0
votes

Background: Local/On-Premise Active Directory (2012) synced to Microsoft Azure Active Directory using Azure AD Connect. Was setup for Office 365 to use existing On-Premise identity. Office 365 Enterprise E3 is the O365 Business Plan we have, which includes Microsoft Azure AD as a IDaaS platform. Microsoft Azure AD was not setup to be a management console for the O365 tenant, it has since been connected and now to manage the identity, the O365 console can obviously still manage the identity as well. Right now we have a local domain controller which vast majority of computers authenticate with. If a computer (Windows 10) is removed from the domain and performs a "Join Azure AD" they can then login with their O365 credentials and no longer authenticates with local domain controller. Once this process is performed on users no one will authenticate with the local DC. The AD/DC is still being synced with AAD/O365 for identity but it cannot be fully managed from AAD/O365 there are limitations such as contact information and username cannot be changed from the web consoles, they have to changed from the local/On-Premise AD Users and Computers. If one of the synced users/groups is viewed from the web consoles some of the attributes are greyed out and state, "This user is synchronized with your local Active Directory. Some details can be edited only through your local Active Directory." as it should.

Question: I would like to know if it is possible to convert a locally synced user account to become Microsoft Azure Active Directory user Account? Meaning it would no longer sync to the local AD and could be deleted from the local AD is now fully managed from web consoles. Food for thought, if the sync was broken between the local AD and AAD/O365 would the identity still be seen as a local active directory identity? As shown below, this image is from the users section of the Azure portal for AAD.

AAD Sourced From

1
You requirement is possible by just disabling the directory synchronization between On-premises AD and Azure AD. After disabling, use the command: (Get-MSOLCompanyInformation).DirectorySynchronizationEnabled it should return False. After a while, all the local AD synced account should be converted to "In Cloud"Jimmy Sun

1 Answers

1
votes

If you would like to convert a synced account to cloud account,

NO RISK - TAKES TIME - AFFECTS ALL USERS: -De-activating the sync between the On-Premise AD and Azure AD (Office 365) should make ALL THE SYNCED ACCOUNTS as Cloud Users. (You can activate sync back again to join again with AD. It would take maximum 72 hours to deactivate/activate the SYNC) https://support.office.com/en-us/article/Turn-off-directory-synchronization-for-Office-365-ee5f861e-bd48-4267-83d1-a4ead4b4a00d

(or)

RISKY - SINGLE USER - QUICK -If you want to test with SINGLE USER, you could remove the user to a Non-Synced OU in AD, which after the sync process would delete the user in cloud after which you could restore back - then it would show that user as Cloud User. (Sometimes we would not be able to restore due to backend inconsistency for that user and please ensure litigation hold in mailbox is enabled/mailbox is backed up before moving the user to non-synced OU) https://support.office.com/en-us/article/Restore-a-user-in-Office-365-2c261e42-5dd1-48b0-845f-2a016d29cfc1?ui=en-US&rs=en-US&ad=US