On-Premise AD Account Convert to M365 Account

Jin 0 Reputation points
2025-05-20T07:02:43.33+00:00

Hi,

I have an Azure VM running Server 2012 and it's performing AAD sync to an M365 tenant.

Currently, the AD server is outdated and we plan to decommission it. Before doing so, I need to convert the on-premises accounts to M365 cloud accounts.

I found the following command from the M365 community:

Set-MsolDirSyncEnabled -EnableDirSync $False

Could any experts please advise on this? I’m concerned that running this PowerShell command might delete the on-premises accounts from the M365 tenant.

Thanks

Jin

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Akpesiri Ogbebor 2,530 Reputation points
    2025-05-20T08:30:46.79+00:00

    Hello Jin,

    Thanks for contacting MS Q&A. I will assist you with resolving your issues regarding decommissioning the on-premises server users' accounts and making the users' accounts cloud-only.

    You're absolutely right to proceed with caution — disabling directory synchronization (DirSync) without proper preparation can result in loss of user management capabilities or even account deletions, depending on how things are configured.

    What Set-MsolDirSyncEnabled -EnableDirSync $False Does:

    This command disables Azure AD Connect synchronization between your on-premises Active Directory and Microsoft 365 (Azure AD). Once disabled:

    • Existing users synced from on-premises become “cloud-managed” accounts — meaning you can now edit them directly in Microsoft 365 (Azure AD).
    • However, if not done correctly, there's a risk those synced accounts may get deleted or deactivated.

    Safe Steps to Convert Synced Users to Cloud-Only Accounts

    To safely decommission your on-prem AD and retain the M365 accounts, follow these best practices:

    1. Confirm All Users Are in Sync and Stable: Ensure no sync issues exist:
       Start-ADSyncSyncCycle -PolicyType Delta
       Then verify in the Microsoft 365 Admin Center or Azure AD that all users have source = Windows Server AD.
    2. Export a Backup of User Details: Use PowerShell or Azure AD to export all user objects as a precaution:
       Get-MsolUser | Select-Object DisplayName, UserPrincipalName, ImmutableId | Export-Csv users-backup.csv -NoTypeInformation
    3. Clear ImmutableId (Optional But Safer): If you want users to become native cloud accounts, it’s highly recommended to clear their ImmutableId first, before disabling DirSync:
       Get-MsolUser -All | where {$_.ImmutableId -ne $null} | ForEach-Object {
           Set-MsolUser -UserPrincipalName $_.UserPrincipalName -ImmutableId $null
       }
       This breaks the sync link for each user while keeping their cloud account intact.
    4. Disable DirSync: Once all accounts are cleared of ImmutableId, run:
       Set-MsolDirSyncEnabled -EnableDirSync $false
       This tells Microsoft 365 that you're no longer syncing users from on-prem.
    5. Wait for Sync Disable to Take Effect: This may take up to 72 hours but is usually done within 24 hours. You can check status with:
       (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
    6. Confirm Accounts Are Now Cloud-Managed: Check in Azure AD or M365 Admin Center — accounts should now be editable in the cloud, and source should change to "Azure Active Directory".

    Note: Do Not Just Disable DirSync Without Clearing ImmutableId. If you run the command without first clearing ImmutableId, Azure AD may see those users as orphaned and could soft-delete them.

    I hope this helps.

  2. Moosa Khan 595 Reputation points Microsoft External Staff Moderator
    2025-05-20T22:33:11.7066667+00:00

    Hello Jin,

    Disabling Directory Synchronization applies at the domain level and cannot be targeted at individual users.

    Currently, converting a single user to cloud-only through a direct command is not supported.

    However, if you need to convert a specific user to cloud-only, you can follow this alternative approach:

    1. Move the user to an Organizational Unit (OU) that is not included in the sync scope.
    2. Run a delta synchronization (Start-ADSyncSyncCycle -PolicyType Delta).
    3. After the sync, the user will appear in the Deleted Users section of the Entra ID portal.
    4. Restore the user from the Deleted Users list. Upon restoration, you'll notice the on-premises property is set to “No”, indicating that the user is now cloud-only.

    Recommendation: Please test this process with a non-production user account first; it is also recommended to perform these changes outside business hours to avoid service interruptions.

    Regarding the "Access denied" error: it occurs because MSOL has been deprecated; try using the Graph API or the mggraph cmdlets.

    Action required: MSOnline and AzureAD PowerShell retirement - 2025 info and resources | Microsoft Community Hub

    If you want to clear the immutable ID, here are the commands:

    Install-Module Microsoft.Graph -Scope CurrentUser
    Import-Module Microsoft.Graph.Users
    Connect-MgGraph -Scopes "User.ReadWrite.All"
    Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/Users/******@xxxx.xxxx" -body '{"OnPremisesImmutableId": null}'
    [Screenshot: output of the commands above]

    Restore the user from the Deleted Users section after moving the user to a non-synced OU:
    [Screenshot]

    After using the above commands:
    [Screenshot]
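The pre-flight checks both answers describe (back up user details, confirm which accounts are still synced, clear a stale ImmutableId, and read the tenant's DirSync state) carried out with the Microsoft Graph PowerShell SDK rather than the retired MSOnline module. This is an added example, not code from either answer; it assumes the Microsoft.Graph module is installed, and the CSV path and the helper function name are my own choices.

```powershell
# Added example: Graph-based inventory before disabling directory sync.
# Assumes Microsoft.Graph is installed and the signed-in admin can consent to these scopes.
Connect-MgGraph -Scopes "User.ReadWrite.All", "Organization.Read.All"

# Tenant-level state: Graph equivalent of (Get-MsolCompanyInformation).DirectorySynchronizationEnabled
$org = Get-MgOrganization
"Tenant DirSync enabled: $($org.OnPremisesSyncEnabled)"

# Snapshot every user with the two properties that define the sync link.
# Keep this CSV before touching anything; it is the rollback record.
$props = "Id", "DisplayName", "UserPrincipalName", "OnPremisesImmutableId", "OnPremisesSyncEnabled"
$users = Get-MgUser -All -Property $props | Select-Object $props
$users | Export-Csv -Path .\users-backup.csv -NoTypeInformation   # path is an assumption

# Classify: still mastered on-prem, cloud-only but carrying a stale ImmutableId, or clean cloud-only.
$synced = @($users | Where-Object { $_.OnPremisesSyncEnabled -eq $true })
$stale  = @($users | Where-Object { $_.OnPremisesSyncEnabled -ne $true -and $_.OnPremisesImmutableId })
$cloud  = @($users | Where-Object { $_.OnPremisesSyncEnabled -ne $true -and -not $_.OnPremisesImmutableId })
"Synced from AD: $($synced.Count)  Stale ImmutableId: $($stale.Count)  Cloud-only: $($cloud.Count)"

# Clear the ImmutableId only on users Graph no longer treats as on-prem mastered
# (Graph rejects this write on synced objects). The PATCH is the same call the second
# answer shows. Supports -WhatIf so the first run is a dry run.
function Clear-StaleImmutableId {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)] [object[]] $Users)   # hypothetical helper name
    foreach ($u in $Users) {
        if ($u.OnPremisesSyncEnabled -eq $true) {
            Write-Warning "$($u.UserPrincipalName) is still synced; move it out of the sync scope first."
            continue
        }
        if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, "Clear onPremisesImmutableId")) {
            Invoke-MgGraphRequest -Method PATCH `
                -Uri "https://graph.microsoft.com/v1.0/users/$($u.Id)" `
                -Body '{"onPremisesImmutableId": null}'
        }
    }
}

# Review the counts and the CSV first; rerun without -WhatIf to apply.
Clear-StaleImmutableId -Users $stale -WhatIf
```

Run it once while DirSync is still enabled to get the baseline counts, and again after the 24 to 72 hour wait to confirm OnPremisesSyncEnabled has flipped at both the tenant and the user level.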

