Recently I found myself in need of repairing an Office 365 tenant where users were first created online only, aka ‘Cloud Users’, and then needed to become users managed in an on-premises Active Directory synced with AD Connect, aka ‘Synced Users’, hence giving that user access to the services (mail, OneDrive for Business, …) of that cloud user. I could not find a clear and easy article on the web on how to do this, so I hope now there is!
First off, this modification, or migration if you wish, should not be taken lightly. Before you touch anything, make sure the on-premises AD user carries the same user principal name (UPN), the same primary SMTP address and the same proxyAddresses as the cloud account it will be replacing. Once the two objects are glued together, the on-premises values become authoritative: anything that differs is overwritten in the cloud at the next sync, and a changed UPN or primary address is exactly how a user loses access to the mailbox or OneDrive you are trying to preserve. Also check that the cloud user currently has an empty ImmutableId (i.e. it really is cloud-only) and that the AD account is not yet in scope of AD Connect, otherwise the sync engine will already have tried to match it (or created a duplicate) before you get a chance to hard-match it yourself.
Second, you should run it from a PowerShell session that has the Active Directory module (to read the on-premises user) and the Azure AD PowerShell version 1 module, MSOnline, aka Office 365 PowerShell, with Connect-MsolService already run. (Install information for your reference: https://technet.microsoft.com/en-us/library/dn975125.aspx).
Now you can continue with these three lines of code (yes, that’s all!):
```powershell
$UPN = "cloud.test@yourdomain.com"
# Base64 of the on-premises objectGUID bytes: this is the value AD Connect writes to ImmutableId
$ID  = [System.Convert]::ToBase64String((Get-ADUser -Filter {UserPrincipalName -eq $UPN}).ObjectGUID.ToByteArray())
# Hard-match the cloud-only user to that AD object
Set-MsolUser -UserPrincipalName $UPN -ImmutableId $ID
```
The catch here is the ‘ImmutableId‘ property, of course. That attribute was originally empty, but now contains the unique reference to the AD user: the Base64 encoding of its objectGUID, which is the default source anchor AD Connect uses (newer installations anchor on mS-DS-ConsistencyGuid, but AD Connect seeds that attribute from objectGUID, so the value is the same unless it was already populated by something else). At the next sync cycle (or Start-ADSyncSyncCycle -PolicyType Delta on the AD Connect server) the AD account is ‘glued’ to the AAD account, making it a synced one. You can confirm it worked with Get-MsolUser: ImmutableId should show your Base64 value and, once the cycle has run, LastDirSyncTime should be set. Repair work done!
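The whole procedure above, wrapped in the pre-flight and post-sync checks I would want before touching a production tenant. This is an added example, not the three-liner from the original post: it assumes the ActiveDirectory, MSOnline and ADSync modules are available, that Connect-MsolService has already been run, that the AD account is not yet in AD Connect's sync scope, and that the final sync step is executed on the AD Connect server itself. The UPN is a constructed placeholder. It goes slightly beyond the post by also honouring a populated mS-DS-ConsistencyGuid as the source anchor, which is the case the Base64-of-objectGUID shortcut silently gets wrong.

```powershell
# Added example (not the original post's code): hard-match one cloud-only user to an
# on-premises AD account with the checks a practitioner wants before and after.
# Assumptions: ActiveDirectory + MSOnline + ADSync modules installed, Connect-MsolService
# already run, AD account not yet in AD Connect scope, last step run on the AD Connect box.
$UPN = "cloud.test@yourdomain.com"   # constructed placeholder

Import-Module ActiveDirectory
Import-Module MSOnline

function Get-SourceAnchorBase64 {
    <# Returns the Base64 value AD Connect writes to ImmutableId for this AD user.
       Default anchor is objectGUID; if mS-DS-ConsistencyGuid is already populated
       (newer AD Connect installs anchor on it), that value is the one in the cloud.
       AD Connect seeds it from objectGUID, so for an untouched account both agree. #>
    param([Microsoft.ActiveDirectory.Management.ADUser]$AdUser)
    $bytes = $AdUser.'mS-DS-ConsistencyGuid'
    if (-not $bytes) { $bytes = $AdUser.ObjectGUID.ToByteArray() }
    return [System.Convert]::ToBase64String($bytes)
}

# 1. On-premises side: the account that will own the cloud identity
$adUser = Get-ADUser -Filter { UserPrincipalName -eq $UPN } `
                     -Properties mail, proxyAddresses, 'mS-DS-ConsistencyGuid'
if (-not $adUser) { throw "No AD user with UPN $UPN" }

# 2. Cloud side: must be a cloud-only user, i.e. empty ImmutableId and never synced
$msolUser = Get-MsolUser -UserPrincipalName $UPN -ErrorAction Stop
if ($msolUser.ImmutableId) {
    throw "Cloud user already has ImmutableId '$($msolUser.ImmutableId)'; not cloud-only. Stopping."
}
if ($msolUser.LastDirSyncTime) { throw "Cloud user is already directory-synced. Stopping." }

# 3. Attribute parity: every SMTP address on the cloud user must exist on the AD user,
#    otherwise the cloud addresses are overwritten at the first sync (AD becomes authoritative).
$cloudSmtp = @($msolUser.ProxyAddresses | Where-Object { $_ -like 'smtp:*' })
$adSmtp    = @($adUser.proxyAddresses   | Where-Object { $_ -like 'smtp:*' })
$missing   = @($cloudSmtp | Where-Object { $adSmtp -notcontains $_ })
if ($missing.Count -gt 0) {
    throw "AD user lacks these cloud addresses: $($missing -join ', '). Fix proxyAddresses first."
}

# 4. Compute the anchor and show that it decodes back to a GUID before writing anything
$ID        = Get-SourceAnchorBase64 -AdUser $adUser
$roundTrip = New-Object System.Guid -ArgumentList (,[System.Convert]::FromBase64String($ID))
Write-Host "objectGUID  : $($adUser.ObjectGUID)"
Write-Host "ImmutableId : $ID  (decodes to $roundTrip)"

# 5. The hard match: the only write to the tenant in this script
Set-MsolUser -UserPrincipalName $UPN -ImmutableId $ID
if ((Get-MsolUser -UserPrincipalName $UPN).ImmutableId -ne $ID) {
    throw "ImmutableId was not written; nothing has been synced."
}

# 6. On the AD Connect server: put the AD account in sync scope (OU filtering) if needed,
#    run a delta cycle, wait for the connectors to go idle, then confirm the user is synced.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
Start-Sleep -Seconds 15
while (Get-ADSyncConnectorRunStatus) { Start-Sleep -Seconds 10 }

$after = Get-MsolUser -UserPrincipalName $UPN
if ($after.LastDirSyncTime) {
    Write-Host "Hard match complete: $UPN is now a synced user (LastDirSyncTime $($after.LastDirSyncTime))."
} else {
    Write-Warning "ImmutableId is set but the object is not marked synced yet; check the AD Connect export errors."
}
```

Step 3 is the part people skip and regret: the match itself always succeeds if the ImmutableId is accepted, but a missing proxy address only shows up later as bounced mail or a renamed mailbox, by which point the sync has already rewritten the cloud object.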