When you have users synced from your on-premises Active Directory to Azure Active Directory (AAD) using the Azure AD Connect application, the user account sync status in Office 365 shows as "Synced from on-premises", with the on-premises sync symbol in the Sync Status column. There are a few steps which need to be followed to convert such a user account to In Cloud.
- Move the user you want to convert to In Cloud to an OU in on-premises Active Directory that is excluded from sync to AAD. Make sure the OU is unchecked for sync in Azure AD Connect. (Note: if you selected the option “Sync all domains and OUs” in Azure AD Connect, launch Azure AD Connect -> Customize synchronization options -> Domain and OU Filtering page -> select “Sync selected domains and OUs” to configure the OU which you do not want to sync to Azure AD.)
- Once you have moved the user to the correct OU, you can either wait for Azure AD Connect to process the next sync cycle or force a delta sync on the Azure AD Connect server using the command below. This starts the sync process between on-premises Active Directory and Azure AD.
Start-ADSyncSyncCycle -PolicyType delta
- After the delta sync completes, the link between this user and Azure AD is broken and the user account in Office 365 is moved to Deleted Users (as shown in the screenshot below). [Note: No data is lost when the user account is moved to Deleted Users; Microsoft keeps a deleted user account and its data for 30 days, and in our case we are going to restore it within a short period of time, so there is no need to worry about the account sitting in Deleted Users. However, when we restore the user in the next step the user's password needs to be reset, which will disrupt email access on the PC and mobile phone, and other Office 365 services will be affected as well. You can share the new password with the user for updating in Outlook on the Windows PC and in the email app on the mobile phone.]
- Select the user and click Restore User. You will then be asked to auto-generate a password or to provide your own password and reset it. Additionally, you have the option to require the user to change the password at first sign-in. The screenshot below shows the options you get while restoring the user account. Choose the options suitable to you and click the Restore button at the bottom of the page.
- Once you have restored the user account, it will show under Users -> Active Users in Office 365. Notice that the icon in the Sync Status column has changed to a cloud symbol, which means the user account is now a cloud-only account.
- As a best practice, update the Immutable ID for the user in Office 365 to $null using the command below.
Set-MSOLUser -UserPrincipalName email@example.com -ImmutableID "$null"
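The whole conversion above as one script with a check after each step, added here as an example that is not part of the original post. It assumes it runs on the Azure AD Connect server with the ActiveDirectory, ADSync and MSOnline modules installed and Connect-MsolService already done; the UPN and the DN of the excluded OU are placeholders.

```powershell
# Added example (not from the original post). Placeholders: the user's UPN and the
# DN of the OU that is excluded from sync in Azure AD Connect.
$Upn        = 'user@example.com'
$ExcludedOu = 'OU=NoSync,DC=corp,DC=example,DC=com'

# Step 1: move the on-premises object into the OU that Azure AD Connect does not sync,
# then confirm the move actually landed there (a typo in the DN would leave it synced).
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'"
if (-not $adUser) { throw "No on-premises user with UPN $Upn" }
Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $ExcludedOu
$moved = Get-ADUser -Identity $adUser.ObjectGUID
if ($moved.DistinguishedName -notlike "*,$ExcludedOu") { throw 'Move failed; user is still in a synced OU' }

# Step 2: force a delta sync and wait until the scheduler reports the cycle has finished.
Start-ADSyncSyncCycle -PolicyType delta | Out-Null
do { Start-Sleep -Seconds 15 } while ((Get-ADSyncScheduler).SyncCycleInProgress)

# Step 3: the object should now be a soft-deleted user in Azure AD. Stop if it is not,
# because restoring an account that is still synced would not break the link.
$deleted = Get-MsolUser -UserPrincipalName $Upn -ReturnDeletedUsers -ErrorAction SilentlyContinue
if (-not $deleted) { throw "$Upn is not in Deleted Users yet; check OU filtering and the sync result" }

# Step 4: restore the account as cloud-only and set a new password, forcing a change at
# first sign-in. The password is read interactively so it never sits in the script.
Restore-MsolUser -UserPrincipalName $Upn
$newPassword = Read-Host -Prompt 'New password for the restored user'
Set-MsolUserPassword -UserPrincipalName $Upn -NewPassword $newPassword -ForceChangePassword $true

# Step 5: clear the ImmutableId so the object is no longer tied to the on-premises GUID,
# then verify. The string "$null" is the form the post uses; it is what clears the
# attribute in MSOnline, where a bare $null is not applied.
Set-MsolUser -UserPrincipalName $Upn -ImmutableId "$null"
$cloudUser = Get-MsolUser -UserPrincipalName $Upn
if ($cloudUser.ImmutableId) { throw "ImmutableId is still set to $($cloudUser.ImmutableId)" }
Write-Output "$Upn is now a cloud-only account; share the new password with the user out of band."
```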
Things to Note:
This process will cause disruption to the user, because identity management for the account has now moved to Azure AD with a new password. If the user was using Outlook on a PC or email on a mobile phone, they will need to update the password in those apps to continue working.