How to Make AD Synced Users Online-Only in Office 365
As an Office 365 administrator, you may encounter situations where you need to convert AD-synced users to cloud-only accounts. This process can be necessary for various reasons, such as decommissioning on-premises Active Directory or simplifying user management. In this comprehensive guide, we’ll walk you through the steps to make AD-synced users online-only in Office 365, ensuring a smooth transition and minimal disruption to your users.
Understanding the Process
Converting AD-synced users to cloud-only accounts involves several steps and considerations. It’s crucial to approach this task methodically to avoid potential issues. Here’s an overview of what we’ll cover:
- Prerequisites and preparation
- Backing up user data
- Disabling directory synchronization
- Converting users to cloud-only accounts
- Verifying the conversion
- Re-enabling directory synchronization (if necessary)
- Troubleshooting common issues
Prerequisites and Preparation
Before beginning the conversion process, ensure you have the following:
- Global Administrator access to your Office 365 tenant
- Azure AD Connect installed and configured
- PowerShell modules: MSOnline and ExchangeOnlineManagement
- A list of users you want to convert
To install the necessary PowerShell modules, run the following commands:
Install-Module -Name MSOnline
Install-Module -Name ExchangeOnlineManagement
Backing Up User Data
Before making any changes, it’s crucial to back up user data. This includes mailboxes, OneDrive content, and any other relevant information. Here’s a PowerShell script to export mailbox information:
Connect-ExchangeOnline
$users = Get-Mailbox -ResultSize Unlimited
$exportPath = "C:\Temp\MailboxExport.csv"
$users | Select-Object DisplayName, PrimarySmtpAddress, RecipientTypeDetails, WhenCreated, LastLogonTime | Export-Csv -Path $exportPath -NoTypeInformation
Write-Host "Mailbox information exported to $exportPath"
Disabling Directory Synchronization
To convert AD-synced users to cloud-only accounts, you need to temporarily disable directory synchronization. This prevents any changes from being overwritten by on-premises AD. Follow these steps:
- Connect to Azure AD PowerShell:
Connect-MsolService
- Disable directory synchronization:
Set-MsolDirSyncEnabled -EnableDirSync $false
- Verify that directory synchronization is disabled:
(Get-MsolCompanyInformation).DirectorySynchronizationEnabled
The output should be “False” if directory synchronization is successfully disabled.
Converting Users to Cloud-Only Accounts
Now that directory synchronization is disabled, you can convert the AD-synced users to cloud-only accounts. Here’s a PowerShell script to accomplish this:
$users = @("user1@contoso.com", "user2@contoso.com", "user3@contoso.com")
foreach ($user in $users) {
try {
$immutableId = (Get-MsolUser -UserPrincipalName $user).ImmutableId
if ($immutableId) {
Set-MsolUser -UserPrincipalName $user -ImmutableId "$null"
Write-Host "Successfully converted $user to cloud-only account" -ForegroundColor Green
} else {
Write-Host "$user is already a cloud-only account" -ForegroundColor Yellow
}
} catch {
Write-Host "Error converting $user: $_" -ForegroundColor Red
}
}
This script loops through a list of users, removes their ImmutableId (which links them to on-premises AD), and effectively converts them to cloud-only accounts.
Verifying the Conversion
After converting the users, it’s important to verify that the process was successful. Use the following PowerShell script to check the status of the converted users:
$users = @("user1@contoso.com", "user2@contoso.com", "user3@contoso.com")
foreach ($user in $users) {
$userInfo = Get-MsolUser -UserPrincipalName $user | Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
if ($userInfo.ImmutableId -eq $null -and $userInfo.LastDirSyncTime -eq $null) {
Write-Host "$($userInfo.UserPrincipalName) is now a cloud-only account" -ForegroundColor Green
} else {
Write-Host "$($userInfo.UserPrincipalName) is still an AD-synced account" -ForegroundColor Red
}
}
Re-enabling Directory Synchronization (If Necessary)
If you need to re-enable directory synchronization for other users or objects, follow these steps:
- Connect to Azure AD PowerShell (if not already connected):
Connect-MsolService
- Re-enable directory synchronization:
Set-MsolDirSyncEnabled -EnableDirSync $true
- Verify that directory synchronization is enabled:
(Get-MsolCompanyInformation).DirectorySynchronizationEnabled
The output should be “True” if directory synchronization is successfully re-enabled.
Troubleshooting Common Issues
During the conversion process, you may encounter some issues. Here are a few common problems and their solutions:
1. License Assignment Errors
If you experience issues with license assignments after converting users, try reassigning licenses using PowerShell:
$user = "user@contoso.com"
$licenseSkuId = "contoso:ENTERPRISEPACK" # Replace with your actual license SKU
Set-MsolUserLicense -UserPrincipalName $user -AddLicenses $licenseSkuId
2. Mailbox Access Issues
If users experience mailbox access problems after conversion, try updating their Exchange attributes:
Connect-ExchangeOnline
$user = "user@contoso.com"
Set-Mailbox -Identity $user -EmailAddresses @{add="smtp:$user"}
3. OneDrive for Business Sync Issues
If users encounter OneDrive sync problems, you may need to reassign their OneDrive URL:
Connect-SPOService -Url https://contoso-admin.sharepoint.com
$user = "user@contoso.com"
Set-SPOUser -Site https://contoso-my.sharepoint.com/personal/user_contoso_com -LoginName $user
Conclusion
Converting AD-synced users to cloud-only accounts in Office 365 can be a complex process, but following this guide should help you navigate the transition smoothly. Remember to always back up user data before making any changes, and thoroughly test the converted accounts to ensure everything works as expected.
By leveraging PowerShell and following best practices, you can efficiently manage your Office 365 environment and provide a seamless experience for your users, whether they’re AD-synced or cloud-only accounts.
