Forum Discussion
Convert On-Prem AD Users from Office 365/Azure AD to In-Cloud accounts
Hi
I have tried removing the user and re-adding; however, this prompts me for a new password. Is there a way to move the user account from On-Prem AD to Azure AD?
Currently the users I want are using AD Connect; however, most of the users do not need full AD accounts, just email, which is in Office 365. So we want to remove them from the local network only but keep them in Azure AD.
Any ideas?
Paul
Brent is correct if you only need to convert a few accounts. When you recover the deleted user, it will ask you to set a new password since it is now "In Cloud" and not managed by your local AD sync.
It should also reconnect to the previously associated mailbox. You will have to provide the new temp password to your user and have them change at first logon.
If you need to convert all to cloud, then the disabling of AAD Sync is the way to go.
- Admin 365, Apr 12, 2018, Copper Contributor
Hi,
we have been using that method successfully in the past.
Weirdly, now some users get deleted and need to be recovered repeatedly (within 10-30 minutes).
Unfortunately I haven't been able to identify what made these deletions stop.
Anyone experiencing this?
Thanks
Rocky
- Ian Atkinson, Apr 13, 2018, Copper Contributor
This is happening for me as well, only tried it today for the first time.
The user re-deletes when the dirsync runs, happened twice in a row.
- Michael Donovan, Apr 13, 2018, Brass Contributor
The latest batch I did, I blocked the credential immediately after undeleting the account. I did this yesterday and the accounts are still there. I would be interested in knowing if this works for anyone else.
Get-MsolUser -UserPrincipalName <useraccount> | Set-MsolUser -BlockCredential $true
- Michael Donovan, Apr 12, 2018, Brass Contributor
I had the same thing happen. They quickly restored. Oddly enough, these were shared mailboxes. For a regular user, I could see this happening if there were no license; in fact I think this is designed behavior.
I am especially concerned about mailboxes that hit the 30 day deletion time. Have you had any go that long? This is why I haven't yet done a large implementation; still testing.
- Admin 365, Apr 12, 2018, Copper Contributor
Hi,
I had it stop within the day. I've tried to reproduce the behavior.
It seems, that it stops when I do the following:
1) On the local server, remove the user from the Azure Synchronization group
2) reactivate on Office365 (user now "in cloud")
- User keeps being deleted
3) rejoin the user to the sync group on the local server (user is now "AD synced")
4) remove from sync group
5) reactivate on Office365 (user now "in cloud").
- So far it works for the latest user I have been moving today.
Edit: I guess I jinxed it, user is deleted again.
- Nov 19, 2017
If you only need to do this for a subset of accounts, you can simply move users to an OU which is not synced (assuming that you've configured to sync only selected OUs). After the sync runs, users are "deleted" from cloud. Run the following command to restore the users.
Get-MsolUser -ReturnDeletedUsers | Restore-MsolUser
With this scenario, users are restored "as they were", so there is no need to give a new password. However, you should notice that if users are changing their passwords, they must follow the Office 365 password policy (8-16 characters etc.).
- somaji, Feb 02, 2023, Brass Contributor
We used the procedure to 'move AD users to an OU which was not selected for sync in the ADSync utility', hence deleting the user and restoring them in AzureAD through the Admin portal.
As each user was migrated, the ADSync utility (as expected) had an error for each user:
This error indicates that a deleted object was recovered from the recycle bin in Azure AD before Azure AD Connect was able to confirm its deletion. Please delete the recovered object in Azure AD to fix this issue.
I imagine this is for each user in AzureAD for which the complement account was not found in AD.
Is there a solution to this issue?
- Jessie_Hernandez, Mar 02, 2023, Brass Contributor
Prior to restoring the deleted user you have to do one more Delta Run in AAD Connect. The Delta run will import the AAD directory with the user in a deleted state. After that run you can then safely restore the user in AAD.
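As an added example (not code from the thread, from Microsoft, or from any of the posters), here is the Nov 19, 2017 procedure with the extra delta run this reply calls for, scripted end-to-end so the restore only happens once AAD Connect has recorded the deletion. It assumes the ActiveDirectory, ADSync and MSOnline modules are available on the Azure AD Connect server with an active Connect-MsolService session, that the target OU is already excluded from sync, and that $Upn and $NonSyncedOU are placeholders you supply.

```powershell
# Added example, not from the thread. Placeholders: $Upn, $NonSyncedOU.
param(
    [Parameter(Mandatory)] [string]$Upn,
    [Parameter(Mandatory)] [string]$NonSyncedOU   # e.g. "OU=CloudOnly,DC=example,DC=local"
)

function Wait-ADSyncIdle {
    # Poll the scheduler so nothing below runs while a sync cycle is still in progress.
    while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 15 }
}

# 1) Move the on-prem object out of sync scope.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" -ErrorAction Stop
Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $NonSyncedOU

# 2) First delta run: AAD Connect exports the deletion to Azure AD.
Wait-ADSyncIdle
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
Wait-ADSyncIdle

# 3) Second delta run (the step this reply adds): AAD Connect imports the tenant
#    and records the object as deleted, so the restore is not seen as an
#    unconfirmed recovery from the recycle bin on the next cycle.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
Wait-ADSyncIdle

# 4) Refuse to restore unless the account really is in the deleted-users container.
$deleted = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $Upn -ErrorAction SilentlyContinue
if (-not $deleted) { throw "$Upn is not in the deleted-users container; not restoring." }

# 5) Restore as an in-cloud account; the mailbox and its aliases come back with it.
Restore-MsolUser -UserPrincipalName $Upn

# 6) Report the fields an admin should inspect afterwards: a cloud-only object
#    should stop receiving sync updates, so LastDirSyncTime must not advance.
$restored = Get-MsolUser -UserPrincipalName $Upn
[pscustomobject]@{
    Upn             = $restored.UserPrincipalName
    LastDirSyncTime = $restored.LastDirSyncTime
    ImmutableId     = $restored.ImmutableId
    BlockCredential = $restored.BlockCredential
}
```

Microsoft has since retired the MSOnline module; the same flow maps onto Microsoft Graph PowerShell, where Restore-MgDirectoryDeletedItem takes the place of Restore-MsolUser.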
- Michael Donovan, Apr 10, 2018, Brass Contributor
This method worked great for me. We are converting our shared mailboxes to be native in the cloud (for a lack of a better. It pulls over everything...email aliases, forwarders, delegations etc. Great stuff!