1. Synced vs Cloud Managed
AD-synced user accounts are convenient because changes to the on-prem AD account, such as password or name changes, are synced to Office 365 automatically. That is handy from the user's perspective, but it also means certain attributes cannot be edited in the cloud: user passwords can only be reset on-prem, and additional SMTP addresses can only be added using an on-prem Exchange server that accesses the on-premises AD. Another option is editing the local AD manually with a tool like ADSIEdit, although that method is NOT supported by Microsoft.
If you want a user to be fully customizable and editable in the cloud, you can convert the account to the cloud managed type. Note that once you do that, local AD changes will no longer be synchronized to the cloud version of the user's profile!
2. Convert Individual Users to Cloud Managed
a. Move the user to a non-syncing OU in the on-prem Active Directory. We move Alice from "alwayshotcafe.com/My Business/Users" (which is our only synchronized OU) to "alwayshotcafe.com/My Business/Not Syncing/Users".
Then trigger a sync cycle so we can proceed right away.
PS C:\> Invoke-Command -ComputerName aad.alwayshotcafe.com -ScriptBlock {Start-ADSyncSyncCycle -PolicyType delta}

PSComputerName RunspaceId                           Result
-------------- ----------                           ------
aad            637b8dbd-cbe4-46c6-a52f-f9787bb61817 Success
b. That puts Alice in a soft-deleted state. Simply use the Restore-MsolUser cmdlet to reactivate the user.
PS C:\> Get-MsolUser -ReturnDeletedUsers

UserPrincipalName       DisplayName isLicensed
-----------------       ----------- ----------
Alice@AlwaysHotCafe.com Alice       False

PS C:\> Get-MsolUser -ReturnDeletedUsers | ? UserPrincipalName -like "Alice@AlwaysHotCafe.com" | Restore-MsolUser

UserPrincipalName       DisplayName isLicensed
-----------------       ----------- ----------
Alice@AlwaysHotCafe.com Alice       False
3. Verify User Connectivity
Alice should be able to use the cloud services just like before. The only difference, from an administrative perspective, is that her account is now fully managed in Office 365 (note that no LastDirSyncTime value is present on her account):
PS C:\> Get-MsolUser -all | Select UserPrincipalName,LastDirSyncTime | Sort LastDirSyncTime

UserPrincipalName                                       LastDirSyncTime
-----------------                                       ---------------
Sync_AAD_82b624986c30@alwayshotcafe2020.onmicrosoft.com
Alice@AlwaysHotCafe.com
admin@alwayshotcafe2020.onmicrosoft.com
Allen.Anthony@alwayshotcafe.com                         01/08/2020 07:27:12
Immanuel.Ortega@alwayshotcafe.com                       01/08/2020 07:27:12
Abigail.Love@alwayshotcafe.com                          01/08/2020 07:27:12
Pedro.Cruz@alwayshotcafe.com                            01/08/2020 07:27:12
Greta.Krause@alwayshotcafe.com                          01/08/2020 07:27:12
Dominic.Santiago@alwayshotcafe.com                      01/08/2020 07:27:12
Ronan.Donovan@alwayshotcafe.com                         01/08/2020 07:27:12
Elsie.Riley@alwayshotcafe.com                           01/08/2020 07:27:12
Elias.Zuniga@alwayshotcafe.com                          01/08/2020 07:27:12
Andy.Allison@alwayshotcafe.com                          01/08/2020 07:27:12
Walker.Stafford@alwayshotcafe.com                       01/08/2020 07:27:12
Crystal.Montes@alwayshotcafe.com                        01/08/2020 07:27:12
Ivy.Pope@alwayshotcafe.com                              01/08/2020 07:27:12
Tomas.Liu@alwayshotcafe.com                             01/08/2020 07:27:12
Trey.Harper@alwayshotcafe.com                           01/08/2020 07:27:12
Aaron.Mullen@alwayshotcafe.com                          01/08/2020 07:27:12
…
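The steps above (move, sync, restore, verify) combined into one function that stops at the first step that fails. This is an added example, not code from the original post. The function name Convert-ToCloudManaged, the 300-second timeout and the 15-second polling interval are assumptions, as is a session with the ActiveDirectory and MSOnline modules loaded, Connect-MsolService already run, and PowerShell remoting to the sync server.

```powershell
# Added example (not from the original post). Convert-ToCloudManaged is a
# hypothetical helper; the OU path and server name are the ones used in this walkthrough.
function Convert-ToCloudManaged {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        # DN form of "alwayshotcafe.com/My Business/Not Syncing/Users"
        [string] $TargetOU   = 'OU=Users,OU=Not Syncing,OU=My Business,DC=alwayshotcafe,DC=com',
        [string] $SyncServer = 'aad.alwayshotcafe.com',
        [int]    $TimeoutSec = 300   # assumed upper bound for the delta sync to finish
    )

    # Step 2a: move the on-prem account out of the synchronized OU.
    $adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'"
    if (-not $adUser) { throw "No on-prem account found for $UserPrincipalName" }
    Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $TargetOU

    # Trigger a delta sync on the Azure AD Connect server.
    $sync = Invoke-Command -ComputerName $SyncServer -ScriptBlock {
        Start-ADSyncSyncCycle -PolicyType Delta
    }
    # Compare the string form, because the remoted result is a deserialized object.
    if ("$($sync.Result)" -ne 'Success') { throw "Sync cycle did not start: $($sync.Result)" }

    # Step 2b: wait until the cloud account shows up as soft-deleted, then restore it.
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        Start-Sleep -Seconds 15
        $deleted = Get-MsolUser -ReturnDeletedUsers -All |
            Where-Object UserPrincipalName -eq $UserPrincipalName
    } until ($deleted -or (Get-Date) -gt $deadline)
    if (-not $deleted) { throw "$UserPrincipalName was not soft-deleted within $TimeoutSec s" }
    Restore-MsolUser -UserPrincipalName $UserPrincipalName

    # Step 3: a cloud managed account has no LastDirSyncTime.
    $cloud = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if ($cloud.LastDirSyncTime) {
        throw "$UserPrincipalName still shows LastDirSyncTime $($cloud.LastDirSyncTime)"
    }
    $cloud | Select-Object UserPrincipalName, LastDirSyncTime, IsLicensed
}

Convert-ToCloudManaged -UserPrincipalName 'Alice@AlwaysHotCafe.com'
```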