Convert Synced user to Cloud Only User Account on Office365


Overview

When you have users synced from your on-premises Active Directory to Azure Active Directory (AAD) using the Azure AD Connect application, the user account Sync status on Office 365 will show as "Synced from on-premises", with the sync symbol next to it.

In the next sections of this post we will see how to convert one synced user to an In Cloud only user. If you want to convert all synced users to In Cloud only users at once, jump to the section “How to Convert All AD Synced users to In Cloud Only Users”.

✅Convert one Azure AD synced user to Cloud Only user on Office 365

✅Convert all Azure AD synced users to Cloud Only users on Office 365.

Convert one synced user to In Cloud only user

  1. Move the user which you want to convert to In-Cloud to an OU that is excluded from sync to AAD in the on-premises Active Directory. Make sure the OU is unchecked for sync in Azure AD Connect. (Note: If you selected the option “Sync all domains and OUs” in Azure AD Connect, launch Azure AD Connect -> Customize synchronization options -> Domain and OU Filtering page -> select “Sync Selected domains and OUs” to configure the OU which you do not want to sync to Azure AD.)
  2. Run a delta sync on the Azure AD Connect server:
Start-ADSyncSyncCycle -PolicyType delta
  3. After the delta sync completes, the link between this user and Azure AD will break and the user account on Office 365 will be moved to Deleted Users (as shown in the screenshot below).

[Note: There is no loss of data when the user account is moved to Deleted Users; Microsoft keeps a deleted user account and its data for 30 days. In our case we are going to restore it within a short period of time, so there is no need to worry about the account sitting in Deleted Users. However, when we restore the user in the next step the user's password needs to be reset, which will disrupt email access on PCs and mobile phones and impact other Office 365 services as well. Share the new password with the user so they can update it in Outlook on their Windows PC and in the mail app on their mobile phone.]

  4. Select the user and click on Restore User. You will be asked to auto-generate a password, or you can provide your own password and reset it. Additionally, you have the option to make the user change the password at first sign-in. The screenshot below shows the options you get while restoring the user account. Choose the options suitable to you and click the Restore button at the bottom of the page.
  5. Once you have restored the user account, it will show in Users -> Active Users on Office 365. Notice that the icon in the Sync Status column has changed to the cloud symbol, which means the user account is now a cloud only account.
  6. As a best practice, clear the Immutable ID for the user on Office 365 by setting it to $null with the command below.
Set-MSOLUser -UserPrincipalName info@techpress.net -ImmutableID "$null"
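The single-user procedure above, scripted end to end so that each step is verified before the next one runs. This is an added example, not code from the original post; it assumes the ActiveDirectory, ADSync and MSOnline modules are installed on the Azure AD Connect server, and that the OU passed in `-ExcludedOu` is already unchecked in Azure AD Connect's OU filtering (`jdoe@contoso.com` and the OU path are placeholders).

```powershell
# Added example (not from the original post). Converts one synced user to cloud-only.
param(
    [Parameter(Mandatory)] [string] $Upn,            # placeholder: jdoe@contoso.com
    [Parameter(Mandatory)] [string] $ExcludedOu,     # placeholder: "OU=NoSync,DC=contoso,DC=local"
    [Parameter(Mandatory)] [securestring] $NewPassword
)

Import-Module ActiveDirectory, ADSync, MSOnline
Connect-MsolService

# Step 1: move the on-prem account into the OU that is excluded from sync.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'"
if (-not $adUser) { throw "No on-prem user with UPN $Upn" }
Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $ExcludedOu

# Step 2: run a delta sync and wait until no connector run is in progress.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
do { Start-Sleep -Seconds 15 } while (Get-ADSyncConnectorRunStatus)

# Step 3: the cloud object should now be in Deleted Users; poll until it shows up.
$deleted = $null
for ($i = 0; $i -lt 20 -and -not $deleted; $i++) {
    Start-Sleep -Seconds 30
    $deleted = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $Upn -ErrorAction SilentlyContinue
}
if (-not $deleted) { throw "$Upn did not appear in Deleted Users; check OU filtering and the sync log" }

# Step 4: restore the account; it comes back without the on-prem link.
Restore-MsolUser -UserPrincipalName $Upn

# The restore requires a password reset (see the note above); force a change at first sign-in
# so the temporary password you hand to the user is single-use.
$plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
Set-MsolUserPassword -UserPrincipalName $Upn -NewPassword $plain -ForceChangePassword $true

# Step 6: clear the ImmutableId so the object can never be re-matched to the old on-prem GUID.
Set-MsolUser -UserPrincipalName $Upn -ImmutableId "$null"

# Verification: an empty ImmutableId is what marks the account as cloud-only.
$u = Get-MsolUser -UserPrincipalName $Upn
[pscustomobject]@{
    Upn             = $u.UserPrincipalName
    ImmutableId     = $u.ImmutableId
    LastDirSyncTime = $u.LastDirSyncTime
}
```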

Things to Note:

This process causes disruption for the user, because the account and its identity management have now moved to Azure AD with a new password. If the user was using Outlook on a PC or email on a mobile phone, they will need to update the password in those apps before they can continue working.


How to Convert All AD Synced users to In Cloud Only Users

In the previous section we saw how to convert a single on-prem AD synced user to an In Cloud Only user. The process is simple and needs only a few steps, but it also requires the user's password to be reset after the conversion.

In this section we will see how to convert all Azure AD synced users to In Cloud Only users in one go. You would normally perform this step when you want to decommission the Azure AD Connect server and manage all users only from Azure AD. When we say In Cloud Only users, we mean that the user account and all its associated properties are managed via Azure Active Directory.

Before running the command to disable directory synchronization, let's see how our user accounts look in the Microsoft 365 portal. As you can see from the screenshot below, the Sync status column shows the AD Sync icon, which means these accounts are being synced from the on-premises Active Directory to Azure Active Directory.


Steps to convert All AD Synced users to Cloud Only Users

Follow the steps below to convert all Azure AD synced users to cloud only users.

  1. Log in to the server where Azure AD Connect is installed.
  2. Launch a PowerShell console as an administrator.
  3. Install the MSOnline PowerShell module using the command below.
Install-Module MSOnline
  4. Connect to Azure AD.
Connect-MsolService
  5. Disable Active Directory synchronization.
Set-MsolDirSyncEnabled -EnableDirSync $false

You may get the error message below when running the above command: Set-MsolDirSyncEnabled : You cannot turn off Active Directory synchronization.

Error after running Set-MsolDirSyncEnabled -EnableDirSync $false command
Set-MsolDirSyncEnabled : You cannot turn off Active Directory synchronization.
At line:1 char:1
Set-MsolDirSyncEnabled -EnableDirSync $false
~~~~~~~~~~~~ CategoryInfo : OperationStopped: (:) [Set-MsolDirSyncEnabled], MicrosoftOnlineException
FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DirSyncStatusChangeNotAllowedException,Microsof
d

You can retry the command to disable directory synchronization after some time. I tried to run it a couple of times and managed to disable directory synchronization on the third attempt.
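The tenant-wide procedure above (steps 1 to 5 plus the retry when the "You cannot turn off Active Directory synchronization" error appears), as an added example that is not part of the original post. It assumes outbound HTTPS access from the server and uses `Get-MsolCompanyInformation` to confirm the change has actually applied rather than trusting the command's return; the attempt and polling limits are arbitrary choices.

```powershell
# Added example (not from the original post). Disables DirSync for the tenant with retries
# and verifies the tenant status afterwards.

# The TLS 1.2 fix from the Troubleshooting section, applied before Install-Module.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
if (-not (Get-Module -ListAvailable -Name MSOnline)) {
    Install-Module MSOnline -Scope CurrentUser -Force
}
Import-Module MSOnline
Connect-MsolService

$before = Get-MsolCompanyInformation
"Before: DirectorySynchronizationEnabled=$($before.DirectorySynchronizationEnabled) Status=$($before.DirectorySynchronizationStatus)"

# The service may reject the first attempts (e.g. while a sync cycle is in flight),
# so retry a bounded number of times with a pause between attempts.
$maxAttempts = 5
for ($attempt = 1; $attempt -le $maxAttempts; $attempt++) {
    try {
        Set-MsolDirSyncEnabled -EnableDirSync $false -Force -ErrorAction Stop
        "Disable request accepted on attempt $attempt"
        break
    } catch {
        "Attempt $attempt failed: $($_.Exception.Message)"
        if ($attempt -eq $maxAttempts) { throw }
        Start-Sleep -Seconds 60
    }
}

# The tenant reports a pending status until the change has fully applied; poll for it,
# but give up after a bounded number of checks instead of looping forever.
$maxPolls = 60
for ($poll = 1; $poll -le $maxPolls; $poll++) {
    $status = (Get-MsolCompanyInformation).DirectorySynchronizationStatus
    "Poll $poll : DirectorySynchronizationStatus=$status"
    if ($status -eq 'Disabled') { break }
    Start-Sleep -Seconds 60
}
if ($status -ne 'Disabled') { throw "DirSync still reports '$status'; re-check later before decommissioning Azure AD Connect" }

# Final review list: cross-check against the cloud icon in the Microsoft 365 admin center.
Get-MsolUser -All | Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime | Format-Table -AutoSize
```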

The screenshot below shows the commands I ran on the server to disable directory synchronization.


Once directory synchronization has been disabled successfully, refresh the Microsoft 365 admin center and check the Sync status of the users. As you can see, within a few minutes all user accounts are converted into cloud only accounts, and the Sync Status column shows a cloud icon to confirm that the accounts are no longer managed by the on-premises Active Directory.


Troubleshooting

You may get the error "Unable to download from URI" after running Install-Module MSOnline.

Error after running Install-module MSOnline
NuGet provider is required to continue PowerShellGet requires NuGet provider version ‘2.8.5.201’ or newer to interact with NuGet-based repositories. The NuGet provider must be available in ‘C:\Program Files\PackageManagement\ProviderAssemblies’ or ‘C:\Users\administrator.EXOIP\AppData\Local\PackageManagement\ProviderAssemblies’. You can also install the NuGet provider by running ‘Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force’. Do you want PowerShellGet to install and import the NuGet provider now? [Y] Yes [N] No [S] Suspend [?] Help (default is “Y”): Y

WARNING: Unable to download from URI ‘https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409’ to ”. WARNING: Unable to download the list of available providers. Check your internet connection. PackageManagement\Install-PackageProvider : No match was found for the specified search criteria for the provider ‘NuGet’. The package provider requires ‘PackageManagement’ and ‘Provider’ tags. Please check if the specified package has the tags. At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7405 char:21 + … $null = PackageManagement\Install-PackageProvider -Name $script:N … + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidArgument: (Microsoft.Power…PackageProvider:InstallPackageProvider) [Install-PackageProvider], Exception + FullyQualifiedErrorId : NoMatchFoundForProvider,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackageProvider PackageManagement\Import-PackageProvider : No match was found for the specified search criteria and provider name ‘NuGet’. Try ‘Get-PackageProvider -ListAvailable’ to see if the provider exists on the system. At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7411 char:21 + … $null = PackageManagement\Import-PackageProvider -Name $script:Nu … + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidData: (NuGet:String) [Import-PackageProvider], Exception + FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.ImportPackageProvider WARNING: Unable to download from URI ‘https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409’ to ”. WARNING: Unable to download the list of available providers. Check your internet connection. PackageManagement\Get-PackageProvider : Unable to find package provider ‘NuGet’. It may not be imported yet. Try ‘Get-PackageProvider -ListAvailable’. 
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7415 char:30 + … tProvider = PackageManagement\Get-PackageProvider -Name $script:NuGet … + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (Microsoft.Power…PackageProvider:GetPackageProvider) [Get-PackageProvider], Exception + FullyQualifiedErrorId : UnknownProviderFromActivatedList,Microsoft.PowerShell.PackageManagement.Cmdlets.GetPackageProvider Install-Module : NuGet provider is required to interact with NuGet-based repositories. Please ensure that ‘2.8.5.201’ or newer version of NuGet provider is installed. At line:1 char:1 + Install-Module PowershellGet -Force + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : InvalidOperation: (:) [Install-Module], InvalidOperationException + FullyQualifiedErrorId : CouldNotInstallNuGetProvider,Install-Module

How to Fix Unable to download from URI Error

To fix this error, first run the command below to set the security protocol to TLS 1.2, then install the MSOnline module.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Install-Module MSOnline

Is a password reset required after converting user accounts to cloud only?

After running the Set-MsolDirSyncEnabled -EnableDirSync $false command, all AD synced users are converted to cloud only users. A password reset is not required after this conversion. Users can continue to use the same password they were using while the account was synced from the on-premises Active Directory to Azure Active Directory.

However, from now on the users' passwords and all their associated account properties are managed via Microsoft 365 / Azure AD. For example, after you have converted all user accounts to cloud only accounts, if you want to change the password of any user account you will have to change it via the Microsoft 365 admin center, not the on-premises Active Directory.

Conclusion

When we converted a single on-premises user account to a cloud only user, we used a different method of conversion, which involves moving the user to a different OU and then deleting and restoring the user account. When we use the Set-MsolDirSyncEnabled -EnableDirSync $false command, we disable directory synchronization completely, which does not require restoring user accounts or resetting user passwords. The password hashes were already synced from the on-prem AD before the sync was disabled, so users can continue to use the same password.

13 thoughts on “Convert Synced user to Cloud Only User Account on Office365”

    • The Set-MsolDirSyncEnabled -EnableDirSync $false command is used to switch off directory sync and convert all synced users to In-Cloud users. When a user is converted to In-Cloud, it will be fully managed via Azure AD and not on-prem AD.
      Once all users are converted to In-Cloud users, you can remove Azure AD Connect from the on-prem server.

      • But will all the user accounts still showing the premise icon be deleted in 365 and then need to be restored? Think that is the piece I am missing.

  1. I have some users I want to use Active Directory sync and some I want cloud only.
    So far, I haven’t found a way to migrate mailboxes from on premise to a user that was manually created as cloud only.
    After reading this post I’m wondering if I can:
    Sync both OUs, the one for cloud only users and the one for users that will continue to sync.
    Use the command in your post to disable sync.
    Reconfigure Azure AD Connect and remove the OU for cloud only users from the configuration.
    Re-enable directory sync and force a sync from Azure AD Connect.
    Question is, what happens to the “cloud Only” users who are no longer syncing?
    Will their accounts in the cloud be deleted?
    That’s what normally happens to a sync’d account that is removed from the OU that is syncing.

  2. Thank you! I converted a few users and everything seems to be good. Outlook, OneDrive etc. But some users are missing Teams channels after the change. When I log in to the Teams admin center, all the permissions are still the same, but no channels in Teams. I fix this by deleting / adding the user again and then the Teams channel is back. But it is a lot of work to do this for all users!
    Note: Some users had no issue.

    Is this a sync issue? Can I force it? Or maybe I need to wait 24 hours+?

    Any help would be great.

    Thanks

  3. I believe we are experiencing quite a huge issue after this migration. If you could provide some insight to our issue, that would be great.

    After migrating all our users, some on-premises attributes are still present. Most notably, and the ones causing the issues, are “On-premises SAM account name” and “On-premises domain name”. These properties are still respected even after Azure AD sync is turned off. For example, for my migrated users, if they Azure AD join a Windows device, the user will be created as OnPremDomain\OnPremSAM or company.local\jdoe. Compared to true Azure AD cloud only accounts, they are created like AzureAD\jdoe.

    This has become a problem when someone changes their name. The “On-premises SAM account name” attribute does not change when changing the name of the Azure AD user. For example, let’s say Jane Doe’s last name is changed to Fox, making her last Name Jane Fox. The name change will be reflected on all Microsoft apps, but not on a Windows Azure AD device. The user will still be created as company.local\jdoe. This causes many issues with certificate validation and a lot more.

    Is there any resolution for this?

    • Not sure about this. You could uncheck that attribute from being synced to Azure AD and then migrate the user? If you have already completed the migration, then you could clear those unwanted attributes for all users in Azure AD using a PowerShell script, using a cmdlet like Set-MsolUser.

      • I unchecked the attributes on the AD side, but they still were present in Azure AD. I ended up opening a support ticket with Azure Identity and it looks like they are going to remove the attributes manually for all my users by collaborating with the engineer team.

        Set-MSOLUser doesn’t work because the attributes are read-only.

        During my support case they confirmed there’s no way for the attributes to be removed after the user is migrated, whether it’s migrating one by one or disabling sync to convert all users at once. There seems to be no ability to remove the attributes after AD sync.

        I’ve opened a Feedback thread, so feel free to vote on it:
        https://feedback.azure.com/d365community/idea/01186207-3cd9-ed11-a81c-000d3ae51e62

  4. Just checking if the ALL User solution worked for someone without any issues?
    I need to decommission our old DC (Cloud Only), all the devices are already all removed from DC and Azure joined.
    Another question – SSO setup has nothing to do with this correct?
