Migrate from an AAD and AD Hybrid to AAD only?

BillyScott (#1) wrote:

    We've gotten notification from management that they want to move away from on-prem Active Directory to Azure Active Directory only in the future. We already make heavy use of Intune and auto-pilot as of a year ago so we aren't too worried about GPOs and things like that. The bigger issue for us would be the couple of SQL Servers we have, a few dev VMs and of course a couple of older web apps that use Kerberos authentication.

    Does anyone have any good solution for those things?

    Additionally, does anyone even know how you'd disconnect a Hybrid AD from AAD so that the synced users become cloud only users?

    Thanks

phenomlab (#2) replied to BillyScott:

BillyScott said in Migrate from an AAD and AD Hybrid to AAD only?:

    Additionally, does anyone even know how you'd disconnect a Hybrid AD from AAD so that the synced users become cloud only users?

    Yes, I have extensive experience in this. The real issue here is the immutable ID side of things. Do you still have an on-prem Exchange server? If so, that needs to be uninstalled - you can't just power it off.

BillyScott (#3) replied to phenomlab:

phenomlab No more on-prem Exchange, although we did do a Hybrid Exchange migration around 2 years ago. So we still are managing some attributes via Exchange 2019 PowerShell on-prem. We've been working to migrate the distribution lists fully to cloud only (the hard way). Not sure yet what would happen to the shared accounts. I'm hoping that they can simply be turned into cloud only accounts at the same time as actual users?

    And when you say uninstalled, do you mean like we currently have it? Or like actual complete uninstall like a day before we convert everything to cloud only?

tankerkiller125 (Admin) (#4) replied to BillyScott:

BillyScott said in Migrate from an AAD and AD Hybrid to AAD only?:

The bigger issue for us would be the couple of SQL Servers we have, a few dev VMs and of course a couple of older web apps that use Kerberos authentication.

I can speak to this part. You'll probably need Azure AD Domain Services (it's a separate Azure resource) to act as an Active Directory server for things like SQL, Dev VMs, etc. I'd recommend spinning that up sooner rather than later because it only authenticates users correctly after they've reset their passwords (after you've spun it up). It's a weird technical issue I guess, so to make it more seamless to users if you spin it up now, hopefully in the next year (or whatever your timeline is) all the employees will have changed their passwords at least once before you've fully migrated things over to it.

We have one SQL server, and at least a dozen older Windows auth IIS apps currently using it and it's gone basically perfect. We haven't tried things like Dev VMs though yet.

phenomlab (#5) replied to BillyScott:

BillyScott sorry. What I meant was a complete uninstall of Exchange. By the sounds of it, you are still executing PowerShell against a local instance?

BillyScott (#6) replied to phenomlab:

    phenomlab We have the Exchange Management tools only (as per https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/install-management-tools?view=exchserver-2019)

Basically it's only managing AD attributes, there is no IMAP, SMTP, etc. installed. Because of the previous Hybrid migration this is the only way we're able to manage distribution lists that haven't been migrated to cloud controlled manually and some user attribute data (notably on shared mailboxes).

phenomlab (#7) replied to BillyScott:

BillyScott ok, but are the shared mailboxes still on premise, or were they migrated to cloud? If they were migrated then you should be able to delete the AD accounts unless you are using AdSync.

Is your domain federated? If yes, then you'll likely need to unfederate in order to fully decouple.

BillyScott (#8) replied to phenomlab:

    phenomlab The shared mailbox email boxes themselves are in the cloud, but they are AdSynced from on-prem for attributes and what not.

phenomlab (#9) replied to BillyScott:

BillyScott you could stop the sync for the OU where the shared mailboxes are held. This would in fact delete the shared mailboxes in Office 365 but you could then recover them directly which would remove the dependency on AD.

    We also use ADSync and use the same method. If we terminate a user, we delete the account and then recover the mailbox directly in the cloud then convert it to shared to free up the license.

BillyScott (#10) replied to phenomlab:

phenomlab We did try this a couple of months back, but after we recovered the user's account and converted it AdSync kept sending us emails about a Sync error. Notably the SyncError is: DeletingCloudOnlyObjectNotAllowed which is just kind of strange? Maybe we did the order of operations wrong or something?

phenomlab (#11) replied to BillyScott:

BillyScott said in Migrate from an AAD and AD Hybrid to AAD only?:

    DeletingCloudOnlyObjectNotAllowed

    Yes, I've come across this before. Have you looked at https://learn.microsoft.com/en-us/answers/questions/905372/deletingcloudonlyobjectnotallowed

BillyScott (#12) replied to phenomlab:

    phenomlab I had not seen this MS learning Q&A thing until just now despite searching for that information in the past. I'll give this a go and let you know how it goes.

phenomlab (#13) replied to BillyScott:

    BillyScott Do try it - but only on a test OU obviously. It should resolve the issue.

BillyScott (#14) replied to phenomlab:

    phenomlab Well I ran the command, so we'll see if it resolves the issue. If it does then I shouldn't get the warning email tomorrow morning. But I'm still seeing the Immutable ID in the Azure Portal properties for the test user account. So I'm not sure if it worked properly or not.

BillyScott (#15) wrote:

phenomlab So, the test account worked it seems (no error on it), however the old account that's been throwing the error for months (hence why we stopped the process) is still throwing the error, even after trying both the new Set-AzureADUser command and the old Set-MsolUser command. I should note that this old account doesn't exist at all on-prem anymore (not in recycle bin anymore). I don't think that should impact anything though?

    Edit: I think I found the issue. I was passing $null to the Set-MsolUser command instead of "$null". Apparently that makes a huge difference. And the Set-AzureADUser command just straight up doesn't work.

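One way to script the ImmutableId clean-up discussed in the posts above, with a before/after check so the $null vs "$null" mistake is caught. This is an added example, not code from the thread or from Microsoft; it assumes the MSOnline module is installed, Connect-MsolService has already been run with sufficient rights, and the UPN shown is a constructed placeholder.

```powershell
# Added example, not code from the thread. Assumes the MSOnline module is
# installed and Connect-MsolService has already been run with sufficient rights.
function Clear-CloudUserImmutableId {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string]$UserPrincipalName
    )

    # Inspect the object first. A populated ImmutableId is what still ties the
    # cloud object to the on-prem sourceAnchor (objectGUID / ms-DS-ConsistencyGuid);
    # LastDirSyncTime shows when Azure AD Connect last wrote to it.
    $before = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop
    Write-Verbose ("Before: ImmutableId={0} LastDirSyncTime={1}" -f $before.ImmutableId, $before.LastDirSyncTime)

    if ([string]::IsNullOrEmpty($before.ImmutableId)) {
        Write-Verbose "$UserPrincipalName already has no ImmutableId; nothing to do."
        return $before
    }

    # The two spellings below look alike but do different things:
    #   -ImmutableId $null     the parameter counts as not supplied, nothing changes
    #   -ImmutableId "$null"   double quotes expand $null to "", which the cmdlet
    #                          applies as "clear this attribute"
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Clear ImmutableId')) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId "$null" -ErrorAction Stop
    }

    # Re-read and confirm. If the value is still present, the object is most likely
    # still a synced object (inside the Azure AD Connect sync scope) and cannot be
    # converted from the cloud side; fix the scope or the on-prem object first.
    $after = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if (-not [string]::IsNullOrEmpty($after.ImmutableId)) {
        Write-Warning "$UserPrincipalName still has ImmutableId '$($after.ImmutableId)'."
    }
    return $after
}

# Constructed placeholder UPN; -WhatIf reports what would change without changing it.
Clear-CloudUserImmutableId -UserPrincipalName 'shared-mailbox@contoso.example' -WhatIf -Verbose
```

Drop -WhatIf once the dry run shows the expected object, and run it against a test OU first, as phenomlab suggests.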
font (#16) replied to phenomlab:

phenomlab said in Migrate from an AAD and AD Hybrid to AAD only?:

BillyScott said in Migrate from an AAD and AD Hybrid to AAD only?:

    Additionally, does anyone even know how you'd disconnect a Hybrid AD from AAD so that the synced users become cloud only users?

    Yes, I have extensive experience in this. The real issue here is the immutable ID side of things. Do you still have an on-prem Exchange server? If so, that needs to be uninstalled - you can't just power it off.

    phenomlab can you elaborate on this a bit? I'm currently wrapping up an email migration to Exchange Online and the topic of just shutting down the Exchange servers instead of uninstalling was brought up. We don't currently have plans to migrate AD as well, but I don't want to limit that possibility in the future.

tankerkiller125 (Admin) (#17) replied to font:

font I'm actually interested to know about this too. While I already took care of the Immutable ID thing for our shared mailboxes, we haven't completely removed the Exchange Tools (we don't have a server, but we have the PowerShell Tools and didn't uninstall Exchange).

I'd be very interested to know how uninstalling Exchange ends up impacting user accounts and what not, and if it would allow me to actually manage user accounts entirely from the cloud (instead of the current mix of on-prem and cloud that I have to do today).

BillyScott (#18) wrote:

phenomlab It appears that I got all the shared mailboxes taken care of properly with the Immutable ID thing! Huge thanks for that. Now here's an interesting question: we did a Hybrid migration for Exchange (instead of cut-over). I'm assuming that I'll need to uninstall Exchange before making users cloud only, but not before we're actually ready to cut over to cloud only (given that we have to use local AD to manage things like SMTP attributes and what not).

phenomlab (#19) replied to font:

font Provided you are using AADSync, you can use this guide. There are some prerequisites but they are easy to satisfy.

Removing Hybrid Exchange - Agile IT (www.agileit.com): "Removing hybrid exchange is a critical final step to a cloud migration, but it is challenging and not without risks."

phenomlab (#20) replied to BillyScott:

BillyScott Correct. See above post.

© Copyright 2023, SysAdmins Zone.