How to Migrate DirSync to Azure AD Connect to New Active Directory Forest

DirSync provides synchronisation between on-premises Active Directory and Office 365 (Azure AD).

Here is the scenario in which we migrate DirSync to Azure AD Connect in a new Active Directory forest. One of our customers was using DirSync on an old Active Directory domain. Users and computers have been migrated to a new Active Directory forest, and now it is time to move from DirSync to Azure AD Connect in the new forest. During the transition we kept the legacy domain's DirSync turned on.

The high-level plan is as follows:

  • Stop DirSync
  • In Office 365, clear ImmutableID on Synced Users
  • Setup Azure AD Connect
  • Sync pilot users, gauge the success
  • Sync rest of the users.

Stop DirSync

On the DirSync server, stop the DirSync services and set their startup type to Disabled.

Stop DirSync service

Disable the DirSync scheduled tasks.

disable DirSync scheduled tasks

Connect to Office 365 online using PowerShell, and use the following command to get the status of directory synchronization:


Check DirSync status office 365 powershell

Login to Office 365 Admin Portal with Global Admin account.

Go to Health Report > Directory Sync Status

Dirsync status office 365 portal

You will notice that there is no option to deactivate the sync in the new Admin Centre preview. Instead, you need to go to Azure AD > Active Directory > YourDomain > Directory Integration.

Dirsync status office 365 new admin portal

Important: Before you deactivate the sync, make sure you download the user data.

You can use the following Office 365 PowerShell command to dump the data (note the -All switch: without it Get-MsolUser returns only the first 500 users).

New-Item -ItemType Directory -Force -Path "$env:USERPROFILE\Documents\Temp" | Out-Null
Get-MsolUser -All | Where-Object { $_.ImmutableId -ne $null } | Select-Object * | Sort-Object -Property UserPrincipalName | Export-Csv -Path "$env:USERPROFILE\Documents\Temp\SyncedUsers.csv" -NoTypeInformation

It will come in handy if you want to go back and check which users were syncing initially.

Going forward, I am using the Classic Admin Console to deactivate DirSync.

Switch to Classic Admin Console

deactivate dirsync office 365 portal

deactivate dirsync office 365 portal message

You can cross check the same in Azure AD portal.

deactivate dirsync office 365 new admin portal

And via the Office 365 PowerShell command:

According to Microsoft, deactivation of DirSync can take between 24 and 72 hours; in practice it usually completes much sooner.
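The status check referred to above, as an added example that is not part of the original post: it reads the tenant's sync state with the MSOnline module and polls until deactivation has completed, which is the point at which clearing ImmutableId becomes possible. It assumes the MSOnline module is installed and you sign in with a Global Admin account; the 15-minute poll interval is an arbitrary choice.

```powershell
Import-Module MSOnline
Connect-MsolService    # prompts for Global Admin credentials

function Get-DirSyncState {
    # DirectorySynchronizationEnabled turns False once deactivation has completed;
    # LastDirSyncTime is the last time the legacy DirSync wrote to the tenant
    $info = Get-MsolCompanyInformation
    [pscustomobject]@{
        Enabled      = $info.DirectorySynchronizationEnabled
        LastSyncTime = $info.LastDirSyncTime
        CheckedAtUtc = (Get-Date).ToUniversalTime()
    }
}

# Deactivation itself is done in the portal as shown above; the PowerShell
# equivalent is Set-MsolDirSyncEnabled -EnableDirSync $false (left commented out).
# Set-MsolDirSyncEnabled -EnableDirSync $false

# Poll every 15 minutes (assumed interval) until the tenant reports sync as
# deactivated. Microsoft quotes 24-72 hours; in practice it is usually quicker.
do {
    $state = Get-DirSyncState
    Write-Host ("{0:u}  DirSync enabled: {1}  last sync: {2}" -f $state.CheckedAtUtc, $state.Enabled, $state.LastSyncTime)
    if ($state.Enabled) { Start-Sleep -Seconds 900 }
} while ($state.Enabled)

Write-Host "Directory synchronisation is deactivated; ImmutableId can now be cleared."
```

A poll that runs for many hours can outlive the MSOnline session; if Get-MsolCompanyInformation starts failing, run Connect-MsolService again and restart the loop.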

Clear ImmutableID on Synced Users

The ImmutableID attribute links your on-premises AD user objects to their Office 365 counterparts. If you don't clear the ImmutableID, you will not be able to re-sync the on-premises AD users from the new forest with Office 365. Once it is cleared, Office 365 performs a soft match and is therefore able to sync the users again.

You can use the following simple Office 365 PowerShell script to clear the ImmutableID.

$O365Users = Import-Csv "$env:USERPROFILE\Documents\Temp\SyncedUsers.csv"

foreach ($usr in $O365Users) {
    # Clearing ImmutableId only succeeds once directory synchronization is deactivated
    Set-MsolUser -UserPrincipalName $usr.UserPrincipalName -ImmutableId $null
}


Setup Azure AD Connect

In the new forest, use the appropriate server to host Azure AD Connect. I am not going into the detailed requirements of Azure AD Connect, but one of the important things to keep in mind is the service account permissions.

You need a service account that is a member of Domain Admins in the on-premises domain and a Global Admin in Office 365.

Download Microsoft Azure AD Connect and let's start the installation.

Azure AD Connect Setup

Azure AD Connect Setup Customize settings

Use Customize for custom settings as we will be syncing users selectively.

Azure AD Connect Setup wizard

Enter the Office 365 service account for Azure AD Connect.

Azure AD Connect Connect to directory

Use the on-premises service account.

Azure AD sign-in settings

Leave the options at their defaults. Make sure your userPrincipalName (UPN) suffix is an internet-routable domain that is verified in Office 365. In most cases it is the same as the email address, to keep things simple.

Use the default options; don't change the Source Anchor if you have only a single AD forest to deal with.

Azure AD Connect setup wizard complete

Once the installation and the initial sync have completed, you can see the status in the Office 365 Admin portal.

Azure AD Connect Sync Status
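Before syncing the remaining users, it is worth confirming that the pilot users were actually soft-matched to their new-forest objects rather than left unlinked or duplicated. The following is an added example, not code from the original post: with the default Source Anchor, the ImmutableId Azure AD Connect writes is the base64 encoding of the new forest's objectGUID, so the two can be compared directly. It assumes the ActiveDirectory and MSOnline modules are available, Connect-MsolService has been run, and the SyncedUsers.csv export from earlier is the list of users to check.

```powershell
Import-Module ActiveDirectory
Import-Module MSOnline

function ConvertTo-ImmutableId([guid]$ObjectGuid) {
    # With the default source anchor, Azure AD Connect stores objectGUID in
    # Azure AD as the base64 encoding of its 16 raw bytes
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function Test-SoftMatch([string]$Upn) {
    $cloud    = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
    $onPrem   = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'"
    $expected = if ($onPrem) { ConvertTo-ImmutableId $onPrem.ObjectGUID } else { $null }
    [pscustomobject]@{
        UserPrincipalName = $Upn
        CloudFound        = [bool]$cloud
        OnPremFound       = [bool]$onPrem
        CloudImmutableId  = $cloud.ImmutableId
        ExpectedAnchor    = $expected
        Matched           = [bool]($expected -and $cloud -and $cloud.ImmutableId -eq $expected)
        LastDirSyncTime   = $cloud.LastDirSyncTime
    }
}

# The CSV is the export taken before DirSync was deactivated (see above)
$pilot   = Import-Csv "$env:USERPROFILE\Documents\Temp\SyncedUsers.csv"
$results = @(foreach ($u in $pilot) { Test-SoftMatch $u.UserPrincipalName })

$results | Format-Table UserPrincipalName, OnPremFound, Matched, LastDirSyncTime -AutoSize
$unmatched = @($results | Where-Object { -not $_.Matched })
Write-Host ("{0} of {1} users matched; {2} need attention before syncing the rest." -f ($results.Count - $unmatched.Count), $results.Count, $unmatched.Count)
```

A user that exists on both sides but shows Matched = False has not been soft-matched yet (or was matched to a different object), so check its UPN and primary email against the cloud account before adding more users to the sync scope.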

By default, the sync runs every 30 minutes.


If you don't want to wait for the sync schedule and would like to force a sync, run one of the following commands on the Azure AD Connect server:

Start-ADSyncSyncCycle -PolicyType Delta     # incremental: only changes since the last cycle
Start-ADSyncSyncCycle -PolicyType Initial   # full import and sync; use after changing filtering or sync rules

The Azure AD Connect sync schedule can be adjusted with PowerShell commands, and you can also specify a custom sync interval if needed.
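The schedule adjustment mentioned above, as an added example that is not from the original post: it reads the scheduler state with the ADSync module, sets a custom interval, forces a delta cycle and waits for it to finish. It runs on the Azure AD Connect server; the one-hour interval is an assumed example value.

```powershell
Import-Module ADSync

function Get-SchedulerSummary {
    # Get-ADSyncScheduler exposes the effective interval, the minimum the service
    # allows, and whether a cycle is currently running
    $s = Get-ADSyncScheduler
    [pscustomobject]@{
        Enabled           = $s.SyncCycleEnabled
        StagingMode       = $s.StagingModeEnabled
        EffectiveInterval = $s.CurrentlyEffectiveSyncCycleInterval
        AllowedMinimum    = $s.AllowedSyncCycleInterval
        NextCycleType     = $s.NextSyncCyclePolicyType
        NextCycleStartUtc = $s.NextSyncCycleStartTimeInUTC
        InProgress        = $s.SyncCycleInProgress
    }
}

Get-SchedulerSummary | Format-List

# A custom interval cannot be shorter than AllowedSyncCycleInterval (30 minutes by
# default); one hour is used here as an assumed example value (d.HH:mm:ss format).
Set-ADSyncScheduler -CustomizedSyncCycleInterval 01:00:00

# Force a delta cycle now rather than waiting for the next scheduled run.
# Use -PolicyType Initial after filtering or rule changes (full import and sync).
if (-not (Get-ADSyncScheduler).SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Wait for the cycle to finish, then show the refreshed schedule
while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 30 }
Get-SchedulerSummary | Format-List
```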

That’s it. Hope you find it useful.

  1. RayL

    Very good article. A question for you – I am migrating 15k users (all synced to O365 for Skype). Can I create a group in my new AD (say AzureADSync) and only add users that I want to sync from the new domain (for testing)? This way I can delete the ImmutableID for only a test group of users. I would then place the users in the group that I want to sync and do a soft match on email address and let it create the new ImmutableID. If all testing goes well then I could delete the rest of the ImmutableIDs and then add the rest of the users to the synced group, or re-run the Azure AD Connect tool and select the domain to sync all the users. What I am looking for is a way to fail back to the old domain if I have to.

    • Hi Ray,
      You can use a group to sync specific identities. You would need to use transform rules within Azure AD Connect and a bit of testing.

  2. Erik N

    Nice article! I was wondering, what does connecting to a new AD do to the permissions assigned to mailboxes using AD groups?

    • Alivebits

      Hi Erik, the mailbox permissions specified via AD groups (synced groups) should remain as they are. You can also manually add in-cloud identities/groups to the mailbox permissions.


Copyright © 2021, All Rights Reserved.