Forum Discussion
Convert On-Prem AD Users from Office 365/Azure AD to In-Cloud accounts
I moved the user to an unsynced OU but it kept getting deleted every few minutes when dirsync ran.
Steps I did:
1. Move user to unsynced OU
2. Ensured AAD sync was not including that OU
3. User will be deleted from Azure AD
4. Connect to Azure AD via powershell
5. Run: Get-MsolUser -ReturnDeletedUsers | Restore-MsolUser
6. Run: Set-MsolUser -UserPrincipalName test.user@example.com -ImmutableID ""
no more being logged out every time sync runs
crice011 We are getting an error "You must provide a required property: Paramet name: FeeratedUser.SourceAnchor" So we have to set the domain to a managed domain domain.onmicrosoft.com then we can set the ImmutableID to Null, we can't change it back to the domain.com after.
Jamie Luce, I'm sorry but that scenario is not possible.
If I understood correctly, you want to make resource rooms cloud-only so that you can authenticate directly to Office 365 (Azure AD). The authentication (managed/federated) is defined per domain, so despite that users can be cloud-only, the authentication remains the same.
However, you can give these resource rooms (users) another domain (resource.domain.com etc.), which is not federated. Then give them an alias with original domain. With this scenario, you could sync them from on-prem AD and still use the original domain to reserve rooms.
For the AD-removal-deletion issue, I think you need to do the following:
- Remove the user from AD (or move to OU that is not synced)
- User gets deleted from Azure AD -> restore the user
- Change UPN to @domain.onmicrosoft.com
- Clear the immutableId and run the sync (or wait until it is run)
- Set immutableid to something unique, such as user's email address
- Change UPN back to original
Nestori Syynimaa We have some resource rooms that need to be licensed and have a password, but the Resource Manager that we use cannot handle Multifactor Authentication. We had these rooms syncing from on prem before but now we just need them to be cloud to take them out of Multifactor (Ping Federate). We are creating all new Resources as cloud accounts directly but we didn't want to lose the info on the ones we were already using, so we deleted the AD account on prem, then restored it as a Cloud Account.
Then ran into the sync problems with it being removed since it still thought it was a deleted account. I'm interested in those instructions if you could PM them to me. Thanks
Jamie Luce, I'm not quite sure why you need to convert federated users to in-cloud, as they are (typically) synchronized from on-prem AD and are depending on the federation server?
Anyways, there can also be cloud-only federated users, so you can change the UPN back to domain.com. You just need to give immutableId that matches the value your federation server is offering for the user when he/she logs in.
So, this is possible but not very practical and needs some setup to do in your federation server. If you'd like to give it a try, let me know and I'll give you detailed instructions.
Jamie Luce I don't think you can set the immutableID to null unless it is a managed domain so that is likely why you can't change back to federated.
Maybe try https://answers.microsoft.com/en-us/msoffice/forum/msoffice_o365admin/matching-on-premises-user-to-cloud-user/f2a52719-24d2-4436-a257-fc3e60714c65 and see if that fixes it
