Migrating users from on-prem AD to Entra ID

Romar 106 Reputation points
2024-07-19T17:05:46.4966667+00:00

Hi,

Users and groups in the AD child domain in my forest don't sync properly to Entra ID anymore.

We want to phase out the AD child domain, but keep the users in Entra ID. I was hoping that unchecking the the child domain in the Entra ID sync properties would convert the on-prem users to cloud users in Entra ID, but this doesn't seem to work. Unchecking the child domain removes all users and groups of this domain from Entra ID.

Is there a way to convert the on-prem user accounts and groups of only the child domain to cloud accounts?

Thank you for your suggestions in advance.

Microsoft Entra ID

3 answers

  1. Dillon Silzer 57,231 Reputation points
    2024-07-21T14:47:26.6333333+00:00

    Hi Romar,

    If you are never planning to sync these accounts again, you could use MSOL to break the ImmutableId (just know that there is no going back after this).

    Get-MsolUser -UserPrincipalName "user@email.com" | Set-MsolUser -ImmutableId $null


    If this is helpful please accept as answer or upvote.

    Best regards,

    Dillon Silzer, Director | Cloudaen.com | Cloudaen Computing Solutions

    0 comments No comments

  2. Romar 106 Reputation points
    2024-07-22T12:42:54.5966667+00:00

    Hi Dillon,

    Thank you for your reply.
    Is the script you provided still working? I get the error below:

    Set-MsolUser : Unable to update parameter. Parameter name: IMMUTABLEID.
    " subdomain.onmicrosoft.com" | Set-MsolUser -ImmutableId "$null"
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (:) [Set-MsolUser], MicrosoftOnlineException
    + FullyQualifiedErrorId : Microsoft.Online.Administration.Automation.PropertyNotSettableException,Microsoft.Online.Administration.Automation.SetUser

    I've read that this command has been deprecated since March 2024 and that MS Graph should be used.

    Best regards
    Romar

    0 comments No comments

  3. Sandeep G-MSFT 17,961 Reputation points Microsoft Employee
    2024-07-23T11:59:42.05+00:00

    @Romar

    Thank you for posting this in Microsoft Q&A.

    To move child domain users to cloud-only, you will have to break the link between on-premises and Azure AD. Entra Connect will then no longer be functional for syncing objects from Azure AD to the cloud.

    To stop the sync you will have to stop the AD Connect service on the on-premises server, or you can run the command "Set-ADSyncScheduler -SyncCycleEnabled $false" in PowerShell on the Entra Connect server.

    After this you will still not be able to manage the previously synced user objects in Azure AD. To manage these users you will have to follow the steps below:

    • Open Windows PowerShell as administrator.
    • Run the command "Install-Module MSOnline"
    • Connect-MsolService
    • The above command will prompt for credentials. You can enter global admin credentials in the prompt.
    • After this you can run the command Set-MsolDirSyncEnabled -EnableDirsync $False
    • The above command will change all users to "cloud only" users. This will let you manage user objects in Azure AD itself.

    Note: The above command will convert root domain users to cloud-only as well.

    Once this is done you have to remove the child domain from Entra Connect sync by unchecking the domain in the domain selection of the on-premises connector, so that Entra Connect will not sync the child domain users again.

    But once you run a sync, the root domain users will join back again and the status of the root domain users in Entra will show up as on-premises directory.

    Note: Try this in your test environment first and then implement it in your PROD environment if this works.

    Let us know if you have any further questions.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
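The two commands discussed in this thread (Set-MsolDirSyncEnabled and Set-MsolUser -ImmutableId $null) come from the MSOnline module that the question author notes is deprecated. The following is an added example, not code from any poster in this thread, showing the same two steps with the Microsoft Graph PowerShell SDK, preceded by an inventory of the child-domain users so that the change is recorded before the sync link is broken. It assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the listed scopes, and that 'child.corp.example' is a placeholder for the real child domain; the $Commit guard is a construct of this example so the script is read-only until it is deliberately flipped.

```powershell
# Added example: Graph PowerShell counterpart of the MSOnline steps in this thread.
# Assumptions: Microsoft.Graph module installed; signed-in account can grant the scopes
# below; $ChildDomain is a placeholder for the on-prem child domain being retired.

$ChildDomain = 'child.corp.example'   # placeholder, replace with the real child domain
$Commit      = $false                 # read-only run until flipped to $true

Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.ReadWrite.All' -NoWelcome

# 1. Inventory: every Entra user still carrying a sync link to the child domain.
#    The exported CSV is the record of pre-change anchors (OnPremisesImmutableId).
$childUsers = Get-MgUser -All -Filter 'onPremisesSyncEnabled eq true' `
    -Property Id, UserPrincipalName, OnPremisesImmutableId, OnPremisesDomainName |
    Where-Object { $_.OnPremisesDomainName -eq $ChildDomain }

$childUsers |
    Select-Object UserPrincipalName, OnPremisesDomainName, OnPremisesImmutableId |
    Export-Csv -Path '.\child-domain-synced-users.csv' -NoTypeInformation

Write-Host ("Synced users from {0}: {1}" -f $ChildDomain, $childUsers.Count)

# 2. Current tenant-wide directory-sync flag.
$org = Get-MgOrganization -Property Id, OnPremisesSyncEnabled
Write-Host ("Tenant directory sync enabled: {0}" -f $org.OnPremisesSyncEnabled)

# 3. Break the link tenant-wide. Graph equivalent of
#    Set-MsolDirSyncEnabled -EnableDirsync $false; like that command it affects every
#    synced object in the tenant, not only the child domain, and the change can take
#    time to propagate before objects are editable.
if ($Commit) {
    $orgBody = @{ onPremisesSyncEnabled = $false } | ConvertTo-Json
    Invoke-MgGraphRequest -Method PATCH `
        -Uri "https://graph.microsoft.com/v1.0/organization/$($org.Id)" `
        -Body $orgBody -ContentType 'application/json'
}

# 4. Clear the anchor on each child-domain user so a later sync cannot re-match them.
#    Graph equivalent of Set-MsolUser -ImmutableId $null. The JSON body is built
#    explicitly so that the property is sent as a literal null rather than omitted.
foreach ($u in $childUsers) {
    if ($Commit) {
        $userBody = @{ onPremisesImmutableId = $null } | ConvertTo-Json
        Invoke-MgGraphRequest -Method PATCH `
            -Uri "https://graph.microsoft.com/v1.0/users/$($u.Id)" `
            -Body $userBody -ContentType 'application/json'
        Write-Host ("Cleared ImmutableId for {0}" -f $u.UserPrincipalName)
    }
    else {
        Write-Host ("[dry run] would clear ImmutableId for {0}" -f $u.UserPrincipalName)
    }
}
```

Run it once with $Commit left at $false and review the CSV: if it lists root-domain accounts, the OnPremisesDomainName filter is wrong for your forest and nothing should be committed. Step 4 is the part the MSOL error in this thread corresponds to; the Graph request likewise only succeeds once the object is no longer under sync control, so step 3 (or stopping the sync scheduler as described above) must have taken effect first.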

