Here is the scenario:
You have an on-premises Active Directory with Azure AD Connect installed, which syncs users and password hashes to Office 365. You have now decided to move authentication from the on-premises Active Directory to Office 365 and decommission the on-premises forest. The purpose of this exercise is to demote the on-premises AD, keep Office 365 as the office productivity suite and use Azure AD as the IDaaS.
Synced ID (ImmutableId): the immutable ID (sourceAnchor) that ties a cloud user to its on-premises account. Azure AD Connect matches objects on it, so it has to be cleared before a user can become a cloud-only identity. Users created directly in the cloud (standard identities) do not have one.
The following are the steps to transition from on-premises “Synced Identity” to “In Cloud Identity”. The commands use the MSOnline (Msol) PowerShell module, which Microsoft has since deprecated in favour of Microsoft Graph PowerShell; the sequence of steps is the same with either module.
Step1: Sign into the AAD Connect server and run a delta sync, so the cloud copies of the users (including their password hashes) are current before the cut-over
Start-ADSyncSyncCycle -PolicyType Delta
Step2: Turn off AAD Connect sync. This must happen before the Immutable ID can be cleared, because Set-MsolUser refuses to change attributes that directory sync still owns. The cmdlet prompts for confirmation, and the change can take up to 72 hours to complete; check (Get-MsolCompanyInformation).DirectorySynchronizationEnabled and wait until it reports False before going on.
Set-MsolDirSyncEnabled -EnableDirSync $false
Step3: Transition a single test user from on-premises “Synced Identity” to “In Cloud Identity”, then read the ImmutableId property back with Get-MsolUser and confirm it is empty before touching anyone else. (Older MSOnline builds rejected a bare $null; the string "$null" was the documented workaround.)
Get-MsolUser -UserPrincipalName john.doe@domain.com | Set-MsolUser -ImmutableId $null
Step4: Remove the Immutable ID of all users. Get-MsolUser returns only the first 500 users unless -All is specified, so without it a larger tenant is only partly converted:
Get-MsolUser -All | Set-MsolUser -ImmutableId $null
Step4 (Optional): Alternative script that does the same thing one user at a time, which makes it easier to see which account a failure belongs to
$users = Get-MsolUser -All
$immutableID = $null
foreach ($user in $users) {
    Set-MsolUser -UserPrincipalName $user.UserPrincipalName -ImmutableId $immutableID
}
Step5: Move the users out of the AAD Connect sync scope in on-premises Active Directory
Best practice when configuring sync is to target specific OUs, so moving a user to an OU outside the filter takes it out of scope. If sync was configured for the whole forest, narrow the domain/OU filtering in the AAD Connect wizard to exclude those users instead; deleting the on-premises accounts also removes them from scope, but that is irreversible, so do it only after the cloud-only accounts have been verified. This step matters because once sync is re-enabled, any in-scope account whose UPN or proxyAddresses match a cloud user would be soft-matched and taken over again.
Step6: Turn on AAD Connect sync (only once the users are out of scope, see Step5)
Set-MsolDirSyncEnabled -EnableDirSync $true
Step7: Force a full sync if the scheduled delta sync did not pick up the scope change
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Initial
Step8: Convert the federated domain to a standard (managed) domain if you have an AD FS server. Run with -WhatIf first; the real conversion also removes the relying party trust from AD FS and converts the federated users, so it needs connectivity to the AD FS farm. The cmdlet also accepts -SkipUserConversion and -PasswordFile (the file where temporary passwords for converted users are written); check the current documentation for the values your tenant needs. Because password hash sync was enabled in this scenario, users keep their existing passwords after the conversion.
Convert-MsolDomainToStandard -DomainName domain.com -WhatIf
Convert-MsolDomainToStandard -DomainName domain.com -Confirm
Step9: Test sign-in with Azure AD
Finally, sign into Office 365 with the same password as before; it should work because the synced password hash is retained on the cloud account.
In the Microsoft 365 admin center the user's sync status should now show “In cloud” instead of “Synced with Active Directory”.
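The following script is an added example that ties Steps 2 to 4 and the final check together; it is not part of the original post. It assumes the MSOnline module is installed and that Connect-MsolService succeeds interactively. The user principal name john.doe@domain.com and the log path are placeholders, and the assumption that Set-MsolUser accepts a bare $null is noted in the code.

```powershell
# Added example (not from the original post): convert synced users to cloud-only,
# starting with one test user, paging through every user, and verifying the result.
# Assumes the MSOnline module is installed and Connect-MsolService can sign in.
# $TestUser and $LogPath are placeholders.
param(
    [string]$TestUser = 'john.doe@domain.com',
    [string]$LogPath  = "$env:TEMP\cloud-only-conversion.csv"
)

$ErrorActionPreference = 'Stop'
Import-Module MSOnline
Connect-MsolService

# Step 2 check: Set-MsolUser cannot clear ImmutableId while directory sync still
# owns the object, and Set-MsolDirSyncEnabled $false can take hours to apply.
if ((Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
    throw 'Directory sync is still enabled. Run Set-MsolDirSyncEnabled -EnableDirSync $false and wait until DirectorySynchronizationEnabled reports False.'
}

function Convert-ToCloudOnly {
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if (-not $u.ImmutableId) {
        return [pscustomobject]@{
            UserPrincipalName = $UserPrincipalName; Before = $null; After = $null; Status = 'AlreadyCloudOnly'
        }
    }
    # Assumption: a bare $null is accepted by this module version; older builds
    # needed the literal string "$null" instead.
    Set-MsolUser -ObjectId $u.ObjectId -ImmutableId $null
    # Read the attribute back rather than trusting the cmdlet's silence.
    $after = (Get-MsolUser -ObjectId $u.ObjectId).ImmutableId
    [pscustomobject]@{
        UserPrincipalName = $UserPrincipalName
        Before            = $u.ImmutableId
        After             = $after
        Status            = $(if ($after) { 'Failed' } else { 'Converted' })
    }
}

# Step 3: one test user first; stop if the anchor did not clear.
$test = Convert-ToCloudOnly -UserPrincipalName $TestUser
$test | Format-List
if ($test.Status -eq 'Failed') {
    throw "Test user $TestUser still has an ImmutableId; do not continue."
}

# Step 4: everyone else. -All is required because Get-MsolUser returns only the
# first 500 users by default; the filter skips accounts that are already cloud-only.
$results = Get-MsolUser -All |
    Where-Object { $_.ImmutableId } |
    ForEach-Object { Convert-ToCloudOnly -UserPrincipalName $_.UserPrincipalName }

$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count

# Final check: no user should still carry a sync anchor before sync is re-enabled.
$remaining = Get-MsolUser -All | Where-Object { $_.ImmutableId }
if ($remaining) {
    Write-Warning ("{0} user(s) still have an ImmutableId:`n{1}" -f $remaining.Count, ($remaining.UserPrincipalName -join "`n"))
} else {
    Write-Host 'All users are now cloud-only (ImmutableId cleared).'
}
```

The CSV written to $LogPath records the old ImmutableId for every converted account, which is the value you would need to hard-match a user back to its on-premises object if the migration had to be rolled back.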