diff --git a/support/entra/entra-id/user-prov-sync/cannot-manage-objects.md b/support/entra/entra-id/user-prov-sync/cannot-manage-objects.md index f6ee7548906..f3cbff37e78 100644 --- a/support/entra/entra-id/user-prov-sync/cannot-manage-objects.md +++ b/support/entra/entra-id/user-prov-sync/cannot-manage-objects.md @@ -4,7 +4,7 @@ description: Resolves an issue that you can't manage or remove objects created t ms.date: 08/30/2021 ms.reviewer: ms.service: entra-id -ms.custom: sap:Microsoft Entra Connect Sync, has-azure-ad-ps-ref +ms.custom: sap:Microsoft Entra Connect Sync, no-azure-ad-ps-ref --- # Can't manage or remove objects that were synchronized through the Azure Active Directory Sync tool 
@@ -34,27 +34,30 @@ This issue may occur if one or more of the following conditions are true: You want to manage objects in Office 365, Azure, or Intune and you no longer want to use directory synchronization. -[!INCLUDE [Azure AD PowerShell deprecation note](~/../support/reusable-content/msgraph-powershell/includes/aad-powershell-deprecation-note.md)] - -1. If you're not running Windows 10, install the 64-bit version of the Microsoft Online Services Sign-in Assistant: [Microsoft Online Services Sign-in Assistant for IT Professionals RTW](https://download.microsoft.com/download/7/1/E/71EF1D05-A42C-4A1F-8162-96494B5E615C/msoidcli_32bit.msi). -1. Install the Microsoft Azure Active Directory module for Windows PowerShell: - - 1. Open an elevated Windows PowerShell command prompt (run Windows PowerShell as an administrator). - 2. Run the `Install-Module MSOnline` command. - -1. Disable directory synchronization by running the following command: +1. Make sure that [Microsoft Graph PowerShell is installed](/powershell/microsoftgraph/installation). +2. Use the `Connect-MgGraph` command to sign in with the required scopes such as `Organization.ReadWrite.All`. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/powershell/microsoftgraph/get-started). +1. Disable directory synchronization by running the [update-mgorganization](/powershell/module/microsoft.graph.identity.directorymanagement/update-mgorganization) command. ```powershell - Set-MsolDirSyncEnabled -EnableDirSync $false + + $organizationId = (Get-MgOrganization).Id + + # Store the False value for the DirSyncEnabled Attribute + $params = @{ + onPremisesSyncEnabled = $False + } + + # Perform the update + Update-MgOrganization -OrganizationId $organizationId -BodyParameter $params ``` -1. Check that directory synchronization was fully disabled by using the Windows PowerShell. To do it, run the following command periodically: +1. Check that directory synchronization was fully disabled. 
To do it, run the following command: ```powershell - (Get-MSOLCompanyInformation).DirectorySynchronizationEnabled + Get-MgOrganization | Select OnPremisesSyncEnabled ``` - This command will return **True** or **False**. Continue to run this command periodically until it returns **False**, and then go to the next step. + This command will return **True** or ***False**. Continue to run this command periodically until it returns **False**, and then go to the next step. It may take 72 hours for deactivation to be completed. The time depends on the number of objects that are in your cloud service subscription account.
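Review bot: In the front-matter hunk (`@@ -4,7 +4,7 @@`), `ms.date` is left at 08/30/2021 as an unchanged context line, although this same patch rewrites the whole disable procedure. Update `ms.date` in this change so the page shows that the steps were revised. The H1 in the trailing context still says "Azure Active Directory Sync tool" while the new `ms.custom` value and the rewritten steps drop the Azure AD PowerShell reference, so confirm that the title is meant to stay as it is.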
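Review bot: In the procedure hunk (`@@ -34,27 +34,30 @@`), the new sign-in step says "the required scopes such as `Organization.ReadWrite.All`", which does not tell the admin which scope the later `Update-MgOrganization` call actually needs. Name the exact scope and show the full `Connect-MgGraph` call, so that nobody consents to more than the step requires. In the added code block, the comment "Store the False value for the DirSyncEnabled Attribute" names an attribute that does not match the key actually set, `onPremisesSyncEnabled`, so align the comment with the key. The last added paragraph has a stray asterisk in `***False**`, which will not render as bold; it should read `**False**`. Smaller points: the list markers now run `1.`, `2.`, `1.`, `1.`, so use `1.` throughout as the removed lines did; the link text `update-mgorganization` should be cased as `Update-MgOrganization` to match the cmdlet in the block; the block opens with an empty `+` line that can be dropped; and `Select` is an alias that is better written out as `Select-Object` in documentation.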