Forum Discussion
Bulk change users from synced to cloud only
You can disable DirSync, move the users (domain) outside of the DirSync scope, clear their ImmutableIDs in the cloud and force a Full Sync. Another variation of the process, and one that does not involve disabling DirSync, is to delete them in O365, then restore them from the recycle bin. If you do it fast enough, no services will be impacted and the objects will be provisioned as "disconnectors", allowing you to manage them in the cloud. Newly created objects will steal sync from the on-premised AD though, so you should still configure filtering.
Hi Vasil,
Thanks for your reply. Am I correct that these would be the steps to follow?
1) disable DirSync via Set-ADSyncScheduler SyncCycleEnabled $false
2) Clear the immutableIDs of the accounts via Set-MSOLUser -UserPrincipalName username -ImmutableID "$null"
3) Run Azure AD Connect setup and remove the domain from the config
4) Re-enable the sync scheduler and run a full sync
Expected result: all accounts are now cloud accounts and have retained their last known password with no impact on user experience (no need to re-sign in in Outlook client, other office apps or outlook mobile app on Android)
Kind regards
Steve
No, step 1 should be disable DirSync on O365 side. Whether it's enabled on the AAD Connect server it makes no difference.
Oh wow that's quite an impact then seeing as this applies to about 50 users out of almost 2000... :-)
Also If I am not mistaken, you need to wait 72 hours to be sure it's really off and then re-enable it which can also, in theory, take up to 72 hours.
I tried the other way, to delete the user via O365 portal but system refuses since the account is still labeled 'synced with active directory'. The O365 portal tells me to delete user from on-prem AD which would be pointless since I can no longer reach that company's on-prem AD.
Would it work if I do it via powershell?
