charles sims

Convert On-prem 365 users to cloud only

What is the best way to convert users to cloud only from being synced with on-prem?

I've done this in the past and had issues with users getting blocked even if we move them out of synced containers in AD.
ASKER CERTIFIED SOLUTION
Vasil Michev (MVP)
This solution is only available to members.
Vasil is correct, but if you ever re-enable DirSync (Azure AD Connect) and the user is not in scope, Office 365 may try to delete the user because the accounts might still be linked. You need to remove the value from the Azure users’ ImmutableID. This will un-link the accounts. Then if the user is removed from the dirsync scope it will have no effect on the cloud user when dirsync is re-enabled.

Set-MsolUser -UserPrincipalName user@domain.com -ImmutableId ""

If you want to do this without turning off DirSync, then you can remove the user from scope or filter them out (this will soft-delete the user in Office 365, blocking them from login temporarily). Then you can restore the users to active and run the command above to remove the ImmutableID. As mentioned, this method will result in a temporary sign-in blockage.
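
The sequence described in the answer above (restore the soft-deleted account, clear its ImmutableId, then confirm the link is gone), as an added example that is not part of the original post. It assumes the MSOnline module with an active Connect-MsolService session; the function name Clear-SyncedUserLink and its -Apply switch are hypothetical.

```powershell
# Added example. Assumes: MSOnline module loaded, Connect-MsolService already run.
# Clear-SyncedUserLink is a hypothetical helper name, not a Microsoft cmdlet.
function Clear-SyncedUserLink {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$UserPrincipalName,
        [switch]$Apply   # without -Apply the function only reports current state
    )

    # Accounts removed from sync scope land in the deleted-users list.
    $softDeleted = @(Get-MsolUser -ReturnDeletedUsers -All)

    foreach ($upn in $UserPrincipalName) {
        $deletedCopy = $softDeleted | Where-Object { $_.UserPrincipalName -eq $upn }
        $wasDeleted  = [bool]$deletedCopy

        if ($Apply) {
            # Restore first: the account must be active before it is unlinked.
            if ($wasDeleted) { Restore-MsolUser -UserPrincipalName $upn }
            # Same command as in the answer above.
            Set-MsolUser -UserPrincipalName $upn -ImmutableId ""
        }

        # Re-read the account so the report reflects what the tenant now holds.
        $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
        if (-not $user) { $user = $deletedCopy }

        [pscustomobject]@{
            UserPrincipalName = $upn
            Found             = [bool]$user
            WasSoftDeleted    = $wasDeleted
            StillLinked       = -not [string]::IsNullOrEmpty($user.ImmutableId)
            LastDirSyncTime   = $user.LastDirSyncTime
        }
    }
}

# Report only (constructed sample address):
# Clear-SyncedUserLink -UserPrincipalName user@domain.com
# Restore and unlink:
# Clear-SyncedUserLink -UserPrincipalName user@domain.com -Apply
```

Any row that still shows StillLinked as True after an -Apply run is an account that would be affected if sync were re-enabled with that user out of scope.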
Mre Martin

Uninstall AD Connect from on-prem.

Remove the federation between on-prem and your tenant with the following PowerShell command:

Get-OrganizationRelationship | Remove-OrganizationRelationship