This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 9%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGV%3C/text%3E%3C/svg%3E)
Hi, Is it possible to convert a synced user to a cloud only user when disabling the account in the on premise environment? in some cases the mailbox will be made available for a certain time as a shared mailbox, but we would like to remove unnecessary on-prem user accounts. But stopping the sync for a single user is (by my knowledge) not that straightforward. if it would be possible when a user is disabled to convert the synced online account to cloud only with logon disabled that would be ideal. Similar question:
https://learn.microsoft.com/en-us/answers/questions/839405/convert-synced-to-cloud?source=docs
@Glenn Vanderborght
I just wanted to check in and see if you had any other questions or if you were able to resolve this issue?
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(246.4, 5%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEI%3C/text%3E%3C/svg%3E)
Shot MS, still no process to get this done. Gee, who would have thought there'd be demand for such a process.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Unfortunately, converting a synced user object to a cloud-only still not supported at this time. The only method to convert a synced object to cloud-only is to disable directory synchronisation, but this action will convert also all synced objects.
Please don't forget to accept helpful answer
Just checking if there is any other question or progress ?
Please don't forget to accept helpful answer
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(265.6, 78%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMK%3C/text%3E%3C/svg%3E)
Does this method also require us to wait for 15-20 mins and then move the user from deleted container to user's container in Azure manually?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
Thank you for posting this in Microsoft Q&A.
As Thameur mentioned above, changing the user status for particular user to cloud only is not available at this moment.
However, you can perform below steps which will help you in changing the user status for particular to In Cloud in Azure.
This method works but incurs a delay of 10-20 minutes per user while Azure processes the restoration.
Apart from this you can also use the option that Thameur has mentioned above in his answer.
Let me know if you have any further questions.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(160, 40%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESW%3C/text%3E%3C/svg%3E)
This all good but there is one important item to also consider. You still need to clear the unmutable ID field, and after you are still left with 3 additional ones (onPremisesSamAccountName, onPremisesSecurityIdentifier, onPremisesDistinguishedName) they will prevent the correct cloud only SSPR because they are read only fields. These can only be done by Microsoft Support. So if you dont clear those the SSPR logs will show Status InternalError and the OnPremisesAgent will be showing as AADConnect.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(179.20000000000002, 69%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMG%3C/text%3E%3C/svg%3E)
I would also not recommend this procedure since it creates problems with SSPR and, in some cases, hard to troubleshoot toast notifications related to Windows Hello.
What I'm in the process of doing is shut down the connector once our local AD is not needed anymore and communicate with Microsoft to remove On-Premises attributes from our users in Entra ID.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 38%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKI%3C/text%3E%3C/svg%3E)
@Sandeep G-MSFT
I know this is "old" but my question is still, is this then supported? by Microsoft, as this is a need all us that still have a Hybrid setup going do have.
/Karsten Vendler
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 68%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Yes please, me too, I am hybrid and the need to convert an account to cloud only is arising. Warning to anyone attempting those steps above, they leave out a detail. I performed the steps above, and it works in making the account Cloud only. Except that during the restore process it prompts you to reset the password, and it succeeds in restoring the account but fails in resetting the password. I attempted multiple times to reset the password, either auto gen, or set it myself, with and without clikcing the require user to change on first sign in. Every attempt to reset the password fails. I did not contact MS support to clear out those onprem attributes listed by Szilvia and Mike. So SSPR not working, since they are probably still read only. :(
@RADnyc We use SSO and MFA you think it will have the seme "result"?
/Karsten Vendler
I got onto Microsoft and after about 3 weeks or so this was no longer the case. I can do the above steps "Migrate users to the cloud" and the SSPR and Admin password reset from Azure AD works fine. Let me know if anyone needs the exact steps.
@Szilvia Walsh You please post it, for all to see incl. me ;-)
Warning:
1, VDI access after account migration
cloud only Microsoft Entra ID accounts are not tied to an Active Directory to authenticate against it. [example : if you have azure servers (e.g. VDIs) joined to the on-prem domain you are migrating your users from, the accounts wont be able to authenticate against them. So you have to use something like Microsoft Entra Domain Services to use for authentication, you need new VMs created and joined to this, so they can connected to them, to get granular with ME DS you will need a DC built too. (FYI , ME DS only has a one way sync from Azure AD so you wont be able to modify accounts there, the DC is handy only for access control)
2, Azure File Shares access after account migration
If you have File Shares in Azure and the Identity -based access is configured as Active Directory Domain Services then this will have to change, then you will have to change this. but the users on either side wont have access if this is a phased migration.
(So you might have to replicate it off peak time and then configure the new with access to everyone (with ME DS it should work for on-prem and cloud users too because it replicates everything from Microsoft Entra ID)
3, Price
Don't forget to weigh up costs and it its worth it for your company, Active Directory Domain Services is not free.
Migration scenario:
This result is based on the following set up:
Migration steps we used:
Create a bin in the On-Prem AD and name it something like "Migrated users", or "not synced users", then in the AD Connect server, configure this folder for no sync.
Create a test account in the on prem AD, run a delta sync and assign a license (if you have O365 licenses from the admin center, send a few emails, create some documents in OneDrive, and set up authentication for the test account (so it is like a real one with data)
Move the test user account to the "Migrated users", or "not synced users" bin
Open PowerShell as am admin on a server that has connection to MSOl
run the following commands:
Connect to MSol Service: Connect-MsOlSerive
Restore-MsolUser -UserPrincipalName ******@yourdomain.com
Check ImmutableID with this command:
Get-MsolUser -UserPrincipalName ******@yourdomain.com -ImmutableID
Delete the ImmutableID with the following script:
Set-MsolUser -UserPrincipalName ******@yourdomain.com -ImmutableID "$null"
Once the account is restored in Azure AD try and login to it and see if the emails are still there and files. They should be.
the password reset should from from Azure AD for admins but it is system controlled and picked so you cannot set a specific one as admin for a user.
(it will just show what to share with a user as a onetime password)
SSPR: we used this link and had no issues changing passwords as a user for these test cloud migrated users: https://aka.ms/sspr
If the SSPR does not work, you need to get onto MS, they said they had a good few clients who reported what we did about not being able to reset PW for migrated accounts, they had to work client by client on it, so i don't think a world wide fix for this was rolled out to help everyone.
Also the above is only something that we figured out and what worked for us, might not suit everyone's scenario and needs.
Thank you Szilvia Walsh for this thorough guide as you used it, and I appreciate the warnings you give us, but it is good to know that “others” have the same struggles with this, and yes every setup is different so one can not just copy from each other 😉
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 54%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
The easiest way is to delete the user from on-premises and then perform a sync. After that, you'll find the user in the cloud under "Deleted Users" — restoring them will create a cloud-only user.
