Get rid of your Local AD

We wanted to devote a whole article to AD connectivity, since we have recently been getting rid of our local resources. If you have migrated from your local environment to O365 or Azure and you no longer need on-prem services, you may want to consider removing the AD dependency. We decided to implement this plan, which we had kept pending for a long time, with the new year. However, it is always important to be cautious. That’s why we decided to move our users one by one or in small groups instead of going to the M365 Admin Center and deactivating the AD connection for the whole tenant at once. Now, let’s go through the steps together.


Actually, the action we need to perform is pretty simple. First, we create a new OU that is not synced by AD Connect.


Now we move the users we want to take out of sync into this OU.


Next, we trigger a delta sync on AD Connect so that the change is reflected in the cloud.


Since we moved the user to an OU that is not synced, O365 naturally deleted that user (it now sits in the recycle bin).


Now we restore the user from the recycle bin. But since the user no longer has a local counterpart to synchronize with, it comes back as a “cloud user”.


Let’s check whether our user has come back.


Finally, we will empty the Immutable ID value of the user so that this value does not hinder us later if we attempt to synchronize or move again.


Let’s check the action we have completed.


And that’s it! Now our user looks as if it had been created in O365 from the very beginning. When we open the Admin Center and check the latest status, the “Synchronization Status” column next to the user shows the cloud icon.


Now our user has nothing to do with AD Connect or the local AD. If you want to do all of this in bulk, all you need is a CSV file and the following sets of commands.


First, create a very simple file in Excel as below. One column, headed UserPrincipalName, is enough for us.


Save this file as CSV, UTF-8, comma delimited (this part is important so that PowerShell can read the file correctly).


Open a PowerShell window on your local AD server and run the following commands.


# Import the list of users to move; the CSV has a single column headed UserPrincipalName
$users2move = Import-Csv C:\dosya\yolu\users2move.csv

# Move each account into the OU that AD Connect does not synchronize
$users2move | ForEach-Object { Get-ADUser -Identity $_.UserPrincipalName | Move-ADObject -TargetPath "OU=CloudUsers,OU=HQ Staff,OU=PeakUp,DC=cloudbond365,DC=com" }


In the second command, adjust the -TargetPath parameter to the OU you created in your own environment.

With this command, the users listed in the CSV file are moved to the OU that will not be synchronized. Now, trigger a delta synchronization on AD Connect. At this point, you can observe the result with the “Get-MsolUser -ReturnDeletedUsers” command.


Now let’s write the UserPrincipalName of each user in the CSV file in full, with the domain suffix. I mean, let’s edit it to read [email protected] and save it.


Once we import our CSV file again, we first bring the users back from the recycle bin with the following commands and then empty their Immutable ID value.


# Re-import the CSV, which now holds the full UserPrincipalName of each user
$users2move = Import-Csv C:\dosya\yolu\users2move.csv

# Connect to the tenant (MSOnline module) before running the cloud-side commands
Connect-MsolService

# Restore the soft-deleted accounts from the recycle bin
$users2move | Restore-MsolUser

# Clear the ImmutableId; the quoted $null passes an empty string, which removes the anchor
$users2move | Set-MsolUser -ImmutableId "$null"

# Verify: every user should now show an empty ImmutableId
$users2move | Get-MsolUser | Select-Object UserPrincipalName, ImmutableId


The last command lists the users we have processed together with their Immutable ID values. Of course, we expect the ImmutableId column to be blank for every one of them.
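The bulk procedure above, as an added example that is not from the original article: it adds the checks a practitioner would want (skipping users missing from AD, waiting for the delta sync to surface the soft-deleted objects, and a final ImmutableId report). The CSV path and target OU are the article’s own; the 10-minute wait, the LastDirSyncTime column and the module assumptions are mine.

```powershell
# Added example, not part of the original article: the same bulk procedure with
# existence checks, a wait for the delta sync, and a final report.
# Assumptions: ActiveDirectory and ADSync modules on the AD Connect server, the
# MSOnline module, and a CSV with one column, UserPrincipalName, holding full UPNs.
$csvPath  = 'C:\dosya\yolu\users2move.csv'   # path used in the article
$targetOu = 'OU=CloudUsers,OU=HQ Staff,OU=PeakUp,DC=cloudbond365,DC=com'  # your unsynced OU

$users = Import-Csv -Path $csvPath -Encoding UTF8
Connect-MsolService

# Step 1: move each account into the OU that is excluded from sync.
foreach ($u in $users) {
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$($u.UserPrincipalName)'"
    if (-not $adUser) { Write-Warning "Not found in AD, skipping: $($u.UserPrincipalName)"; continue }
    Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $targetOu
}

# Step 2: trigger a delta sync and wait until the cloud objects appear as soft-deleted.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
$deadline = (Get-Date).AddMinutes(10)
do {
    Start-Sleep -Seconds 30
    $pending = $users | Where-Object {
        -not (Get-MsolUser -UserPrincipalName $_.UserPrincipalName -ReturnDeletedUsers -ErrorAction SilentlyContinue)
    }
} while ($pending -and (Get-Date) -lt $deadline)
if ($pending) { Write-Warning "Still not soft-deleted after sync: $($pending.UserPrincipalName -join ', ')" }

# Step 3: restore each soft-deleted account and clear its ImmutableId so it becomes cloud-only.
foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    if (Get-MsolUser -UserPrincipalName $upn -ReturnDeletedUsers -ErrorAction SilentlyContinue) {
        Restore-MsolUser -UserPrincipalName $upn
    }
    # A quoted $null passes an empty string, which is what clears the anchor.
    Set-MsolUser -UserPrincipalName $upn -ImmutableId "$null"
}

# Step 4: report. The ImmutableId column should be empty for every row;
# LastDirSyncTime is shown for reference.
$users | ForEach-Object {
    Get-MsolUser -UserPrincipalName $_.UserPrincipalName |
        Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
} | Format-Table -AutoSize
```

Run it on a small pilot group first, exactly as the article recommends, and keep the Admin Center open to confirm the cloud icon appears for each account.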


That’s it. 😊 Our users are now “Cloud Users”, independent of the local AD. From now on, we will manage them through Azure AD. I hope you enjoyed reading this article. Have a great day 😊
