Converting Hybrid Exchange Accounts to Cloud-Only

Migrating on-premises AD accounts to accounts managed entirely on Office 365

Background

When you create an Office 365 tenant with a Hybrid Exchange, your AD accounts continue to live and be managed on-premises. There may be scenarios that require you to convert your on-premises synchronized accounts to “Cloud Only” accounts that live only in Azure Active Directory (AAD). Converting these accounts allows you to entirely delete the accounts from your on-premises Active Directory (AD). The best part is that it’s virtually invisible to the end-user. They continue to authenticate with their same username and password.

As an example, I had hundreds of accounts that were exclusively used for email. Their on-premises AD accounts were not used to authenticate to any other service. All of these accounts lived in a child domain and added a lot of unnecessary complexity to the environment. Converting these accounts to “cloud only” allowed for the removal of unnecessary legacy infrastructure.

Prep Work

The first step in this process is to move the account in question to a non-synchronized OU. If you’re synchronizing all of your OUs with Azure AD Connect, you’ll have to change this. Log into Azure AD Connect, and change to “Sync selected domains and OUs” instead of synchronizing all domains and OUs. Select the appropriate domains and OUs, then be sure to deselect your “Non-Sync OU”. Wait for a synchronization cycle if it doesn’t appear in the list.

Conversion

Now that your account is moved to a non-synchronized OU, we will have to wait for the next AAD Sync cycle to complete. You can force a delta sync for changes by opening PowerShell as an admin on the server that has AAD Connect installed on it, then running the following command: Start-ADSyncSyncCycle -PolicyType Delta

There are multiple approaches you can take to converting accounts. Personally, I converted the synchronized accounts to cloud only after their Exchange mailbox migrations were completed. The biggest downside of this approach is that you end up managing the accounts in two different places if you’re not doing a full cutover migration. Your converted accounts will have their passwords reset in the Office 365 Admin Center, and your non-migrated accounts will remain managed in your on-premises AD.

Now, let’s get to the fun part: converting the account. First, make sure you connect PowerShell to Office 365. Once you stop synchronizing the OU, all the accounts in the non-synchronized OU will show as deleted in Office 365’s Admin Center. Once you’ve confirmed that, we’ll run two commands. The first, Get-MsolUser -UserPrincipalName [email protected] -ReturnDeletedUsers | Restore-MsolUser will restore the account. The next, Get-MsolUser -UserPrincipalName [email protected] | Set-MsolUser -ImmutableId "" will clear the link to the on-premises object and convert the account to “cloud-only”.
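The whole procedure from the prep work through the conversion, as one script. This is an added example, not the post's own code: it assumes the MSOnline and ActiveDirectory modules are installed, that the account running it is a Global Admin in the tenant, that the non-synchronized OU already exists and is excluded in Azure AD Connect, that PowerShell remoting is allowed to the AAD Connect server, and that the $UserPrincipalName, $NonSyncOU and $AadConnectServer parameters are placeholders you fill in. It adds a verification step before the on-premises account is touched: the cloud object is read back and the script only reports "safe to delete" when ImmutableId is actually empty.

```powershell
# Added example (not from the original post): convert one synchronized user to
# cloud-only, following the steps described above, then verify the result.
# Usage (placeholders): .\Convert-ToCloudOnly.ps1 -UserPrincipalName user@contoso.com `
#     -NonSyncOU "OU=Non-Sync,DC=contoso,DC=com" -AadConnectServer AADCONNECT01
param(
    [Parameter(Mandatory)][string]$UserPrincipalName,   # UPN of the account to convert (placeholder)
    [Parameter(Mandatory)][string]$NonSyncOU,           # DN of the OU excluded from AAD Connect (placeholder)
    [Parameter(Mandatory)][string]$AadConnectServer     # hostname of the AAD Connect server (placeholder)
)

Import-Module ActiveDirectory
Import-Module MSOnline

# 1. Prep work: move the on-premises account into the OU that AAD Connect does not sync.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'"
if (-not $adUser) { throw "No on-premises AD user with UPN $UserPrincipalName" }
Move-ADObject -Identity $adUser.DistinguishedName -TargetPath $NonSyncOU

# 2. Force a delta sync on the AAD Connect server so the move is exported now
#    instead of waiting for the scheduled cycle (assumes WinRM to that host).
Invoke-Command -ComputerName $AadConnectServer -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}

# 3. Connect to Office 365 and wait until the cloud object shows up as deleted,
#    which is what happens once it falls out of sync scope. Poll for up to 15 minutes.
Connect-MsolService
$deleted = $null
for ($i = 0; $i -lt 30 -and -not $deleted; $i++) {
    Start-Sleep -Seconds 30
    $deleted = Get-MsolUser -UserPrincipalName $UserPrincipalName -ReturnDeletedUsers -ErrorAction SilentlyContinue
}
if (-not $deleted) {
    throw "$UserPrincipalName never appeared in the deleted users list; check the sync scope and the sync run."
}

# 4. Restore the soft-deleted user, then clear ImmutableId (the link to the on-prem object).
Restore-MsolUser -UserPrincipalName $UserPrincipalName
Set-MsolUser -UserPrincipalName $UserPrincipalName -ImmutableId ""

# 5. Verify before deleting anything on-premises: ImmutableId must be empty.
#    LastDirSyncTime is shown for reference; it reflects the last sync, not current state.
$cloudUser = Get-MsolUser -UserPrincipalName $UserPrincipalName
$cloudUser | Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime, BlockCredential

if ([string]::IsNullOrEmpty($cloudUser.ImmutableId)) {
    Write-Host "$UserPrincipalName is now cloud-only; safe to delete the on-premises account."
} else {
    Write-Warning "ImmutableId is still set ($($cloudUser.ImmutableId)); do not delete the on-premises account yet."
}
```

Two caveats when you run this at the scale the post describes (hundreds of accounts). First, Azure AD Connect stops an export that would delete more than 500 objects in one run by default; if you move a large batch at once, the deletions will not reach Office 365 until you either move the accounts in smaller groups or temporarily lift that threshold with Disable-ADSyncExportDeletionThreshold on the AAD Connect server (and re-enable it afterwards with Enable-ADSyncExportDeletionThreshold). Second, if the read-back in step 5 still shows an ImmutableId after the Set-MsolUser call, the string literal "$null" is the value the MSOnline module is commonly given to clear the attribute (an observation added here, not something the post states); re-run the check before deleting the AD object either way, because an account with a lingering ImmutableId can be re-matched to an on-premises object by a later sync.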

That’s it! Once you perform those steps, the account is now an entirely cloud-managed account, and it’s safe to delete the account in on-premises AD.
