Microsoft Tech Community
SOLVED

How to list users synced from onprem AD and cloud-only users?

Hello guys!

I was tasked to list users synced from onprem AD and cloud only users.

I have downloaded and imported AzureAD PS module 2.0.2.16.

Azure portal shows several users with source 'Azure Active Directory'.

I'm first trying to list these cloud-only users by running the command Get-AzureADUser | where {$_.dirsyncenabled -eq $false} but it yields only one user when there should be a lot more.

I also need to list users synced from onprem AD.

My command does not seem to do the trick. Can you help me out?

9 Replies
best response confirmed by Teijo Hämäläinen (Copper Contributor)
Solution

@Teijo Hämäläinen I would try the following: Get-MsolUser -All | ?{-not $_.lastdirsynctime}

There's also Get-MsolUser -Synchronized. Using server-side filtering is a faster approach, and it also makes sure you don't get a trimmed list because of hitting the limit on the number of objects returned (like when you run the Get-AzureADUser cmdlet above without the -All switch and filter client-side).

Thanks, definitely a better solution.

Martin

@Martin Rublik There is another easier option to use. Cloud only and on prem users have a big difference - it's called Immutable ID

So Get-MsolUser | where-Object {$_.ImmutableId -eq $null} -> for On prem users

Get-MsolUser | where-Object {$_.ImmutableId -ne $null} for Azure AD users ( Cloud users)

@Martin Rublik

Thank you Martin (and Scorpio and Vasil), your solution helped me forward.

@Scorpio69

I think it should be the other way around :)

Get-MsolUser | where-Object {$_.ImmutableId -eq $null} -> for Azure AD cloud users;

Get-MsolUser | where-Object {$_.ImmutableId -ne $null} -> for On premise users;

@Scorpio69 You definitely need the -All switch to get all users.

Get-MsolUser -All | where-Object {$_.ImmutableId -eq $null}

@Teijo Hämäläinen

I would recommend using the AzureAD PowerShell Module. You can use the following command to get a list of all Cloud Only Accounts:

Get-AzureADUser -All $true | Where-Object {$_.ImmutableId -eq $null}

If you want a list with the Cloud Only Accounts without guests, you could use the following command:

Get-AzureADUser -All $true | Where-Object {$_.ImmutableId -eq $null -and $_.UserPrincipalName -notlike "*#EXT#*"}

You need to use the new Microsoft Graph PowerShell SDK to retrieve this information.

The below article has a script that will export that information and much more:

https://www.alitajran.com/export-azure-ad-users-to-csv-powershell/
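
Added example, not part of any reply in this thread and not code from the modules themselves: it applies the filters discussed above (ImmutableId, the #EXT# guest marker, and the question's DirSyncEnabled -eq $false test) to constructed objects shaped like Get-AzureADUser output, so it runs without a tenant. The sample data assumes that accounts which were never synced report DirSyncEnabled as empty rather than False; Get-UserSource is a hypothetical helper name.

```powershell
# Constructed sample records (not real tenant data). Property names follow the
# ones used in the thread; all values are made up for illustration.
$users = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.com'; DirSyncEnabled = $true;  ImmutableId = 'Y29uc3RydWN0ZWQ=' }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.com';   DirSyncEnabled = $null;  ImmutableId = $null }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.com'; DirSyncEnabled = $false; ImmutableId = $null }
    [pscustomobject]@{ UserPrincipalName = 'dave_example.org#EXT#@example.onmicrosoft.com'; DirSyncEnabled = $null; ImmutableId = $null }
)

# Hypothetical helper: labels each user and records whether the filter from
# the question would have matched it.
function Get-UserSource {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $User
    )
    process {
        if ($User.UserPrincipalName -like '*#EXT#*') {
            $source = 'Guest'
        } elseif ($User.ImmutableId) {
            $source = 'SyncedFromOnPrem'
        } else {
            $source = 'CloudOnly'
        }

        [pscustomobject]@{
            UserPrincipalName   = $User.UserPrincipalName
            Source              = $source
            # $null -eq $false evaluates to False, so an empty DirSyncEnabled
            # never matches the filter used in the question.
            MatchedByEqFalse    = ($User.DirSyncEnabled -eq $false)
            # -not treats both $null and $false as "not synced".
            MatchedByNotEnabled = (-not $User.DirSyncEnabled)
        }
    }
}

$report = $users | Get-UserSource
$report | Format-Table -AutoSize

# Per-source counts, useful as a sanity check against the portal's numbers.
$report | Group-Object Source | Select-Object Name, Count
```

Against a live tenant, the same function can be fed from Get-AzureADUser -All $true instead of the sample array.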