Entra ID Connect: Starting Over

Because I do not always run my demo environments following industry best practices, I occasionally find myself in a situation where things might be… horked. That is to say, my on-prem lab (including the Active Directory domain) gets wiped, and I rebuild it from scratch. It is something that I usually enjoy doing, and until I actually connect my local domain to my Entra ID, there are very few hiccoughs. It gets a bit more complicated when we have federated the two environments, mainly because there isn’t really published guidance on how to un-federate… especially if the domain and all associated servers have been wiped.

Four years ago I wrote an article called AD Connect: Starting Over. This covered how to accomplish the task quite easily. The problem is that not only has Microsoft rebranded Azure Active Directory to Entra ID, but they have also retired all of the PowerShell modules that I referenced in that article. As I find myself again in this situation, I decided to figure it out again… and why not write a new article for the benefit of my readers?

The first step is to install the new Microsoft Graph PowerShell module. In their eternal wisdom (hic) Microsoft has decided that all cloud management should be done through this module. So:

Install-Module -Name Microsoft.Graph -Scope AllUsers

(I am not going to walk you through the different scope options… but remember that if you are not the only person who uses the computer on which you are installing it, you should look into this)

We now need to connect to our organization, but before we do you might have to import the Microsoft Graph Authentication module:

Import-Module Microsoft.Graph.Authentication

And then…

Connect-MgGraph -Scopes Organization.ReadWrite.All

(NOTE: When I first installed the Microsoft Graph PowerShell module it would not connect… it would continue to error out. I needed to reboot my computer for it to work.)

A window will pop up for you to log in. Make sure that you log in with an account that is a member of the Global Administrator role. You will then be asked for permissions between your Microsoft Graph Command Line Tools and the cloud… ensure you check the box marked Consent on behalf of your organization before clicking Accept.

You need to make sure you are connected to the correct organization, so let’s go ahead and check that out in a formatted list…

Get-MgOrganization | fl

We can see all sorts of information about your organization… but to check if our org is actually configured to sync to on-prem, let’s run this cmdlet that will give us a much more refined result:

Get-MgOrganization | Select OnPremisesSyncEnabled

We are now going to run the following script:

# Copy From Here

$OrgID = (Get-MgOrganization).Id
$uri = "https://graph.microsoft.com/v1.0/organization/$OrgID"
# The JSON body must carry the boolean false, not the quoted string "false"
$body = @'
{
  "onPremisesSyncEnabled": false
}
'@
Invoke-MgGraphRequest -Uri $uri -Body $body -Method PATCH

# Copy Until Here

My suggestion is that you copy and paste this script in its entirety… it is just going to make your life easier.

At this point we can run the following cmdlet again, but we are going to get a slightly different result:

Get-MgOrganization | Select OnPremisesSyncEnabled
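The steps above (connect, confirm the tenant, PATCH the organization object, re-check) can be combined into one script that refuses to run against the wrong tenant and verifies the stored state afterwards. This is an added example, not the post's own script; it assumes the Microsoft.Graph module is installed, that the signed-in account holds Global Administrator, and that `$expectedDomain` is edited to the default domain of the lab tenant you actually intend to reset (the `contoso.onmicrosoft.com` value is a placeholder).

```powershell
# Added example (not from the original post): check, disable and verify
# directory sync on the Entra ID organization object via Microsoft Graph.
Import-Module Microsoft.Graph.Authentication

Connect-MgGraph -Scopes 'Organization.ReadWrite.All' -NoWelcome

$org          = Get-MgOrganization
$tenantDomain = ($org.VerifiedDomains | Where-Object IsDefault).Name

Write-Host "Connected to tenant '$($org.DisplayName)' (default domain: $tenantDomain)"
Write-Host "OnPremisesSyncEnabled before: $($org.OnPremisesSyncEnabled)"

# Placeholder value: set this to the lab tenant you mean to reset. This guard
# exists because the PATCH below is tenant-wide and easy to run in the wrong session.
$expectedDomain = 'contoso.onmicrosoft.com'
if ($tenantDomain -ne $expectedDomain) {
    throw "Refusing to change sync state: connected to '$tenantDomain', expected '$expectedDomain'."
}

if ($org.OnPremisesSyncEnabled -ne $true) {
    Write-Host 'Sync is already disabled (or was never enabled); nothing to do.'
    return
}

# Build the body from a hashtable so the value is emitted as JSON boolean false,
# never as the string "false".
$uri  = "https://graph.microsoft.com/v1.0/organization/$($org.Id)"
$body = @{ onPremisesSyncEnabled = $false } | ConvertTo-Json
Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body -ContentType 'application/json'

# Re-read the object rather than trusting that the request succeeded.
$after = (Get-MgOrganization).OnPremisesSyncEnabled
Write-Host "OnPremisesSyncEnabled after:  $after"
if ($after -eq $true) {
    throw 'Sync still reports enabled; inspect the PATCH response and confirm your role.'
}
```

The tenant guard is the part worth keeping even if you trim the rest: `Connect-MgGraph` caches the last session, so a script that blindly PATCHes `Get-MgOrganization` will happily flip whichever tenant you signed into last.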

I am paranoid, so I wanted to check it in the Entra portal. From https://entra.microsoft.com I expanded Entra ID, then scrolled to Entra Connect, and in the main window I clicked on Connect Sync. I could see that the status was Not Installed.

While there are other indicators on the same screen, once I see that there is nothing more that I need… it is completely disconnected, as if it had never happened, and I am ready to start again.

Conclusion

Seldom in the real world is an organization going to need to disconnect their on-premises Active Directory domain from their cloud Entra ID. This is something that we would most likely only need in a demo or test/dev environment. With that said, it is something that might occasionally be needed (I cannot think of a reason a corporation might need it, but I am not so arrogant as to think that I can imagine every possible scenario). Whether you need it for the enterprise or for the lab, these steps should guide you through without too many headaches.
