Convert Synced user to In Cloud Only User Account on Office365

Overview

When users are synced from your on-premises Active Directory to Azure Active Directory (AAD) using the Azure AD Connect application, the user account's sync status in Office 365 shows as "Synced from on-premises" with the directory-sync icon. In the next sections of this blog we will see how to convert one synced user to an In Cloud only user; if you want to convert all synced users to In Cloud only users at once, jump to the section "How to Convert All AD Synced users to In Cloud Only Users".

Convert one synced user to In Cloud only user

  • Move the user that you want to convert to In Cloud to an OU in the on-premises Active Directory that is excluded from sync to AAD. Make sure the OU is unchecked for sync in Azure AD Connect. (Note: if you selected the option "Sync all domains and OUs" in Azure AD Connect, launch Azure AD Connect -> Customize synchronization options -> Domain and OU Filtering page -> select "Sync selected domains and OUs" and deselect the OU that you do not want to sync to Azure AD.)
  • Run a delta sync from the Azure AD Connect server:
Start-ADSyncSyncCycle -PolicyType delta

  • After the delta sync completes, the link between this user and Azure AD breaks and the user account in Office 365 is moved to Deleted Users (as shown in the screenshot below). [Note: no data is lost when the account is moved to Deleted Users; Microsoft keeps a deleted user account and its data for 30 days, and in our case we restore it within a short period, so there is no need to worry about the account sitting in Deleted Users. However, when we restore the user in the next step the user's password must be reset, which will disrupt email access on PCs and mobile phones, and other Office 365 services will be affected as well. Share the new password with the user so they can update it in Outlook on their Windows PC and in the mail app on their mobile phone.]
  • Select the user and click Restore User. You are then asked to auto-generate a password or provide your own, which resets the user's password. You also have the option to require the user to change the password at first sign-in. The screenshot below shows the options presented while restoring the user account; choose the ones that suit you and click the Restore button at the bottom of the page.
  • Once you have restored the user account, it shows under Users -> Active Users in Office 365. Notice that the icon in the Sync Status column has changed to a cloud symbol, which means the account is now a cloud-only account.
  • As a best practice, clear the Immutable ID of the user in Office 365 (set it to $null) using the command below. The Immutable ID is the anchor that ties the cloud account to the on-premises object, so clearing it ensures the account cannot be hard-matched back to on-premises AD later.
Set-MSOLUser -UserPrincipalName info@techpress.net -ImmutableID "$null"
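The whole single-user procedure above, as an added PowerShell example (not code from the original post). It assumes it runs on the Azure AD Connect server with the ActiveDirectory, ADSync and MSOnline modules available, that the target OU is already excluded in Azure AD Connect filtering, and uses placeholder names for the user and the OU.

```powershell
# Added example: convert one synced user to cloud-only by moving it out of sync
# scope, letting the cloud object be soft-deleted, restoring it, resetting its
# password and clearing the ImmutableId. Placeholder values below.
Import-Module ActiveDirectory, ADSync, MSOnline
Connect-MsolService

$Upn        = 'user@example.com'                 # user to convert (placeholder)
$ExcludedOu = 'OU=NoSync,DC=example,DC=com'      # OU excluded from sync in Azure AD Connect (placeholder)

# 1. Move the on-prem object into the OU that Azure AD Connect does not sync.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'"
if (-not $adUser) { throw "On-prem user $Upn not found" }
Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $ExcludedOu

# 2. Run a delta sync so the object goes out of scope in Azure AD.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

# 3. Wait for the cloud account to land in Deleted Users (poll for up to ~10 minutes).
$deleted = $null
for ($i = 0; $i -lt 20 -and -not $deleted; $i++) {
    Start-Sleep -Seconds 30
    $deleted = Get-MsolUser -UserPrincipalName $Upn -ReturnDeletedUsers -ErrorAction SilentlyContinue
}
if (-not $deleted) { throw "$Upn did not appear in Deleted Users; check the OU filtering and sync scope" }

# 4. Restore the account, then reset the password. Omitting -NewPassword makes
#    Azure AD generate a random one and return it (the portal's "auto-generate" option);
#    the user must then update Outlook and mobile mail, as the post notes.
Restore-MsolUser -UserPrincipalName $Upn
$newPassword = Set-MsolUserPassword -UserPrincipalName $Upn -ForceChangePassword $true

# 5. Clear the ImmutableId so the account can no longer be hard-matched to an
#    on-prem object, then confirm it is cloud-only (no LastDirSyncTime, no ImmutableId).
Set-MsolUser -UserPrincipalName $Upn -ImmutableId "$null"
$cloud = Get-MsolUser -UserPrincipalName $Upn
if ($cloud.LastDirSyncTime -or $cloud.ImmutableId) {
    Write-Warning "$Upn still carries sync attributes: LastDirSyncTime=$($cloud.LastDirSyncTime) ImmutableId=$($cloud.ImmutableId)"
} else {
    Write-Host "$Upn is now cloud-only. Temporary password (hand over out of band): $newPassword"
}
```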

Things to Note:

This process disrupts the user, because the account and its identity management have moved to Azure AD with a new password. If the user was using Outlook on a PC or email on a mobile phone, they will need to update the password in those apps to continue working.


How to Convert All AD Synced users to In Cloud Only Users

In the previous section of this blog post, we saw how to convert a single on-premises AD synced user to an In Cloud only user. The process is simple and needs only a few steps, but it requires the user's password to be reset after the conversion. In this section, we will see how to convert all synced users to In Cloud only users at once. You would normally perform this step when you want to decommission the Azure AD Connect server and manage all users from Azure AD only. When we say In Cloud only users, we mean that the user's account and all its associated properties are managed via Azure Active Directory.

Before running the command to disable directory synchronization, let's see how our user accounts look in the Microsoft 365 portal and confirm that we can log in with one of the user accounts to verify the password. As you can see from the screenshot below, the Sync Status column shows the AD sync icon, which means these accounts are being synced from on-premises Active Directory to Azure Active Directory. I also logged in to https://portal.office.com with the credentials of one of the user accounts to confirm that the user's credentials work.

To convert all AD synced users to In Cloud users, run the command Set-MsolDirSyncEnabled -EnableDirSync $false on the on-premises server where Azure AD Connect is installed. Before running this command you need to install the MSOnline PowerShell module, otherwise the command will not be recognized. To install the MSOnline module, run the PowerShell command below.

Install-module MSOnline

You may get the error below after running Install-Module MSOnline. If you do not get this error and have already installed the MSOnline module on your system, jump to the section Disable Directory Synchronization.

NuGet provider is required to continue
PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or 'C:\Users\administrator.EXOIP\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and import the NuGet provider now?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y

WARNING: Unable to download from URI 'https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409' to ''.
WARNING: Unable to download the list of available providers. Check your internet connection.
PackageManagement\Install-PackageProvider : No match was found for the specified search criteria for the provider 'NuGet'. The package provider requires 'PackageManagement' and 'Provider' tags. Please check if the specified package has the tags.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7405 char:21
+ ... $null = PackageManagement\Install-PackageProvider -Name $script:N ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (Microsoft.Power...PackageProvider:InstallPackageProvider) [Install-PackageProvider], Exception
    + FullyQualifiedErrorId : NoMatchFoundForProvider,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackageProvider
PackageManagement\Import-PackageProvider : No match was found for the specified search criteria and provider name 'NuGet'. Try 'Get-PackageProvider -ListAvailable' to see if the provider exists on the system.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7411 char:21
+ ... $null = PackageManagement\Import-PackageProvider -Name $script:Nu ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (NuGet:String) [Import-PackageProvider], Exception
    + FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.ImportPackageProvider
WARNING: Unable to download from URI 'https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409' to ''.
WARNING: Unable to download the list of available providers. Check your internet connection.
PackageManagement\Get-PackageProvider : Unable to find package provider 'NuGet'. It may not be imported yet. Try 'Get-PackageProvider -ListAvailable'.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7415 char:30
+ ... tProvider = PackageManagement\Get-PackageProvider -Name $script:NuGet ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Microsoft.Power...PackageProvider:GetPackageProvider) [Get-PackageProvider], Exception
    + FullyQualifiedErrorId : UnknownProviderFromActivatedList,Microsoft.PowerShell.PackageManagement.Cmdlets.GetPackageProvider
Install-Module : NuGet provider is required to interact with NuGet-based repositories. Please ensure that '2.8.5.201' or newer version of NuGet provider is installed.
At line:1 char:1
+ Install-Module PowershellGet -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Install-Module], InvalidOperationException
    + FullyQualifiedErrorId : CouldNotInstallNuGetProvider,Install-Module

How to Fix Unable to download from URI Error

To fix this error, first run the command below to set the security protocol to TLS 1.2 (the PowerShell Gallery only accepts TLS 1.2 connections, and Windows PowerShell 5.1 does not enable it by default), then install the MSOnline module.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Install-Module MSOnline

Disable Directory Synchronization

Set-MsolDirSyncEnabled -EnableDirSync $false

You may get the error message below when running the above command: Set-MsolDirSyncEnabled : You cannot turn off Active Directory synchronization. I did nothing to resolve this other than waiting for 1 hour and running the command again, as shown in the screenshot below. It may take more or less time for you depending on the backend Azure AD sync status; no action is required on your side. Try the command again after 1 hour, and if it still does not work keep trying at 1-2 hour intervals; the command will eventually succeed.

Set-MsolDirSyncEnabled : You cannot turn off Active Directory synchronization.
At line:1 char:1
+ Set-MsolDirSyncEnabled -EnableDirSync $false
+ ~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Set-MsolDirSyncEnabled], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.DirSyncStatusChangeNotAllowedException,Microsof

Let's now check the sync status of our user accounts in the Microsoft 365 admin center. As you can see, within a few minutes all user accounts are converted to In Cloud accounts, and the Sync Status column shows a cloud icon next to each one, confirming that the accounts are no longer managed by on-premises Active Directory.
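The tenant-wide procedure above (TLS 1.2 fix, MSOnline install, disabling sync with retries for the "cannot turn off" error, then checking the sync status) as one added PowerShell script; it is not code from the original post. It assumes it runs on the Azure AD Connect server with global admin credentials, and that hourly retries are acceptable. Note that Microsoft has since deprecated the MSOnline module in favour of Microsoft Graph PowerShell, and that disabling directory synchronization is tenant-wide and not quickly reversible.

```powershell
# Added example: turn off directory sync for the whole tenant, retrying while
# Azure AD still refuses the change, then verify that every user is cloud-only.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12   # avoids the NuGet download failure
if (-not (Get-Module -ListAvailable -Name MSOnline)) { Install-Module MSOnline -Force }
Import-Module MSOnline
Connect-MsolService

# Snapshot the synced users first; this is the set we expect to become cloud-only.
$synced = @(Get-MsolUser -All | Where-Object { $_.LastDirSyncTime })
Write-Host "$($synced.Count) users are currently synced from on-prem AD"
$synced | Select-Object UserPrincipalName, LastDirSyncTime, ImmutableId |
    Export-Csv -Path "synced-users-before-$(Get-Date -Format yyyyMMdd-HHmm).csv" -NoTypeInformation

# Disable sync. The "You cannot turn off Active Directory synchronization" error is
# transient; the post recommends retrying at 1-2 hour intervals, so poll hourly.
$maxAttempts = 12
for ($attempt = 1; $attempt -le $maxAttempts; $attempt++) {
    try {
        Set-MsolDirSyncEnabled -EnableDirSync $false -Force -ErrorAction Stop   # -Force skips the confirmation prompt
        Write-Host "Directory synchronization disable request accepted on attempt $attempt"
        break
    } catch {
        Write-Warning "Attempt $attempt/$maxAttempts failed: $($_.Exception.Message)"
        if ($attempt -eq $maxAttempts) { throw }
        Start-Sleep -Seconds 3600
    }
}

# Tenant-level status: expect DirectorySynchronizationEnabled = False, with the
# status moving from PendingDisabled to Disabled as the backend catches up.
$company = Get-MsolCompanyInformation
Write-Host "DirectorySynchronizationEnabled = $($company.DirectorySynchronizationEnabled); status = $($company.DirectorySynchronizationStatus)"

# User-level check: a cloud-only account has no LastDirSyncTime.
$stillSynced = @(Get-MsolUser -All | Where-Object { $_.LastDirSyncTime })
if ($stillSynced.Count -gt 0) {
    Write-Warning "$($stillSynced.Count) users still show LastDirSyncTime; re-check after the status reaches Disabled"
} else {
    Write-Host "All users are cloud-only; Azure AD Connect can now be decommissioned"
}
```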

Do users have to reset their password after converting synced user accounts to In Cloud users?

The answer is no. Users do not have to reset their password after conversion to In Cloud user accounts. They can continue to use the same password they were using while the account was synced from on-premises Active Directory to Azure Active Directory. However, from now on the user's password and all associated account properties are managed via Microsoft 365 / Azure AD. For example, after you have converted all user accounts to In Cloud accounts, to change the password of any user account you must change it in the Microsoft 365 admin center or Azure Active Directory, not in on-premises Active Directory.

Conclusion

When we converted one on-premises user account to an In Cloud only user at the beginning of this blog, we used a different method of conversion, which involves moving the user to a different OU and then deleting and restoring the user account. When we use the Set-MsolDirSyncEnabled -EnableDirSync $false command, we disable directory synchronization completely, which requires neither restoring user accounts nor resetting users' passwords. The password hashes were already synced from on-premises AD before the sync was disabled, so users can continue to use the same password.

7 thoughts on “Convert Synced user to In Cloud Only User Account on Office365”

    • Set-MsolDirSyncEnabled -EnableDirSync $false command is used to switch off directory sync and convert all synced users to In-Cloud users. When a user is converted to In-Cloud, it will be fully managed via Azure AD and not on-prem AD.
      Once all users are converted to In-Cloud Users, you can remove Azure AD Connect from On-Prem Server.

      • But will all the user accounts still showing the premise icon be deleted in 365 and then need to be restored? Think that is the piece I am missing.

        • Hi Lance, no, the accounts will not be removed and do not need to be restored. They will be converted to In Cloud accounts once the command Set-MsolDirSyncEnabled -EnableDirSync $false is run.

          • Hi Wil, Password reset is not required after converting all user accounts to In Cloud user accounts. I have also updated the blog post related to this and some more information on it. Hope this helps.
