Migrating users from on-prem AD to Entra ID

Question

Hi,

Users and groups in the AD child domain in my forest don't sync properly to Entra ID anymore.

We want to phase out the AD child domain, but keep the users in Entra ID. I was hoping that unchecking the the child domain in the Entra ID sync properties would convert the on-prem users to cloud users in Entra ID, but this doesn't seem to work. Unchecking the child domain removes all users and groups of this domain from Entra ID.

Is there a way to convert the on-prem user accounts and groups of only the child domain to cloud accounts?

Thank you for your suggestions in advance.

Answer 1

Hi Romar,

If you are never planning to sync these accounts again, you could use MSOL to break the ImmutableId (just know that there is no going back after this).

Get-MsolUser -UserPrincipalName “user@email.com” | Set-MsolUser -ImmutableId $null

---

If this is helpful please accept as answer or upvote.

Best regards,

Dillon Silzer, Director | Cloudaen.com | Cloudaen Computing Solutions

Answer 2

Hi Dillon,

Thank you for your reply.
Is script you provided still working? I get the error below:
Set-MsolUser : Unable to update parameter. Parameter name: IMMUTABLEID.
" subdomain.onmicrosoft.com" | Set-MsolUser -ImmutableId "$null"

**+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

• CategoryInfo : OperationStopped: (:) [Set-MsolUser], MicrosoftOnlineException**

+ FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.PropertyNotSettableException,Microsoft.Online

.Administration.Automation.SetUser

I've read that this command is depreciated since March 2024 and that MS Graph should be used.

Best regards
Romar

Answer 3

@Romar

Thank you for posting this in Microsoft Q&A.

To move child domain users to cloud only, you will have to break the link between on-premises and Azure AD. Entra connect will not be functional to sync objects from Azure AD to cloud.

To stop the sync you will have stop the AD connect service on the on-premises server or you can run command "Set-ADSyncScheduler -SyncCycleEnabled $false" in PowerShell on Entra connect server.

Post this you will still not be able to manage previously synced user objects in Azure AD. To manage these users you will have to follow below steps,

• Open Windows PowerShell as administrator.
• Run command "Install-module msonline"
• Connect-Msolservice
• Above command will prompt for credentials. You can enter global admin credentials in the prompt.
• Post this you can run command Set-MsolDirSyncEnabled -EnableDirsync $False
• Above command will change all users as "cloud only" users. This will let you manage user objects in Azure AD itself.

Note: Above command will convert root domain users as well to cloud only.

Once this is done you have to remove the child domain from Entra connect sync by unchecking the domain from domain selection in on-premises connector, so that Entra connect will not sync child domain users again.

But once you run sync root domain users will again join back and the status of root domain users in Entra will show up as on-premises directory.

Note: Try this in your test environment first and then implement it in your PROD environment if this works.

Let us know if you have any further questions.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.