Kyle_Northeim
Copper Contributor
Mar 04, 2025

Disabling Directory Sync for Hybrid - Overthinking?

Hi all,

I am at the finish line for decommissioning On-Prem AD and moving from our Hybrid environment to managing our identities in Entra. About to cut off the Directory Sync.

Weirdly couldn't find a concrete answer on this question online, but I might just be overthinking this.

**Devices are Entra enrolled + Intune Managed, NOT Domain Joined.**

User profiles that originate from On-Prem AD on the endpoints still show as DOMAIN\username.

User profiles that originate from Cloud on the endpoints show as AzureAD\email address removed for privacy reasons.

What happens to these On-Prem User Profiles when we disable Directory Sync? Do they change over auto-magically to "AzureAD\email address removed for privacy reasons" on the endpoints?

Am I missing something here?

Thanks in advance.

2 Replies

  • Nothing should happen. They will still be able to access devices via DOMAIN\username. Keep in mind that login in this manner does NOT result in the user getting a primary refresh token/benefiting from the Entra join functionality, but that's also something that does not depend on whether you have dirsync enabled or not.

  • yhl
    Copper Contributor

    Did you change them to Entra-only accounts? If not, do not disable directory sync.

    Not sure if it's still the best way, but one way I used to do it was to delete the account in AD, sync, sync again, and sync again and again to make sure the cloud account is deleted as well. Then go to Entra and restore the account. By doing that, it became an Entra-only account and no more sync was required.

    I would suggest that you look up whether there are better options now.
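To check the first reply's point on a given endpoint (profiles are bound to the account's SID, not to the sync state), here is an added PowerShell example that is not from this thread: it inventories the local user profiles and classifies each by its SID. It assumes the Windows convention that S-1-12-1-* SIDs belong to Entra ID identities and S-1-5-21-* SIDs to AD domain or local accounts, and that it runs with local administrator rights.

```powershell
# Added example (not from the thread): inventory user profiles on a Windows endpoint and
# show which were created by on-prem AD logons (DOMAIN\username) and which by Entra ID
# logons (AzureAD\upn). Disabling directory sync does not rewrite these SIDs, so the
# profiles stay exactly as listed here.
# Assumptions: S-1-12-1-* = Entra ID identity, S-1-5-21-* = AD domain or local account;
# run in an elevated session.

# SIDs of accounts local to this machine, so they are not mislabelled as on-prem AD
$localSids = (Get-LocalUser | Select-Object -ExpandProperty SID).Value

Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special } |          # skip system profiles (SYSTEM, service accounts)
    ForEach-Object {
        $sid = $_.SID
        $source = if ($sid -like 'S-1-12-1-*')      { 'EntraID'  }
                  elseif ($localSids -contains $sid) { 'Local'    }
                  elseif ($sid -like 'S-1-5-21-*')   { 'OnPremAD' }
                  else                               { 'Other'    }
        [pscustomobject]@{
            Profile = Split-Path -Path $_.LocalPath -Leaf
            SID     = $sid
            Source  = $source
            Loaded  = $_.Loaded                  # currently logged on?
        }
    } |
    Sort-Object -Property Source, Profile |
    Format-Table -AutoSize
```

Profiles reported as OnPremAD are the DOMAIN\username ones from the question; they remain usable after sync is disabled but still get no primary refresh token, as the first reply notes.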