When a user is synced from the On-Prem Active Directory to Entra ID via Entra ID connect, the user account Sync status shows as Synced from on-premises and shows a symbol on Microsoft 365 admin center.
In the next sections of this blog post, we will see how you can convert Entra ID synced users to Cloud-only users.
✅Convert One Entra ID synced user to Cloud Only user on Office 365
✅Convert All Entra ID synced users to Cloud Only users on Office 365.
Table of Contents
Convert one synced user to Cloud only user
Please follow below steps to convert one synced user to Cloud only user.
- We will need one Active directory OU which is not syncing to Entra ID. If you already have one, you can use it. If not then you can follow below steps to Exclude one OU from Entra ID sync:
- Launch Entra ID Connect > Customize synchronization options > In Domain and OU Filtering Page- > Select “Sync Selected domains and OUs” to exclude an Active Directory OU from Sync to Entra ID.
- Move the user to that OU.
- Run Entra ID delta Sync.
Start-ADSyncSyncCycle -PolicyType delta
- After Delta Sync Completes, link between that user and Entra ID will break and user account on office365 will be moved to Deleted Users on Microsoft 365 (as shown in the below screenshot).
Don’t worry, your data won’t be lost when you move a user account to Deleted Users. Microsoft keeps your account and data for 30 days after deletion. We’ll be restoring it shortly, but please be aware that when we do, you’ll need to reset your password.
This will temporarily disrupt users email access on your computer and mobile phone, as well as other Microsoft 365 services. You can update your new password in Outlook on your Windows PC and your email app on your mobile phone.
Please Note
- Select the User and click on Restore User. You will have to reset user’s password to restore the user.
- Once you have restored the user account, this will now show in Users > Active Users on Microsoft 365 admin center. Notice the Icon for the Sync Status column will be changed to cloud symbol which means that the user account is now a cloud-only account.
- Update Immutable ID of the user on Microsoft 365 to $null using below command:
Set-MSOLUser -UserPrincipalName [email protected] -ImmutableID "$null"
Please note:
During the conversion process, there will be some downtime for the user. Once the user’s status is changed to “cloud-only,” their Identity provider will be Azure Active Directory. From then on, all user account management must be carried out exclusively through Entra ID.
How to Convert All Entra ID Synced Users to Cloud Only Users?
In the earlier part of the blog post, we learned how to change a single On-Prem AD sync user into a Cloud Only user. This process is straightforward, involving just a few steps, but it does require that users reset their password during the conversion process.
In the following section, we’ll explore how to convert All Entra ID synced users into Cloud Only Users at once. This step is typically taken when you intend to decommission the Entra ID Connect server and exclusively manage all users through Entra ID. When we refer to Cloud Only users, it signifies that the user’s account and all its related attributes are administered solely through Azure Active Directory / Entra ID.
Before proceeding with the command to disable Directory Synchronization, let’s take a look at how our user accounts appear on the Microsoft 365 portal. As depicted in the screenshot below, the Sync status column displays the AD Sync Icon, indicating that these accounts are currently synchronized from the On-Premise Active Directory to Azure Active Directory.
Steps to convert All Active Directory Synced users to Cloud Only Users
Please follow these steps to change all Entra connect synchronized users into Cloud-only users.
- Login on the server where Entra ID Connect is Installed.
- Launch Powershell console on that server as an administrator.
- Install MSOnline Powershell module using below command.
Install-module MSOnline
- Connect to Entra ID using below powershell command.
connect-msolservice
- Disable Entra ID Synchronization. This step will convert all Synced users to Cloud Only users. If you get any error message after running this command, I have provided guidance on this in the next sections.
Set-MsolDirSyncEnabled -EnableDirSync $false
Set-MsolDirSyncEnabled : You cannot turn off Active Directory synchronization
You may get below error message after running Set-MsolDirSyncEnabled -EnableDirSync $false
. Error message reads: Set-MsolDirSyncEnabled : You cannot turn off Active Directory synchronization.
Error after running Set-MsolDirSyncEnabled -EnableDirSync $false command |
---|
Set-MsolDirSyncEnabled : You cannot turn off Active Directory synchronization. At line:1 char:1 Set-MsolDirSyncEnabled -EnableDirSync $false FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DirSyncStatusChangeNotAllowedException,Microsof d |
You can retry the command to disable directory synchronization after waiting for couple of hours. I did tried to run this command in-between a few times and managed to Disable directory synchronization after the third attempt.
Once the directory synchronization has been disabled successfully. You can refresh Microsoft 365 admin center and check the Sync status of users.
After waiting for few minutes, all user accounts would be converted to Cloud-only accounts and Sync Status symbol will show a Cloud Icon next to it. This confirms that the accounts are no longer managed by On-Premise Active Directory.
Unable to download from URI
You may get an error Unable to download from URI after running Install-module MSOnline
Error after running Install-module MSOnline |
---|
NuGet provider is required to continue PowerShellGet requires NuGet provider version ‘2.8.5.201’ or newer to interact with NuGet-based repositories. The NuGet provider must be available in ‘C:\Program Files\PackageManagement\ProviderAssemblies’ or ‘C:\Users\administrator.EXOIP\AppData\Local\PackageManagement\ProviderAssemblies’. You can also install the NuGet provider by running ‘Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force’. Do you want PowerShellGet to install and import the NuGet provider now? [Y] Yes [N] No [S] Suspend [?] Help (default is “Y”): Y WARNING: Unable to download from URI ‘https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409’ to ”. WARNING: Unable to download the list of available providers. Check your internet connection. PackageManagement\Install-PackageProvider : No match was found for the specified search criteria for the provider ‘NuGet’. The package provider requires ‘PackageManagement’ and ‘Provider’ tags. Please check if the specified package has the tags. At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7405 char:21 + … $null = PackageManagement\Install-PackageProvider -Name $script:N … + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidArgument: (Microsoft.Power…PackageProvider:InstallPackageProvider) [Install-PackageProvider], Exception + FullyQualifiedErrorId : NoMatchFoundForProvider,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackageProvider PackageManagement\Import-PackageProvider : No match was found for the specified search criteria and provider name ‘NuGet’. Try ‘Get-PackageProvider -ListAvailable’ to see if the provider exists on the system. At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7411 char:21 + … $null = PackageManagement\Import-PackageProvider -Name $script:Nu … + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidData: (NuGet:String) [Import-PackageProvider], Exception + FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.ImportPackageProvider WARNING: Unable to download from URI ‘https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409’ to ”. WARNING: Unable to download the list of available providers. Check your internet connection. PackageManagement\Get-PackageProvider : Unable to find package provider ‘NuGet’. It may not be imported yet. Try ‘Get-PackageProvider -ListAvailable’. At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7415 char:30 + … tProvider = PackageManagement\Get-PackageProvider -Name $script:NuGet … + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (Microsoft.Power…PackageProvider:GetPackageProvider) [Get-PackageProvider], Exception + FullyQualifiedErrorId : UnknownProviderFromActivatedList,Microsoft.PowerShell.PackageManagement.Cmdlets.GetPackageProvider Install-Module : NuGet provider is required to interact with NuGet-based repositories. Please ensure that ‘2.8.5.201’ or newer version of NuGet provider is installed. At line:1 char:1 + Install-Module PowershellGet -Force + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [Install-Module], InvalidOperationException + FullyQualifiedErrorId : CouldNotInstallNuGetProvider,Install-Module |
How to Fix Unable to download from URI Error?
To Fix this error run below command first to set the security protocol to TLS 1.2 and then Install MSOnline Module.
1. [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
2. Install-Module MSOnline
Do user accounts need a password reset when converted to Cloud Only?
After running Set-MsolDirSyncEnabled -EnableDirSync $false
command, All AD-synced users will be converted to cloud-only users. Password reset is not required after this conversion.
Users can continue to use their existing password after converted to cloud-only account. However, from now on, Microsoft 365 / Entra ID will manage the user’s password and all related account properties.
For instance, if you’ve already converted all user accounts to Cloud-only, and you wish to change a user’s password, you’ll need to do so through the Microsoft 365 admin center, not the On-Premise Active Directory.
Conclusion
When converting a single on-premise user account to a Cloud-only user, we used a distinct method that involved relocating the user to a different Organizational Unit (OU), followed by deletion and restoration of the user account.
However, when we utilize the “Set-MsolDirSyncEnabled -EnableDirSync $false” command, we’re effectively disabling directory synchronization entirely. This process doesn’t necessitate restoring user accounts or resetting user passwords. The password hashes were already synchronized from the On-prem Active Directory before disabling the sync, enabling users to continue using the same password.
Discover more from TechPress
Subscribe to get the latest posts sent to your email.
Good article – Does this need to be done if we were using an on-prem exchange server? All users have been migrated to the cloud and all computers have been removed from the domain and are now authenticating via AzureAD.
Microsoft states this is all that needs to be done to convert –
https://docs.microsoft.com/en-us/microsoft-365/enterprise/turn-off-directory-synchronization?view=o365-worldwide
Thanks!
Set-MsolDirSyncEnabled -EnableDirSync $false command is used to switch off directory sync and convert all synced users to In-Cloud users. When a user is converted to In-Cloud, it will be full managed via Azure AD and not on-prem AD.
Once all users are converted to In-Cloud Users, you can remove Azure AD Connect from On-Prem Server.
But will all the user accounts still showing the premise icon be deleted in 365 and then need to be restored? Think that is the piece I am missing.
Hi Lance, No the accounts will not be removed and need to be restored. It will be converted to In Cloud accounts once the command Set-MsolDirSyncEnabled -EnableDirSync $false is run.
I’m very curious about this part as well, also if their passwords will be reset or require an change.
Hi Wil, Password reset is not required after converting all user accounts to In Cloud user accounts. I have also updated the blog post related to this and some more information on it. Hope this helps.
Thanks so much!
I have some users I want to use Active Directory sync and some I want cloud only.
So far, I haven’t found a way to migrate mailboxes from on premise to a user that was manually created as cloud only.
After reading this post I’m wondering if I can;
Sync both OUs, the one for cloud only users and the one for users that will continue to sync.
Use the command in your post to disable sync.
Reconfigure Azure AD Connect and remove the OU for cloud only users from the configuration.
Re-enable directory sync and force a sync from Azure AD Connect.
Question is, what happens to the “cloud Only” users who are no longer syncing?
Will their accounts in the cloud be deleted?
That’s what normally happens to a sync’d account that is removed from the OU that is syncing.
Thank you! I converted a few users and everything seems to be good. Outlook, onedrive etc. But some users are missing teams channels after the change. When i login to the teams admin center, all the permissions are still the same, but no channels in teams. I fix this by deleting / add the user again and then the teams channel is back. But it is a lot of work to do this for all users!
Note: Some users had no issue.
Is this a sync issue? Can i force it? Or maybe i need to wait 24 hours+ ?
Any help would be great.
Thanks
I believe we are experiencing quite a huge issue after this migration. If you could provide some insight to our issue, that would be great.
After migrating all our users, some on-premesis attributes are still present. Most notably and the ones causing the issues are “On-premises SAM account name” and “On-premises domain name”. These properties are still respected even after Azure AD sync is turned off. For example, for my migrated users, if they Azure AD join a Windows device, the user will be created as OnPremDomain\OnPremSAM or company.local\jdoe. Compared to true Azure AD cloud only accounts, they are created like AzureAD\jdoe.
This has become a problem when someone changes their name. The “On-premises SAM account name” attribute does not change when changing the name of the Azure AD user. For example, let’s say Jane Doe’s last name is changed to Fox, making her last Name Jane Fox. The name change will be reflected on all Microsoft apps, but not on a Windows Azure AD device. The user will still be created as company.local\jdoe. This causes many issues with certificate validation and a lot more.
Is there any resolution for this?
Not sure about this, you could uncheck that attribute to be synced to Azure AD and then migrate the usre ? IF you have already completed migration then you could clear those unwanted attributes for all users in Azure AD using a powershell script ? Using cmdlet like Set-msoluser.
I unchecked the attributes on the AD side, but they still were present in Azure AD. I ended up opening a support ticket with Azure Identity and it looks like they are going to remove the attributes manually for all my users by collaborating with the engineer team.
Set-MSOLUser doesn’t work because the attributes are read-only.
During my support case they confirmed there’s no way for the attributes to be removed after the user is migrated, whether it’s migrating one by one or disabling sync to convert all users at once. There seems to be no ability to remove the attributes after AD sync.
I’ve opened a Feedback thread, so feel free to vote on it:
https://feedback.azure.com/d365community/idea/01186207-3cd9-ed11-a81c-000d3ae51e62
Just checking if the ALL User solution worked for someone without any issues?
I need to decommission our old DC (Cloud Only), all the devices are already all removed from DC and Azure joined.
Another question – SSO setup has nothing to do with this correct?
Thanks for this great article. What will happen to synced groups? Will they get migrated too?
Didn’t work for me. They get hard deleted and you cannot restore them from trashbin. Have you found any alternative?
I know this article is getting old, but I have 2 simple questions :
“Update Immutable ID of the user on Microsoft 365 to $null using below command”
Q1 : Why update this value if the user has stopped being synced?
“How to Convert All Entra ID Synced Users to Cloud Only Users?”
Q2 : Do users lose their on-prem attibutes value once this is done?
Attributes I’m talking about :
On-premises sync enabled
On-premises last sync date time
On-premises distinguished name
On-premises immutable ID
On-premises provisioning errors
On-premises SAM account name
On-premises security identifier
On-premises user principal name
On-premises domain name