How to change User Account Type in Azure AD / Entra

Nicholas Henry 25 Reputation points
2024-04-09T00:22:47.6533333+00:00

We are trying to sync Office 365 with an outside app (3CX) using SSO. About 85% of the org syncs correctly and can use SSO. But the users that we can't sync have one thing in common. After digging through everything possible, I found that the user type for these accounts is blank where it should say Member. I have full global admin permissions in Office 365, but it isn't allowing me to change their user type from nothing to Member. We have a local AD server that syncs to Office 365. So I'm guessing something must be changed locally on our AD server to resolve this, as the option for me to change their account type is greyed out.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

Accepted answer
  1. James Hamil 27,221 Reputation points Microsoft Employee Moderator
    2024-04-10T20:40:42.4233333+00:00

    Hi @Nicholas Henry, to change the UserType attribute for users in Azure AD, you need to follow the steps mentioned in this document. However, before enabling synchronization of the UserType attribute, you must first decide how the attribute is derived from on-premises Active Directory. The following are the most common approaches:

    Designate an unused on-premises AD attribute (such as extensionAttribute1) to be used as the source attribute. The designated on-premises AD attribute should be of the type string, be single-valued, and contain the value Member or Guest.

    If you choose this approach, you must ensure that the designated attribute is populated with the correct value for all existing user objects in on-premises Active Directory that are synchronized to Azure AD before enabling synchronization of the UserType attribute.

    Alternatively, you can derive the value for the UserType attribute from other properties. For example, you might want to synchronize all users as Guest if their on-premises AD userPrincipalName attribute ends with the domain part @partners.fabrikam123.org.

    Once you have decided how the attribute is derived from on-premises Active Directory, you can add the UserType attribute mapping in Azure AD Connect.

    If you are unable to change the user type from nothing to Member in Office 365, it is likely because the UserType attribute is not enabled for synchronization in Azure AD Connect. You can check if the UserType attribute is enabled for synchronization by following the steps mentioned in the document "Azure AD Connect sync: Make a change to the default configuration". If the UserType attribute is not enabled for synchronization, you can enable it by following the steps mentioned in the document.

    If you are still unable to change the user type after enabling synchronization of the UserType attribute, it is possible that the attribute is being overwritten by another attribute in your local AD server. You can check the attribute values in your local AD server and ensure that the UserType attribute is not being overwritten by another attribute.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

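As an added example (not part of the answer above and not Microsoft's documentation), this is what the first approach looks like on the on-premises side before the UserType mapping is enabled in Azure AD Connect: stamp extensionAttribute1 on every synced user, deriving Guest from the partner UPN suffix the answer uses as illustration and Member for everyone else, and flag any user whose attribute already holds some other value, which would mean the attribute is not actually unused. The OU in $SyncedOU is an assumed placeholder; the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example: populate the source attribute for the UserType mapping on every synced user.
# Assumptions: RSAT ActiveDirectory module is installed; users that Azure AD Connect syncs
# live under $SyncedOU (placeholder, change to yours); extensionAttribute1 is otherwise unused.
Import-Module ActiveDirectory

$SyncedOU    = 'OU=Users,DC=corp,DC=example'   # assumed OU in scope of Azure AD Connect
$SourceAttr  = 'extensionAttribute1'           # unused, single-valued string attribute
$GuestSuffix = '@partners.fabrikam123.org'     # suffix from the answer's example
$WhatIf      = $true                           # set to $false to actually write the attribute

# Extension attributes are not returned by default, so request them explicitly.
$users = Get-ADUser -SearchBase $SyncedOU -Filter 'Enabled -eq $true' `
                    -Properties UserPrincipalName, $SourceAttr

$report = foreach ($u in $users) {
    # Derive the value: partner UPNs become Guest, everyone else Member.
    $desired = if ($u.UserPrincipalName -like "*$GuestSuffix") { 'Guest' } else { 'Member' }
    $current = $u.$SourceAttr

    # If the attribute already carries something other than Member/Guest, it is in use
    # for another purpose; do not overwrite it, report it instead.
    $conflict = -not [string]::IsNullOrEmpty($current) -and $current -notin 'Member', 'Guest'

    if (-not $conflict -and $current -ne $desired) {
        # -Replace sets the value whether the attribute is empty or holds Member/Guest already.
        Set-ADUser -Identity $u.DistinguishedName -Replace @{ $SourceAttr = $desired } -WhatIf:$WhatIf
    }

    [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        Current           = $current
        Desired           = $desired
        Conflict          = $conflict
    }
}

$report | Format-Table -AutoSize
$conflicts = @($report | Where-Object Conflict)
"Users to update: $(@($report | Where-Object { -not $_.Conflict -and $_.Current -ne $_.Desired }).Count); conflicts: $($conflicts.Count)"
```

Run it once with $WhatIf left at $true and resolve any conflicts before writing; only after every synced user shows Member or Guest in the report should the attribute mapping be added in Azure AD Connect, otherwise the flow would push an empty value into Entra ID. After the write, a delta sync (Start-ADSyncSyncCycle -PolicyType Delta on the Connect server) picks up the new values.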

1 additional answer

  1. Nicholas Henry 25 Reputation points
    2024-04-09T15:46:52.4+00:00

    Powershell

    # Install the AzureADPreview module for the current user and sign in with an admin account
    Install-Module -Name AzureADPreview -Scope CurrentUser
    Connect-AzureAD

    # List the first 1000 users and note the ObjectId of each one whose UserType is blank
    Get-AzureADUser -Top 1000 | Select-Object ObjectId, UserPrincipalName, UserType

    # Set the UserType on one of them (paste the ObjectId from the list above, without parentheses)
    Set-AzureADUser -ObjectId <ObjectId> -UserType "Member"

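The same cloud-side fix as the answer above, as an added example that is not part of the original post, done in bulk with Microsoft Graph PowerShell (the AzureAD and AzureADPreview modules are deprecated in favour of it): list every user whose UserType is blank, show whether each is synced from on-premises, and only write Member once the report has been reviewed. It assumes the Microsoft.Graph.Users module is installed and that the signing-in account can be granted User.ReadWrite.All.

```powershell
# Added example: find users whose UserType is blank and set them to Member with Microsoft Graph PowerShell.
# Assumptions: Microsoft.Graph.Users module installed; the account used can consent to User.ReadWrite.All.
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

$Apply = $false   # first run: report only; set to $true to write UserType

# Graph $filter does not handle a null userType well, so fetch the properties and filter locally.
$blank = @(Get-MgUser -All -Property Id, UserPrincipalName, UserType, OnPremisesSyncEnabled |
           Where-Object { [string]::IsNullOrEmpty($_.UserType) })

$results = foreach ($u in $blank) {
    $status = 'review'
    if ($Apply) {
        try {
            # UserType is not managed by the default Azure AD Connect rules, so the cloud
            # write is allowed even for synced users and is not overwritten on the next sync.
            Update-MgUser -UserId $u.Id -UserType 'Member'
            $status = 'set to Member'
        } catch {
            $status = "failed: $($_.Exception.Message)"
        }
    }
    [pscustomobject]@{
        UserPrincipalName     = $u.UserPrincipalName
        OnPremisesSyncEnabled = $u.OnPremisesSyncEnabled
        Status                = $status
    }
}

$results | Format-Table -AutoSize
"Users with blank UserType: $($blank.Count)"
```

Check the report for any account that should be a Guest before flipping $Apply, since the script writes Member unconditionally. If you later add the UserType mapping in Azure AD Connect as the accepted answer describes, the on-premises source attribute becomes authoritative and must hold Member or Guest for every synced user, or the sync will replace the value set here.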
