Changing an AAD (Office 365) cloud user to a synced one

Recently I found myself in need of repairing an Office 365 tenant where users were first created online only, aka 'Cloud Users', and then needed to become users managed in an on-premises Active Directory synced with AD Connect, aka 'Synced Users', hence giving the on-premises user access to the services (mail, OneDrive for Business, …) of that cloud user. I could not find a clear and easy article on the web on how to do this, so I hope now there is!

First off, this modification, or migration if you wish, should not be taken lightly: you first have to make sure that the on-premises AD user has the same e-mail address(es), user principal name (UPN) and other properties as the cloud account it will be replacing.

Second, you should run it from a PowerShell session where you have access to your AD and the Active Directory module, and access to the PowerShell module version 1 of Azure AD, aka Office 365 PowerShell. (Install information for your reference:

Now you can continue with these three lines of code (yes that’s all!):

The catch here is the 'ImmutableID' property, of course. That attribute was originally empty, but now contains the unique reference to the AD user. At the next sync cycle (or Start-ADSyncSyncCycle) the AD account is 'glued' to the AAD account, making it a synced one. Repair work done!
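The procedure described above, as an added example (this is not the post's original three lines, which are not reproduced on this page). It assumes `Connect-MsolService` has already been run, that AD Connect uses `objectGUID` as its source anchor, and that `$Sam` and `$Upn` are placeholder values; it refuses to write the ImmutableID unless the UPN and mail addresses match and the cloud ImmutableID is still empty.

```powershell
# Added example, not the author's code. Placeholders: $Sam, $Upn.
# Assumption: AD Connect source anchor is objectGUID (base64-encoded).
Import-Module ActiveDirectory
$Sam = 'jdoe'                     # placeholder sAMAccountName
$Upn = 'jdoe@contoso.example'     # placeholder cloud UPN

$adUser    = Get-ADUser -Identity $Sam -Properties proxyAddresses
$cloudUser = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop

# Pre-flight checks: the AD account must mirror the cloud account.
$problems = @()
if ($adUser.UserPrincipalName -ne $cloudUser.UserPrincipalName) {
    $problems += "UPN mismatch: AD '$($adUser.UserPrincipalName)' vs cloud '$($cloudUser.UserPrincipalName)'"
}
if ($cloudUser.ImmutableId) {
    # A non-empty value means the account is already anchored to some AD object.
    $problems += "Cloud user already has ImmutableId '$($cloudUser.ImmutableId)'"
}
# Every cloud SMTP address should also exist on the AD user.
# Tenant routing addresses (*.onmicrosoft.com) are skipped; adjust to your policy.
$cloudSmtp = $cloudUser.ProxyAddresses |
    Where-Object { $_ -like 'smtp:*' -and $_ -notlike '*.onmicrosoft.com' }
foreach ($addr in $cloudSmtp) {
    if ($adUser.proxyAddresses -notcontains $addr) {
        $problems += "Address missing on AD user: $addr"
    }
}

if ($problems.Count -gt 0) {
    foreach ($p in $problems) { Write-Warning $p }
    Write-Warning "ImmutableId NOT set for $Upn; fix the AD account first."
}
else {
    # Encode the AD objectGUID as base64 and stamp it on the cloud user.
    $immutableId = [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    Set-MsolUser -UserPrincipalName $Upn -ImmutableId $immutableId

    # Read the value back so the change is visible before the next sync cycle.
    $check = (Get-MsolUser -UserPrincipalName $Upn).ImmutableId
    Write-Output "ImmutableId for $Upn is now '$check' (expected '$immutableId')"
}
```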

Author: Harold Baele

Microsoft Cloud Infrastructure Technical Consultant after 15 years of evangelism as Microsoft Certified Trainer. Living in Belgium with his wife and son.
