Forum Discussion

Steve Hernou
Iron Contributor
Apr 10, 2018

Bulk change users from synced to cloud only

Good afternoon


We have Azure AD connect setup and it syncs about 10 different forests into 1 O365 tenant.

Now there is 1 company that wants to switch to pure cloud users but I'm not sure how to proceed to switch them all from 'synced with AD' to 'cloud user'.

If I understand correctly, if I just remove their domain from Azure AD by rerunning setup and changing the sync options, the users won't become cloud users but will instead be deleted.

To make matters worse, the company already broke the VPN link to our AAD so the domain is currently no longer syncing and I cannot, for example, create a separate OU in their on-prem AD, make sure that one does not sync and put the users in there (I think that would solve it as well).


Any ideas on how to obtain our goal without having all user accounts end up in deleted users and having to restore them 1 by 1 and assigning a new password?


Kind regards

Steve

  • You can disable DirSync, move the users (domain) outside of the DirSync scope, clear their ImmutableIDs in the cloud and force a Full Sync. Another variation of the process, and one that does not involve disabling DirSync, is to delete them in O365, then restore them from the recycle bin. If you do it fast enough, no services will be impacted and the objects will be provisioned as "disconnectors", allowing you to manage them in the cloud. Newly created objects will still sync from the on-premises AD though, so you should still configure filtering.

      Steve Hernou
      Iron Contributor

      Hi Vasil,


      Thanks for your reply. Am I correct that these would be the steps to follow?

      1) disable DirSync via Set-ADSyncScheduler -SyncCycleEnabled $false

      2) Clear the ImmutableIDs of the accounts via Set-MsolUser -UserPrincipalName username -ImmutableId "$null"

      3) Run Azure AD Connect setup and remove the domain from the config

      4) Re-enable the sync scheduler and run a full sync


      Expected result: all accounts are now cloud accounts and have retained their last known password with no impact on user experience (no need to re-sign in in Outlook client, other office apps or outlook mobile app on Android)


      Kind regards

      Steve

        VasilMichev
        MVP

        No, step 1 should be disable DirSync on O365 side. Whether it's enabled on the AAD Connect server it makes no difference.
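The procedure as discussed in the thread, with Vasil's correction applied (directory sync is disabled on the tenant side first, not just the scheduler on the AAD Connect server), written out as an added PowerShell example. This is not code from either poster; it assumes the MSOnline module is installed, Connect-MsolService has already been run as a Global Admin, and the placeholder domain name contoso.example stands for the verified domain of the company that is leaving AD sync.

```powershell
# Added example, not from the original thread.
# Assumed: MSOnline module loaded, Connect-MsolService already done as Global Admin.
$Domain = 'contoso.example'   # placeholder: the domain being converted to cloud-only

# Step 1: disable directory synchronization on the Office 365 tenant itself.
# Note this is tenant-wide, so it affects every forest feeding this tenant.
Set-MsolDirSyncEnabled -EnableDirSync $false -Force

# Wait until the tenant actually reports DirSync as disabled before clearing
# ImmutableIds; the change is not instant.
do {
    Start-Sleep -Seconds 300
    $company = Get-MsolCompanyInformation
} while ($company.DirectorySynchronizationEnabled)

# Step 2: clear the ImmutableId on every still-synced user in that domain.
# A user with a non-null ImmutableId is one Azure AD still treats as synced;
# cloud-only users already have $null here, so they are skipped.
$synced = Get-MsolUser -DomainName $Domain -All | Where-Object { $_.ImmutableId }

foreach ($u in $synced) {
    Write-Host "Clearing ImmutableId for $($u.UserPrincipalName)"
    Set-MsolUser -UserPrincipalName $u.UserPrincipalName -ImmutableId "$null"
}

# Check: nothing in the domain should carry an ImmutableId any more.
$left = Get-MsolUser -DomainName $Domain -All | Where-Object { $_.ImmutableId }
if ($left) {
    throw "Still marked as synced: $($left.UserPrincipalName -join ', ')"
}

# Steps 3 and 4 run on the AAD Connect server, after the domain has been
# removed from the sync scope in the Azure AD Connect wizard, so that the
# other forests resume syncing and the converted domain stays out of scope:
#   Set-MsolDirSyncEnabled -EnableDirSync $true -Force
#   Set-ADSyncScheduler -SyncCycleEnabled $true
#   Start-ADSyncSyncCycle -PolicyType Initial
```

Run the ImmutableId loop only after the wait loop exits; clearing ImmutableIds while the tenant still considers DirSync enabled is what the "step 1" correction in the thread is about. Because disabling DirSync is tenant-wide, the other nine forests stop syncing for the duration, so the filtering change on the AAD Connect server and the re-enable should follow promptly.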
