
Migrate user account to AAD and decom on prem AD account?

Giles Phillips 0 Reputation points
2026-03-06T16:27:19.56+00:00

How can I migrate a user's account from on-premises AD to AAD only?

Microsoft Security | Microsoft Entra | Other

1 answer

Q&A Assist
    2026-03-06T16:28:02.6+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    To move a user from on-premises Active Directory (AD) to Microsoft Entra ID (Azure AD) as a cloud-only account and then decommission the on-premises account, follow a staged approach:

    1. Plan the source of authority change
    • Decide whether the organization is moving broadly from on-premises identity to cloud identity (for example, decommissioning AD FS, Exchange, Skype for Business, or even AD DS itself) or just handling a single user.
    • If the long-term goal is to decommission on-premises identity infrastructure, plan for:
      • Migrating authentication from AD FS or other federation to cloud authentication in Microsoft Entra ID.
      • Migrating applications and groups to Microsoft Entra ID.
    2. Ensure the user is fully represented in Microsoft Entra ID
    • If directory synchronization is still enabled (Entra Connect or Cloud Sync), the user object in Entra ID is typically mastered on-premises.
    • Before turning the user into a cloud-only identity, ensure:
      • All required attributes and group memberships are known.
      • Any application provisioning flows that depend on on-premises AD are identified and, where possible, moved to Entra ID–based provisioning.
    3. Move group and application provisioning logic to Entra ID
    • For groups used only for cloud access, transfer the group Source of Authority (SOA) to the cloud and manage membership in Entra ID:
      • For groups that no longer need an on-premises footprint, use Group SOA transfer to make them cloud-only and then delete the corresponding group from AD DS.
      • For groups that still need an on-premises footprint, convert them to universal groups, use Group SOA to make them cloud-editable, and configure group provisioning back to AD DS so on-premises membership stays in sync.
    • Where possible, replace on-premises business logic that assigns users to groups with:
      • Dynamic membership groups in Entra ID.
      • Self-service group management instead of Microsoft Identity Manager–based self-managed groups.
    • For application provisioning:
      • Prefer apps that integrate with the Microsoft Entra application gallery.
      • Use SCIM 2.0–based provisioning for compatible SaaS apps.
      • Use Microsoft Entra on-premises application provisioning for on-premises apps that support ECMA connectors.
    4. Convert the user to cloud-only
    • When ready to remove on-premises dependency for the user:
      1. Turn off directory synchronization for the tenant only when the broader migration is complete and the organization is ready to manage users directly in Entra ID.
      2. After sync is disabled and the user object is no longer mastered on-premises, the user becomes manageable as a cloud-only object.
    5. Clear legacy on-premises attributes on the user
    • After the user is cloud-only and sync is disabled, clear on-premises attributes that can cause issues in Windows, Intune, Outlook, and hybrid device join scenarios.
    • Use Microsoft Graph (beta) Update User to set the following attributes to null for the migrated user:
      • onPremisesDistinguishedName
      • onPremisesDomainName
      • onPremisesImmutableId
      • onPremisesSamAccountName
      • onPremisesSecurityIdentifier
      • onPremisesUserPrincipalName
    • Required roles in Entra ID to update these attributes:
      • User Administrator, or
      • Hybrid Identity Administrator
    • Required application permission for automation:
      • User.ReadWrite.All
    6. Decommission or disable the on-premises AD account
    • Once the user is fully functional as a cloud-only identity and all required access is provided via Entra ID:
      • Disable the corresponding on-premises AD account first and monitor for any breakage (line-of-business apps, legacy file shares, etc.).
      • If no dependencies remain and the broader strategy is to remove on-premises identity, delete the on-premises account as part of decommissioning AD DS.
    7. Broader decommissioning considerations (optional but related)
    • If the environment also uses AD FS, Exchange, or Skype for Business, align the user migration with:
      • Migration from AD FS to cloud authentication in Microsoft Entra ID.
      • Migration of applications from AD FS to Microsoft Entra ID.
      • Cleanup of Skype for Business or other hybrid attributes and decommissioning of those on-premises services.

    References:

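Steps 5 and 6 of the answer above (clear the legacy onPremises* attributes through the Graph beta Update User call, then disable the on-premises account before deleting it) as one worked PowerShell script. This is an added example and not code from the Q&A answer or from Microsoft; it assumes the Microsoft.Graph and ActiveDirectory modules are installed, that the caller holds the User Administrator or Hybrid Identity Administrator role, and that tenant directory synchronization has already been turned off. `$UserPrincipalName` and `$OnPremSamAccountName` are placeholders supplied by the caller. The script refuses to proceed while `onPremisesSyncEnabled` is still true, because a synced object is mastered on-premises and the PATCH would be rejected or overwritten on the next sync cycle.

```powershell
# Added example (not from the Q&A answer or Microsoft docs): verify the user is
# no longer directory-synced, clear the six legacy onPremises* attributes with a
# single Graph beta PATCH, then disable (not delete) the matching AD DS account.
# Assumes: Microsoft.Graph + ActiveDirectory modules, User Administrator or
# Hybrid Identity Administrator role, and tenant sync already turned off.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,    # placeholder, e.g. jdoe@contoso.example
    [Parameter(Mandatory)] [string] $OnPremSamAccountName  # placeholder, e.g. jdoe
)

# The attributes listed in the answer; all are set to JSON null in one request.
$legacyAttributes = @(
    'onPremisesDistinguishedName',
    'onPremisesDomainName',
    'onPremisesImmutableId',
    'onPremisesSamAccountName',
    'onPremisesSecurityIdentifier',
    'onPremisesUserPrincipalName'
)

# User.ReadWrite.All is the permission the answer names for this update.
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

# Step 1: read current state. Invoke-MgGraphRequest returns a hashtable, so the
# attributes can be indexed by name below.
$select = 'id,userPrincipalName,onPremisesSyncEnabled,' + ($legacyAttributes -join ',')
$getUri = 'https://graph.microsoft.com/beta/users/{0}?$select={1}' -f $UserPrincipalName, $select
$user   = Invoke-MgGraphRequest -Method GET -Uri $getUri

if ($user.onPremisesSyncEnabled -eq $true) {
    throw "$UserPrincipalName is still directory-synced; disable sync before clearing attributes."
}

# Show what is about to be cleared so the operator can record it before the change.
foreach ($attr in $legacyAttributes) {
    '{0,-32} {1}' -f $attr, $user[$attr]
}

# Step 2: build the PATCH body. A PowerShell $null serialises to JSON null,
# which is what removes the value; an empty string would not.
$body = @{}
foreach ($attr in $legacyAttributes) { $body[$attr] = $null }

$patchUri = 'https://graph.microsoft.com/beta/users/{0}' -f $user.id
Invoke-MgGraphRequest -Method PATCH -Uri $patchUri -Body $body -ContentType 'application/json'

# Step 3: re-read and fail loudly if anything is still populated.
$after    = Invoke-MgGraphRequest -Method GET -Uri ('https://graph.microsoft.com/beta/users/{0}?$select={1}' -f $user.id, $select)
$stillSet = $legacyAttributes | Where-Object { $null -ne $after[$_] }
if ($stillSet) { throw "Attributes still populated in Entra ID: $($stillSet -join ', ')" }

# Step 4: disable, do not delete, the on-premises account and stamp the reason,
# so breakage found during the monitoring window can be reversed with Enable-ADAccount.
Import-Module ActiveDirectory
$adUser = Get-ADUser -Identity $OnPremSamAccountName -Properties Description
$stamp  = 'Migrated to Entra cloud-only {0:yyyy-MM-dd}; pending decommission. Was: {1}' -f (Get-Date), $adUser.Description
Set-ADUser -Identity $adUser -Description $stamp
Disable-ADAccount -Identity $adUser

Write-Host "Cleared $($legacyAttributes.Count) attributes on $UserPrincipalName and disabled AD account $OnPremSamAccountName."
```

Run it once per migrated user, e.g. `.\Convert-ToCloudOnly.ps1 -UserPrincipalName jdoe@contoso.example -OnPremSamAccountName jdoe` (script name and values are placeholders). Deleting the AD DS object is deliberately left out: the answer's sequence is disable first, watch line-of-business apps and file shares for breakage, and only delete as part of the wider AD DS decommissioning.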
