Hi We have currently setup a ADConnect Sync to Office 365, this is working well. We would like to start converting Sync'ed accounts in Office 365/Azure AD to "In Cloud" accounts. Can you advise or does anyone know how we might approach this? Or can point to alternative resources? We need to ensure the accounts in Office 365/Azure AD remain active and usable. Much appreciatedPaul

If you only need to do this for a subset of accounts, you can simply move users to an OU which is not synced (assuming that you've configured to sync only selected OUs). After the sync runs, users are "deleted" from cloud. Run the following command to restore the users.Get-MsolUser -ReturnDeletedUsers | Restore-MsolUserWith this scenario, users are restored "as they were", so there is no need to give a new password. However, you should notice that if users are changing their passwords, they must follow the Office 365 password policy (8-16 characters etc.).

The authority for an AD Synced account will always be Active Directory, which means that management happens in AD. To make accounts (and that means ALL synced accounts at once) cloud managed accounts, you will need to disable directory syncing. I have not done this so you MUST test this before implementation. Disabling and re-enabling will result in duplicate accounts. The command to use would be Set-MsolDirSyncEnabled –EnableDirSync $false.

I have tested this scenario half a year ago because I have a client who will need the same. Worked out well. Please try this in a lab environment first. #Requirements: Managed domain, Global Administrator, Domain Admin, Active Directory Users and Computers, AD Connect, PowerShell-modules MSOnline & ADSync #Connect with MSOL$credential = Get-CredentialConnect-MsolService -Credential $credential #Check DirSync statusGet-MSOLCompanyInformation | select DirectorySynchronizationStatus #Backup all ImmutableIDs of federated usersGet-MsolUser | select userprincipalname,immutableid | sort userprincipalname | Export-Csv -Path $env:USERPROFILE\Desktop\ImmutableIDs.csv -NoTypeInformation -Force #Migrate synced user to cloud onlyStep 1: Disable DirSyncSet-MsolDirSyncEnabled -EnableDirSync $falseStep 2: Nullify ImmutableID !!! Make sure you add quotation marks to $nullSet-MsolUser -UserPrincipalName user@domain.com -ImmutableId "$null"Step 3: Move nullified users to non-synced OUStep 4: Enable DirSyncSet-MsolDirSyncEnabled -EnableDirSync $trueStep 5: Force AD Connect syncStart-ADSyncSyncCycle -PolicyType Delta #Revert migration of userStep 1: Disable DirSyncSet-MsolDirSyncEnabled -EnableDirSync $falseStep 2: Move user to original OUStep 3: Put back the ImmutableID of the userSet-MsolUser -UserPrincipalName user@domain.com -ImmutableId "ID"Step 4: Enable DirSyncSet-MsolDirSyncEnabled -EnableDirSync $trueStep 5: Force AD Connect syncStart-ADSyncSyncCycle -PolicyType Delta

Hi I have tried removing the user and re-adding however, this prompts me for a new password. Is there a way to move the user account from On-Prem AD to Azure AD? Currently the users i want are using AD Connect, however most of the users do not need full AD accounts just email which is in Office 365. So we want to remove them from the local network only but keep in Azure AD. Any ideas? Paul

This will work just fine. When you execute the command Set-MsolDirSyncEnabled –EnableDirSync $false. You disable the Dirsync (when you execute it can take up to 72 hours to get it done). After this all the users in the office365 tenant will keep there password what they have at that moment. Visualy it just removes the collum where it now says In Cloud/ Synchronized with active directory. When you have done this you can execute the command get-msolcompanyinformation to check if the sync is really gone. *note: the azure ad connect is still on the server so when you reboot that server there is a chance that the Sync will be enabled.

Convert On-Prem AD Users from Office 365/Azure AD to In-Cloud accounts

Coert Kastelein
Brass Contributor
May 09, 2019
I have tested this scenario half a year ago because I have a client who will need the same. Worked out well. Please try this in a lab environment first.

#Requirements: Managed domain, Global Administrator, Domain Admin, Active Directory Users and Computers, AD Connect, PowerShell-modules MSOnline & ADSync

#Connect with MSOL
$credential = Get-Credential
Connect-MsolService -Credential $credential

#Check DirSync status
Get-MSOLCompanyInformation | select DirectorySynchronizationStatus

#Backup all ImmutableIDs of federated users
Get-MsolUser | select userprincipalname,immutableid | sort userprincipalname | Export-Csv -Path $env:USERPROFILE\Desktop\ImmutableIDs.csv -NoTypeInformation -Force

#Migrate synced user to cloud only
Step 1: Disable DirSync
Set-MsolDirSyncEnabled -EnableDirSync $false
Step 2: Nullify ImmutableID !!! Make sure you add quotation marks to $null
Set-MsolUser -UserPrincipalName user@domain.com -ImmutableId "$null"
Step 3: Move nullified users to non-synced OU
Step 4: Enable DirSync
Set-MsolDirSyncEnabled -EnableDirSync $true
Step 5: Force AD Connect sync
Start-ADSyncSyncCycle -PolicyType Delta

#Revert migration of user
Step 1: Disable DirSync
Set-MsolDirSyncEnabled -EnableDirSync $false
Step 2: Move user to original OU
Step 3: Put back the ImmutableID of the user
Set-MsolUser -UserPrincipalName user@domain.com -ImmutableId "ID"
Step 4: Enable DirSync
Set-MsolDirSyncEnabled -EnableDirSync $true
Step 5: Force AD Connect sync
Start-ADSyncSyncCycle -PolicyType Delta
- Josh-M
  Copper Contributor
  Sep 04, 2019
  After converting an on-prem user to a cloud user, by nullifying the ImmutableId, has anyone been able to verify that the PowerShell command, whoami, returns AzureAD\username instead of ONPREM\username ?
  
  This is the issue we're currently experiencing and we are concerned with any possible adverse affects it might cause to the AzureAD user object functionality and stability. We're currently not experiencing any visible issues at the moment, however. -Josh
  - Erikc
    Copper Contributor
    Sep 06, 2019
    Josh-M I tried looking into this as well, I did receive some information from Microsoft. I still don't know if this causes any issues, it doesn't seem to negatively impact anything in a sandbox environment. Also with one user in a production environment.
    
    "This a known gap, that we're reviewing. Even though you have migrated the user from AD to Azure AD, the onprem SamAccountName is still intact on the user object, among other on-prem AD attributes. As a result, Azure AD picks those details and shows domain/user instead of AzureAD/user. This attribute cannot be modified or cleared through Graph APIs at this point, so there's no way to change the behavior. Please file a UserVoice suggestion on MS Graph for this so that our teams can get the feedback and prioritize it as needed"
    
    Source:
    https://github.com/MicrosoftDocs/azure-docs/issues/38048#issuecomment-528570435
sagarleo1
Copper Contributor
Jan 04, 2019

Paul Bullock wrote:
Hi

We have currently setup a ADConnect Sync to Office 365, this is working well.

We would like to start converting Sync'ed accounts in Office 365/Azure AD to "In Cloud" accounts. Can you advise or does anyone know how we might approach this? Or can point to alternative resources?

We need to ensure the accounts in Office 365/Azure AD remain active and usable.

Much appreciated
Paul

Okay.., Let me try this one and then I will give you some feedback
Brent Ellis
Silver Contributor
Feb 01, 2017
You could terminate the account in Active Directory (which would terminate the account in AAD/O365) after forcing a delta sync, then login to O365 admin center and "reactivate" / "undelete" the account and assign it a license (if it doesnt remember the license it had).

There may be other routes, but I know that should accomplish what you need.
- Paul Bullock
  MVP
  Feb 01, 2017
  Thanks Brent, I will try this out.
  
  Paul
  - Paul Bullock
    MVP
    Feb 06, 2017
    Hi
    
    I have tried removing the user and re-adding however, this prompts me for a new password. Is there a way to move the user account from On-Prem AD to Azure AD?
    
    Currently the users i want are using AD Connect, however most of the users do not need full AD accounts just email which is in Office 365. So we want to remove them from the local network only but keep in Azure AD.
    
    Any ideas?
    
    Paul

Forum Discussion

Convert On-Prem AD Users from Office 365/Azure AD to In-Cloud accounts

Share

Resources