Separate On-Prem Account from Sync' Office 365 Account

Hi, I have a company that has some users that are on-prem, and have an account in Active Directory. This company ALSO has a lot of mobile users that do NOT have/need an on-prem Active Directory account, but they do have an Office 365 account. (I'm not sure this is the optimal setup, but it is what it is for now).

There is a user that no longer needs an on-prem AD account, but she needs to keep her Office 365 account.  Is there any way I can delete her on-prem account, and have it not 'break' her Office 365 account?  Essentially, I need to separate her from the on-prem AD, but keep her Office 365 account working properly.

Thanks for any advice

6 Replies
The only supported way to do this is to disable dirsync, move her user outside of the sync scope, re-enable dirsync. A faster, albeit unsupported method is to temporarily delete the account in Office 365, then recover it from the Recycle bin therein. Once that's done, the account is considered a "disconnector" and you can remove the on-premises user. But again, not a supported scenario, use at your own risk.

Thanks, that's awesome.

The first option you mentioned seems by far the most efficient, and almost 'too easy'.

I could easily move that user account out of the OU that is being synchronized.

Then, presumably the account could be deleted.

Why do I have to disable dirsync as part of this process, as opposed to simply moving the account to a non-synchronized OU?  Sorry if that is a dumb question - I'm new to this process.

@Vasil Michev 

Just moving the object to a different (out of scope) OU won't break the link with O365, in fact it will result in the O365 object being deleted. And to "break the link", the only supported method is disabling dirsync altogether.

OK, so let me make sure I understand:
1. Moving the user out of the 'sync' OU to a 'non-sync' OU will result in the O365 object being deleted.
2. Stopping dirsync, then moving the user like in step #1, and then starting dirsync, will result in the user link being broken?

I think I am missing something but I want to confirm. Thanks so much @Vasil Michev

Yes. Technically, in scenario 2 the user will still be stamped with the ImmutableID of the on-premises object, but that's only "cosmetic".

Thanks. I never thought there would have been a difference between moving the object while dirsync was active, and when it was disabled. I would have guessed that dirsync would have simply detected the missing account upon startup, and O365 would have proceeded with the delete of the account. Your explanation is certainly a learning experience for me!
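
The supported sequence from the first reply (disable dirsync, move the user out of the sync scope, re-enable dirsync), written out as an added example that is not part of the thread. It assumes the legacy MSOnline module and the ActiveDirectory module; the UPN and target OU are constructed placeholders.

```powershell
# Added example, not from the thread. Placeholder values are constructed.
$Upn      = 'user@example.com'               # placeholder: the user to detach
$NoSyncOU = 'OU=NoSync,DC=example,DC=com'    # placeholder: an OU outside the sync scope

Import-Module MSOnline, ActiveDirectory
Connect-MsolService

# 1. Record the starting state of the cloud account for later comparison.
$before = Get-MsolUser -UserPrincipalName $Upn
$before | Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime

# 2. Disable directory synchronization. This is a tenant-wide setting, so it
#    affects every synced object, not only this user. Wait until the tenant
#    reports the change as complete before touching the on-prem object.
Set-MsolDirSyncEnabled -EnableDirSync $false -Force
while ((Get-MsolCompanyInformation).DirectorySynchronizationStatus -ne 'Disabled') {
    Start-Sleep -Seconds 300
}

# 3. Only now move the on-prem account out of the synchronized OU. Doing this
#    while sync is still active would delete the Office 365 object instead.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$Upn'"
if (-not $adUser) { throw "No on-prem account found for $Upn" }
Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $NoSyncOU

# 4. Re-enable directory synchronization for the tenant.
Set-MsolDirSyncEnabled -EnableDirSync $true -Force

# 5. After the next sync cycle has finished, confirm the cloud account is still
#    active and did not land in the recycle bin. ImmutableId remaining
#    populated is expected (the "cosmetic" stamp mentioned in the replies).
$after   = Get-MsolUser -UserPrincipalName $Upn -ErrorAction SilentlyContinue
$deleted = Get-MsolUser -ReturnDeletedUsers -SearchString $Upn
if ($after -and -not $deleted) {
    $after | Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
} else {
    Write-Warning "$Upn is missing or soft-deleted in Office 365; do not delete the on-prem account yet."
}
```

Deleting the on-prem account is left as a manual step, to be done only after the check in step 5 passes.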