SOLVED

How to remove on-prem AD after migration to 365?


Objective: Convert all Exchange 2013 users to Microsoft 365 cloud-only users and remove on-prem AD.

 

Hello,

We have Exchange 2013 with Hybrid Configuration, and only 20 users. Our on-prem AD is only for Exchange authentication purpose and doesn't do anything else. We plan to convert all users to cloud-only users and are halfway there. However, Microsoft 365 asks for Azure AD Premium P1 licenses, or it doesn't allow Hybrid users to do SSPR (Self Service Password Reset). How can we bypass AAD P1 license and let users reset their password using SSPR? (We won't need on-prem AD after we finish migration.) Is the unofficial method listed below the only way to go?

https://www.sikich.com/insight/office-365-convert-an-active-directory-synced-account-to-cloud-only/

 

Thank you!

-Andrew

 

PS. Without an AAD P1 license, Hybrid users can't change their password on the Microsoft 365 portal (Business Basic license). This message appears instead: "Your organization doesn't allow you to change your password on this site."

https://answers.microsoft.com/en-us/msoffice/forum/all/users-cannot-change-office365-password/a8dd94...

 

https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-sspr-licensing

 

 

4 Replies
That's not true, SSPR is free for all SKUs. What needs P1 license is the "writeback" functionality, which you don't need as you plan to decommission your on-premises environment.
best response confirmed by AndrewDoe (Copper Contributor)
Solution

@AndrewDoe 

 

Assuming that all on-prem mailboxes are moved to the cloud and you will deprovision on-prem AD. Otherwise there will be disconnected identities on both sides...

In a Hybrid environment, the mailboxes can be located on-premises and in the cloud. AAD Connect syncs the user objects from local AD to the cloud. A synced object can only be managed at the sync source (here your on-premises AD and Exchange). When you want to decommission your Hybrid server, please move all the on-premises mailboxes to the cloud. After the migration is completed, they will be converted to mail-enabled users automatically. You don't need to convert the users or mailboxes manually.

As mentioned above, you cannot manage the objects in the cloud if AAD Connect is enabled and the source of authority is on-prem AD, so you need the P1 SSPR feature and password write-back enabled on AAD Connect. If you want to manage them in the cloud, you need to deactivate your AAD Connect.

Execute the command Set-MsolDirSyncEnabled -EnableDirSync $false. After this, all the users in the Office 365 tenant will keep the password they have at that moment. When you have done this you can execute the command Get-MsolCompanyInformation to check if the sync is really gone, because I think it takes around 72 hours to completely get rid of AAD Connect.

Once the users are in cloud-only mode, you don't need an Azure AD P1 subscription and the Azure AD free tier service can reset the password.
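The cut-over the answer describes, written out as an added example (not code from the thread). It assumes the MSOnline module is installed and Connect-MsolService has already been run with a Global Administrator account; the 600-second poll interval is an arbitrary choice.

```powershell
# Added example, not from the thread. Assumes the MSOnline module and an
# existing Connect-MsolService session. Lists the synced users that are about
# to become cloud-only, disables directory sync, and polls the tenant until
# it reports the sync as gone.

# 1. Every synced user should be reviewed before the switch: a synced object
#    without a cloud mailbox becomes a disconnected identity once on-prem AD
#    is decommissioned.
$synced = @(Get-MsolUser -All -Synchronized |
    Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime)
$synced | Format-Table -AutoSize
Write-Host "$($synced.Count) synced user(s) will become cloud-only."

# 2. Confirm the current tenant state before changing anything.
$info = Get-MsolCompanyInformation
if (-not $info.DirectorySynchronizationEnabled) {
    Write-Host "Directory sync is already disabled; nothing to do."
    return
}

# 3. Disable directory sync. Cloud passwords stay as they are at this moment;
#    any password changed in on-prem AD afterwards is no longer replicated,
#    so stop the AAD Connect scheduler on the server before running this.
Set-MsolDirSyncEnabled -EnableDirSync $false -Force

# 4. The answer notes the disable can take up to 72 hours to complete.
#    DirectorySynchronizationStatus moves from PendingDisabled to Disabled.
do {
    Start-Sleep -Seconds 600
    $status = (Get-MsolCompanyInformation).DirectorySynchronizationStatus
    Write-Host "$(Get-Date -Format s) sync status: $status"
} while ($status -ne 'Disabled')

# 5. Once disabled the objects are managed in the cloud. Any user still
#    carrying a LastDirSyncTime here deserves a second look before SSPR is
#    rolled out to them.
Get-MsolUser -All | Where-Object { $_.LastDirSyncTime } |
    Select-Object UserPrincipalName, LastDirSyncTime
```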
Thank you! I also saw this method in another post but was hesitant to follow it since it's not well discussed. Most people don't have a need to get rid of on-prem AD. I'll give it a try in a week or two and post my final result. This method is much easier and I don't need to worry about account deletion/recovery.

Glad you could find value. Looking forward to your results.

 

Adding on to above: 


Since removing on-prem AD after migration to 365 is not only about getting rid of passwords, in the context of password synchronization there are solutions such as Password Centre that can automatically sync passwords across multiple locations, meaning Active Directory and 365, so a user can easily update a password in one location and it gets replicated / updated to the other as well.
