Any organization that signs up with Office 365 are given 3 identity models to choose. The identity model you choose decides the level of control you as an admin have and the convenience for your users.
- Cloud identity
- Synchronized identity
- Federated identity
When you use cloud identities, you would be provisioning your Office 365 users and other objects such as security groups, distribution groups, in Azure Active Directory and you will be managing them from Office 365 portal. When you choose synchronized or federated identities, your on premises directory becomes the authoritative source for the synchronized objects and therefore you must use your on-premises directory to manage synchronized objects. This allows administrators to manage users from a central location but it is a bit trickier when it comes to managing Exchange related properties such as email aliases, etc. Currently the most user friendliest way to manage your on premises users’ Exchange properties is, by installing an Exchange Server in your environment. If you are de-commissioning your Exchange Server deployment, it is recommended to keep one Exchange Server for managing these synchronized objects.
For some organizations, this doesn’t make sense. They choose Office 365 to reduce their on-premises footprint by migrating their users and de-commissioning existing servers. Keeping a server is not something they would want at this point. Or else, the organization may have a directory service on-premises that have all the required details of users, such as their user name, display name, email addresses, contact details, groups, etc. So you will be using Azure Active Directory Connect to synchronize and provision users to the cloud. And once that is done, the organization may not need to keep the directory service synchronizing with the cloud and they may be comfortable enough at managing identities on Office 365 and on-premises separately. If you have come across a situation similar to that, or you are looking for steps on how to disable the directory synchronization, then this post is for you.
Once you synchronize your users using Azure Active Directory Connect, uninstalling the software or removing the synchronization server from your environment is not sufficient or it is not the recommended way if you want to manage identities on cloud. Reason being, although you remove the software or the server from your environment, for objects in AAD that were synchronized from your directory service, authoritative source will still be the on-premises directory service. You won’t be able to manage any of these objects using Office 365 until you disable directory synchronization from Azure Active Directory. When you follow below steps, the directory synchronization will be disabled and all your synchronized objects will be available for management using Office 365 portal.
Connect to Azure Active Directory using PowerShell and execute following command.
Set-MsolDirSyncEnabled -EnableDirsync $False
When you execute above command, it will prompt for confirmation and press “Y” and continue with the process.
Now you can manage your users, security groups, distribution groups, etc, that were synchronized from your directory service in Office 365.