When users are synced from your on-premises Active Directory to Azure Active Directory (Azure AD) with the Azure AD Connect application, the Sync status column for those accounts in the Office 365 admin center shows "Synced from on-premises" with the directory sync icon.
In the next sections of this blog we will see how to convert one synced user to an In Cloud only user. If you want to convert all synced users to In Cloud only users at once, jump to the section "How to Convert All AD Synced users to In Cloud Only Users".
✅Convert one Azure AD synced user to Cloud Only user on Office 365
✅Convert all Azure AD synced users to Cloud Only users on Office 365.
Convert one synced user to In Cloud only user
- Move the user you want to convert to In Cloud only to an OU in on-premises Active Directory that is excluded from sync to Azure AD. Make sure that OU is unchecked for sync in Azure AD Connect. (Note: if you selected "Sync all domains and OUs" in Azure AD Connect, launch Azure AD Connect -> Customize synchronization options -> Domain and OU Filtering page -> select "Sync selected domains and OUs" and untick the OU you do not want to sync to Azure AD.)
- Run a delta sync from the Azure AD Connect server:
Start-ADSyncSyncCycle -PolicyType delta
- After the delta sync completes, the link between this user and Azure AD is broken and the user account on Office 365 is moved to Deleted Users (as shown in the screenshot below).
[Note: No data is lost when the account is moved to Deleted Users; Microsoft keeps a deleted user account and its data for 30 days, and we are going to restore it within a short period. However, when we restore the user in the next step the password must be reset, which disrupts email access on the PC and mobile phone and affects other Office 365 services as well. Share the new password with the user so they can update it in Outlook on their Windows PC and in the mail client on their phone.]
- Select the user and click Restore User. You are asked to auto-generate a password or provide your own, and you can also require the user to change the password at first sign-in. The screenshot below shows the options offered while restoring the account. Choose the options that suit you and click the Restore button at the bottom of the page.
- Once the account is restored it appears again under Users -> Active Users in Office 365. Notice that the icon in the Sync Status column has changed to the cloud symbol, which means the account is now a cloud only account.
- As a best practice, clear the ImmutableId of the user on Office 365 with the command below. The ImmutableId is the source anchor that hard-matches the cloud object to the on-premises object; leaving it set means the account would be re-linked to the old on-premises object if it were ever synced again. Clearing it is only possible once the account is cloud only.
Set-MsolUser -UserPrincipalName firstname.lastname@example.org -ImmutableId "$null"
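The single-user procedure above, scripted end to end, as an added example that is not part of the original post: it moves the on-premises account into the excluded OU, runs a delta sync, waits for the cloud object to land in Deleted Users, restores it, sets a new password and clears the ImmutableId, then checks that the account no longer carries a directory sync timestamp. It assumes the ActiveDirectory, ADSync and MSOnline modules are available on the Azure AD Connect server, that the target OU is already excluded in Azure AD Connect's OU filtering, and that you run it as an administrator with a Global Administrator sign-in; the UPN, OU distinguished name and wait time are placeholders.

```powershell
# Added example: convert one Azure AD synced user to cloud only from the Azure AD Connect server.
# Assumes the ActiveDirectory, ADSync and MSOnline modules are installed and the OU in
# $ExcludedOu is already excluded from sync in Azure AD Connect. Values below are placeholders.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # e.g. firstname.lastname@example.org
    [Parameter(Mandatory)] [string] $ExcludedOu,          # e.g. 'OU=NoSync,DC=corp,DC=example,DC=org'
    [int] $DeleteWaitMinutes = 15                         # assumption: how long to wait for the soft delete
)

Import-Module ActiveDirectory, ADSync, MSOnline -ErrorAction Stop
Connect-MsolService   # prompts for a Global Administrator sign-in

# 1. Move the on-premises account into the OU that Azure AD Connect does not sync.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" -ErrorAction Stop
Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $ExcludedOu

# 2. Run a delta sync and wait for the scheduler to report the cycle finished.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
do { Start-Sleep -Seconds 15 } while ((Get-ADSyncScheduler).SyncCycleInProgress)

# 3. The cloud object is now soft deleted; poll until it appears under Deleted Users.
$deadline = (Get-Date).AddMinutes($DeleteWaitMinutes)
do {
    Start-Sleep -Seconds 30
    $deleted = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue
} until ($deleted -or (Get-Date) -gt $deadline)
if (-not $deleted) {
    throw "$UserPrincipalName did not reach Deleted Users within $DeleteWaitMinutes minutes; check the sync result before retrying."
}

# 4. Restore the account (mailbox and data come back with it) and set a new password.
Restore-MsolUser -UserPrincipalName $UserPrincipalName
$chars = [char[]]'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%'
$newPassword = -join ((1..16) | ForEach-Object { $chars | Get-Random })
Set-MsolUserPassword -UserPrincipalName $UserPrincipalName -NewPassword $newPassword -ForceChangePassword $true

# 5. Clear the ImmutableId so the object can no longer be hard-matched to the old AD object.
#    "$null" is the form the post uses; it expands to an empty value, which clears the attribute.
Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId "$null"

# 6. Verify: a cloud only account has no LastDirSyncTime and no ImmutableId.
$cloudUser = Get-MsolUser -UserPrincipalName $UserPrincipalName
if ($cloudUser.LastDirSyncTime -or $cloudUser.ImmutableId) {
    throw "$UserPrincipalName still looks directory synced; review the steps above."
}
Write-Host "$UserPrincipalName is now cloud only. Hand the temporary password to the user out of band."
```

The temporary password is generated locally and printed nowhere; hand it to the user through a channel other than their (currently broken) mailbox, and keep `-ForceChangePassword $true` so it is replaced at first sign-in.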
Things to Note:
This process disrupts the user, because identity management for the account has moved to Azure AD with a new password. If the user was using Outlook on a PC or email on a mobile phone, they need to update the password in those apps before they work again.
How to Convert All AD Synced users to In Cloud Only Users
In the previous section we saw how to convert a single on-premises AD synced user to an In Cloud only user. The process is simple and needs only a few steps, but it requires a password reset after the conversion.
In this section we will see how to convert all Azure AD synced users to In Cloud only users in one go. You would normally do this when you want to decommission the Azure AD Connect server and manage all users from Azure AD alone. "In Cloud only" means that the user's account and all of its properties are managed in Azure Active Directory.
Before running the command to disable directory synchronization, let's look at how the user accounts appear in the Microsoft 365 admin center. As the screenshot below shows, the Sync status column displays the AD sync icon, which means these accounts are synced from on-premises Active Directory to Azure Active Directory.
Steps to convert All AD Synced users to Cloud Only Users
Follow the steps below to convert all Azure AD synced users to cloud only users.
- Log on to the server where Azure AD Connect is installed.
- Launch a PowerShell console as an administrator.
- Install the MSOnline PowerShell module from the PowerShell Gallery with Install-Module (if this fails with an "Unable to download from URI" error, see the fix further down).
- Connect to Azure AD with a Global Administrator account.
- Disable Active Directory synchronization:
Set-MsolDirSyncEnabled -EnableDirSync $false
You may get the error message below when running the above command:
Error after running Set-MsolDirSyncEnabled -EnableDirSync $false:
Set-MsolDirSyncEnabled : You cannot turn off Active Directory synchronization.
At line:1 char:1
+ Set-MsolDirSyncEnabled -EnableDirSync $false
+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DirSyncStatusChangeNotAllowedException,Microsof
You can retry the command to disable directory synchronization after some time. I tried running it a couple of times and managed to disable directory synchronization on the third attempt.
The screenshot below shows the commands I ran on the server to disable directory synchronization.
Once directory synchronization has been disabled successfully, refresh the Microsoft 365 admin center and check the Sync status of the users. As you can see, within a few minutes all user accounts are converted into cloud only accounts and the Sync status column shows the cloud icon, confirming that the accounts are no longer managed by on-premises Active Directory.
You may get an "Unable to download from URI" error after running Install-Module MSOnline:
NuGet provider is required to continue
PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or 'C:\Users\administrator.EXOIP\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and import the NuGet provider now?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
WARNING: Unable to download from URI 'https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409' to ''.
WARNING: Unable to download the list of available providers. Check your internet connection.
PackageManagement\Install-PackageProvider : No match was found for the specified search criteria for the provider 'NuGet'. The package provider requires 'PackageManagement' and 'Provider' tags. Please check if the specified package has the tags.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\22.214.171.124\PSModule.psm1:7405 char:21
+ ... $null = PackageManagement\Install-PackageProvider -Name $script:N ...
+ CategoryInfo : InvalidArgument: (Microsoft.Power...PackageProvider:InstallPackageProvider) [Install-PackageProvider], Exception
+ FullyQualifiedErrorId : NoMatchFoundForProvider,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackageProvider
PackageManagement\Import-PackageProvider : No match was found for the specified search criteria and provider name 'NuGet'. Try 'Get-PackageProvider -ListAvailable' to see if the provider exists on the system.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\126.96.36.199\PSModule.psm1:7411 char:21
+ ... $null = PackageManagement\Import-PackageProvider -Name $script:Nu ...
+ CategoryInfo : InvalidData: (NuGet:String) [Import-PackageProvider], Exception
+ FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.ImportPackageProvider
WARNING: Unable to download from URI 'https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409' to ''.
WARNING: Unable to download the list of available providers. Check your internet connection.
PackageManagement\Get-PackageProvider : Unable to find package provider 'NuGet'. It may not be imported yet. Try 'Get-PackageProvider -ListAvailable'.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\188.8.131.52\PSModule.psm1:7415 char:30
+ ... tProvider = PackageManagement\Get-PackageProvider -Name $script:NuGet ...
+ CategoryInfo : ObjectNotFound: (Microsoft.Power...PackageProvider:GetPackageProvider) [Get-PackageProvider], Exception
+ FullyQualifiedErrorId : UnknownProviderFromActivatedList,Microsoft.PowerShell.PackageManagement.Cmdlets.GetPackageProvider
Install-Module : NuGet provider is required to interact with NuGet-based repositories. Please ensure that '2.8.5.201' or newer version of NuGet provider is installed.
At line:1 char:1
+ Install-Module PowershellGet -Force
+ CategoryInfo : InvalidOperation: (:) [Install-Module], InvalidOperationException
+ FullyQualifiedErrorId : CouldNotInstallNuGetProvider,Install-Module
How to Fix Unable to download from URI Error
The PowerShell Gallery only accepts TLS 1.2, and Windows PowerShell 5.1 does not use it by default, so the download of the NuGet provider fails. To fix this, first set the security protocol to TLS 1.2 in the same session, then install the MSOnline module:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-Module MSOnline
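The tenant-wide procedure (install the module, connect, disable directory synchronization) put together with the TLS 1.2 fix above and a retry loop for the "You cannot turn off Active Directory synchronization" error, as an added example that is not part of the original post. It also adds the two checks a practitioner wants around the cut-over: that password hash synchronization was actually on before sync is disabled (otherwise the newly cloud only users have no password), and that the tenant and its users really report as cloud only afterwards. It assumes Windows PowerShell 5.1 on the Azure AD Connect server, the ADSync module that ships with Azure AD Connect, and a Global Administrator sign-in; the retry count, wait times and the decision to stop the sync scheduler first are choices of this example.

```powershell
# Added example: disable directory synchronization for the whole tenant from the Azure AD
# Connect server, with pre-flight and post-flight checks. Assumes Windows PowerShell 5.1,
# the ADSync module (installed with Azure AD Connect) and a Global Administrator account.
$MaxAttempts      = 6      # assumption: how often to retry the disable call
$RetryDelaySec    = 300    # assumption: wait between retries
$VerifyTimeoutMin = 60     # assumption: how long to wait for the tenant to report "Disabled"

# 0. The PowerShell Gallery requires TLS 1.2; without this, Install-Module fails with the
#    "Unable to download from URI" / NuGet provider error.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
if (-not (Get-Module -ListAvailable -Name MSOnline)) {
    Install-Module MSOnline -Force
}
Import-Module MSOnline, ADSync -ErrorAction Stop
Connect-MsolService   # prompts for a Global Administrator sign-in

# 1. Pre-flight: password hashes must already be in Azure AD, or users will have no password
#    once they are cloud only. Also record how many accounts are currently synced.
$features = Get-ADSyncAADCompanyFeature
if (-not $features.PasswordHashSync) {
    throw "Password hash synchronization is not enabled. Enable it and let a full sync cycle complete before disabling directory sync."
}
$syncedBefore = @(Get-MsolUser -All | Where-Object { $_.LastDirSyncTime }).Count
Write-Host "Directory synced users before cut-over: $syncedBefore"

# 2. Stop the Azure AD Connect scheduler so no sync cycle runs during the cut-over.
Set-ADSyncScheduler -SyncCycleEnabled $false
do { Start-Sleep -Seconds 15 } while ((Get-ADSyncScheduler).SyncCycleInProgress)

# 3. Disable directory synchronization, retrying on DirSyncStatusChangeNotAllowedException
#    (the error the post hit on the first two attempts).
$attempt = 0
$disabled = $false
while (-not $disabled -and $attempt -lt $MaxAttempts) {
    $attempt++
    try {
        Set-MsolDirSyncEnabled -EnableDirSync $false -Force
        $disabled = $true
    }
    catch {
        if ($_.FullyQualifiedErrorId -like '*DirSyncStatusChangeNotAllowed*') {
            Write-Warning "Attempt ${attempt}: $($_.Exception.Message) Retrying in $RetryDelaySec seconds."
            Start-Sleep -Seconds $RetryDelaySec
        }
        else { throw }   # anything else (auth, permissions) is not worth retrying
    }
}
if (-not $disabled) { throw "Could not disable directory synchronization after $attempt attempts." }

# 4. Post-flight: wait until the tenant no longer reports a pending state, then count
#    accounts that still carry a directory sync timestamp.
$deadline = (Get-Date).AddMinutes($VerifyTimeoutMin)
do {
    Start-Sleep -Seconds 60
    $company = Get-MsolCompanyInformation
} until ($company.DirectorySynchronizationStatus -notlike 'Pending*' -or (Get-Date) -gt $deadline)
Write-Host "Tenant DirectorySynchronizationStatus: $($company.DirectorySynchronizationStatus)"

$stillSynced = @(Get-MsolUser -All | Where-Object { $_.LastDirSyncTime }).Count
if ($stillSynced -gt 0) {
    Write-Warning "$stillSynced of $syncedBefore accounts still show a LastDirSyncTime; the conversion may still be in progress. Re-run the check later."
}
else {
    Write-Host "All $syncedBefore previously synced accounts are now cloud only."
}
```

Run the pre-flight block on its own first if you are not sure password hash sync was on; once `Set-MsolDirSyncEnabled` has succeeded there is no on-premises password to fall back to, and the next step for every user would be a password reset.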
Password reset required after converting user accounts to cloud Only ?
After running the Set-MsolDirSyncEnabled -EnableDirSync $false command, all AD synced users are converted to cloud only users. A password reset is not required after this conversion: users can keep using the same password they had while the account was synced from on-premises Active Directory, provided password hash synchronization was enabled in Azure AD Connect so that the hashes were already in Azure AD. If the tenant relied on pass-through authentication or federation without password hash sync, the cloud accounts have no password and every user needs a reset.
However, from now on the user's password and all other account properties are managed in Microsoft 365 / Azure AD. For example, after converting all accounts to cloud only, a password change for any user must be made through the Microsoft 365 admin center, not in on-premises Active Directory.
When we converted a single on-premises user to cloud only, we used a different method, which involved moving the user to an excluded OU and then deleting and restoring the account. With the Set-MsolDirSyncEnabled -EnableDirSync $false command we disable directory synchronization completely, which requires neither restoring accounts nor resetting passwords: the password hashes were already synced from on-premises AD before the sync was disabled, so users continue with the same password.