When you remove a user from Entra Connect Sync scope by changing their OU and letting the sync engine process the deletion, Entra ID treats that as a hard delete of the synced object. When you later restore the user from Deleted Users, you are not “converting” the original object. You are creating a new cloud-only object with a new Entra ObjectId. Even if the UPN, SMTP address, and display name are identical, it is a different identity internally.
That is why you are seeing private channel access loss, Teams phone number removal, Azure Virtual Desktop access issues, and profile recreation. All of those workloads bind to the Entra ObjectId, not the UPN. When the ObjectId changes, permissions, role assignments, and workload bindings that referenced the original object no longer apply.
If instead you permanently disable Entra Connect Sync at the tenant level, the behavior is different. When you turn off directory synchronization globally, existing synced users are converted in place from “synced” to “cloud-managed.” The objects are not deleted and recreated. Their Entra ObjectId remains the same. Because the identity object is preserved, private channel membership, Teams voice assignments, RBAC role assignments, AVD access, and other bindings remain intact.
So the technical difference is this: removing users from sync scope causes object deletion and recreation, resulting in a new ObjectId. Disabling Entra Connect Sync tenant-wide changes the source-of-authority flag but preserves the same object and ObjectId.
If your long-term goal is to be fully cloud-managed, tenant-wide sync disablement is significantly less disruptive than converting users individually by OU removal. The per-user removal method will consistently produce the identity break you are observing because each user effectively becomes a new Entra object.
Before disabling sync, you should confirm that no attributes still require on-premises authority, such as Exchange hybrid attributes, msDS consistency requirements, or applications depending on on-prem AD. But strictly from an identity continuity standpoint in Entra ID and Microsoft 365 workloads, disabling Entra Connect Sync globally preserves identity integrity, while per-user descope and restore does not.
hth
Marcin
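
An added example, not part of the answer above: one way to check identity continuity is to export users before and after the change and compare ObjectIds per UPN, then list the assignments that still point at ObjectIds that no longer exist. The field names `id`, `userPrincipalName` and `principalId` follow Microsoft Graph; the users, GUIDs and resource names are constructed sample data, and the function names are hypothetical.

```python
"""Compare two directory snapshots and flag users whose ObjectId changed."""

# Constructed sample data (not from a real tenant). `id` is the Entra ObjectId.
ID_A = "11111111-aaaa-4000-8000-000000000001"
ID_B = "11111111-aaaa-4000-8000-000000000002"
ID_C = "11111111-aaaa-4000-8000-000000000003"
ID_B_NEW = "22222222-bbbb-4000-8000-000000000099"

BEFORE_USERS = [
    {"id": ID_A, "userPrincipalName": "alice@contoso.example"},
    {"id": ID_B, "userPrincipalName": "bob@contoso.example"},
    {"id": ID_C, "userPrincipalName": "carol@contoso.example"},
]
AFTER_USERS = [
    {"id": ID_A, "userPrincipalName": "alice@contoso.example"},    # same object
    {"id": ID_B_NEW, "userPrincipalName": "Bob@contoso.example"},  # same UPN, new object
]                                                                  # carol is gone
ASSIGNMENTS = [  # exported before the change; each binds to an ObjectId, not a UPN
    {"principalId": ID_A, "resource": "AVD-HostPool-Users"},
    {"principalId": ID_B, "resource": "AVD-HostPool-Users"},
    {"principalId": ID_B, "resource": "Teams-PrivateChannel-Finance"},
    {"principalId": ID_C, "resource": "RBAC-Reader"},
]

def classify(before, after):
    """Map each pre-change UPN to 'preserved', 'recreated' or 'missing'."""
    after_by_upn = {u["userPrincipalName"].lower(): u for u in after}
    result = {}
    for user in before:
        upn = user["userPrincipalName"].lower()
        match = after_by_upn.get(upn)
        if match is None:
            result[upn] = "missing"
        elif match["id"].lower() == user["id"].lower():
            result[upn] = "preserved"
        else:
            result[upn] = "recreated"  # identical UPN, different ObjectId
    return result

def orphaned_assignments(before, after, assignments):
    """Return (upn, resource) pairs whose principalId no longer exists."""
    live_ids = {u["id"].lower() for u in after}
    upn_by_old_id = {u["id"].lower(): u["userPrincipalName"].lower() for u in before}
    return sorted((upn_by_old_id[a["principalId"].lower()], a["resource"])
                  for a in assignments
                  if a["principalId"].lower() in upn_by_old_id
                  and a["principalId"].lower() not in live_ids)

if __name__ == "__main__":
    print(classify(BEFORE_USERS, AFTER_USERS))
    print(orphaned_assignments(BEFORE_USERS, AFTER_USERS, ASSIGNMENTS))
```

Running the comparison on a small pilot group before changing the whole tenant shows which path preserves ObjectIds in your environment and which assignments would need to be re-created.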