Convert Entra ID User between Synced and Cloud Only with Microsoft Graph

Hi All,
Convert Synced Account to Cloud Only
When we look at the User Object, the value of “On-premises sync enabled” is currently set to Yes


First we need to capture the ObjectID of the Entra ID User Object
Connect-MgGraph -Scopes User.ReadWrite.All -NoWelcome
Get-MgUser -UserId TestSharedMailbox@icewolf.ch
$DirectoryObjectId = (Get-MgUser -UserId TestSharedMailbox@icewolf.ch).id
$DirectoryObjectId


Connect-ExchangeOnline -ShowBanner:$false
Get-Mailbox TestSharedMailbox@icewolf.ch | ft UserPrincipalName, DisplayName, RecipientTypeDetails


Move the User Object to an Active Directory OU that is not in the Sync Scope


Import-Module -Name ADSync
Start-ADSyncSyncCycle -PolicyType delta


After the delta sync, the User Object is in the “Deleted users” container in Entra ID


Get the deleted Object with Microsoft Graph
Get-MgDirectoryDeletedItem -DirectoryObjectId $DirectoryObjectId -ErrorAction SilentlyContinue


Restore the Object from the “Deleted Users” container
Restore-MgDirectoryDeletedItem -DirectoryObjectId $DirectoryObjectId -ErrorAction SilentlyContinue


As you can see, the “Deleted users” Container is now empty


When we look at the User Object, the value of “On-premises sync enabled” is now set to No


The Mailbox is back
Get-Mailbox TestSharedMailbox@icewolf.ch | ft UserPrincipalName, DisplayName, RecipientTypeDetails


We can also check this with the Microsoft.Graph PowerShell module, using the onPremisesSyncEnabled property
Get-MgUser -UserId TestSharedMailbox@icewolf.ch -Property onPremisesSyncEnabled, UserPrincipalName, id | fl UserPrincipalName, onPremisesSyncEnabled, id


Convert back to Synced Account
Again we need to capture the Entra ID ObjectId
Get-MgUser -UserId TestSharedMailbox@icewolf.ch
$DirectoryObjectId = (Get-MgUser -UserId TestSharedMailbox@icewolf.ch).id
$DirectoryObjectId


Now we can delete the Cloud Only Object
Remove-MgUser -UserId $DirectoryObjectId


It will show up in the “Deleted users” Container in Entra ID


Now we can move the Object in Active Directory back to a Synced OU


Let’s invoke an Entra ID Cloud Sync
Import-Module -Name ADSync
Start-ADSyncSyncCycle -PolicyType delta


The User is matched because the ImmutableID is still there, and it is therefore removed from the “Deleted users” Container in Entra ID


The User Object is now back to “On-premises sync enabled” = Yes
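Both procedures above, wrapped into a small script that checks the state before and after each step (an added example, not code from the original post; the UPN is a placeholder and the function names are my own):

```powershell
# Added example (not from the original post). Assumes the Microsoft.Graph PowerShell
# SDK is installed; the UPN is a placeholder and the function names are my own.
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

function Get-SyncState {
    # Returns the attributes that matter for the synced / cloud-only decision.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $u = Get-MgUser -UserId $UserPrincipalName `
        -Property Id, UserPrincipalName, OnPremisesSyncEnabled, OnPremisesImmutableId
    [pscustomobject]@{
        Id          = $u.Id
        Upn         = $u.UserPrincipalName
        Synced      = [bool]$u.OnPremisesSyncEnabled   # Graph returns null for cloud-only users
        ImmutableId = $u.OnPremisesImmutableId        # must survive the restore for a later re-match
    }
}

function Convert-ToCloudOnly {
    # Part 1 of the post: the AD object was moved out of sync scope and a delta sync has
    # soft-deleted the Entra ID object. Restore it and verify the sync flag is gone.
    param([Parameter(Mandatory)][string]$UserPrincipalName, [Parameter(Mandatory)][string]$Id)
    $deleted = Get-MgDirectoryDeletedItem -DirectoryObjectId $Id -ErrorAction SilentlyContinue
    if (-not $deleted) {
        throw "$Id is not in 'Deleted users'; move the AD object out of scope and run a delta sync first."
    }
    Restore-MgDirectoryDeletedItem -DirectoryObjectId $Id | Out-Null
    $state = Get-SyncState -UserPrincipalName $UserPrincipalName
    if ($state.Synced) { throw "Restore finished but onPremisesSyncEnabled is still true." }
    if (-not $state.ImmutableId) { Write-Warning "ImmutableId is empty; a later sync will not re-match this object." }
    $state
}

function Convert-ToSynced {
    # Part 2 of the post: delete the cloud-only object; the AD object is then moved back into
    # a synced OU and a delta sync is started on the Entra Connect server.
    param([Parameter(Mandatory)][string]$UserPrincipalName)
    $before = Get-SyncState -UserPrincipalName $UserPrincipalName
    if ($before.Synced) { throw "$UserPrincipalName is already synced; nothing to do." }
    Remove-MgUser -UserId $before.Id
    Write-Host "Deleted $($before.Id). Move the AD object into a synced OU, then run on the sync server:"
    Write-Host "  Import-Module ADSync; Start-ADSyncSyncCycle -PolicyType Delta"
}

$Upn = 'TestSharedMailbox@icewolf.ch'   # placeholder
Get-SyncState -UserPrincipalName $Upn | Format-List
```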


Regards
Andres Bohren
