If you run Microsoft 365 or Azure in a hybrid setup, chances are you’ve deployed Entra ID Connect (formerly Azure AD Connect). This handy tool keeps your on-premises Active Directory (AD) in sync with Entra ID, so users can log in seamlessly whether they’re working on-prem or in the cloud.

When you create a user in your on-prem AD, Entra ID Connect syncs that account up to Entra ID.
In Entra ID, every account has a property called On-premises Sync Enabled.

  • If it says Yes, that account is synced from your on-prem AD.
  • If it says No, that account is cloud-only (meaning it exists only in Entra ID and has no on-prem AD equivalent).

Cloud-only accounts are fine in some cases (like guest users or quick test accounts), but sometimes you’ll want to convert a cloud-only account into a synced account so it’s managed from your on-prem AD.

  1. Pause the Entra ID Connect Sync:

    # Parameter is -SyncCycleEnabled; this stops the scheduler until re-enabled in step 5
    Set-ADSyncScheduler -SyncCycleEnabled $false
    
  2. Create the user account in on-premises AD. Since the Entra ID sync is paused, it will not replicate to Entra ID yet. Edit the AD user account's properties and assign the same email address as the cloud account to the mail attribute and to the proxyAddresses attribute (as an SMTP: entry).

  3. Using PowerShell, generate the ImmutableID from the new AD user account's ObjectGUID (the GUID's 16 bytes, base64-encoded):

    # ObjectGUID is a System.Guid; its .Guid property is the string form
    $guid = (Get-ADUser "<username>").ObjectGUID.Guid
    # ImmutableID is the base64 encoding of the GUID's raw bytes
    $immutableID = [Convert]::ToBase64String([guid]::new($guid).ToByteArray())
    
  4. Sign in to Entra ID and assign the ImmutableID to the existing cloud-only account that we want to associate with the on-premises AD account:

    Connect-AzureAD
    # Hard-match the cloud-only account to the on-prem user by writing the ImmutableID
    Get-AzureADUser -ObjectId "<objectID of the AzureAD cloud account>" | Set-AzureADUser -ImmutableId $immutableID
    
  5. Now that both accounts are associated through the ImmutableID attribute, re-enable the Connect Sync scheduler:

    Set-ADSyncScheduler -SyncCycleEnabled $true
    
  6. Force a delta sync so the change shows up right away:

    Start-ADSyncSyncCycle -PolicyType Delta
    
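Before step 4 writes the ImmutableID, it is worth confirming that the target cloud account is the one you mean and is not already hard-matched to another on-prem object, since whoever controls the matched on-prem account controls the cloud identity from then on. The following pre-flight check is an added example, not code from the original post; it reuses the post's AzureAD cmdlets, and the function names are hypothetical:

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory and AzureAD
# modules are imported and Connect-AzureAD has already been run. Helper names are hypothetical.
function Get-ImmutableIdFromAdUser {
    # Base64 of the ObjectGUID's 16 bytes is exactly what Entra ID stores as ImmutableID
    param([Parameter(Mandatory)][string]$SamAccountName)
    $adUser = Get-ADUser -Identity $SamAccountName -Properties mail, proxyAddresses
    [pscustomobject]@{
        AdUser      = $adUser
        ImmutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
    }
}
function ConvertFrom-ImmutableId {
    # Reverse mapping: decode an ImmutableID back to the on-prem ObjectGUID it was derived from
    param([Parameter(Mandatory)][string]$ImmutableId)
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}
function Test-HardMatchCandidate {
    # Refuse if the cloud account is already matched; flag mail/UPN mismatches for a human to review
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$CloudObjectId
    )
    $src   = Get-ImmutableIdFromAdUser -SamAccountName $SamAccountName
    $cloud = Get-AzureADUser -ObjectId $CloudObjectId
    $blockers = @(); $warnings = @()
    if ($cloud.ImmutableId) {
        $existing = ConvertFrom-ImmutableId -ImmutableId $cloud.ImmutableId
        $blockers += "Cloud account is already hard-matched to on-prem ObjectGUID $existing"
    }
    $primarySmtp = @($src.AdUser.proxyAddresses) | Where-Object { $_ -clike 'SMTP:*' }
    if (-not $primarySmtp) { $blockers += 'On-prem account has no primary SMTP: proxyAddress (step 2)' }
    if ($cloud.Mail -and $src.AdUser.mail -and ($cloud.Mail -ne $src.AdUser.mail)) {
        $warnings += "mail differs: cloud '$($cloud.Mail)' vs on-prem '$($src.AdUser.mail)'"
    }
    if ($cloud.UserPrincipalName -ne $src.AdUser.UserPrincipalName) {
        $warnings += "UPN differs: cloud '$($cloud.UserPrincipalName)' vs on-prem '$($src.AdUser.UserPrincipalName)'"
    }
    [pscustomobject]@{ ImmutableId = $src.ImmutableId; Blockers = $blockers; Warnings = $warnings }
}
# Usage: placeholders for the sAMAccountName and the cloud account's objectId
$check = Test-HardMatchCandidate -SamAccountName '<username>' -CloudObjectId '<objectID of the cloud account>'
$check.Warnings | ForEach-Object { Write-Warning $_ }
if ($check.Blockers.Count -eq 0) {
    Set-AzureADUser -ObjectId '<objectID of the cloud account>' -ImmutableId $check.ImmutableId
} else {
    $check.Blockers | ForEach-Object { Write-Error $_ }
}
```

The AzureAD module the post uses has been deprecated by Microsoft; with Microsoft Graph PowerShell the same write is `Update-MgUser -UserId '<objectID of the cloud account>' -OnPremisesImmutableId $check.ImmutableId`.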

Once the sync between on-premises AD and Entra ID runs, the former cloud-only account will show On-premises Sync Enabled as Yes. From then on, changes to the user account flow from on-premises AD to Entra ID.