Microsoft Azure AD Connect is very useful tool to sync users and passwords from on-premise active directory to Office365. On some occasions you may want to delete a user from local active directory but want to keep and manage it from Office365, you can simply achieve it by moving a user out of sync scope but it will move user from “active users” to “deleted users” in Office365 and when you restore the user, you have to create a new password which sometime user don’t like. Also, if you have to convert multiple users, creating a new password for each user is not ideal and save specially when you create a same password for all users.
This How-To address the issue of re-generating a new password.
Note: This how-to is for non federated active directory.
6 Steps total
Step 1: Disable Sync through powershell
Open Azure Powershell as an admin and run the following commands to disable sync
$Msolcred = Get-credential
a login Window will pop up, you have enter Office365 global admin login details
Connect-MsolService -Credential $MsolCred
Set-MsolDirSyncEnabled –EnableDirSync $false
Keep in mind that, once you have disabled the sync it will take sometime to enable it back but if you have disable – enable and then try again to disable, it will not work for next few hours (can take up to 72 hours) and you will get error message – this is default behaviour of Azure.
If you have a lot of users, disabling sync will take more time and even when you enable it again.
Run the following command to check the status of sync,
Note: You can run all following Powershell commands from same powershell session.
Step 2: Set ImmutableID of user to Null
Set-MsolUser -UserPrincipalName email@example.com -ImmutableId “$null”
This command will set ImmutableID to null which will make Azure AD connect think that, this user was never synced.
It’s worth knowing more about ImmutableID, the following blog is very informative about ImmutableID
Step 3: Move user out of sync scope
Now on local active directory, move user out of sync scope. In best practice when you have configured sync, you target a specific OU in active directory to sync users from, moving user to different OU will take user out of sync scope.
If you have targeted the sync to all users then you have delete user from your local active directory.
Step 4: Enable Sync again
Set-MsolDirSyncEnabled –EnableDirSync $true
as I mentioned above, enabling sync might take sometime. If you have disabled the sync and trying to enable it immediately by above command, you will receive an error message.
Step 5: Force the sync
As soon sync in enabled, the sync cycle will run again but if you set your sync intervals manually then you have run following commands to force the sync run again.
Start-ADSyncSyncCycle -PolicyType Initial
Step 6: Test the user
Now, last step is to ask user to login into Office365 with same password, it should work.
Also, you will see that in Office365 the user sync status will be shown as Incloud instead of Synced with local AD.
So by running above commands, you will be able to manage the user Incloud and user will be able to login with same password to Office365.