AlbertGostick-6663 asked:

Disabling or removing Azure AD Connect

A client of mine had me install AD Connect a few years ago to sync pwds to their new O365 tenant. Now they are asking for it to be removed as they want to enforce a different password on their O365 mailboxes than on their AD accounts. It took a fair bit to get this working properly and I would prefer that I somehow just disable this "semi-permanently" than to uninstall all components.

I know I can stop the sync service but I want to make sure that:

a) it does not somehow start back up on its own (on an upgrade or a reboot etc.)
b) and by just suspending sync, O365 does not start to show all kinds of errors

If I cannot just disable safely, then I need to know how to uninstall in such a way that there are not a lot of errors being thrown in O365. There does not seem to be a document on how to uninstall properly so any suggestions appreciated.

Thank you


azure-ad-connect

michev answered:

You can disable it either client-side (on the AAD Connect server) or server-side (via the corresponding PowerShell cmdlet). In the former scenario, objects continue to be managed on-premises, any updates you make will not be synchronized of course and you will eventually start receiving emails telling you that no recent sync has occurred. If you disable it server-side, objects will be "converted" to cloud-only and can be managed directly in Azure AD/Office 365.

Now, if password is the only thing they want, the above is moot. You can have different passwords configured in the cloud vs on-premises, even when password sync is enabled. But if that's the way they want it, you should disable the password sync feature by rerunning the AAD Connect config wizard. So TL;DR answer is, depends on what your end goal is here.


Just to follow up, so the only thing to do to disable password sync (while retaining the syncing of the user objects) is to re-run the AD configuration wizard? This must then somehow set a "flag" in the cloud objects such that the password can then be changed in the cloud.

With password sync turned off, just to make sure I am getting this right:

1) all other attributes on user objects get synced
2) new user objects are created in the cloud from on-premises new objects.

Thanks.

michev replied to AlbertGostick-6663:

Yes, that's all you need to do, it will take care of all the details and will not affect synchronization of anything other than the passwords.


Hi again,

So far, they are still saying they want to disable AAD Sync totally.

1) what PS module contains the command to disable this so that all objects in O365 become cloud-only objects; and then what PS command?

2) you said "you can have different passwords configured in the cloud vs. on-premises, even when password sync is enabled" - wouldn't I have to disable password sync, or? Not sure what you are saying here.

Albert
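The two disable paths michev describes (client-side on the AAD Connect server vs. tenant-side cmdlet) and the module Albert asks about, as an added PowerShell example that is not part of the thread. It assumes the ADSync module on the AAD Connect server and the MSOnline module (Connect-MsolService) for the tenant side, and it only reads state unless the commented Set-* lines are uncommented.

```powershell
# Added example, not from the thread. Run on the Azure AD Connect server;
# the ADSync module is installed there, the MSOnline module is assumed.
Import-Module ADSync

# 1. Client-side: will the scheduler run another sync cycle?
#    SyncCycleEnabled is stored in the ADSync configuration, so a plain
#    reboot does not flip it back on.
$sched = Get-ADSyncScheduler
[pscustomobject]@{
    SyncCycleEnabled   = $sched.SyncCycleEnabled
    NextSyncCycleStart = $sched.NextSyncCycleStartTimeInUTC
    StagingMode        = $sched.StagingModeEnabled
} | Format-List

# 2. Which optional features are on? PasswordHashSync is the one the
#    thread is about; it is switched off by re-running the AAD Connect
#    wizard, not by a cmdlet, so this just confirms the result.
Get-ADSyncAADCompanyFeature |
    Select-Object PasswordHashSync, UserWriteback, DeviceWriteback

# 3. Tenant-side view of the same thing (MSOnline module).
Connect-MsolService
Get-MsolCompanyInformation |
    Select-Object DirectorySynchronizationEnabled,
                  PasswordSynchronizationEnabled,
                  LastDirSyncTime, LastPasswordSyncTime

# Client-side "pause" (objects stay synced, nothing new flows up; the
# tenant will eventually warn that no recent sync has occurred):
# Set-ADSyncScheduler -SyncCycleEnabled $false

# Tenant-side disable (the cmdlet michev refers to; synced objects are
# converted to cloud-only and managed in Azure AD / O365 afterwards):
# Set-MsolDirSyncEnabled -EnableDirSync $false
```

Re-run steps 1 and 3 after either change to confirm the scheduler and the tenant agree on the state before telling the client it is done.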
AlbertGostick-6663 answered:

Right... I forgot that AD Connect not only syncs passwords but also all AD objects from the selected AD OUs, which means if they really want this service disconnected and the objects in O365 converted to cloud-only, then I really need to know the steps for that.

I think they also want to go to a hybrid solution in the next year as they find the O365 tenant too slow. So that is the reason I was not going to blow away the whole setup - I figured we might need it in the future (do you know if we do? I think hybrid needs federation set up - which I have not done before so don't know much about it) and I wondered if the hybrid will also require AAD connect?

Albert


michev answered:

Hybrid requires AAD Connect, so you should leave it as is.


AlbertGostick-6663 answered:

Hi Michev,

I am going to suggest that we just turn off password sync and leave AAD Connect set up.

I poked around and could not find a setting in O365 to allow different passwords for it vs. on premises AD. I am guessing I have to set something as you cannot change the pwd in O365 at present - it alerts you to "change it some other way" which means going to AD to change.

Albert
