Convert selected (not all users) On Prem users to cloud only without changing their password

auspal 0 Reputation points
2024-04-04T22:45:22.7766667+00:00

Hi,

We want to convert some of the users in on-prem AD to cloud only without having to change/reset their password and retain their existing password.

We got the idea to move user object to OU that is not synced and restore from AAD which asks to reset/create password but we want to retain password minimising disturbance on user-end.

We do not want to convert all users on AD as well so it will be selected users. Is there a way to convert on-prem users to cloud only without changing their password. Any recommendations on third party migration tool will be highly appreciated as well.

Thank You!

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,160 questions
Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,886 questions
Windows 365 Enterprise
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,534 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Marilee Turscak-MSFT 33,951 Reputation points Microsoft Employee
    2024-04-04T23:31:21.3233333+00:00

    Hi @auspal ,

    If you need to restore the specific users, it is a requirement to recreate the passwords. I'm not aware of a third party tool that would remove this dependency.

    Otherwise if you have Password Hash Sync (PHS) enabled, users will directly authenticate from Entra ID and you don't need to perform any additional steps for the password to be synchronized for the cloud-only users. You could configure selective password hash sync to exclude specific users from password hash sync if you needed to.

    https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/how-to-connect-selective-password-hash-synchronization