How to clear all On-premises attributes from previously synchronized Azure AD users

Denis Debijađi 20 Reputation points
2023-06-20T11:34:00.3166667+00:00

Hi,

Three years ago, we made a cut over to an on-premises domain with our Azure AD in order to have a cloud-only setup. Now we need to synchronize with the new Active Directory infrastructure and the new on-premises domain. Users in Azure AD that were synchronized from the old domain still have on-premises attributes, and Azure AD cannot synchronize them with users in the new on-premises domain because it obviously sees them as if they are already synchronized with a domain. I was trying to merge users, but it just tells me "The fix process failed to update the values" without any additional explanation. I also tried to make a hard match, but it just created a cloned user for me. Is there a way to delete those on-premises attributes or somehow force the merging of those users? Disputed attributes whose value still points to the wrong domain:

On-premises distinguished name

Extension attributes

On-premises immutable ID (changed after hard match attempt)

On-premises SAM account name

On-premises domain name


2 answers

  1. Jarvis Sun-MSFT 10,196 Reputation points Microsoft Vendor
    2023-06-21T06:29:18.5066667+00:00

    Hi Denis Debijađi ,

    Thanks for posting in our Q&A forum. Unfortunately, this information cannot be cleared using PowerShell or Graph. You can create an Azure AD support ticket requesting to clear all on-premises attributes from previously synchronized users on your tenant. The support team should be able to contact the product group with your tenant information and help you achieve this.

    Related thread: https://learn.microsoft.com/en-us/answers/questions/1058618/leftover-items-from-azure-ad-sync



    1 person found this answer helpful.

  2. areels 0 Reputation points
    2024-07-24T13:01:43.7733333+00:00

    I have just discussed this issue with a Microsoft engineer.

    It's true that it's possible to request deletion of these attributes from Microsoft, but only if dirsync is turned off.

    So if you're converting users to cloud-only by deleting and restoring them from Azure AD, keep in mind that it's not an officially supported way to do so.

    What needs to be done is turning off dirsync; that's the proper way of converting users to cloud-only. But in this case it will happen for all users, so you can't convert users to cloud-only one by one. It has to be all or none.

    By the way, the new Graph beta can finally see these attributes but can't delete them because they're read-only.

    This script will show the attributes and then fail to delete them:

    Update-MgBetaUser_UpdateExpanded: Property 'onPremisesSamAccountName' is read-only and cannot be set.
    Status: 400 (BadRequest)
    ErrorCode: Request_BadRequest
    Date: 2024-07-23T21:40:28
    Headers:
    Cache-Control : no-cache
    Vary : Accept-Encoding
    Strict-Transport-Security : max-age=31536000

    
    # Install the beta Graph SDK module
    Install-Module -Name Microsoft.Graph.Beta -AllowClobber
    # Import the module
    Import-Module Microsoft.Graph.Beta
    # Connect to Graph with a scope that permits user updates
    Connect-MgGraph -Scopes "User.ReadWrite.All"

    # Read the user and show its on-premises attributes
    $user = Get-MgBetaUser -UserId "user@domain.com"
    $user | Select-Object -Property OnPremisesSamAccountName, OnPremisesUserPrincipalName, OnPremisesDomainName, OnPremisesSecurityIdentifier, OnPremisesImmutableId

    # Try to clear the user attributes; this call fails with the
    # read-only error shown above
    Update-MgBetaUser -UserId $user.Id -OnPremisesSamAccountName $null -OnPremisesUserPrincipalName $null -OnPremisesSecurityIdentifier $null
    
    
    
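Since both answers route the actual clean-up through a support ticket, a read-only inventory of the affected accounts is a useful thing to attach to it. The following is an added example, not code from either answer or from Microsoft: it assumes the Microsoft.Graph.Beta module from the second answer is installed, covers only the scalar on-premises attributes (not the extension attributes), and writes to a constructed file name, `onprem-leftovers.csv`.

```powershell
# Added example: inventory only, nothing in the tenant is modified.
# Read-only scopes are enough; User.ReadWrite.All is not needed here.
Connect-MgGraph -Scopes "User.Read.All", "Organization.Read.All"

# Tenant-level directory sync state. The second answer states that the
# attributes can only be cleared once dirsync is turned off.
$org = Get-MgBetaOrganization
Write-Host "Tenant OnPremisesSyncEnabled: $($org.OnPremisesSyncEnabled)"

# Attributes that should be empty on a genuinely cloud-only account
$leftover = @(
    'onPremisesImmutableId', 'onPremisesSamAccountName', 'onPremisesDomainName',
    'onPremisesDistinguishedName', 'onPremisesSecurityIdentifier',
    'onPremisesUserPrincipalName'
)
$props = @('id', 'userPrincipalName', 'onPremisesSyncEnabled',
           'onPremisesLastSyncDateTime') + $leftover

$report = Get-MgBetaUser -All -Property $props | ForEach-Object {
    $u = $_
    # Names of the on-premises attributes that still hold a value
    $set = @($leftover | Where-Object { -not [string]::IsNullOrEmpty($u.$_) })
    if ($set.Count -gt 0) {
        [pscustomobject]@{
            UserPrincipalName    = $u.UserPrincipalName
            ObjectId             = $u.Id
            # True: still owned by a sync engine. Empty or False: cloud-managed
            # account that carries stale values from the old domain.
            SyncEnabled          = $u.OnPremisesSyncEnabled
            LastSync             = $u.OnPremisesLastSyncDateTime
            OnPremisesDomainName = $u.OnPremisesDomainName
            PopulatedAttributes  = $set -join ';'
        }
    }
}

# Stale accounts first, then export for the support ticket
$report | Sort-Object SyncEnabled, OnPremisesDomainName |
    Export-Csv -Path .\onprem-leftovers.csv -NoTypeInformation
Write-Host "$(@($report).Count) user(s) still carry on-premises attributes"
```

Rows where `SyncEnabled` is empty or False but `PopulatedAttributes` is not are the accounts described in the question: no longer synchronized, yet still pointing at the old domain.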
