Convert Microsoft 365 synced user to cloud only

Introduction

In Microsoft 365, managing user identities across on-premises and cloud environments is crucial for seamless access and administration. One of the key concepts in this hybrid identity management is the ImmutableID.

The ImmutableID is a unique, unchanging identifier that links an on-premises Active Directory user with their Microsoft Entra ID (formerly know as Azure AD) counterpart. This immutability ensures consistent identity mapping, even if other user attributes change.

Concepts

Synchronization process with Entra Connect Sync

Microssoft Entra Connect Sync (ex Azure AD Connect) synchronizes on-premises directories with Microsoft Entra ID, utilizing the ImmutableID to accurately match users between environments. This prevents duplication and maintains consistent identities across both on-premises and cloud directories, ensuring a seamless hybrid identity management experience.

The diagram illustrates the process of how user identities are synchronized between an on-premises Active Directory (AD) and Microsoft Entra ID/Microsoft 365 using Microsoft Entra Connect Sync.

In Active Directory:

mS-DS-ConsistencyGuid: This attribute is typically the same as the objectGUID of the user object. The AD attribute ms-DS-ConsistencyGuid is populated by Entra Connect Sync during the synchronization cycle following object creation. However, in some cases, especially after an inter-forest migration, the mS-DS-ConsistencyGuid might contain the objectGUID from the original forest. This ensures consistency and compliance even after migration.

In Microsoft Entra Connect Sync Metaverse (SQL Express or SQL Database):

sourceAnchor = base64(mS-DS-ConsistencyGuid): During synchronization, Microsoft Entra Connect Sync converts the mS-DS-ConsistencyGuid into a base64-encoded string. This encoded string is known as the sourceAnchor .

In Microsoft Entra ID / Microsoft 365:

ImmutableID = sourceAnchor: sourceAnchor is then used as the ImmutableID in Microsoft Entra ID/Microsoft 365. This ImmutableID is a permanent, unchangeable identifier that ensures the user's identity remains consistent across both on-premises and cloud environments.

Synchronization process with Entra Cloud Sync

In Entra Cloud Sync, the OnPremisesImmutableId value in the cloud is derived directly from the user’s local objectGUID attribute. Since there is no metaverse or local database (unlike Entra Connect Sync), the service simply converts the objectGUID from Active Directory into an encoded value and writes it to OnPremisesImmutableId on the corresponding cloud object. This ensures a unique link between the on-premises and Entra ID objects without requiring a complex synchronization infrastructure.

See ImmutableID in Entra ID

Either in Microsoft Entra ID, on the user object record, in the On-premise section

or via PowerShell with the Microsoft.Graph.Users module :

Get-MgUgser -UserId xxx -Property UserPrincipalName, Id, OnPremisesImmutableId | Select-Object UserPrincipalName, Id, OnPremisesImmutableId

Convert synced user to cloud only user in Microsoft 365

This procedure has been validated with Microsoft.Graph 2.20.0 versions. If you need previous or later version, the step 5 may work differently. With few exceptions, most steps apply to both Entra Connect Sync and Entra Cloud Sync..

As mentioned above, the immutableID is what binds an AD object to a cloud object. As the name implies, this link is normally immutable (=cannot be changed). However, there may be cases where you want to convert a synchronized user to a cloud-only user. It is therefore necessary to break this link, which means to delete this immutableID in the cloud.

Exclude AD object from synchronization. There are several methods
1. Either move the user object to a non-synchronized organization unit (OU).
2. [only for Entra Connect Sync] Or set the adminDescription attribute to the value User_. Some sites recommend using User_DoNotSync, but technically, any value starting with User_ is valid and triggers a default exclusion rule in Entra Connect Sync. Be careful with this method, because if you want to resynchronize the user later, you may encounter AttributeValueMustBeUnique errors, which will prevent you from linking the AD user to the cloud user, and you'll have to make a manual ImmutableID link. To be used only if you wish to convert the object to cloud definitively, with no possibility of going back.
Wait for the next synchronization: Allow time for the next scheduled synchronization to occur. For Entra Connect Sync only, you can manually trigger synchronization using the Start-ADSyncSyncCycle command. For Entra Cloud Sync, you will need to wait for the next sync, which takes between 10 and 20 minutes.
Verify remove: Go to Microsoft Entra ID > Users > Deleted Users and check the user is deleted. If you prefer, you can use the Microsoft 365 admin > Deleted users

Restore the User in Microsoft Entra ID: Navigate to the deleted user in Microsoft Entra ID (or Microsoft 365 Admin Center), click on the user, and select Restore.

Convert the User: Use PowerShell and Microsoft Graph to set the OnPremisesImmutableID = $null. Ensure you have at least the following Microsoft Graph modules installed:Microsoft.Graph.Authentication and Microsoft.Graph.Users

Connect-MgGraph -Scopes 'User.ReadWrite.All'

# Fill with the user's UserPrincipalName 
$upn = '[email protected]'

Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/Users/$upn" -Body @{OnPremisesImmutableId = $null } -ErrorAction Stop

Please note we need to use Invoke-MgGraphRequest because the Update-MgUser CMDlet does not support $null value. More info in this Github issue:https://github.com/microsoftgraph/msgraph-sdk-powershell/issues/852