How to Convert AD Connect Synchronized Users To Cloud Managed Identities

If you’re using AD Connect and you’re planning to eliminate Active Directory, you’ll eventually need to remove AD Connect and convert all users to cloud managed identities. Azure AD Connect synchronizes your AD identities with Azure AD, giving the users a cloud identity in addition to their on-prem identity. However, AD remains the source of authority for management. Users and groups synchronized with AD Connect need to be managed in Active Directory, and changes to those accounts get synchronized to Azure AD. So, when you want to transition your identities to be cloud managed, you have two options – convert small groups of users over time, or bulk convert all your users.

The easy way to do one-off conversions is to move the target users to an OU that AD Connect is not syncing. On the next sync cycle, those users will be deleted in Azure AD (since it thinks they were deleted from AD). If you restore a deleted user in Azure AD, the identity becomes cloud managed. This method is fine for small groups of users, but if you want to convert all your users in bulk, use the steps below.

Before doing these steps, AD Connect should be removed or have its services stopped. You wouldn’t want someone to mistakenly turn DirSync back on for the tenant while a rogue AD Connect server is still trying to sync identities.

If you’re using AD Connect, you will have user identities and groups showing as synced from AD, like the screenshot below. We want them to have the nice little cloud icon, so they can be fully managed cloud identities.

The same management restrictions exist for synchronized distribution and security groups. You can see below that this example synchronized distribution group can only be managed by Active Directory or Exchange. If we want to add a user to this distribution group, we need to do it in AD as long as the group is synchronized.  

Converting all synchronized objects to be cloud managed is rather easy. Open PowerShell and install the MSOnline module, then connect to your tenant with Connect-MsolService:

Install-Module MSOnline
Connect-MsolService

To convert all synchronized users to cloud users, we need to disable Directory Synchronization in the tenant. We can check the current value with Get-MsolCompanyInformation, shown below. You can see it’s set to True.

To disable it, and convert all synchronized users to cloud managed users, we issue Set-MsolDirSyncEnabled -EnableDirSync $false, like below.

We can confirm directory sync is disabled by running Get-MsolCompanyInformation again; the value is now False.

If you happen to still have AD Connect running (which I don’t recommend) and you run a delta sync from the AD Connect server, it will report success. However, if you open the Synchronization Service, you’ll see that the Azure AD connector shows stopped-server-down and fails to complete the synchronization tasks. This is why you need to decommission your AD Connect server: if someone mistakenly re-enables DirSync for the tenant, AD Connect will pick up where it left off and start syncing identities again.

If we return to our M365 admin portal, we can see our users are all cloud managed: 

And our groups are also cloud managed, while still retaining their members. The groups will have no group owners, but that’s a minor issue since the members are still retained.

Now that the group is cloud managed, we can add members.

Same is true for security groups: 

Optionally, you can clear the ImmutableIDs from the cloud users who were previously synchronized by AD Connect. The immutable ID is the source anchor that linked the on-prem identity to the cloud identity (the attribute in AD is mS-DS-ConsistencyGUID). Clearing the ImmutableID will make it appear as if this cloud user was never synchronized with AD Connect.

Here is an example user created by AD Connect with a value for ImmutableID:

A native cloud-created user does not have a value:

You can also list all users with their Immutable ID with this command (the -All switch is needed, since Get-MsolUser otherwise returns only the first page of results):

Get-MsolUser -All | Select-Object DisplayName,ImmutableId

We can clear the Immutable IDs with the below PowerShell command: 

Get-MsolUser -All | Set-MsolUser -ImmutableId "$null" 

Notice all immutable IDs have been removed:
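As an added example (this script is not part of the original post), here is a safer way to run the same clear-out: it refuses to run while DirSync is still enabled, exports every existing ImmutableId to a CSV before touching anything, and verifies the result afterwards. The ImmutableId is exactly the value a future hard match would need, so the export is the only way back if the decision is reversed. It assumes the MSOnline module is installed; the `$DryRun` switch and the backup path are names chosen for this example.

```powershell
# Added example, not from the original post. Assumes the MSOnline module is
# installed. $DryRun and $backupPath are names chosen for this example.
param([switch]$DryRun)

Connect-MsolService

# Refuse to touch anything while the tenant still has DirSync turned on:
# a sync server could simply write the anchors back.
$company = Get-MsolCompanyInformation
if ($company.DirectorySynchronizationEnabled) {
    throw "DirSync is still enabled for this tenant; run Set-MsolDirSyncEnabled -EnableDirSync `$false first."
}

# Find every user that still carries a source anchor from AD Connect.
$anchored = @(Get-MsolUser -All | Where-Object { -not [string]::IsNullOrEmpty($_.ImmutableId) })
Write-Host ("{0} user(s) still have an ImmutableId" -f $anchored.Count)
if ($anchored.Count -eq 0) { return }

# Keep a copy of the anchors before clearing them. Treat the CSV like any
# other identity export and store it somewhere access-controlled.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$backupPath = Join-Path $env:USERPROFILE ("ImmutableId-backup-{0}.csv" -f $stamp)
$anchored |
    Select-Object UserPrincipalName, ObjectId, ImmutableId, LastDirSyncTime |
    Export-Csv -Path $backupPath -NoTypeInformation
Write-Host "Backup written to $backupPath"

foreach ($user in $anchored) {
    if ($DryRun) {
        Write-Host ("Would clear ImmutableId on {0}" -f $user.UserPrincipalName)
        continue
    }
    # The string "$null" is what the cmdlet accepts to blank the attribute.
    Set-MsolUser -ObjectId $user.ObjectId -ImmutableId "$null"
}

# Verify nothing was missed.
$remaining = @(Get-MsolUser -All | Where-Object { -not [string]::IsNullOrEmpty($_.ImmutableId) })
if (-not $DryRun -and $remaining.Count -gt 0) {
    Write-Warning ("{0} user(s) still have an ImmutableId; see {1}" -f $remaining.Count, $backupPath)
}
```

Run it once with -DryRun to see which accounts would be changed before running it for real.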

If you ever need to run AD Connect against the tenant again (hopefully not), remember to first re-enable DirSync in the tenant:

Connect-MsolService
Set-MsolDirSyncEnabled -EnableDirSync $true