When a user is synced from the On-Prem Active Directory to Entra ID via Entra connect, user account sync status shows as Synced from on-premises and shows a symbol 
on Microsoft 365 admin center. In the next sections of this blog post, we will see how you can convert Entra ID synced users to Cloud-only users.
✅Convert One Entra synced user to Cloud Only user on Microsoft 365.
✅Convert All Entra synced users to Cloud Only users on Microsoft 365.
Contents
Convert One Entra Synced user to Cloud Only User
- We will need an active directory OU which is not getting synced with Entra ID. If you already have one, you can use it. If not, then you can create an OU and then exclude it from synchronization.
- Launch Entra Connect > Customize synchronization options > In Domain and OU Filtering Page > Select Sync Selected domains and OUs to exclude an active directory OU from sync.
- Move the user account (that you want to convert to cloud only) to this OU.
- Run Entra ID delta Sync.
Run delta sync
Start-ADSyncSyncCycle -PolicyType delta
- After delta sync is completed, link between the user and Entra ID will break and it will be moved to Deleted users on Microsoft 365 admin center (refer to the below screenshot)
There is no data loss when a user account is moved to Deleted Users. Microsoft keeps deleted user account for 30 days before permanent deletion.
Note
- Select the User account from Deleted users page and click on Restore User. You will have to reset user’s password to restore the user.
- Once user account has been restored, it will now show in Users > Active Users on Microsoft 365 admin center. Notice the Icon for the Sync Status column will be changed to cloud
symbol which means that the user account is now a cloud only account.
symbol which means that the user account is now a cloud only account.- Update Immutable ID of the user on Microsoft 365 to $null using below command:
Set-MSOLUser -UserPrincipalName [email protected] -ImmutableID "$null"Please note once the user account is converted to Cloud only, its Identity provider will be changed to Entra ID. All user account management will need to be done from Entra admin center or Microsoft 365 admin center.
Note
Convert All Entra Synced Users to Cloud Only Users
In previous section of the blog post, I have demonstrated the steps to convert a single entra synced user account to cloud only account. The process is straightforward, however it does require the user to reset their password.
Now, we will look into the steps to convert All Entra synced users into Cloud Only Users at once. You can use this option in a scenario when you want to decommission Entra connect server and exclusively manage all users through Entra ID.
Before we get into the steps, let’s take a look at the current status of user accounts on Microsoft 365 admin center. As you can see from below screenshot, Sync status symbol shows that these users are synced from on-prem active directory.
Steps to convert all Entra synced users to Cloud only users.
- Login to the server where Entra Connect is Installed.
- Launch Powershell console as an administrator.
- Install MSOnline Powershell module using below command.
Install-module MSOnline- Connect to Entra ID using below powershell command.
connect-msolservice- Disable Entra ID Synchronization. This step will convert all synced users to Cloud only users. If you get any errors after running below command, refer to the next sections to get the guidance on fixing the errors.
Set-MsolDirSyncEnabled -EnableDirSync $falseSet-MsolDirSyncEnabled : You cannot turn off Active Directory synchronization
You may get below error message after running Set-MsolDirSyncEnabled -EnableDirSync $false. Error message reads: Set-MsolDirSyncEnabled : You cannot turn off Active Directory synchronization.
| Error after running Set-MsolDirSyncEnabled -EnableDirSync $false command |
|---|
| Set-MsolDirSyncEnabled : You cannot turn off Active Directory synchronization. At line:1 char:1 Set-MsolDirSyncEnabled -EnableDirSync $false FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DirSyncStatusChangeNotAllowedException,Microsof d |
You can retry the command after waiting for couple of hours. I did tried to run this command in-between a few times and managed to disable directory synchronization after the third attempt.
Once directory synchronization has been disabled successfully. You can refresh Microsoft 365 admin center and check the Sync status of users. It should show a cloud symbol which means that the user accounts are cloud only and managed through Microsoft 365/Entra admin center.
Unable to download from URI
You may get an error Unable to download from URI after running Install-module MSOnline
| Error after running Install-module MSOnline |
|---|
| NuGet provider is required to continue PowerShellGet requires NuGet provider version ‘2.8.5.201’ or newer to interact with NuGet-based repositories. The NuGet provider must be available in ‘C:\Program Files\PackageManagement\ProviderAssemblies’ or ‘C:\Users\administrator.EXOIP\AppData\Local\PackageManagement\ProviderAssemblies’. You can also install the NuGet provider by running ‘Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force’. Do you want PowerShellGet to install and import the NuGet provider now? [Y] Yes [N] No [S] Suspend [?] Help (default is “Y”): Y WARNING: Unable to download from URI ‘https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409’ to ”. WARNING: Unable to download the list of available providers. Check your internet connection. PackageManagement\Install-PackageProvider : No match was found for the specified search criteria for the provider ‘NuGet’. The package provider requires ‘PackageManagement’ and ‘Provider’ tags. Please check if the specified package has the tags. At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7405 char:21 + … $null = PackageManagement\Install-PackageProvider -Name $script:N … + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidArgument: (Microsoft.Power…PackageProvider:InstallPackageProvider) [Install-PackageProvider], Exception + FullyQualifiedErrorId : NoMatchFoundForProvider,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackageProvider PackageManagement\Import-PackageProvider : No match was found for the specified search criteria and provider name ‘NuGet’. Try ‘Get-PackageProvider -ListAvailable’ to see if the provider exists on the system. At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7411 char:21 + … $null = PackageManagement\Import-PackageProvider -Name $script:Nu … + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidData: (NuGet:String) [Import-PackageProvider], Exception + FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.ImportPackageProvider WARNING: Unable to download from URI ‘https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409’ to ”. WARNING: Unable to download the list of available providers. Check your internet connection. PackageManagement\Get-PackageProvider : Unable to find package provider ‘NuGet’. It may not be imported yet. Try ‘Get-PackageProvider -ListAvailable’. At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7415 char:30 + … tProvider = PackageManagement\Get-PackageProvider -Name $script:NuGet … + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (Microsoft.Power…PackageProvider:GetPackageProvider) [Get-PackageProvider], Exception + FullyQualifiedErrorId : UnknownProviderFromActivatedList,Microsoft.PowerShell.PackageManagement.Cmdlets.GetPackageProvider Install-Module : NuGet provider is required to interact with NuGet-based repositories. Please ensure that ‘2.8.5.201’ or newer version of NuGet provider is installed. At line:1 char:1 + Install-Module PowershellGet -Force + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [Install-Module], InvalidOperationException + FullyQualifiedErrorId : CouldNotInstallNuGetProvider,Install-Module |
Fix Unable to download from URI Error
To Fix this error run below command first to set the security protocol to TLS 1.2 and then Install MSOnline Module.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12Install-Module MSOnline
Password Reset Required After Converting users to Cloud Only?
After running Set-MsolDirSyncEnabled -EnableDirSync $false command, All entra synced users will be converted to cloud only users. Password reset is not required after this conversion.
Good article – Does this need to be done if we were using an on-prem exchange server? All users have been migrated to the cloud and all computers have been removed from the domain and are now authenticating via AzureAD.
Microsoft states this is all that needs to be done to convert –
https://docs.microsoft.com/en-us/microsoft-365/enterprise/turn-off-directory-synchronization?view=o365-worldwide
Thanks!
Set-MsolDirSyncEnabled -EnableDirSync $false command is used to switch off directory sync and convert all synced users to In-Cloud users. When a user is converted to In-Cloud, it will be full managed via Azure AD and not on-prem AD.
Once all users are converted to In-Cloud Users, you can remove Azure AD Connect from On-Prem Server.
But will all the user accounts still showing the premise icon be deleted in 365 and then need to be restored? Think that is the piece I am missing.
Hi Lance, No the accounts will not be removed and need to be restored. It will be converted to In Cloud accounts once the command Set-MsolDirSyncEnabled -EnableDirSync $false is run.
I’m very curious about this part as well, also if their passwords will be reset or require an change.
Hi Wil, Password reset is not required after converting all user accounts to In Cloud user accounts. I have also updated the blog post related to this and some more information on it. Hope this helps.
Thanks so much!
I have some users I want to use Active Directory sync and some I want cloud only.
So far, I haven’t found a way to migrate mailboxes from on premise to a user that was manually created as cloud only.
After reading this post I’m wondering if I can;
Sync both OUs, the one for cloud only users and the one for users that will continue to sync.
Use the command in your post to disable sync.
Reconfigure Azure AD Connect and remove the OU for cloud only users from the configuration.
Re-enable directory sync and force a sync from Azure AD Connect.
Question is, what happens to the “cloud Only” users who are no longer syncing?
Will their accounts in the cloud be deleted?
That’s what normally happens to a sync’d account that is removed from the OU that is syncing.
Thank you! I converted a few users and everything seems to be good. Outlook, onedrive etc. But some users are missing teams channels after the change. When i login to the teams admin center, all the permissions are still the same, but no channels in teams. I fix this by deleting / add the user again and then the teams channel is back. But it is a lot of work to do this for all users!
Note: Some users had no issue.
Is this a sync issue? Can i force it? Or maybe i need to wait 24 hours+ ?
Any help would be great.
Thanks
I believe we are experiencing quite a huge issue after this migration. If you could provide some insight to our issue, that would be great.
After migrating all our users, some on-premesis attributes are still present. Most notably and the ones causing the issues are “On-premises SAM account name” and “On-premises domain name”. These properties are still respected even after Azure AD sync is turned off. For example, for my migrated users, if they Azure AD join a Windows device, the user will be created as OnPremDomain\OnPremSAM or company.local\jdoe. Compared to true Azure AD cloud only accounts, they are created like AzureAD\jdoe.
This has become a problem when someone changes their name. The “On-premises SAM account name” attribute does not change when changing the name of the Azure AD user. For example, let’s say Jane Doe’s last name is changed to Fox, making her last Name Jane Fox. The name change will be reflected on all Microsoft apps, but not on a Windows Azure AD device. The user will still be created as company.local\jdoe. This causes many issues with certificate validation and a lot more.
Is there any resolution for this?
Not sure about this, you could uncheck that attribute to be synced to Azure AD and then migrate the usre ? IF you have already completed migration then you could clear those unwanted attributes for all users in Azure AD using a powershell script ? Using cmdlet like Set-msoluser.
I unchecked the attributes on the AD side, but they still were present in Azure AD. I ended up opening a support ticket with Azure Identity and it looks like they are going to remove the attributes manually for all my users by collaborating with the engineer team.
Set-MSOLUser doesn’t work because the attributes are read-only.
During my support case they confirmed there’s no way for the attributes to be removed after the user is migrated, whether it’s migrating one by one or disabling sync to convert all users at once. There seems to be no ability to remove the attributes after AD sync.
I’ve opened a Feedback thread, so feel free to vote on it:
https://feedback.azure.com/d365community/idea/01186207-3cd9-ed11-a81c-000d3ae51e62
Just checking if the ALL User solution worked for someone without any issues?
I need to decommission our old DC (Cloud Only), all the devices are already all removed from DC and Azure joined.
Another question – SSO setup has nothing to do with this correct?
Thanks for this great article. What will happen to synced groups? Will they get migrated too?
Didn’t work for me. They get hard deleted and you cannot restore them from trashbin. Have you found any alternative?
I know this article is getting old, but I have 2 simple questions :
“Update Immutable ID of the user on Microsoft 365 to $null using below command”
Q1 : Why update this value if the user has stopped being synced?
“How to Convert All Entra ID Synced Users to Cloud Only Users?”
Q2 : Do users lose their on-prem attibutes value once this is done?
Attributes I’m talking about :
On-premises sync enabled
On-premises last sync date time
On-premises distinguished name
On-premises immutable ID
On-premises provisioning errors
On-premises SAM account name
On-premises security identifier
On-premises user principal name
On-premises domain name
We are migrating users from on-prem to cloud in phases. We have discovered an issue in Self-Service Password Reset. When a cloud user tries to change their password, they receive an error. The event from SSRP logs is this:
Synchronization Engine returned an error hr=80230405, message=The operation failed because the object cannot be found
When we set the ImmutableID to $null on the account, the password reset fails with “Internal Error”. I assume this is happening because some on-prem attributes are still attached to these accounts and we have write-back enabled.
Curious if you know of a work around for this problem?
I would love some help on this one. I have successfully converted a few accounts to cloud only. However, I have discovered that users of those accounts cannot change their passwords themselves (yes, another Entra admin can change it for them).
This has me concerned about moving the rest of the tenant to cloud only. Does this get resolved after converting all accounts? Has anyone else experienced this?
Maybe it’s a coincidence or maybe it’s because of a recent update, but I converted a few accounts earlier this year and password reset / sspr was working fine until recently.
Since our local AD isn’t used anymore, I’ll see if stopping password sync both ways fixes the problem until I entirely shut down the connector and have Microsoft delete On-Premises attributes.
Having the same issue…converted accounts cannot reset their own passwords. MS support was not that helpful. Any luck with a solution?
@Jatin Makhija
Has anything changed in this guide since 2022 when it was written?
Added question can this method be used on converting Groups to Online only Grousp maybe with some changes to the script?
/Karsten Vendler