When a user is synced from on-premises Active Directory to Entra ID via Entra ID Connect, the account's Sync status shows as "Synced from on-premises" and carries a directory-sync icon in the Microsoft 365 admin center.
In the next sections of this blog post, we will see how you can convert Entra ID synced users to cloud-only users:
✅Convert One Entra ID synced user to Cloud Only user on Office 365
✅Convert All Entra ID synced users to Cloud Only users on Office 365.
Convert one synced user to Cloud only user
Please follow the steps below to convert one synced user to a cloud-only user.
- You will need one Active Directory OU that is not syncing to Entra ID. If you already have one, you can use it. If not, follow the next step to exclude an OU from Entra ID sync.
- Launch Entra ID Connect > Customize synchronization options > on the Domain and OU Filtering page, select "Sync selected domains and OUs" and clear the checkbox for the OU you want to exclude from sync to Entra ID.
- Move the user to that OU.
- Run an Entra ID delta sync:
Start-ADSyncSyncCycle -PolicyType Delta
- After the delta sync completes, the link between that user and Entra ID is broken and the account in Microsoft 365 is moved to Deleted Users (as shown in the screenshot below).
Please note: your data is not lost when a user account is moved to Deleted Users. Microsoft keeps the account and its data for 30 days after deletion. We will restore it shortly, but be aware that when we do, you will need to reset the user's password.
This temporarily disrupts the user's email access on their computer and mobile phone, as well as other Microsoft 365 services. The user can enter the new password in Outlook on their Windows PC and in the email app on their mobile phone.
- Select the User and click on Restore User. You will have to reset user’s password to restore the user.
- Once you have restored the user account, this will now show in Users > Active Users on Microsoft 365 admin center. Notice the Icon for the Sync Status column will be changed to cloud symbol which means that the user account is now a cloud-only account.
- Update Immutable ID of the user on Microsoft 365 to $null using below command:
Set-MSOLUser -UserPrincipalName [email protected] -ImmutableID "$null"
During the conversion process, there will be some downtime for the user. Once the user’s status is changed to “cloud-only,” their Identity provider will be Azure Active Directory. From then on, all user account management must be carried out exclusively through Entra ID.
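The restore-and-clear steps above, driven from PowerShell instead of the admin center, as an added example that is not part of the original post. It assumes the MSOnline module is installed and Connect-MsolService has already been run; Convert-SyncedUserToCloudOnly is a hypothetical helper name, and the UPN and temporary password are placeholders.

```powershell
# Added example (not from the original post): finish the single-user conversion
# after the delta sync has dropped the user into Deleted Users.
# Assumes Connect-MsolService has been run; $Upn and $TemporaryPassword are placeholders.
function Convert-SyncedUserToCloudOnly {
    param(
        [Parameter(Mandatory)] [string] $Upn,
        [Parameter(Mandatory)] [string] $TemporaryPassword
    )

    # 1. The object must be in Deleted Users; if it is not, the OU move or delta sync did not take effect.
    $deleted = Get-MsolUser -UserPrincipalName $Upn -ReturnDeletedUsers -ErrorAction SilentlyContinue
    if (-not $deleted) {
        throw "$Upn is not in Deleted Users; check the OU filter and re-run Start-ADSyncSyncCycle -PolicyType Delta."
    }

    # 2. Restore the account (the PowerShell equivalent of 'Restore User' in the admin center).
    Restore-MsolUser -UserPrincipalName $Upn

    # 3. Reset the password, as the admin center requires, and force a change at next sign-in
    #    so the temporary value does not linger.
    Set-MsolUserPassword -UserPrincipalName $Upn -NewPassword $TemporaryPassword -ForceChangePassword $true

    # 4. Clear the ImmutableId. While it is set, re-enabling sync later could hard-match this
    #    cloud account back to the on-prem object through the same source anchor.
    Set-MsolUser -UserPrincipalName $Upn -ImmutableId "$null"

    # 5. Verify: a cloud-only user has neither an ImmutableId nor a LastDirSyncTime.
    $user = Get-MsolUser -UserPrincipalName $Upn
    [pscustomobject]@{
        UserPrincipalName = $user.UserPrincipalName
        ImmutableId       = $user.ImmutableId
        LastDirSyncTime   = $user.LastDirSyncTime
        CloudOnly         = (-not $user.ImmutableId) -and (-not $user.LastDirSyncTime)
    }
}

# Placeholder values; replace with the real UPN and a temporary password of your choosing.
Convert-SyncedUserToCloudOnly -Upn 'user@contoso.com' -TemporaryPassword 'REPLACE-WITH-TEMP-PASSWORD'
```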
How to Convert All Entra ID Synced Users to Cloud Only Users?
In the earlier part of the blog post, we learned how to change a single On-Prem AD sync user into a Cloud Only user. This process is straightforward, involving just a few steps, but it does require that users reset their password during the conversion process.
In the following section, we’ll explore how to convert All Entra ID synced users into Cloud Only Users at once. This step is typically taken when you intend to decommission the Entra ID Connect server and exclusively manage all users through Entra ID. When we refer to Cloud Only users, it signifies that the user’s account and all its related attributes are administered solely through Azure Active Directory / Entra ID.
Before proceeding with the command to disable Directory Synchronization, let’s take a look at how our user accounts appear on the Microsoft 365 portal. As depicted in the screenshot below, the Sync status column displays the AD Sync Icon, indicating that these accounts are currently synchronized from the On-Premise Active Directory to Azure Active Directory.
Steps to convert All Active Directory Synced users to Cloud Only Users
Please follow these steps to change all Entra Connect synchronized users into cloud-only users.
- Log in to the server where Entra ID Connect is installed.
- Launch a PowerShell console on that server as an administrator.
- Install the MSOnline PowerShell module using the command below.
Install-Module MSOnline
- Connect to Entra ID using the PowerShell command below.
Connect-MsolService
- Disable Entra ID synchronization. This step converts all synced users to cloud-only users. If you get an error message after running this command, I have provided guidance on it in the next sections.
Set-MsolDirSyncEnabled -EnableDirSync $false
Set-MsolDirSyncEnabled : You cannot turn off Active Directory synchronization
You may get the following error message after running Set-MsolDirSyncEnabled -EnableDirSync $false:
Set-MsolDirSyncEnabled : You cannot turn off Active Directory synchronization.
At line:1 char:1
+ Set-MsolDirSyncEnabled -EnableDirSync $false
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DirSyncStatusChangeNotAllowedException,Microsof
You can retry the command to disable directory synchronization after waiting for a couple of hours. I tried running this command a few times in between and managed to disable directory synchronization on the third attempt.
Once directory synchronization has been disabled successfully, refresh the Microsoft 365 admin center and check the Sync status of the users.
After a few minutes, all user accounts will be converted to cloud-only accounts and the Sync status column will show a cloud icon next to each of them. This confirms that the accounts are no longer managed by on-premises Active Directory.
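A wrapper for the tenant-wide steps above and for the retry the post describes, as an added example that is not the post's own code. It also performs the password-hash-sync check that the password discussion further down relies on. It assumes the MSOnline module is installed and Connect-MsolService has been run; Disable-TenantDirSync is a hypothetical helper name and the wait interval is an assumed value.

```powershell
# Added example (not from the original post): pre-flight checks plus a retrying wrapper
# around Set-MsolDirSyncEnabled. Assumes Connect-MsolService has been run.
function Disable-TenantDirSync {
    param(
        [int] $MaxAttempts = 3,
        [int] $WaitMinutes = 120   # assumed interval; the post succeeded on the third attempt, hours apart
    )

    $info = Get-MsolCompanyInformation
    if (-not $info.DirectorySynchronizationEnabled) {
        return "Directory synchronization is already disabled (status: $($info.DirectorySynchronizationStatus))."
    }
    # Users keep their existing password only if password hashes were synced before the switch.
    if (-not $info.PasswordSynchronizationEnabled) {
        Write-Warning "Password hash sync is not enabled; users will need a password reset after conversion."
    }
    $synced = @(Get-MsolUser -All -Synchronized)
    Write-Host "$($synced.Count) synced user(s) will become cloud-only. Last sync: $($info.LastDirSyncTime)"

    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            Set-MsolDirSyncEnabled -EnableDirSync $false -Force -ErrorAction Stop
            $status = (Get-MsolCompanyInformation).DirectorySynchronizationStatus
            return "Directory synchronization disabled on attempt $attempt (status: $status)."
        }
        catch {
            # DirSyncStatusChangeNotAllowedException is the 'You cannot turn off Active Directory
            # synchronization' error shown above; wait and try again rather than failing outright.
            Write-Warning "Attempt $attempt failed: $($_.Exception.Message)"
            if ($attempt -lt $MaxAttempts) { Start-Sleep -Seconds ($WaitMinutes * 60) }
        }
    }
    throw "Could not disable directory synchronization after $MaxAttempts attempts."
}

Disable-TenantDirSync
```

The status returned after a successful call may still read as pending for a while; confirm in the admin center that the Sync status icons have changed before decommissioning the Entra ID Connect server.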
Unable to download from URI
You may get an "Unable to download from URI" error after running Install-Module MSOnline.
Error after running Install-Module MSOnline:
NuGet provider is required to continue
PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or 'C:\Users\administrator.EXOIP\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and import the NuGet provider now?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
WARNING: Unable to download from URI 'https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409' to ''.
WARNING: Unable to download the list of available providers. Check your internet connection.
PackageManagement\Install-PackageProvider : No match was found for the specified search criteria for the provider 'NuGet'. The package provider requires 'PackageManagement' and 'Provider' tags. Please check if the specified package has the tags.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7405 char:21
+ ... $null = PackageManagement\Install-PackageProvider -Name $script:N ...
    + CategoryInfo : InvalidArgument: (Microsoft.Power...PackageProvider:InstallPackageProvider) [Install-PackageProvider], Exception
    + FullyQualifiedErrorId : NoMatchFoundForProvider,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackageProvider
PackageManagement\Import-PackageProvider : No match was found for the specified search criteria and provider name 'NuGet'. Try 'Get-PackageProvider -ListAvailable' to see if the provider exists on the system.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7411 char:21
+ ... $null = PackageManagement\Import-PackageProvider -Name $script:Nu ...
    + CategoryInfo : InvalidData: (NuGet:String) [Import-PackageProvider], Exception
    + FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.ImportPackageProvider
WARNING: Unable to download from URI 'https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409' to ''.
WARNING: Unable to download the list of available providers. Check your internet connection.
PackageManagement\Get-PackageProvider : Unable to find package provider 'NuGet'. It may not be imported yet. Try 'Get-PackageProvider -ListAvailable'.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7415 char:30
+ ... tProvider = PackageManagement\Get-PackageProvider -Name $script:NuGet ...
    + CategoryInfo : ObjectNotFound: (Microsoft.Power...PackageProvider:GetPackageProvider) [Get-PackageProvider], Exception
    + FullyQualifiedErrorId : UnknownProviderFromActivatedList,Microsoft.PowerShell.PackageManagement.Cmdlets.GetPackageProvider
Install-Module : NuGet provider is required to interact with NuGet-based repositories. Please ensure that '2.8.5.201' or newer version of NuGet provider is installed.
At line:1 char:1
+ Install-Module PowershellGet -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : InvalidOperation: (:) [Install-Module], InvalidOperationException
    + FullyQualifiedErrorId : CouldNotInstallNuGetProvider,Install-Module
How to Fix Unable to download from URI Error?
To fix this error, first run the command below to set the security protocol to TLS 1.2 (the PowerShell Gallery rejects older protocols, which is what produces the download failure), and then install the MSOnline module.
1. [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
2. Install-Module MSOnline
Do user accounts need a password reset when converted to Cloud Only?
After running the Set-MsolDirSyncEnabled -EnableDirSync $false command, all AD-synced users are converted to cloud-only users. A password reset is not required after this conversion.
Users can continue to use their existing password after being converted to cloud-only accounts. However, from then on, Microsoft 365 / Entra ID manages the user's password and all related account properties.
For instance, if you’ve already converted all user accounts to Cloud-only, and you wish to change a user’s password, you’ll need to do so through the Microsoft 365 admin center, not the On-Premise Active Directory.
When converting a single on-premises user account to a cloud-only user, we used a different method: relocating the user to a non-synced Organizational Unit (OU), followed by deletion and restoration of the user account.
When we use the "Set-MsolDirSyncEnabled -EnableDirSync $false" command, however, we disable directory synchronization entirely. This process does not require restoring user accounts or resetting user passwords. The password hashes were already synchronized from on-premises Active Directory before the sync was disabled, so users can continue using the same password.