import-Csv users.csv | Remove-MsolUser -Force
Import-Csv groups.csv | Remove-MsolGroup -Force
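Hand-editing the CSV is where a wrong account gets deleted, so here is an added example (not from the original post) that does the same filtering in PowerShell: it keeps only accounts that actually came from on-premises AD (Get-MsolUser's ImmutableId is populated for synced accounts and empty for cloud-only ones), protects a list of admin UPNs, writes the reviewed list to disk, and defaults to a dry run. It assumes Connect-MsolService has already been run and that users.csv came from Get-MsolUser -All | Export-Csv; the UPNs in $KeepUpns are placeholders.

```powershell
# Added example, not the original post's code. Filter users.csv down to the accounts
# that were synced from on-premises AD, excluding named admin accounts, and remove
# them only when $DryRun is switched off.
$DryRun   = $true                                   # flip to $false after reviewing the list
$KeepUpns = @(                                      # placeholder admin UPNs that must survive
    'admin1@contoso.onmicrosoft.com',
    'admin2@contoso.onmicrosoft.com'
)

# ImmutableId is set on accounts sourced from on-premises AD and blank on cloud-only
# accounts, so this never selects accounts that were created directly in Azure AD.
$ToRemove = Import-Csv -Path .\users.csv | Where-Object {
    -not [string]::IsNullOrWhiteSpace($_.ImmutableId) -and
    ($KeepUpns -notcontains $_.UserPrincipalName)
}

# Refuse to run if the filter matched nothing or matched the signed-in admin by mistake.
if (-not $ToRemove) { throw 'No synced accounts selected for removal; check users.csv' }
$ToRemove | Select-Object UserPrincipalName, DisplayName, LastDirSyncTime | Format-Table -AutoSize
"Accounts selected for removal: $(@($ToRemove).Count)"

# Keep a record of exactly which accounts were targeted.
$ToRemove | Export-Csv -Path .\users-to-remove.csv -NoTypeInformation

foreach ($u in $ToRemove) {
    if ($DryRun) {
        "DRY RUN: would remove $($u.UserPrincipalName)"
    } else {
        Remove-MsolUser -UserPrincipalName $u.UserPrincipalName -Force
    }
}
```

Groups follow the same pattern with groups.csv, Get-MsolGroup's LastDirSyncTime column as the synced marker, and Remove-MsolGroup -ObjectId.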
Once I ran these commands I verified that my users and groups no longer exist by going to the Azure Portal and going to Azure Active Directory.
I now have a clean tenant and am ready to start managing identities from Azure Active Directory only. I did have to go back and re-add some users, but only a handful that should actually have access to the subscriptions under this tenant.
I have a lot to learn still when it comes to various services within Azure and the Cloud. Every day I hit my head against a wall trying to figure something out that I feel should be easy but for me it wasn't. This, at the end of the day, should have been an easy task. However it took a few hours of researching and trying various other ways to get it right. The older I get the less room in my head for new skills? :)
I need to give credit to the following post I read that helped me figure this out: