Convert On-Prem AD Users from Office 365/Azure AD to In-Cloud accounts

Jamie Luce, I'm sorry but that scenario is not possible.

If I understood correctly, you want to make resource rooms cloud-only so that you can authenticate directly to Office 365 (Azure AD). The authentication (managed/federated) is defined per domain, so despite that users can be cloud-only, the authentication remains the same. 

However, you can give these resource rooms (users) another domain (resource.domain.com etc.), which is not federated. Then give them an alias with original domain. With this scenario, you could sync them from on-prem AD and still use the original domain to reserve rooms.

For the AD-removal-deletion issue, I think you need to do the following:

1. Remove the user from AD (or move to OU that is not synced)
2. User gets deleted from Azure AD -> restore the user
3. Change UPN to @domain.onmicrosoft.com
4. Clear the immutableId and run the sync (or wait until it is run)
5. Set immutableid to something unique, such as user's email address
6. Change UPN back to original

Nestori Syynimaa We have some resource rooms that need to be licensed and have a password, but the Resource Manager that we use cannot handle Multifactor Authentication.  We had these rooms syncing from on prem before but now we just need them to be cloud to take them out of Multifactor (Ping Federate).  We are creating all new Resources as cloud accounts directly but we didn't want to lose the info on the ones we were already using, so we deleted the AD account on prem, then restored it as a Cloud Account.  

Then ran into the sync problems with it being removed since it still thought it was a deleted account.  I'm interested in those instructions if you could PM them to me.  Thanks

Jamie Luce, I'm not quite sure why you need to convert federated users to in-cloud, as they are (typically) synchronized from on-prem AD and are depending on the federation server?

Anyways, there can also be cloud-only federated users, so you can change the UPN back to domain.com. You just need to give immutableId that matches the value your federation server is offering for the user when he/she logs in.

So, this is possible but not very practical and needs some setup to do in your federation server. If you'd like to give it a try, let me know and I'll give you detailed instructions.

Jamie Luce I don't think you can set the immutableID to null unless it is a managed domain so that is likely why you can't change back to federated.  

Maybe try https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin/matching-on-premises-user-to-cloud-user/f2a52719-24d2-4436-a257-fc3e60714c65 and see if that fixes it

crice011 We are getting an error "You must provide a required property:  Paramet name:  FeeratedUser.SourceAnchor"  So we have to set the domain to a managed domain domain.onmicrosoft.com then we can set the ImmutableID to Null, we can't change it back to the domain.com after.  

Thats good news...!

It is working. I did so last night with 2 users. They were successfully converted to Azure AD users (cloud users) that used to be sync'd from on-prem by nulling the ImmutableID

I did log a ticket with MS last few weeks ago, they also said they will revert back the changes. I am wondering if they already did?

Anyone can confirm it is now working again? (I am too lazy to test..LOL).

Jessie_Hernandez seems to be answering to a totally different thing than what was asked. Yes, you can link the existing Azure AD user to a different on-prem AD user using the ms-DS-consitencyGUID attribute. But you cannot use it to make users cloud-only (which was the original question).

The method suggested by RedRobot works, because you can change the ImmutableId when the sync is not enabled. However, this is a very heavy method if needs to be done daily. But as said, it works.

I thought everyone else said -ImmutableID does not work anymore?
Can anyone confirm this? Or have you tried this?