Synchronization process
In Microsoft 365, managing user identities across on-premises and cloud environments is crucial for seamless access and administration. One of the key concepts in this hybrid identity management is the ImmutableID.
The ImmutableID is a unique, unchanging identifier that links an on-premises Active Directory user with their Microsoft Entra ID (formerly known as Azure AD) counterpart. This immutability ensures consistent identity mapping even if other user attributes (UPN, display name, group membership) change.
Microsoft Entra Connect Sync (formerly Azure AD Connect) synchronizes on-premises directories with Microsoft Entra ID and uses the ImmutableID to match users between the two environments. This prevents duplicate objects and keeps identities consistent across both on-premises and cloud directories.

The diagram illustrates how user identities are synchronized between an on-premises Active Directory (AD) and Microsoft Entra ID/Microsoft 365 using Microsoft Entra Connect Sync.
In Active Directory:
- mS-DS-ConsistencyGuid: this attribute normally holds the same value as the user object's objectGUID (Entra Connect Sync writes the objectGUID into it when mS-DS-ConsistencyGuid is configured as the source anchor). In some cases, especially after an inter-forest migration, mS-DS-ConsistencyGuid contains the objectGUID from the original forest, so the anchor survives the migration even though the migrated object has a new objectGUID.
In the Microsoft Entra Connect Sync metaverse (SQL Express or SQL Database):
- sourceAnchor = base64(mS-DS-ConsistencyGuid): during synchronization, Microsoft Entra Connect Sync encodes the 16 raw bytes of mS-DS-ConsistencyGuid as a base64 string. This encoded string is the sourceAnchor.
In Microsoft Entra ID / Microsoft 365:
- ImmutableID = sourceAnchor: the sourceAnchor is stored as the ImmutableID (onPremisesImmutableId in Microsoft Graph) of the cloud user. This ImmutableID is a permanent identifier that keeps the user's identity consistent across the on-premises and cloud environments; on every sync cycle it is the value Entra Connect Sync uses to decide which cloud object an AD object maps to.
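The derivation above (objectGUID or mS-DS-ConsistencyGuid, base64-encoded, becomes the ImmutableID) can be reproduced locally, which is also what you need when you have to build a manual ImmutableID link. The following is an added example, not code from the original post; the GUID it converts is a constructed sample value, and the commented lines at the end assume the ActiveDirectory module and a user named jdoe.

```powershell
# Added example: derive an Entra ImmutableID from an AD GUID and back again.
# The GUID below is a constructed sample, not a real account.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][Guid]$ObjectGuid)
    # Entra Connect Sync base64-encodes the 16 raw attribute bytes. For a GUID
    # those bytes are exactly what [Guid]::ToByteArray() returns (the mixed-endian
    # on-disk layout, not the textual GUID form).
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    $bytes = [Convert]::FromBase64String($ImmutableId)
    # A GUID-derived anchor is always 16 bytes (24 base64 characters ending in '==').
    if ($bytes.Length -ne 16) { throw "ImmutableID does not decode to a 16-byte GUID" }
    [Guid]::new($bytes)
}

function Test-ImmutableIdMatch {
    # Returns $true when a cloud user's ImmutableID really points at this AD GUID.
    param([Parameter(Mandatory)][Guid]$ObjectGuid, [Parameter(Mandatory)][string]$ImmutableId)
    (ConvertTo-ImmutableId $ObjectGuid) -ceq $ImmutableId
}

$guid        = [Guid]'12345678-1234-1234-1234-123456789abc'   # constructed sample
$immutableId = ConvertTo-ImmutableId $guid
"objectGUID  : $guid"
"ImmutableID : $immutableId"
"round trip  : $(ConvertFrom-ImmutableId $immutableId)"
"matches     : $(Test-ImmutableIdMatch -ObjectGuid $guid -ImmutableId $immutableId)"

# Against a live domain (assumes the ActiveDirectory module and a user 'jdoe'),
# read the attribute Entra Connect Sync actually uses and fall back to objectGUID:
# $u = Get-ADUser -Identity jdoe -Properties objectGUID, 'mS-DS-ConsistencyGuid'
# $anchor = if ($u.'mS-DS-ConsistencyGuid') { [Guid]::new([byte[]]$u.'mS-DS-ConsistencyGuid') } else { $u.ObjectGUID }
# ConvertTo-ImmutableId $anchor
```

The comparison in Test-ImmutableIdMatch is case-sensitive (-ceq) on purpose: base64 is case-sensitive, and a mismatch in case is one of the ways a hand-typed manual link ends up pointing at nothing.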
Convert synced user to cloud only user in Microsoft 365
As mentioned above, the ImmutableID is what binds an AD object to a cloud object. As the name implies, this link is normally immutable (it cannot be changed). However, there may be cases where you want to convert a synchronized user to a cloud-only user. It is then necessary to break this link, which means clearing the ImmutableID in the cloud.
- Exclude the AD object from synchronization. There are several methods:
  - Either move the user object to a non-synchronized organizational unit (OU).
  - Or set the adminDescription attribute to a value starting with User_. Some sites recommend using User_DoNotSync, but technically any value starting with User_ is valid and triggers a default exclusion rule in Entra Connect Sync. Be careful with this method: if you want to resynchronize the user later, you may encounter AttributeValueMustBeUnique errors, which prevent Entra Connect Sync from linking the AD user to the cloud user, and you will have to make a manual ImmutableID link. Use it only if you want to convert the object to cloud-only definitively, with no possibility of going back.
- Wait for the next synchronization: allow time for the next scheduled synchronization to occur. If you prefer, you can trigger it manually with the Start-ADSyncSyncCycle command (Start-ADSyncSyncCycle -PolicyType Delta is enough).
- Verify removal: go to Microsoft Entra ID > Users > Deleted users and check that the user is now listed there (once the AD object leaves the sync scope, the sync cycle soft-deletes its cloud counterpart). If you prefer, use Microsoft 365 admin center > Users > Deleted users.

- Restore the user in Microsoft Entra ID: navigate to the deleted user in Microsoft Entra ID (or the Microsoft 365 admin center), click on the user, and select Restore. After the restore the object is no longer flagged as directory-synced, which is what allows the next step to succeed.

- Convert the user: use PowerShell and Microsoft Graph to set onPremisesImmutableId to $null. Ensure you have at least the following Microsoft Graph modules installed: Microsoft.Graph.Authentication and Microsoft.Graph.Users (the commands below only need Microsoft.Graph.Authentication, which provides Connect-MgGraph and Invoke-MgGraphRequest). A raw PATCH request is used rather than Update-MgUser because the cmdlet does not send a JSON null for a $null parameter, so the attribute would stay set.
# Sign in with a scope that allows writing user objects
Connect-MgGraph -Scopes 'User.ReadWrite.All'
# Fill with the user's UserPrincipalName (placeholder value)
$upn = 'user@example.com'
# PATCH the user with onPremisesImmutableId = null; the hashtable is serialized to JSON by Invoke-MgGraphRequest
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/users/$upn" -Body @{ onPremisesImmutableId = $null } -ErrorAction Stop
- Your user is now cloud-only. Querying the user again should return no onPremisesImmutableId and onPremisesSyncEnabled unset.

Warning: if you move the AD user back to a synced OU or remove the User_ value from adminDescription (depending on the method you chose), Entra Connect Sync will match the AD object to the cloud user again and set the ImmutableID back, turning the account into a synced user once more.
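The restore and convert steps, with the checks a practitioner wants around the PATCH, as one script. This is an added example, not the original post's code. It assumes Microsoft.Graph.Authentication is installed, that the AD object has already been excluded from sync and the sync cycle has soft-deleted the cloud user, and that the UPN is a placeholder to replace; the Directory.ReadWrite.All scope is requested for the restore call.

```powershell
# Added example: locate the soft-deleted user, restore it, confirm it is no
# longer directory-synced, clear the ImmutableID, and verify the result.

Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.ReadWrite.All' -NoWelcome

$upn = 'jdoe@contoso.com'   # placeholder, replace with the real UserPrincipalName

# 1. Find the soft-deleted user. Deleted items carry the original UPN with the
#    object id prepended, so match on the tail of the UPN and walk all pages.
$uri     = 'https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user?$select=id,userPrincipalName'
$deleted = @()
while ($uri) {
    $page    = Invoke-MgGraphRequest -Method GET -Uri $uri
    $deleted += $page.value | Where-Object { $_.userPrincipalName -like "*$upn" }
    $uri     = $page.'@odata.nextLink'
}
if ($deleted.Count -eq 0) { throw "$upn is not in Deleted users; has the sync cycle run yet?" }
if ($deleted.Count -gt 1) { throw "More than one deleted object matches $upn; resolve manually" }

# 2. Restore the object from the recycle bin.
$null = Invoke-MgGraphRequest -Method POST -Uri "https://graph.microsoft.com/v1.0/directory/deletedItems/$($deleted[0].id)/restore"

# 3. Guard: Graph refuses to change onPremisesImmutableId on an object that is
#    still directory-synced, so check the flag before attempting the PATCH.
$user = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$($upn)?`$select=id,onPremisesSyncEnabled,onPremisesImmutableId"
if ($user.onPremisesSyncEnabled) { throw "$upn is still directory-synced; the AD object is still in sync scope" }
"ImmutableID before: $($user.onPremisesImmutableId)"

# 4. Clear the ImmutableID. The hashtable is serialized to JSON, so $null is
#    sent as a JSON null, which is what removes the value.
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/users/$upn" `
    -Body @{ onPremisesImmutableId = $null } -ErrorAction Stop

# 5. Verify the link is really gone before handing the account back.
$after = Invoke-MgGraphRequest -Method GET -Uri "https://graph.microsoft.com/v1.0/users/$($upn)?`$select=onPremisesImmutableId"
if ($after.onPremisesImmutableId) { throw "ImmutableID is still set on $upn" }
"$upn is now cloud-only"
```

Keep the "before" value the script prints: if the conversion ever has to be reversed, that base64 string is the manual ImmutableID link you would set on the cloud user before putting the AD object back in scope.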