In this example I have a local Active Directory with AAD Connect installed in one of the Azure regions, which syncs users and password hashes to Office 365. I have now decided to migrate authentication from the local Active Directory to Office 365 and decommission the on-premises Active Directory.

In order to transition from on-premises “Synced Identity” to “In Cloud Identity”, we will need to complete the following process.
IMPORTANT NOTE!!!!!
When deactivating Directory Sync, it may take up to 72 hours before it can be re-enabled, depending on the size of your production network. All users will keep their current password but all synchronized objects are removed from Azure AD; please keep this in mind.
To check if you can re-enable Directory Sync, you will need to run Get-MsolCompanyInformation. This shows the detailed company information; the last four fields are the most important in this scenario, as they indicate, with a status of False, whether Directory Sync can be re-enabled.
DirectorySynchronizationEnabled
LastDirSyncTime
LastPasswordSyncTime
PasswordSynchronizationEnabled
In my scenario, Directory Sync was able to be reactivated after 8 hours. The customer I was working with accepted the potential risk in order to complete this work.
Sign into the AAD Connect Server and Sync the Delta
The following command performs a sync of all AD Objects before attempting to convert into Cloud Only.

Start-ADSyncSyncCycle -PolicyType Delta
Turn off AAD Connect Sync
The following command turns off Azure Active Directory Connector while we perform all the following tasks. In this post I have outlined all the steps which can be taken to convert AD user accounts into Cloud Only.

Set-MsolDirSyncEnabled -EnableDirSync $false
Convert Single User to Cloud Only
The following command converts a single user into a Cloud Only account

Get-MsolUser -UserPrincipalName thewatchernode@blogabout.cloud | Set-MsolUser -ImmutableId "$null"
Remove Immutable ID of all users
The following command removes the Immutable ID for all users

Get-MsolUser -All | Set-MsolUser -ImmutableId "$null"
Remove Immutable ID for Bulk users
The following script allows you to modify users in bulk
# CSV file with a UserPrincipalName column
$Filepath = "$env:userprofile\desktop\file.csv"
$csv = Import-Csv -Path $Filepath
# Use the quoted form "$null", as in the single-user command above
$immutableID = "$null"
foreach ($user in $csv)
{
    Set-MsolUser -UserPrincipalName $user.UserPrincipalName -ImmutableID $immutableID
}
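A more defensive version of the bulk step, as an added example that is not part of the original post: it refuses to run while Directory Sync is still enabled, saves each user's current ImmutableId to a backup file before clearing it, and reports the result per user. It assumes the MSOnline module with an active Connect-MsolService session; the function name and file paths are hypothetical.

```powershell
# Added example, not from the original post. Assumes the MSOnline module is
# loaded and Connect-MsolService has been run. The function name and both file
# paths are hypothetical; the CSV needs a UserPrincipalName column.
function Clear-ImmutableIdWithBackup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        [Parameter(Mandatory)] [string] $BackupPath
    )

    # Stop if Directory Sync is still on for the tenant.
    if ((Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
        throw 'Directory Sync is still enabled. Turn it off before converting users.'
    }

    foreach ($row in Import-Csv -Path $CsvPath) {
        $upn = $row.UserPrincipalName
        $status = 'NotChanged'
        try {
            $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop

            # Write the current value to the backup file before touching it.
            [pscustomobject]@{
                UserPrincipalName = $upn
                OldImmutableId    = $user.ImmutableId
                SavedAt           = (Get-Date).ToString('o')
            } | Export-Csv -Path $BackupPath -Append -NoTypeInformation

            if ($PSCmdlet.ShouldProcess($upn, 'Clear ImmutableId')) {
                # "$null" (quoted) is the form the post and its comments report working.
                Set-MsolUser -UserPrincipalName $upn -ImmutableId "$null" -ErrorAction Stop
                $after = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
                $status = if ([string]::IsNullOrEmpty($after.ImmutableId)) { 'Cleared' } else { 'StillSet' }
            }
        }
        catch {
            $status = "Failed: $($_.Exception.Message)"
        }
        # One result object per user, so the output can be piped to Export-Csv.
        [pscustomobject]@{ UserPrincipalName = $upn; Status = $status }
    }
}

# Dry run first, then the real change:
# Clear-ImmutableIdWithBackup -CsvPath .\file.csv -BackupPath .\immutableid-backup.csv -WhatIf
# Clear-ImmutableIdWithBackup -CsvPath .\file.csv -BackupPath .\immutableid-backup.csv
```

The backup file keeps each original ImmutableId, so a value can be put back with Set-MsolUser -ImmutableId if a conversion has to be reversed.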
Turn on Azure Active Directory Connect Sync
Once you have completed all the required conversions of AD accounts to Cloud, head back to your local Active Directory and move the user(s) to an OU that isn’t synchronized using AADC.
This helps you as an IT Pro understand at a quick glance who has been converted, without having to use PowerShell to discover who is or isn’t.
The following command turns on Azure Active Directory Connector now that we have converted the

Set-MsolDirSyncEnabled -EnableDirSync $true
Enable Force Sync if the Sync didn’t work

Start-ADSyncSyncCycle -PolicyType Initial
If you are using an ADFS Server there is an additional step providing you have
Convert-MsolDomainToStandard -DomainName blogabout.cloud -WhatIf
Convert-MsolDomainToStandard -DomainName blogabout.cloud -Confirm
All that is left now is to log in as one of the converted users to prove Single Sign-On is working, and to log on to Office 365 as a Global Admin to check that the sync status of the users shows a pretty cloud for “In-Cloud”.

Regards
The Author – Blogabout.Cloud
Great tutorial! A couple of minor technical details might be improved to help others get around the roadblocks I came across.
– Setting the ImmutableID to NULL:
— To get this to work for me, I had to surround $null with quotation marks.
— Doesn’t work: Set-MsolUser -ImmutableId $null
— Does work: Set-MsolUser -ImmutableId "$null"
– The command referenced “Get-MSLCompanyInformation” doesn’t exist. The command you’re looking for is “Get-MsolCompanyInformation”
— A before and after screenshot of when it toggles to ready to be re-enabled would be helpful.
— What to expect if you try to re-enable it too soon would also go a long way.
Despite the constructive feedback, thank you very much for this.
Hi Ryan, thank you for your feedback. I will look at the above and modify accordingly.
This is correct – you need the quotation marks on
Set-MsolUser -ImmutableId "$null"
Would be good to update the article to reflect this.
Hi there,
First question is why retire your on-prem AD?
Playing devil's advocate now, how would your device get an IP address if the DC is located in the cloud, when an IP is required to access the internet?
Network equipment can provide DHCP addresses.
Thanks for a good post. But the commands are all for the old, now deprecated, modules. It would be nice if the command examples were updated to the newer modules.
Thank you for letting me know, I'll look at updating soon.
Thank you for the great Article. When disabling the synchronization, I noticed that it converted all my identities into cloud only
You may want to revisit this. Looks like MS no longer allows the ImmutableID to be set to $null.
This process worked back in December 2020 for me but not now.
Hi Andrew!
This is a really good bit of info, question: Are the commands updated and up to date?
I haven't checked the commands for a while