Making accounts AAD only

Question

A few years ago we started using Azure AD, as the situation is now, new users are created in the AD and synchronized with the AAD. However, we also employ a large group of volunteers, only provided with an E1 license, who in the current situation are also created in the AD and synchronized with the AAD, this causes a problem with renewing their passwords, they only logon online on devices of their own or devices for general use, these devices are not on the domain. Due to this AD-AAD construction, they cannot renew their password unless a writeback license is purchased. We believe that this is not necessary and it would unnecessarily expensive.

The volunteers have an E1 account and are not in certain rights groups. If they were in the AAD only then the problem would be solved.

The question is how do we get these accounts out from the AD into the AAD. According to our softwareadministrator, everything must first be removed from the AD and then re-created in the AAD, can anyone say if this is correct?

Kind regards,

Roel Staarink

Answer 1

The licensing requirement depends on how you want to do the renewal. For SSPR password writeback you do need the Premium P1 license. But if the users just change their passwords rather than reset them (not using SSPR but via Office 365 portal, My Apps, or the Windows 10 sign in page), you can just enable the password writeback option in Azure AD Connect.

If you want to have cloud-only Azure AD accounts then yes, you will need to remove the on-prem accounts re-create them in Azure. There are some limitations though to the cloud-only approach since it's not a full replacement for an on-premises Active Directory.

https://learn.microsoft.com/en-us/microsoft-365/enterprise/cloud-only-identities?view=o365-worldwide

https://learn.microsoft.com/en-us/azure/active-directory-domain-services/scenarios