Office 365: Convert an Active Directory Synced Account to Cloud Only

Reading Time: 3 minutes

Share:

Share on facebook
Share on twitter
Share on linkedin

Azure Active Directory Connect sync is a great tool. If you are using an on-premise domain environment along side Office 365, and you are not syncing between the two already, I highly recommended doing so! This article is for those who are using AAD Connect already and run into a situation where it makes more sense to have an account that was previously syncing to Office 365 from Active Directory, instead be a cloud only account. One use case for doing this is when a user moves to a limited role and needs to continue accessing their email but does not need access to any other network resources.

The first step you will want to take to break the accounts sync is create an OU that is not being synced via AAD Connect.

  1. Create the OU that will contain unsynced accounts.
  2. Launch the Synchronization Server Manager from the server that AAD Connect is installed on.
  3. Go to the Connectors tab and launch the properties of the connector for Active Directory Domain Services.
  4. Go to Configure Directory Partitions and select the Containers… button. You’ll need to re-authenticate with the account being used to authenticate AAD Connect with AD.
  5. Find the newly created OU from the list of containers and un-select it, this will prevent the contents of the OU form being synced to Office 365.

The next steps should be coordinated with the user of the synced account, as they will temporarily lose access to their email during this part.

Now that we have our OU created that is not syncing, we can move the account we want to un-sync to it and force a sync. Doing so will cause the account to be deleted from Office 365. Don’t panic! No data will be lost, as Office 365 retains deleted/unlicensed account data for 30 days. Complete the next part to restore the account in Office 365.

  1. Connect to your Office 365 tenant using the Microsoft Azure Active Directory Module for PowerShell. If you don’t already have this installed, see Microsoft’s documentation on how to get it configured here.
  2. Run the command Get-MsolUser -ReturnDeletedUsers. This will return the list of recently deleted mailboxes, you should see the account we are converting here.
  3. Run Restore-MsolUser -UserPrincipalName user@domain.com. This will restore the user account.
  4. You should now be able to go back to your Office 365 portal and see the user again, showing as an In Cloud only account. You’ll want to verify their licensing and set a new password.

At this point, the account in AD is no longer needed. You can treat it like a terminated user account, based on your company’s policies. By using this method to convert an account to cloud only, when only mail access is needed, you will strengthen the security of your network by reducing the points of access.

How can we help you with your Office 365 solution? It’s time to maximize your IT investments.

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

SIGN-UP FOR INSIGHTS

GET UPDATES FROM OUR EXPERTS
  • This field is for validation purposes and should be left unchanged.

Upcoming Events

  1. CPE Trainings: Tax Level 1

    July 28 @ 8:30 am - July 30 @ 5:00 pm CDT

  2. CPE Trainings: Tax Level 2

    August 5 @ 8:30 am - August 7 @ 5:00 pm CDT

  3. CPE Trainings: Tax Level 3

    August 26 @ 8:30 am - August 28 @ 5:00 pm CDT

View All Events

Latest Insights

View All Insights

About The Author

Jerad Cook

Jerad Cook

Jerad Cook is a Senior Network Consultant on Sikich’s Managed Services team. He acts as an escalation point for level 1 and level 2 resources in the Network Operations Center. Jerad has a Bachelor’s degree in Computer Information Systems and over seven years of experience in IT. He also holds several Microsoft certifications, giving him Microsoft Certified Solutions Expert (MCSE) status. While his day to day work gives him experience in varying aspects of system and network administration, his most recent studies focus on Microsoft’s cloud service offerings.