Convert Users from AD Synced to Cloud-Only Objects

How to Convert Singular Users from AD Synced Objects to Cloud-Only Objects

PROMPT: You have one/several users that you no longer need in your local domain, but still need access to Microsoft 365 services. You are also attempting to use the MS Graph PowerShell module since the MSOL & AzureAD modules are deprecated.

Resources:

Reddit Thread on Topic

Notes:

  • This process is rather destructive and should ideally not be done for live users unless completely necessary.
  • This will de-authenticate the user on all live sessions since it moves the user to the Entra recycling bin (deleted users).
  • At the time of writing, the MS Graph PowerShell cmdlets do not support setting an attribute to null, so we invoke a raw Graph request instead.

Steps:

  1. Move the AD object outside the scope of the AADConnect OU or security group, depending on your filtering configuration.
  2. Run a delta sync on the AADConnect server and wait for the user to be deleted from Entra.
    • The command to delta sync is Start-ADSyncSyncCycle -PolicyType Delta
  3. Once the user is deleted from the Entra tenant, use the Entra Admin Center to bring the user out of the recycling bin.
    • This restore serves to unlock the ImmutableId property on the object, which stays locked for as long as the object is sync-managed; taking it out of scope and restoring it is what makes the property editable.
  4. Now that the ImmutableId is unlocked, we can use PowerShell to set the value to null. Use Connect-MgGraph to establish a new session with at least the 'User.ReadWrite.All' scope.
    • If you do not have the MS Graph PowerShell module, use an elevated window to run Install-Module Microsoft.Graph
  5. Get the UPN of the user and then run this command to dump the user object into this variable: $user = Get-MgUser -UserId 'insert-upn-here'
  6. Set this variable to the ObjectId: $objectid = $user.Id
  7. Run this Graph request to update the ImmutableId property (the URI must be in double quotes so that $objectid expands; single quotes would send the literal text $objectid): Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/users/$objectid" -Body @{ onPremisesImmutableId = $null }
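The following PowerShell script is an added example, not code from the original page, that carries steps 4 through 7 out for a single user and then verifies the result by re-reading the object. The UPN is a placeholder, and the script assumes steps 1 to 3 (remove from sync scope, delta sync, restore from the recycle bin) are already done and that the Microsoft.Graph module is installed. The guard on OnPremisesSyncEnabled is there because the PATCH will not stick while the object is still being managed by AADConnect.

```powershell
# Added example (not from the original page): clear the ImmutableId of one
# restored user so it becomes a cloud-only object, then verify.
$upn = 'user@example.com'   # placeholder UPN (assumption), replace before running

# Step 4: connect with the scope the page names.
Connect-MgGraph -Scopes 'User.ReadWrite.All'

# Steps 5 and 6: fetch the user, explicitly selecting the on-prem sync
# properties, since they are not returned by the default property set.
$user = Get-MgUser -UserId $upn -Property 'Id','UserPrincipalName','OnPremisesSyncEnabled','OnPremisesImmutableId'
$objectid = $user.Id

# Guard: the property only becomes editable once the object is no longer
# sync-managed, i.e. after it was taken out of scope, synced away and restored.
if ($user.OnPremisesSyncEnabled -eq $true) {
    throw "$upn is still marked as directory-synced; complete steps 1-3 before clearing ImmutableId."
}

Write-Host "Before: OnPremisesImmutableId = '$($user.OnPremisesImmutableId)'"

# Step 7: the cmdlets cannot null an attribute, so send a raw PATCH.
# Double quotes are required so that $objectid expands inside the URI;
# a hashtable body is serialized to JSON, and $null becomes a JSON null.
$body = @{ onPremisesImmutableId = $null }
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/users/$objectid" -Body $body

# Verify: re-read the object and confirm the attribute is now empty.
$after = Get-MgUser -UserId $objectid -Property 'OnPremisesImmutableId','OnPremisesSyncEnabled'
if ([string]::IsNullOrEmpty($after.OnPremisesImmutableId)) {
    Write-Host "Done: $upn is now a cloud-only object (ImmutableId cleared)."
} else {
    Write-Warning "ImmutableId is still '$($after.OnPremisesImmutableId)'; check that the object was restored from the recycle bin and is out of sync scope."
}

Disconnect-MgGraph | Out-Null
```

Run it from an elevated session only if the module still needs to be installed (Install-Module Microsoft.Graph); the script itself needs no elevation. Because the PATCH is a direct Graph call, review the "Before" and "Done" lines in the console output and keep them with your change record, since the Entra audit log will show the update as a generic user property change.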