Office 365 – Convert a Synced Azure User to Cloud Managed

1. Synced vs Cloud Managed

AD synced user accounts are very convenient as changes to the on-prem AD accounts are synced to Office365 automatically, for example password changes, name changes, etc. It is very handy in a user perspective, but because of these certain attributes cannot be edited in the cloud - like user passwords can only be reset on-prem - additional SMTP addresses only can be added using an Exchange server hosted on-prem that accesses the on-premises AD. Another option is editing the local AD manually with a tool like ADSIEdit, although that method is NOT supported by Microsoft.

If you want a user to be fully customizable, editable in the cloud you can convert it to cloud managed type. Note that if you do that, naturally no local AD changes will be synchronized to the cloud version of the user's profile!

2. Convert Individual Users to Cloud Managed

a. move the user to a non-syncing OU in the on-prem Active Directory. We move Alice from "alwayshotcafe.com/My Business/Users" (which is our only synchronized OU) to "alwayshotcafe.com/My Business/Not Syncing/Users".

Then trigger a sync cycle so we can proceed instantly.

PS C:\> Invoke-Command -ComputerName aad.alwayshotcafe.com -ScriptBlock {Start-ADSyncSyncCycle -PolicyType delta}

PSComputerName RunspaceId                           Result
-------------- ----------                           ------
aad            637b8dbd-cbe4-46c6-a52f-f9787bb61817 Success

b. That put Alice in a soft deleted state. Simply use the Restore-MsolUser cmdlet to re-activate the user.

PS C:\> Get-MsolUser -ReturnDeletedUsers

UserPrincipalName       DisplayName isLicensed
-----------------       ----------- ----------
Alice@AlwaysHotCafe.com Alice       False


PS C:\> Get-MsolUser -ReturnDeletedUsers | ? UserPrincipalName -like "Alice@AlwaysHotCafe.com" | Restore-MsolUser

UserPrincipalName       DisplayName isLicensed
-----------------       ----------- ----------
Alice@AlwaysHotCafe.com Alice       False

3. Verify User Connectivity

Alice should be able to use the cloud services just like before. The only difference now in an administrative perspective that her account is now fully managed in Office 365 (note that no LastDirSyncTime value is present in her account)

PS C:\> Get-MsolUser -all | Select UserPrincipalName,LastDirSyncTime | Sort LastDirSyncTime

UserPrincipalName                                       LastDirSyncTime
-----------------                                       ---------------
Sync_AAD_82b624986c30@alwayshotcafe2020.onmicrosoft.com
Alice@AlwaysHotCafe.com
admin@alwayshotcafe2020.onmicrosoft.com
Allen.Anthony@alwayshotcafe.com                         01/08/2020 07:27:12
Immanuel.Ortega@alwayshotcafe.com                       01/08/2020 07:27:12
Abigail.Love@alwayshotcafe.com                          01/08/2020 07:27:12
Pedro.Cruz@alwayshotcafe.com                            01/08/2020 07:27:12
Greta.Krause@alwayshotcafe.com                          01/08/2020 07:27:12
Dominic.Santiago@alwayshotcafe.com                      01/08/2020 07:27:12
Ronan.Donovan@alwayshotcafe.com                         01/08/2020 07:27:12
Elsie.Riley@alwayshotcafe.com                           01/08/2020 07:27:12
Elias.Zuniga@alwayshotcafe.com                          01/08/2020 07:27:12
Andy.Allison@alwayshotcafe.com                          01/08/2020 07:27:12
Walker.Stafford@alwayshotcafe.com                       01/08/2020 07:27:12
Crystal.Montes@alwayshotcafe.com                        01/08/2020 07:27:12
Ivy.Pope@alwayshotcafe.com                              01/08/2020 07:27:12
Tomas.Liu@alwayshotcafe.com                             01/08/2020 07:27:12
Trey.Harper@alwayshotcafe.com                           01/08/2020 07:27:12
Aaron.Mullen@alwayshotcafe.com                          01/08/2020 07:27:12
…