Convert Microsoft 365 synced user to cloud only

Synchronization process

In Microsoft 365, managing user identities across on-premises and cloud environments is crucial for seamless access and administration. One of the key concepts in this hybrid identity management is the ImmutableID.

The ImmutableID is a unique, unchanging identifier that links an on-premises Active Directory user with their Microsoft Entra ID (formerly know as Azure AD) counterpart. This immutability ensures consistent identity mapping, even if other user attributes change.

Microssoft Entra Connect Sync (ex Azure AD Connect) synchronizes on-premises directories with Microsoft Entra ID, utilizing the ImmutableID to accurately match users between environments. This prevents duplication and maintains consistent identities across both on-premises and cloud directories, ensuring a seamless hybrid identity management experience.

The diagram illustrates the process of how user identities are synchronized between an on-premises Active Directory (AD) and Microsoft Entra ID/Microsoft 365 using Microsoft Entra Connect Sync.

1. In Active Directory:
   • mS-DS-ConsistencyGuid: This attribute is typically the same as the objectGUID of the user object. However, in some cases, especially after an inter-forest migration, the mS-DS-ConsistencyGuid might contain the objectGUID from the original forest. This ensures consistency and compliance even after migration.
2. In Microsoft Entra Connect Sync Metaverse (SQL Express or SQL Database):
   • sourceAnchor = base64(mS-DS-ConsistencyGuid): During synchronization, Microsoft Entra Connect Sync converts the mS-DS-ConsistencyGuid into a base64-encoded string. This encoded string is known as the sourceAnchor .
3. In Microsoft Entra ID / Microsoft 365:
   • ImmutableID = sourceAnchor: sourceAnchor is then used as the ImmutableID in Microsoft Entra ID/Microsoft 365. This ImmutableID is a permanent, unchangeable identifier that ensures the user's identity remains consistent across both on-premises and cloud environments.

Convert synced user to cloud only user in Microsoft 365

As mentioned above, the immutableID is what binds an AD object to a cloud object. As the name implies, this link is normally immutable (=cannot be changed). However, there may be cases where you want to convert a synchronized user to a cloud-only user. It is therefore necessary to break this link, which means to delete this immutableID in the cloud.

1. Move the AD Object Outside of Synchronization: Start by moving the user object to a non-synced Organizational Unit (OU).
2. Wait for the Next Synchronization: Allow time for the next scheduled synchronization to occur. If you prefer, you can manually trigger synchronization using the Start-ADSyncSyncCycle command.
3. Verify remove: Go to Microsoft Entra ID > Users > Deleted Users and check the user is deleted. If you prefer, you can use the Microsoft 365 admin > Deleted users

4. Restore the User in Microsoft Entra ID: Navigate to the deleted user in Microsoft Entra ID (or Microsoft 365 Admin Center), click on the user, and select Restore.

5. Convert the User: Use PowerShell and Microsoft Graph to set the OnPremisesImmutableID = $null. Ensure you have at least the following Microsoft Graph modules installed:Microsoft.Graph.Authentication and Microsoft.Graph.Users

Connect-MgGraph -Scopes 'User.ReadWrite.All'

# Fill with the user's UserPrincipalName 
$upn = [email protected]

Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/Users/$upn" -Body @{OnPremisesImmutableId = $null } -ErrorAction Stop

6. Your user is now cloud-only.

Warning: If you move the AD user back to a synced OU, Entra Connect Sync will recreate the link and redefine the ImmutableID.