Table of Contents
- Convert one synced user to In Cloud only user
- Things to Note:
- How to Convert All AD Synced users to In Cloud Only Users
- How to Fix Unable to download from URI Error
- Disable Directory Synchronization
- Do Users have to reset their Password after converting Synced user accounts to In Cloud Users?
When you have users synced from your on-premises Active Directory to Azure Active Directory (AAD) using the Azure AD Connect application, the user account sync status in Office 365 shows as "Synced from on-premises" with the sync symbol next to it (see screenshot). In the next sections of this blog we will see how you can convert one synced user to an In Cloud only user. If you want to convert all synced users to In Cloud only users at once, jump to the section "How to Convert All AD Synced users to In Cloud Only Users".
Convert one synced user to In Cloud only user
- Move the user (which you want to convert to In-Cloud) to an OU that is excluded from sync to AAD in on-premises Active Directory. Please make sure the OU is unchecked for sync in Azure AD Connect. (Note: if you have selected the option "Sync all domains and OUs" in Azure AD Connect, launch Azure AD Connect -> Customize synchronization options -> Domain and OU Filtering page -> select "Sync selected domains and OUs" to configure the OU which you do not want to sync to Azure AD.)
- Run a delta sync on the Azure AD Connect server with the command below.
Start-ADSyncSyncCycle -PolicyType delta
- After the delta sync completes, the link between this user and Azure AD will break and the user account in Office 365 will be moved to Deleted Users (as shown in the screenshot below). [Note: there will be no loss of data when the user account is moved to Deleted Users; Microsoft keeps the deleted user account and its data for 30 days. In our case we are going to restore it within a short period of time, so there is no need to worry about the account sitting in Deleted Users. However, when we restore the user in the next step the user's password must be reset, which will disrupt email access on PCs and mobile phones, and other Office 365 services will be affected as well. You can share the new password with the user so they can update it in Outlook on Windows and in the email client on their mobile phone.]
- Select the user and click Restore User. You will be asked to auto-generate a password, or you can provide your own password and reset it. Additionally, you have the option to require the user to change the password at first sign-in. The screenshot below shows the options you get while restoring the user account. Choose the options suitable to you and click the Restore button at the bottom of the page.
- Once you have restored the user account, it will show under Users -> Active Users in Office 365. Notice that the icon in the Sync Status column has changed to the cloud symbol, which means the user account is now a cloud-only account.
- As a best practice, set the Immutable ID for the user in Office 365 to $null using the command below.
Set-MSOLUser -UserPrincipalName firstname.lastname@example.org -ImmutableID "$null"
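The single-user conversion above as one script with a check at each step; this is an added example, not code from the original post. It assumes it runs on the Azure AD Connect server with the ActiveDirectory (RSAT), ADSync and MSOnline modules available, that Connect-MsolService has already been run, and that $Upn, $ExcludedOu and $NewPassword are placeholder values you supply (MSOnline is deprecated by Microsoft in favour of Microsoft Graph PowerShell, but it is the module this post uses).

```powershell
# Added example, not from the original post: the single-user conversion as one
# script with a check at each step. Assumes the Azure AD Connect server with the
# ActiveDirectory (RSAT), ADSync and MSOnline modules and Connect-MsolService done.
param(
    [Parameter(Mandatory)] [string] $Upn,          # user to convert (placeholder, supplied by you)
    [Parameter(Mandatory)] [string] $ExcludedOu,   # DN of the OU that is filtered out of sync
    [Parameter(Mandatory)] [string] $NewPassword   # password set on restore; hand it to the user securely
)
Import-Module ActiveDirectory, ADSync, MSOnline -ErrorAction Stop

# 1. Refuse to act on an account that is already cloud-only.
$before = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
if (-not $before.LastDirSyncTime) { throw "$Upn has never been synced; nothing to convert." }

# 2. Move the on-prem object into the OU that Azure AD Connect does not sync.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" -ErrorAction Stop
Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $ExcludedOu

# 3. Delta sync, then wait until the scheduler reports the cycle has finished.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
do { Start-Sleep -Seconds 15 } while ((Get-ADSyncScheduler).SyncCycleInProgress)

# 4. The cloud object is now soft-deleted (kept 30 days); confirm that before restoring.
$deleted = Get-MsolUser -ReturnDeletedUsers -All | Where-Object { $_.UserPrincipalName -eq $Upn }
if (-not $deleted) { throw "$Upn is not in Deleted Users; check the OU filter in Azure AD Connect." }
Restore-MsolUser -UserPrincipalName $Upn -NewPassword $NewPassword -AutoReconcileProxyConflicts

# 5. Clear the ImmutableId so the object cannot be hard-matched back to on-prem, then report.
Set-MsolUser -UserPrincipalName $Upn -ImmutableId "$null"
$after = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop
[pscustomobject]@{
    UserPrincipalName = $Upn
    ImmutableId       = $after.ImmutableId      # expected to be empty after step 5
    LastDirSyncTime   = $after.LastDirSyncTime
}
```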
Things to Note:
This process will cause disruption to the user, because the user account (identity management) has now moved to Azure AD with a new password. If the user was using Outlook on a PC or email on a mobile phone, they will need to update the password in those clients so that they continue to work.
How to Convert All AD Synced users to In Cloud Only Users
In the last section of this blog post we saw how to convert a single on-premises AD synced user to an In Cloud only user. The process is simple and requires only a few steps, but it also requires the user to reset their password after the conversion. In this section we will see how to convert all synced users to In Cloud only users at once. You would normally perform this step when you want to decommission the Azure AD Connect server and manage all users only from Azure AD. When we say In Cloud only users, this means that the user's account and all of its associated properties are managed via Azure Active Directory.
Before running the command to disable directory synchronization, let's see how our user accounts look in the Microsoft 365 portal and confirm that we are able to log in with one of the user accounts to verify the password. As you can see from the screenshot below, the Sync status column shows the AD Sync icon, which means these accounts are being synced from on-premises Active Directory to Azure Active Directory. I also tried to log in to https://portal.office.com using the credentials of one of the user accounts to confirm that I am able to log in successfully with the user's credentials.
To convert all AD synced users to In Cloud users, you need to run the command Set-MsolDirSyncEnabled -EnableDirSync $false on the on-premises server where you have installed Azure AD Connect. Before running this command you need to install the MSOnline PowerShell module, otherwise the command will not be recognized. To install the MSOnline module, run the PowerShell command below.
Install-Module MSOnline
You may get the error below after running Install-Module MSOnline. If you do not get this error and have already installed the MSOnline module on your system, jump to the section Disable Directory Synchronization.
|You may get this error after running Install-module MSOnline|
How to Fix Unable to download from URI Error
To fix this error, first run the command below to set the security protocol to TLS 1.2, and then install the MSOnline module.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-Module MSOnline
Disable Directory Synchronization
Set-MsolDirSyncEnabled -EnableDirSync $false
You may get the error message below when running the above command: Set-MsolDirSyncEnabled : You cannot turn off Active Directory synchronization. I did nothing to resolve this issue except wait for 1 hour and run the command again, as shown in the screenshot below. It may take more or less time for you depending on the backend Azure AD sync status; there is no action required from your end. Try the command again after 1 hour, and if it still does not work keep trying at 1-2 hour intervals; the command will eventually succeed.
|Error after running Set-MsolDirSyncEnabled -EnableDirSync $false command|
Set-MsolDirSyncEnabled : You cannot turn off Active Directory synchronization.
At line:1 char:1
Set-MsolDirSyncEnabled -EnableDirSync $false
FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DirSyncStatusChangeNotAllowedException,Microsof
Let's now check the sync status of our user accounts in the Microsoft 365 admin center. As you can see, within a few minutes all user accounts are converted into In Cloud accounts, and the Sync Status column shows a cloud icon next to each one to confirm that the accounts are no longer managed by on-premises Active Directory.
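The disable-and-retry loop described above, with a tenant-level check that synchronization is really off before you look at the user list; this is an added example, not code from the original post. It assumes the MSOnline module is installed and Connect-MsolService has already been run; the retry count, wait time and timeout are placeholder values to adjust for your tenant.

```powershell
# Added example, not from the original post: retry Set-MsolDirSyncEnabled on the
# "cannot turn off" error the post describes, then confirm sync is disabled.
# Assumes MSOnline is installed and Connect-MsolService has been run.
function Disable-DirSyncWithRetry {
    param([int] $MaxAttempts = 6, [int] $WaitMinutes = 60)   # placeholder timings
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try {
            Set-MsolDirSyncEnabled -EnableDirSync $false -Force -ErrorAction Stop
            return $true
        } catch {
            # Only the DirSyncStatusChangeNotAllowed error from the post is worth retrying;
            # anything else (authentication, permissions, module) is a real failure.
            if ($_.FullyQualifiedErrorId -notmatch 'DirSyncStatusChangeNotAllowed') { throw }
            Write-Warning "Attempt $attempt of ${MaxAttempts}: tenant not ready, retrying in $WaitMinutes min."
            Start-Sleep -Seconds ($WaitMinutes * 60)
        }
    }
    return $false
}

function Wait-DirSyncDisabled {
    param([int] $TimeoutMinutes = 15)   # placeholder
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $info = Get-MsolCompanyInformation
        if (-not $info.DirectorySynchronizationEnabled) { return $info }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Sync still enabled after $TimeoutMinutes min (status: $($info.DirectorySynchronizationStatus))."
}

if (Disable-DirSyncWithRetry) {
    $info = Wait-DirSyncDisabled
    "DirSync enabled: $($info.DirectorySynchronizationEnabled); status: $($info.DirectorySynchronizationStatus)"
    # Record the accounts and their last sync time for the change log; the admin
    # center's Sync Status column is the per-user view described above.
    Get-MsolUser -All | Sort-Object UserPrincipalName |
        Select-Object UserPrincipalName, LastDirSyncTime
} else {
    Write-Error "Directory sync could not be disabled after the configured number of attempts."
}
```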
Do Users have to reset their Password after converting Synced user accounts to In Cloud Users?
The answer to this question is no. Users do not have to reset their password after conversion to In Cloud user accounts. They can continue to use the same password they were using when the account was synced from on-premises Active Directory to Azure Active Directory. However, from now on the user's password and all associated user account properties are managed via Microsoft 365 / Azure AD. For example, after you have converted all user accounts to In Cloud user accounts and want to change the password of any user account(s), you will have to change the password via the Microsoft 365 admin center or Azure Active Directory, not on-premises Active Directory.
When we converted one on-premises user account to an In Cloud only user at the beginning of this blog, we used a different method of conversion, which involved moving the user to a different OU and then deleting and restoring the user account. When we use the Set-MsolDirSyncEnabled -EnableDirSync $false command, we disable directory synchronization completely, which does not require restoring user accounts or resetting users' passwords. The password hashes were already synced from on-premises AD before the sync was disabled, and therefore users can continue to use the same password.