Introduction

You may have already skimmed through many articles that tell you to set the EnableDirSync value to False, but that doesn't give enough confidence to administrators running this org-wide command. We need more context, including how long to wait before objects are converted from synced to cloud-only.

In the screenshots below, I will explain how to turn off directory sync and how much time the conversion of users and groups took for a 10-user company, so that you can plan the change carefully.

Key takeaways:

  • Plan the turn-off of the objects well before your actual implementation.
  • It could take 6 hours or more for objects to be converted.
  • You can't turn Directory Sync off and back on at will; Microsoft says it could take up to 72 hours, so be careful.
  • Always test in a test environment first to set your expectations, if you haven't done so in the past.

Validation

Run this command to find the current status of DirectorySync and look for the DirectorySynchronizationEnabled value.

Get-MSOLCompanyInformation
  • This shows that a few objects are synced via AD and a few are local.
  • If you try editing them, it will throw an error saying that the objects are synced from AD.
  • Run this to disable Directory Sync.
Connect-MsolService
Set-MsolDirSyncEnabled -EnableDirSync $false

Note: It took around 15 minutes for the Directory Sync status to show as Off.

Running Directory Sync manually results in a “stopped-server-down” error.

It took another 15 minutes for the user to be editable, and I could now update the user's display name and email address in the cloud.

Note: If you have federated identity, don't clear ImmutableId; otherwise it will break SSO.

C:\WINDOWS\system32>Get-MsolUser -UserPrincipalName usr5@labexchdom.tk |fl 
ImmutableId : dBKRRZ1cDU++bFXaFtAOZQ==

It took around 4 hours for AD groups to be available for editing. All AD groups will now show a Source of “Cloud”.

All Users will have “Directory Synced” set to No.
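
To support the planning advice and the ImmutableId note above, here is an added example (not part of the original post) that snapshots each user's ImmutableId before the change, polls DirectorySynchronizationEnabled until it reports False, and then lists any user whose ImmutableId differs from the snapshot. It assumes the MSOnline module and an existing Connect-MsolService session; the function names and the snapshot file name are hypothetical.

```powershell
# Added example: helper functions around the change described in this post.
# Assumes Connect-MsolService has already been run in this session.
$SnapshotPath = '.\immutableid-before-dirsync-off.csv'   # hypothetical file name

function Save-ImmutableIdSnapshot {
    param([string]$Path)
    # Record UPN and ImmutableId for every user before directory sync is disabled.
    Get-MsolUser -All |
        Select-Object UserPrincipalName, ImmutableId |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Wait-DirSyncDisabled {
    param([int]$PollMinutes = 5, [int]$MaxHours = 72)
    # Poll the tenant until DirectorySynchronizationEnabled reports False.
    $deadline = (Get-Date).AddHours($MaxHours)
    while ((Get-Date) -lt $deadline) {
        $enabled = (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
        Write-Host ("{0:u}  DirectorySynchronizationEnabled = {1}" -f (Get-Date), $enabled)
        if (-not $enabled) { return $true }
        Start-Sleep -Seconds ($PollMinutes * 60)
    }
    return $false
}

function Compare-ImmutableIdSnapshot {
    param([string]$Path)
    # Index the current ImmutableId of every user by UPN (hashtable keys are case-insensitive).
    $current = @{}
    Get-MsolUser -All | ForEach-Object { $current[$_.UserPrincipalName] = $_.ImmutableId }
    # Report users that had an ImmutableId in the snapshot and now have a different or empty one.
    Import-Csv -Path $Path | Where-Object { $_.ImmutableId } | ForEach-Object {
        $now = $current[$_.UserPrincipalName]
        if ($now -ne $_.ImmutableId) {
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                Before            = $_.ImmutableId
                Now               = $now
            }
        }
    }
}

# Order of use:
#   Save-ImmutableIdSnapshot -Path $SnapshotPath      # before the change
#   Set-MsolDirSyncEnabled -EnableDirSync $false      # the change itself
#   Wait-DirSyncDisabled                              # returns $true once the status is Off
#   Compare-ImmutableIdSnapshot -Path $SnapshotPath   # no output means no ImmutableId changed
```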

Thank you for reading!
