Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Convert On-Prem AD Users from Office 365/Azure AD to In-Cloud accounts

MVP

Hi

 

We have currently setup a ADConnect Sync to Office 365, this is working well.

 

We would like to start converting Sync'ed accounts in Office 365/Azure AD to "In Cloud" accounts. Can you advise or does anyone know how we might approach this? Or can point to alternative resources?

 

We need to ensure the accounts in Office 365/Azure AD remain active and usable.

 

Much appreciated

Paul

 

62 Replies

We ended up switching our Azure AD Connect Source anchor from Objectguid to ms-DS-consistencyGUID (as recommended by Support).  This works for us because it allows us to recover deleted accounts via hard linking to on-prem AD accounts.  Before we would control this by manipulating the immutableID of the Azure AD user.  Now we just manipulate it on the on-prem AD side.  Here is blog post which illustrates this process: https://blogs.technet.microsoft.com/latam/2018/03/27/using-the-consistencyguid/

I thought everyone else said -ImmutableID does not work anymore?
Can anyone confirm this? Or have you tried this?

@Jessie Hernandez seems to be answering to a totally different thing than what was asked. Yes, you can link the existing Azure AD user to a different on-prem AD user using the ms-DS-consitencyGUID attribute. But you cannot use it to make users cloud-only (which was the original question).

 

The method suggested by @RedRobot works, because you can change the ImmutableId when the sync is not enabled. However, this is a very heavy method if needs to be done daily. But as said, it works.

I have just logged a support ticket with Microsoft about this. The guy on the other end mentioned that they did remove the ability to change -ImmutableID but they reverted this change due to "customer feedback".
Running (set-msoluser -UserPrincipalName <name> -ImmutableID "$null") fixed my issue of the cloud user (that originated on-prem) being deleted on the next sync cycle.

I did log a ticket with MS last few weeks ago, they also said they will revert back the changes. I am wondering if they already did?

Anyone can confirm it is now working again? (I am too lazy to test..LOL).

It is working. I did so last night with 2 users. They were successfully converted to Azure AD users (cloud users) that used to be sync'd from on-prem by nulling the ImmutableID

The immutableID method worked for me as well.

I moved the user to an unsynced OU but it kept getting deleted every few minutes when dirsync ran.

Steps I did:
1. Move user to unsynced OU
2. Ensured AAD sync was not including that OU
3. User will be deleted from Azure AD
4. Connect to Azure AD via powershell
5. Run: Get-MsolUser -ReturnDeletedUsers | Restore-MsolUser
6. Run: Set-MsolUser -UserPrincipalName test.user@example.com -ImmutableID ""

no more being logged out every time sync runs

@crice011 We are getting an error "You must provide a required property:  Paramet name:  FeeratedUser.SourceAnchor"  So we have to set the domain to a managed domain domain.onmicrosoft.com then we can set the ImmutableID to Null, we can't change it back to the domain.com after.  

@Jamie Luce I don't think you can set the immutableID to null unless it is a managed domain so that is likely why you can't change back to federated.  

 

Maybe try this article and see if that fixes it

 

@Jamie Luce, I'm not quite sure why you need to convert federated users to in-cloud, as they are (typically) synchronized from on-prem AD and are depending on the federation server?

 

Anyways, there can also be cloud-only federated users, so you can change the UPN back to domain.com. You just need to give immutableId that matches the value your federation server is offering for the user when he/she logs in.

 

So, this is possible but not very practical and needs some setup to do in your federation server. If you'd like to give it a try, let me know and I'll give you detailed instructions.

@Nestori Syynimaa We have some resource rooms that need to be licensed and have a password, but the Resource Manager that we use cannot handle Multifactor Authentication.  We had these rooms syncing from on prem before but now we just need them to be cloud to take them out of Multifactor (Ping Federate).  We are creating all new Resources as cloud accounts directly but we didn't want to lose the info on the ones we were already using, so we deleted the AD account on prem, then restored it as a Cloud Account.  

 

Then ran into the sync problems with it being removed since it still thought it was a deleted account.  I'm interested in those instructions if you could PM them to me.  Thanks

@Jamie Luce, I'm sorry but that scenario is not possible.

 

If I understood correctly, you want to make resource rooms cloud-only so that you can authenticate directly to Office 365 (Azure AD). The authentication (managed/federated) is defined per domain, so despite that users can be cloud-only, the authentication remains the same. 

 

However, you can give these resource rooms (users) another domain (resource.domain.com etc.), which is not federated. Then give them an alias with original domain. With this scenario, you could sync them from on-prem AD and still use the original domain to reserve rooms.

 

For the AD-removal-deletion issue, I think you need to do the following:

  1. Remove the user from AD (or move to OU that is not synced)
  2. User gets deleted from Azure AD -> restore the user
  3. Change UPN to @domain.onmicrosoft.com
  4. Clear the immutableId and run the sync (or wait until it is run)
  5. Set immutableid to something unique, such as user's email address
  6. Change UPN back to original

 

I have tested this scenario half a year ago because I have a client who will need the same. Worked out well. Please try this in a lab environment first.

 

#Requirements: Managed domain, Global Administrator, Domain Admin, Active Directory Users and Computers, AD Connect, PowerShell-modules MSOnline & ADSync

 

#Connect with MSOL
$credential = Get-Credential
Connect-MsolService -Credential $credential

 

#Check DirSync status
Get-MSOLCompanyInformation | select DirectorySynchronizationStatus

 

#Backup all ImmutableIDs of federated users

Get-MsolUser | select userprincipalname,immutableid | sort userprincipalname | Export-Csv -Path $env:USERPROFILE\Desktop\ImmutableIDs.csv -NoTypeInformation -Force

 

#Migrate synced user to cloud only
Step 1: Disable DirSync
Set-MsolDirSyncEnabled -EnableDirSync $false
Step 2: Nullify ImmutableID !!! Make sure you add quotation marks to $null
Set-MsolUser -UserPrincipalName user@domain.com -ImmutableId "$null"
Step 3: Move nullified users to non-synced OU
Step 4: Enable DirSync
Set-MsolDirSyncEnabled -EnableDirSync $true
Step 5: Force AD Connect sync
Start-ADSyncSyncCycle -PolicyType Delta

 

#Revert migration of user
Step 1: Disable DirSync
Set-MsolDirSyncEnabled -EnableDirSync $false
Step 2: Move user to original OU
Step 3: Put back the ImmutableID of the user
Set-MsolUser -UserPrincipalName user@domain.com -ImmutableId "ID"
Step 4: Enable DirSync
Set-MsolDirSyncEnabled -EnableDirSync $true
Step 5: Force AD Connect sync
Start-ADSyncSyncCycle -PolicyType Delta

After converting an on-prem user to a cloud user, by nullifying the ImmutableId, has anyone been able to verify that the PowerShell command, whoami, returns AzureAD\username instead of ONPREM\username ?

 

This is the issue we're currently experiencing and we are concerned with any possible adverse affects it might cause to the AzureAD user object functionality and stability. We're currently not experiencing any visible issues at the moment, however. -Josh

@Josh-M Hi Josh, it's an interesting question and it comes up in my mind every now and then. I haven't had any trouble in my lab with users or Microsoft services. Though the lab did not run for long time and I cannot remember what whoami would return.

 

I have planned the conversion for my client in a few months. This is a 150 seat tenant with only saas apps and all data stored in sharepoint/onedrive. I don't foresee any issues in this scenario, but perhaps your infra is more complex.

Keep us posted, thanks.

@Josh-M 

 

I never thought about it until you mentioned it now.  whoami returns ONPREM\username for my converted user.  I would assume that is because the user is still in an on-prem OU. While that OU is not synced with ADSync, the metadata for that user is still there.

 

This computer was built from new and only using the AzureAD username so I'm sticking with it being the metadata.  

It’s a good question and I’ll double check in the morning on our tenant.

I do know though that after migrating users to on-cloud and removing the immutable ID, the authentication in tools like Outlook went from being domain\username to email address.

I’ll post back in the morning.

Whoami will always execute in the context of the account logged onto the desktop. If your computer is part of an AD domain and you'velogged on with a domain account, it will be DOMAIN\USER.

@Josh-M I tried looking into this as well, I did receive some information from Microsoft. I still don't know if this causes any issues, it doesn't seem to negatively impact anything in a sandbox environment. Also with one user in a production environment.

 

"This a known gap, that we're reviewing. Even though you have migrated the user from AD to Azure AD, the onprem SamAccountName is still intact on the user object, among other on-prem AD attributes. As a result, Azure AD picks those details and shows domain/user instead of AzureAD/user. This attribute cannot be modified or cleared through Graph APIs at this point, so there's no way to change the behavior. Please file a UserVoice suggestion on MS Graph for this so that our teams can get the feedback and prioritize it as needed"

 

Source:

https://github.com/MicrosoftDocs/azure-docs/issues/38048#issuecomment-528570435