Convert Synced User to In-Cloud User


Here is the scenario:

Synced ID: Specifies the immutable ID of the federated identity of the user. This should be omitted for users with standard identities.

You have local Active Directory with AAD Connect installed, which sync users and password hash to Office 365. Now you have decided to migrate the authentication from local Active Directory to Office 365 and decommission on-premises Active Directory. The purpose of this exercise to demote on-premises AD, use Office 365 as office productivity tools and Azure AD as the IDaaS.

The following are the steps to transition from on-premises “Synced Identity” to “In Cloud Identity”.

Step1: Sign into the AAD Connect Server and Sync the Delta

Start-ADSyncSyncCycle -PolicyType Delta

Step2: Turn off AAD Connect Sync

Set-MsolDirSyncEnabled -EnableDirSync $false

Step3: Transition a Single Test User from on-premises “Synced Identity” to “In Cloud Identity”.

Get-MsolUser -UserPrincipalName john.doe@domain.com | Set-MsolUser -ImmutableId $null

Step4: Remove Immutable ID of all users

Get-MsolUser | Set-MsolUser -ImmutableId $null

Step5 (Optional): Alternative Scripts

$users=Get-MSOLUser

$immutableID=$null

Foreach($user in $users)

{Set-MsolUser -UserPrincipalName $user.UserPrincipalName -ImmutableID $immutableID}

Step5: Turn o AAD Connect Sync

Now go to local Active Directory, move user out of sync scope. In best practice when you have configured sync, you target a specific OU in active directory to sync users from, moving user to different OU will take user out of sync scope. If you have targeted the sync to all users then you have delete user from your local active directory.

Step6: Turn on AAD Connect Sync

Set-MsolDirSyncEnabled -EnableDirSync $true

Step7: Enable Force Sync if the Sync didn’t work

Import-Module ADSyn
Start-ADSyncSyncCycle -PolicyType Initial

Step8: Change the Federated Domain to Standard Domain if you have ADFS Server

Convert-MsolDomainToStandard -DomainName domain.com -WhatIf
Convert-MsolDomainToStandard -DomainName domain.com -Confim

Step9: Test SSO using Azure AD

Now, last step is to login into Office365 with the same password, it should work.
Also, you will see that in Office365 the user sync status will be shown as Incloud instead of Synced with local AD.

 

Author: LM Publications

This is me.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.