question

77293397 asked Dev073 commented

Convert a security group that is synced from on-premises to an online-only group and break the syncing

Hi there,
I have synced our on-premises Active Directory to Azure AD with Azure AD Connect.

So, all our on-premises security groups are synced to Azure AD, and I cannot modify members in Azure AD (of course). However, since they are already in Azure AD (and linked to all the SharePoint data we have also migrated...), I would like to convert these synced groups in Azure AD to cloud-only security groups.

Or, put another way, I want to keep them in Azure AD and disjoin them from syncing, so that they don't sync to on-prem AD anymore, and so that I can modify their membership in Azure AD going forward.

Or, in even another way... change the source of the group from "Windows Server AD" to "Cloud"

How can this be done?

azure-ad-connect azure-ad-group-management

Hi, just checking the progress. Did you end up converting the group?


Not Yet, but soon. I'll update when I confirm it all works.

Dev073 answered Dev073 commented

Yes, it's possible, but there is no easy or direct way. It's more of a workaround.

  1. Disable your AD sync. This process will convert all the synced objects to cloud-only.

  2. Move your desired security groups to a non-synced OU.

  3. Enable the sync back.

AAD depends on the immutable ID, and you can't modify it using any scripts when it's in active sync.
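The three steps above as an added PowerShell walk-through, with the before/after checks a practitioner would want. This is example code written for this page, not code from the thread or from Dev073. Assumptions not stated in the thread: the Microsoft.Graph and ActiveDirectory modules are installed, the script runs on the Azure AD Connect server (for the ADSync module), the signed-in account holds Organization.ReadWrite.All and Group.Read.All, and the group names and OU distinguished names are placeholders for your own.

```powershell
# Added example, not code from the original thread. Placeholders (assumed, not from
# the thread): the group names, the OU DNs, and the permission scopes requested below.

$GroupsToConvert = @('SG-SharePoint-Finance', 'SG-SharePoint-HR')     # placeholders
$NoSyncOu        = 'OU=NoSync-Groups,OU=Groups,DC=corp,DC=example'     # placeholder
$NoSyncOuParent  = 'OU=Groups,DC=corp,DC=example'                      # placeholder

Import-Module ActiveDirectory
Import-Module ADSync                                  # installed with Azure AD Connect
Connect-MgGraph -Scopes 'Organization.ReadWrite.All', 'Group.Read.All'

# Snapshot of the cloud copy of each group: object ID (what SharePoint permissions are
# bound to), sync flag, and member count. OnPremisesSyncEnabled is $true for a synced
# group and $null once it is cloud-only.
function Get-CloudGroupState {
    param([string[]]$Names)
    foreach ($n in $Names) {
        $g = Get-MgGroup -Filter "displayName eq '$n'" -Property Id,DisplayName,OnPremisesSyncEnabled
        if (@($g).Count -ne 1) { throw "Expected exactly one cloud group named '$n', found $(@($g).Count)" }
        [pscustomobject]@{
            DisplayName           = $g.DisplayName
            Id                    = $g.Id
            OnPremisesSyncEnabled = $g.OnPremisesSyncEnabled
            MemberCount           = @(Get-MgGroupMember -GroupId $g.Id -All).Count
        }
    }
}

# Step 0: record the starting state so the result can be verified, not assumed.
$before = Get-CloudGroupState -Names $GroupsToConvert
$before | Format-Table -AutoSize

# Step 1: pause the local sync scheduler, then turn off directory sync for the tenant.
# This flips every synced object in the tenant to cloud-only, not just these groups,
# so do it in a maintenance window. The tenant flag can take hours to clear
# (Microsoft documents up to 72 hours), so poll rather than continue immediately.
Set-ADSyncScheduler -SyncCycleEnabled $false
$orgId = (Get-MgOrganization).Id
Update-MgOrganization -OrganizationId $orgId -BodyParameter @{ onPremisesSyncEnabled = $false }
do {
    Start-Sleep -Seconds 600
    $state = Get-CloudGroupState -Names $GroupsToConvert
} while ($state | Where-Object { $_.OnPremisesSyncEnabled -eq $true })

# Step 2: move the on-prem groups into an OU that Azure AD Connect does not sync.
# Excluding the OU itself is done in the Azure AD Connect wizard
# ("Customize synchronization options" > "Domain and OU filtering"); there is no
# supported ADSync cmdlet for that, so it stays a manual step before step 3.
if (-not (Get-ADOrganizationalUnit -Identity $NoSyncOu -ErrorAction SilentlyContinue)) {
    New-ADOrganizationalUnit -Name 'NoSync-Groups' -Path $NoSyncOuParent
}
foreach ($n in $GroupsToConvert) {
    Get-ADGroup -Identity $n | Move-ADObject -TargetPath $NoSyncOu
}
Read-Host 'Exclude the OU in the Azure AD Connect wizard, then press Enter to re-enable sync'

# Step 3: turn directory sync back on and run a full (Initial) cycle so Connect
# rebuilds its view with the new OU filter in place.
Update-MgOrganization -OrganizationId $orgId -BodyParameter @{ onPremisesSyncEnabled = $true }
Set-ADSyncScheduler -SyncCycleEnabled $true
Start-ADSyncSyncCycle -PolicyType Initial

# Verify: same object IDs (so existing SharePoint grants still resolve), same
# membership, and no longer flagged as synced from on-premises.
$after = Get-CloudGroupState -Names $GroupsToConvert
foreach ($g in $after) {
    $orig = $before | Where-Object { $_.Id -eq $g.Id }
    if (-not $orig) {
        Write-Warning "$($g.DisplayName): object ID changed; permissions granted to the old ID are now dangling"
    } elseif ($orig.MemberCount -ne $g.MemberCount) {
        Write-Warning "$($g.DisplayName): member count changed from $($orig.MemberCount) to $($g.MemberCount)"
    }
    if ($g.OnPremisesSyncEnabled -eq $true) {
        Write-Warning "$($g.DisplayName): still marked as synced; check the OU filter and rerun an Initial cycle"
    } else {
        Write-Host "$($g.DisplayName) is now cloud-only (Id $($g.Id)); membership can be edited in Azure AD"
    }
}
```

Two caveats the script's comments do not spell out: the tenant-level switch affects every synced object, so users must re-link when sync is turned back on (they match on their existing ImmutableId, but confirm that on a handful of accounts), and the wizard-based OU exclusion is the step that keeps the moved groups from being deleted in the cloud once sync resumes, so trial the whole sequence on one non-critical group before running it against groups that carry SharePoint permissions.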




This worked great. Thank You


Thanks for confirming. Glad it worked :)


Thank you. This is a similar approach to what I've seen elsewhere online. I'm going to give it a shot and I'll come mark this as "answered" if it works.


This answer is correct. If you disable Azure AD Connect, all synchronized objects will be converted to cloud-only. We don't currently have a way to convert a synchronized group into a cloud-only group without turning off the sync, though this feature is being worked on.

MatthewBrowne-7065 answered 77293397 commented

Your best option is to do the following:

Open up Azure AD Connect.

Create an OU for all the security groups you don't want synced, and put the security groups into this.

Once this is done, go back into your AD Connect and ensure the OU is not synced; the security groups should disappear out of Azure after 30 minutes.

Best Regards
Matthew Browne MCT
@AzureGuruMatt


This is not what I was looking to achieve. I want to keep it in Azure AD. Dev073 got me an answer that I'm testing out.
