Azure Active Directory Connect sync is a great tool. If you are using an on-premise domain environment along side Office 365, and you are not syncing between the two already, I highly recommended doing so! This article is for those who are using AAD Connect already and run into a situation where it makes more sense to have an account that was previously syncing to Office 365 from Active Directory, instead be a cloud only account. One use case for doing this is when a user moves to a limited role and needs to continue accessing their email but does not need access to any other network resources.
The first step you will want to take to break the accounts sync is create an OU that is not being synced via AAD Connect.
- Create the OU that will contain unsynced accounts.
- Launch the Synchronization Server Manager from the server that AAD Connect is installed on.
- Go to the Connectors tab and launch the properties of the connector for Active Directory Domain Services.
- Go to Configure Directory Partitions and select the Containers… button. You’ll need to re-authenticate with the account being used to authenticate AAD Connect with AD.
- Find the newly created OU from the list of containers and un-select it, this will prevent the contents of the OU form being synced to Office 365.
The next steps should be coordinated with the user of the synced account, as they will temporarily lose access to their email during this part.
Now that we have our OU created that is not syncing, we can move the account we want to un-sync to it and force a sync. Doing so will cause the account to be deleted from Office 365. Don’t panic! No data will be lost, as Office 365 retains deleted/unlicensed account data for 30 days. Complete the next part to restore the account in Office 365.
- Connect to your Office 365 tenant using the Microsoft Azure Active Directory Module for PowerShell. If you don’t already have this installed, see Microsoft’s documentation on how to get it configured here.
- Run the command Get-MsolUser -ReturnDeletedUsers. This will return the list of recently deleted mailboxes, you should see the account we are converting here.
- Run Restore-MsolUser -UserPrincipalName firstname.lastname@example.org. This will restore the user account.
- You should now be able to go back to your Office 365 portal and see the user again, showing as an In Cloud only account. You’ll want to verify their licensing and set a new password.
At this point, the account in AD is no longer needed. You can treat it like a terminated user account, based on your company’s policies. By using this method to convert an account to cloud only, when only mail access is needed, you will strengthen the security of your network by reducing the points of access.
How can we help you with your Office 365 solution? It’s time to maximize your IT investments.